Using Separate Acls On Ip Follower Virtual Routing Interfaces - HP ProCurve 9304M Installation And Configuration Manual

Configuring Virtual LANs (VLANs)

Using Separate ACLs on IP Follower Virtual Routing Interfaces

NOTE: This section applies to flow-based ACLs only.

The IP follower feature allows multiple virtual routing interfaces to share the same IP address. One virtual routing
interface has the IP address and the other virtual routing interfaces are configured to follow the virtual routing
interface that has the address.

By default, the follower interfaces are secured by the ACLs that are applied to the interface that has the address.
In fact, an ACL applied to a follower interface is ignored. For example, if you configure virtual routing interfaces 1,
2, and 3, and configure interfaces 2 and 3 to follow interface 1, then the ACLs applied to interface 1 also apply to
interfaces 2 and 3. Any ACLs applied separately to interface 2 or 3 are ignored.

You can enable a follower virtual routing interface to use the ACLs you apply to it instead of using the ACLs
applied to the interface that has the address. For example, you can enable virtual routing interface 2 to use its
own ACLs instead of using interface 1's ACLs.

To enable a virtual routing interface to use its own ACLs instead of the ACLs of the interface it is following, enter
the following command at the configuration level for the interface:

HP9300(config-vif-2)# no ip follow acl

Syntax: [no] ip follow acl

The following commands show a complete IP follower configuration. Virtual routing interfaces 2 and 3 have been
configured to share the IP address of virtual routing interface 1, but also have been configured to use their own
ACLs instead of virtual routing interface 1's ACLs.

HP9300(config)# vlan 1 name primary_vlan
HP9300(config-vlan-1)# untag ethernet 1/1
HP9300(config-vlan-1)# tag ethernet 1/8
HP9300(config-vlan-1)# router-interface ve 1
HP9300(config-vlan-1)# exit
HP9300(config)# interface ve 1
HP9300(config-ve-1)# ip address 10.0.0.1/24
HP9300(config-ve-1)# ip access-group 1 in
HP9300(config-ve-1)# exit
HP9300(config)# vlan 2 name followerA
HP9300(config-vlan-2)# untag ethernet 1/2
HP9300(config-vlan-2)# tag ethernet 1/8
HP9300(config-vlan-2)# router-interface ve 2
HP9300(config-vlan-2)# exit
HP9300(config)# interface ve 2
HP9300(config-ve-2)# ip follow ve 1
HP9300(config-ve-2)# no ip follow acl
HP9300(config-ve-2)# ip access-group 2 in
HP9300(config-ve-2)# exit
HP9300(config)# vlan 3 name followerB
HP9300(config-vlan-3)# untag ethernet 1/5 to 1/6
HP9300(config-vlan-3)# tag ethernet 1/8
HP9300(config-vlan-3)# router-interface ve 3
HP9300(config-vlan-3)# exit
HP9300(config)# interface ve 3
HP9300(config-ve-3)# ip follow ve 1
HP9300(config-ve-3)# no ip follow acl
HP9300(config-ve-3)# ip access-group 3 out
HP9300(config-ve-3)# exit
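
The rules above can be checked offline against a saved configuration. The following Python script is an added example, not part of the HP manual: it reads interface commands in the form shown in this section and reports, for each virtual routing interface, which ACLs take effect and which are ignored. The sample input is constructed (ve 3 deliberately omits "no ip follow acl"), and the function names parse and audit are hypothetical.

```python
import re

# Constructed sample modelled on the session above; ve 3 omits "no ip follow acl".
SAMPLE = """\
HP9300(config)# interface ve 1
HP9300(config-ve-1)# ip access-group 1 in
HP9300(config-ve-1)# exit
HP9300(config)# interface ve 2
HP9300(config-ve-2)# ip follow ve 1
HP9300(config-ve-2)# no ip follow acl
HP9300(config-ve-2)# ip access-group 2 in
HP9300(config-ve-2)# exit
HP9300(config)# interface ve 3
HP9300(config-ve-3)# ip follow ve 1
HP9300(config-ve-3)# ip access-group 3 out
HP9300(config-ve-3)# exit
"""

def parse(text):
    """Return {ve: {"follows": ve or None, "own_acl": bool, "acls": [(id, dir)]}}."""
    ves, cur = {}, None
    for raw in text.splitlines():
        # Strip a leading CLI prompt if present, so plain config lines also work.
        line = re.sub(r"^\S+\(config[^)]*\)#\s*", "", raw.strip())
        if m := re.fullmatch(r"interface ve (\d+)", line):
            cur = ves.setdefault(int(m[1]), {"follows": None, "own_acl": False, "acls": []})
        elif line == "exit":
            cur = None
        elif cur is None:
            continue
        elif m := re.fullmatch(r"ip follow ve (\d+)", line):
            cur["follows"] = int(m[1])
        elif line == "no ip follow acl":
            cur["own_acl"] = True
        elif m := re.fullmatch(r"ip access-group (\S+) (in|out)", line):
            cur["acls"].append((m[1], m[2]))
    return ves

def audit(ves):
    """Return {ve: (effective_acls, ignored_acls)} per the rules in this section."""
    report = {}
    for n, v in sorted(ves.items()):
        if v["follows"] is None or v["own_acl"]:
            report[n] = (v["acls"], [])          # interface uses its own ACLs
        else:                                    # follower: followed interface's ACLs apply
            report[n] = (ves.get(v["follows"], {"acls": []})["acls"], v["acls"])
    return report

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```

Any interface with a non-empty ignored list has an ACL configured that is not being enforced on it.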