HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 105

Applying an ACP or Another ACL to the Demand Interface. In addition to using an ACL to determine which traffic triggers a dial-up connection, you can use ACLs to control incoming traffic and outgoing traffic on that connection. You have two options for controlling traffic:
- You can apply ACLs directly to the demand interface. If you choose this option, you can apply one ACL directly to the interface to control incoming traffic, and you can apply another ACL directly to the interface to control outgoing traffic. (For best practices, you typically apply an extended ACL closest to the source of incoming traffic so that you do not waste the router's processing time on traffic that will ultimately be discarded.)
- You can apply an access control policy (ACP) to the demand interface. ACPs control incoming traffic and can contain multiple ACLs.
You use the ip access-group command to apply ACLs directly to the demand
interface, or you use the access-policy command to apply an ACP to the
demand interface. (For more information about using ACLs separately or in
combination with ACPs, see Chapter 5: Applying Access Control to Router
Interfaces.) The ProCurve Secure Router will match traffic to the ACLs or the
ACP to control access to an already-active backup connection. However, the
connection will only be triggered by traffic that matches the ACL that you
specify in the match-interesting list command.
Because you can configure one ACL to trigger the dial-up connection and
another ACL to control access to the dial-up connection, you can allow certain
types of traffic to use a connection only when it is already established. For
example, if you apply an ACL for outbound traffic to the demand interface,
the router will match traffic destined out the demand interface against this list
first. If the router determines that a packet is allowed, it will then check the
ACL specified with the match-interesting list command to determine if the
packet should trigger the backup connection. If the packet is not defined as
interesting traffic, the ProCurve Secure Router will not attempt to establish
the connection. However, if the connection is already established, the router
will transmit packets that are permitted by the ACL, but not selected as
interesting traffic, over the ISDN link. These packets will not reset the idle
timer for the demand interface. (The idle timer determines how long the dial-up
connection will remain connected in the absence of interesting traffic.
When the router receives interesting traffic, it resets the idle timer. For more
information about timers, see "Configuring the idle-timeout Option" on page
3-34 and "Configuring the fast-idle Option" on page 3-35.)
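The decision order described above can be traced with a small model. This is an added example, not code from the manual or from the router's software; the class and function names, the source-only ACL matching, the 120-second timeout and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

def acl_permits(acl, src):
    """First matching (action, network) entry wins; no match means deny."""
    for action, net in acl:
        if ip_address(src) in ip_network(net):
            return action == "permit"
    return False

@dataclass
class DemandInterface:
    outbound_acl: list     # models the list applied with ip access-group (outbound)
    interesting_acl: list  # models the list named in match-interesting list
    idle_timeout: int      # seconds without interesting traffic before hang-up
    link_up: bool = False
    last_interesting: float = 0.0

    def send(self, src, now):
        # The idle timer only counts from the last *interesting* packet.
        if self.link_up and now - self.last_interesting >= self.idle_timeout:
            self.link_up = False
        # Step 1: the outbound ACL decides whether the packet may use the link.
        if not acl_permits(self.outbound_acl, src):
            return "dropped"
        # Step 2: only interesting traffic can dial or reset the idle timer.
        if acl_permits(self.interesting_acl, src):
            dialed = not self.link_up
            self.link_up, self.last_interesting = True, now
            return "dialed, sent" if dialed else "sent, timer reset"
        return "sent, timer not reset" if self.link_up else "not sent, link down"

def demo():
    # Constructed addresses: .10 may trigger the link, .20 may only ride it.
    dem = DemandInterface(
        outbound_acl=[("permit", "192.168.2.0/24")],
        interesting_acl=[("permit", "192.168.2.10/32")],
        idle_timeout=120,
    )
    events = [(0, "192.168.2.20"), (5, "192.168.2.10"), (60, "192.168.2.20"),
              (124, "192.168.2.20"), (126, "192.168.2.20"), (130, "10.0.0.1")]
    return [(t, src, dem.send(src, t)) for t, src in events]

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

In the trace, the non-interesting host keeps sending at 60 and 124 seconds, yet the link still drops 120 seconds after the last interesting packet, so its packet at 126 seconds is not sent.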
For example, suppose two nodes at a remote site need to communicate with
a server at a local site. One node is specified in the ACL that triggers the
connection, but the other node is not. The first node's communication will
Configuring Backup WAN Connections
Configuring Demand Routing for Backup Connections
3-25

This manual is also suitable for:

Procurve secure router 7102 dl
