Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the security configurations, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Overview of Reflective ACLs


Reflective ACLs are an application of dynamic ACLs. A reflective ACL controls access according to upper-layer session information in IP packets, that is, the IP addresses and port numbers of a connection. It allows hosts on the external (public) network to reach hosts on the internal (private) network only in reply to sessions that the internal hosts initiated. In this way a reflective ACL protects the internal network of an enterprise against unsolicited connections from external users.


After a reflective ACL is configured, request packets from external network users cannot enter the internal network. When a user on the internal network sends a request to a user on the external network, the device generates a reflective ACL entry on the interface from the source IP address, destination IP address, and port numbers of that packet, with source and destination swapped. Only return traffic matching this entry is then permitted from the external user to the internal user.

As shown in Figure 2-1, PC b on the external network cannot initially access PC a on the internal network. After PC a sends a packet with source IP address IPa, source port Porta, destination IP address IPb, and destination port Portb to PC b, the device on which the reflective ACL is configured generates a reflective ACL rule that permits packets with source IP address IPb, source port Portb, destination IP address IPa, and destination port Porta. Only packets from PC b that match this mirrored entry are forwarded to PC a.

Figure 2-1  Reflective ACL
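The following is an added example that simulates the behaviour described above; it is not Huawei's code and does not reproduce the switch's configuration commands. It models the device as a stateful filter between an internal and an external network: an outbound packet installs an entry with the 5-tuple mirrored (protocol kept, addresses and ports swapped), and an inbound packet is permitted only when it matches a live entry exactly. The IP addresses and ports are constructed sample values standing in for IPa/Porta and IPb/Portb, and the ageing timeout is an assumption added for illustration; the page does not specify one.

```python
# Added example (not Huawei's code): simulation of a reflective ACL.
# Assumption: reflected entries age out after `timeout` seconds; the actual
# ageing behaviour and its configuration are device-specific.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# A reflected entry is keyed by the 5-tuple as it will appear on the
# *inbound* (external -> internal) direction.
Key = Tuple[str, str, int, str, int]


class ReflectiveACL:
    """Stateful filter sitting between an internal network and the outside."""

    def __init__(self, internal_net: str, timeout: float = 300.0) -> None:
        self.internal_net = ipaddress.ip_network(internal_net)
        self.timeout = timeout
        self.entries: Dict[Key, float] = {}   # mirrored 5-tuple -> expiry time

    def is_internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.internal_net

    def outbound(self, pkt: Packet, now: float) -> bool:
        """Internal -> external packet: always permitted, and it installs
        (or refreshes) the mirrored entry that will admit the reply."""
        if not self.is_internal(pkt.src_ip) or self.is_internal(pkt.dst_ip):
            raise ValueError("outbound() expects internal source, external destination")
        key: Key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        self.entries[key] = now + self.timeout
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        """External -> internal packet: permitted only if an unexpired reflected
        entry matches protocol, both addresses and both ports exactly."""
        key: Key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        expiry = self.entries.get(key)
        if expiry is None:
            return False                  # unsolicited: no session was initiated from inside
        if now >= expiry:
            del self.entries[key]         # aged out: treat as unsolicited again
            return False
        return True


def demo() -> Dict[str, bool]:
    """Walk through the Figure 2-1 scenario plus the non-matching cases."""
    acl = ReflectiveACL("10.0.0.0/8", timeout=60.0)
    # Constructed sample addresses: PC a (internal) and PC b (external).
    ipa, porta = "10.0.0.5", 40000
    ipb, portb = "203.0.113.7", 443
    results: Dict[str, bool] = {}
    # 1. PC b tries first: no entry exists, packet is dropped.
    results["unsolicited"] = acl.inbound(Packet("tcp", ipb, portb, ipa, porta), now=0.0)
    # 2. PC a initiates the session; the mirrored entry is installed.
    acl.outbound(Packet("tcp", ipa, porta, ipb, portb), now=1.0)
    # 3. The exact mirrored reply from PC b is permitted.
    results["reply"] = acl.inbound(Packet("tcp", ipb, portb, ipa, porta), now=2.0)
    # 4. Same peer but a different source port: no match, dropped.
    results["other_port"] = acl.inbound(Packet("tcp", ipb, 8080, ipa, porta), now=2.0)
    # 5. Same addresses and ports but a different protocol: dropped.
    results["other_proto"] = acl.inbound(Packet("udp", ipb, portb, ipa, porta), now=2.0)
    # 6. After the (assumed) ageing timeout the entry is gone again.
    results["expired"] = acl.inbound(Packet("tcp", ipb, portb, ipa, porta), now=100.0)
    return results


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:12s} -> {'permit' if permitted else 'deny'}")
```

The point the simulation makes is that the reflected entry is an exact mirror: the reply must come from the same external address and port, to the same internal address and port, with the same protocol. Anything else from the external host, including a fresh connection from a different source port, is still treated as unsolicited and dropped.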

Updated: 2019-10-18

Document ID: EDOC1000178319
