Which statements about reflexive access lists are true? (Choose three.)
A. Reflexive access lists create a permanent ACE
B. Reflexive access lists approximate session filtering using the established keyword
C. Reflexive access lists can be attached to standard named IP ACLs
D. Reflexive access lists support UDP sessions
E. Reflexive access lists can be attached to extended named IP ACLs
F. Reflexive access lists support TCP sessions
Answer: D,E,F
Explanation:
To define a reflexive access list, you use an entry in an extended named IP access list. This entry must use the reflect keyword. A reflexive access list is triggered when a new IP upper-layer session (such as TCP or UDP) is initiated from inside your network, with a packet traveling to the external network. Moreover, the previous method of using the established keyword was available only for the TCP upper-layer protocol. So, for the other upper-layer protocols (such as UDP, ICMP, and so forth), you would have to either permit all incoming traffic or define all possible permissible source/destination host/port address pairs for each protocol. (Besides being an unmanageable task, this could exhaust NVRAM space.)
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html#54908