Reflexive ACL on 3750

What does the feature navigator say about the feature availability on that platform?

My 3750 running will do it. * 1 24 WS-C3750G-24T

12.1(19)EA1c C3750-I5-M

Here is a *very* simple example from my 6500. The syntax is the same:

interface Vlan10 ip address 10.0.0.254 255.255.255.0 ip access-group vlan10_in in ip access-group vlan10_out out

ip access-list extended vlan10_in evaluate vlan10_reflect permit icmp 10.0.0.0 0.0.0.255 any packet-too-big permit icmp 10.0.0.0 0.0.0.255 any time-exceeded ip access-list extended vlan10_out permit tcp any any reflect vlan10_reflect permit udp any any reflect vlan10_reflect permit icmp any any reflect vlan10_reflect

Hope it helps.

Thing is, you may want to find out if it does it in hardware, since if it does not you may find that the performance does not meet your requirements.

I would guess that 3750 may do a few 10s of thousands of packets per second in software as opposed to 'whatever it says on the tin' in hardware. Lots and lots of millions I would guess.

OH!

The switch does not support these IOS router ACL-related features: - Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature)

The switch does not support these Cisco IOS router ACL-related features: - Reflexive ACLs .......

Cisco seem to be putting (leaving?) commands in IOS that are not always suported. This to me seems a bizarre practise. Maybe this is one of those cases?

Anyway, unless it's a toy installation, I would take cisco's advice.

If you want a firewall, buy one:-)