Filtering Traffic That Arrives On The Tunnel - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

Filtering Traffic that Arrives on the Tunnel

You can restrict certain traffic from entering the tunnel by applying an access
control policy (ACP). For example, you might want only traffic sent from a
multicasting video streamer to be able to access the router through the tunnel.
The multicast address for the video stream is 239.255.1.1. You should complete
these steps to place the filter on the tunnel interface:
1. Configure an access control list (ACL) that selects traffic allowed over the
tunnel:
a. Name the ACL and specify whether it is standard (selects traffic by
source IP address) or extended (selects traffic by a variety of IP
header fields). For example:
ProCurve(config)# ip access-list extended TunnelTraffic
b. If necessary, add deny statements for an address or range of addresses
denied the tunnel.
c. Add permit statements for traffic allowed over the tunnel:
Syntax: [permit | deny] ip [any | host <source A.B.C.D> | <source A.B.C.D>
<wildcard bits>] [any | host <destination A.B.C.D> | <destination A.B.C.D>
<wildcard bits>]
In this example, permitted traffic is the traffic destined to the multi-
cast address for the video stream:
ProCurve(config-ext-nacl)# permit ip any host 239.255.1.1
2. Configure an ACP that allows this traffic:
a. Name the ACP:
ProCurve(config)# ip policy-class Tunnel
b. Allow the ACL:
Syntax: [allow | discard] list <ACL listname>
For example:
ProCurve(config-policy-class)# allow list TunnelTraffic
3. Return to the tunnel interface configuration context and apply the ACP
to the tunnel:
Syntax: interface tunnel <interface number>
Syntax: access-policy <policyname>
Configuring a Tunnel with Generic Routing Encapsulation
Configuring GRE
9-11