Which statements about reflexive access lists are true? (Choose three.)
A. Reflexive access lists create a permanent ACE
B. Reflexive access lists approximate session filtering using the established keyword
C. Reflexive access lists can be attached to standard named IP ACLs
D. Reflexive access lists support UDP sessions
E. Reflexive access lists can be attached to extended named IP ACLs
F. Reflexive access lists support TCP sessions
Explanation:
BD
To define a reflexive access list, you use an entry in an extended named IP access list. This entry must use
the reflect keyword.
A reflexive access list is triggered when a new IP upper-layer session (such as TCP or UDP) is initiated from
inside your network, with a packet traveling to the external network.
Moreover, the previous method of using the established keyword was available only for the TCP upper-layer
protocol. So, for the other upper-layer protocols (such as UDP, ICMP, and so forth), you would have to
either permit all incoming traffic or define all possible permissible source/destination host/port address pairs for
each protocol. (Besides being an unmanageable task, this could exhaust NVRAM space.)
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html#54908