Routing Access Policies For Ospf - Extreme Networks 200 Series Installation And User Manual

In addition, if the administrator wants to restrict any user belonging to the VLAN Engsvrs from
reaching the VLAN Sales (IP address 10.2.1.0/24), the additional access policy commands to build the
access policy would be:
create access-profile nosales ipaddress
config access-profile nosales mode deny
config access-profile nosales add 10.2.1.0/24
config rip vlan backbone import-filter nosales
This configuration results in the switch having no route back to the VLAN Sales.

Routing Access Policies for OSPF

Because OSPF is a link-state protocol, the access policies associated with OSPF are different in nature
than those associated with RIP. Access policies for OSPF are intended to extend the existing filtering
and security capabilities of OSPF (for example, link authentication and the use of IP address ranges). If
you are using the OSPF protocol, the switch can be configured to use an access profile to determine any
of the following:
• Inter-area Filter—For switches configured to support multiple OSPF areas (an ABR function), an
access profile can be applied to an OSPF area that filters a set of OSPF inter-area routes from being
sourced from any other areas. To configure an inter-area filter policy, use the following command:
config ospf area <area_id> interarea-filter [<access_profile> | none]
• External Filter—For switches configured to support multiple OSPF areas (an ABR function), an
access profile can be applied to an OSPF area that filters a set of OSPF external routes from being
advertised into that area. To configure an external filter policy, use the following command:
config ospf area <area_id> external-filter [<access_profile> | none]
NOTE
If any of the external routes specified in the filter have already been advertised, those routes will remain
until the associated LSAs in that area time-out.
• ASBR Filter—For switches configured to support RIP and static route re-distribution into OSPF, an
access profile can be used to limit the routes that are advertised into OSPF for the switch as a whole.
To configure an ASBR filter policy, use the following command:
config ospf asbr-filter [<access_profile> | none]
• Direct Filter—For switches configured to support direct route re-distribution into OSPF, an access
profile can be used to limit the routes that are advertised into OSPF for the switch as a whole. To
configure a direct filter policy, use the following command:
config ospf direct-filter [<access_profile> | none]
Example
Figure 23 illustrates an OSPF network that is similar to the network used previously in the RIP example.
In this example, access to the Internet is accomplished by using the ASBR function on the switch labeled
Internet. As a result, all routes to the Internet will be done through external routes. Suppose the
network administrator wishes to only allow access to certain internet addresses falling within the range
192.1.1.0/24 to the internal backbone.
Summit 200 Series Switch Installation and User Guide
Using Routing Access Policies
131