HP ProCurve Secure 7000dl Series Basic Management And Configuration Manual page 420

Configuring Demand Routing for Primary ISDN Modules
Using Demand Routing for ISDN Connections
8-28
You can apply an access control policy (ACP) to the demand interface.
ACPs control incoming traffic and can contain multiple ACLs.
You use the ip access-group command to apply ACLs directly to the demand
interface, or you use the access-policy command to apply an ACP to the
demand interface. (For more information about using ACLs separately or in
combination with ACPs, see Chapter 5: Applying Access Control to Router
Interfaces.) The ProCurve Secure Router will match traffic to the ACLs or the
ACP to control access to an already-active backup connection. However, the
connection will only be triggered by traffic that matches the ACL that you
specify in the match-interesting list command.
Because you can configure one ACL to trigger the dial-up connection and
another ACL to control access to the dial-up connection, you can allow certain
types of traffic to use a connection only when it is already established. For
example, if you apply an ACL for outbound traffic to the demand interface,
the router will match traffic destined out the demand interface against this list
first. If the router determines that a packet is allowed, it will then check the
ACL specified with the match-interesting list command to determine if the
packet should trigger the backup connection. If the packet is not defined as
interesting traffic, the ProCurve Secure Router will not attempt to establish
the connection. However, if the connection is already established, the router
will transmit packets that are permitted by the ACL, but not selected as
interesting traffic, over the ISDN link. These packets will not reset the idle
timer for the demand interface. (The idle timer determines how long the dial-
up connection will remain connected in the absence of interesting traffic.
When the router receives interesting traffic, it resets the idle timer. For more
information about timers, see "Configuring the idle-timeout Option" on page
8-37 and "Configuring the fast-idle Option" on page 8-38.)
For example, suppose two nodes at a remote site need to communicate with
a server at a local site. One node is specified in the ACL that triggers the
connection, but the other node is not. The first node's communication will
keep the link active until it has completed its transfer of data and the idle timer
has expired. If the idle timer expires when the second node is communicating
with the server, the connection will be terminated because the second node's
traffic does not match the ACL specified in the match-interesting list
command.
In addition to applying an ACL to control outbound traffic, you can apply an
ACL for inbound traffic or an ACP to the demand interface. In this case, the
ACL or the ACP will filter inbound traffic to your network over the backup
connection. If the router determines that a packet is allowed, it will forward