HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 743


To configure an ACL to route traffic based on its source as well as its destination, complete these steps:
1. From the global configuration mode, create an extended ACL:
Syntax: ip access-list extended <listname>
2. The routing policy may not apply to traffic destined to certain addresses. For example, you could use PBR to forward certain traffic to a device that filters that traffic before allowing it to access a remote site. You might not want to forward local traffic to this device. In this case, you would deny traffic destined to local addresses using this command:
Syntax: deny ip [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>] [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>]
For example, exclude all traffic destined to network 192.168.25.0 /24:
ProCurve(config-ext-nacl)# deny ip any 192.168.25.0 0.0.0.255
3. Enter a permit statement to select the traffic for PBR. When you enter the command, first specify the address of the host, network, or range of networks for which you want to use PBR to route the traffic. You can then enter the destination address for the route. The destination can be a single host (use the host keyword), but you should generally either specify all networks not earlier denied (any) or the address for a network or range of networks. Use wildcard bits to specify a range of addresses.
Syntax: permit ip [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>] [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>]
For example, you are configuring PBR on a ProCurve Secure Router that provides a university access to the Internet. The university wants to subject student traffic to additional screening. (Student subnets include the second half of networks in the 10.2.0.0 /16 range.) Student traffic destined to the Internet will be routed to an IDS device. Other traffic (from, for example, administrators and professors) can access the Internet without further processing.
Hosts on the student subnets also need access to various servers on the local network (10.2.0.0 /16). Because the local router also receives and routes this traffic, you configure it to route traffic from students destined to local networks using the routes in its routing table. Enter these commands:
ProCurve(config)# ip access-list extended students
ProCurve(config-ext-nacl)# deny ip any 10.2.0.0 0.0.255.255
ProCurve(config-ext-nacl)# permit ip 10.2.128.0 0.127.255.255 any
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Configuring Policy-Based Routing
13-129
This manual is also suitable for: ProCurve Secure Router 7102 dl