Configuration Guide for A7000 dl T1 and E1 WAN Interfaces 2005-12
Understanding SROS Queuing Methods Access List and Access Policy Example
5991-3823 21
Begin by planning the ACL selectors for the traffic received on the connection to the branch office. Use
extended ACLs, which match on both source and destination IP addresses, to sort the traffic received from
the remote LAN into two categories: traffic destined for the corporate LAN and traffic destined for the
public Internet. Each category requires its own extended ACL to select the appropriate traffic. All traffic
destined for the public Internet also requires a many-to-one NAT configuration, which hides the private IP
addresses behind a single public IP address used for Internet access.
Next, plan the ACL selectors for the traffic received on the local network (Ethernet interface). Again use
extended ACLs matching on source and destination IP addresses to sort the traffic received from the local
network into two categories: traffic destined for the branch office LAN and traffic destined for the public
Internet. Each category requires its own extended ACL to select the appropriate traffic. As before, all
traffic destined for the public Internet requires a many-to-one NAT configuration so that private IP
addresses are hidden behind a single public IP address used for Internet access.
The following table provides sample ACL commands for the various traffic on our sample network.
The traffic selectors required on the connection to the branch office and on the local network are
essentially identical; they differ only in which subnets of the 10.0.0.0 network they name. If we widen the
addresses in the permit statements to cover the entire 10.0.0.0 network (by using 10.0.0.0 with wildcard
bits 0.255.255.255), we can create a single set of ACLs that can be used in the ACPs on both interfaces. All
IP subnets of the 10.0.0.0 network will then be allowed to exchange data with one another and with the
Internet.
The following activates the security features in the SROS router and creates two extended ACLs to select
our traffic:
ProCurve>enable
ProCurve#config terminal
ProCurve(config)#ip firewall
ProCurve(config)#ip access-list extended INTERLAN
ProCurve(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
ProCurve(config-ext-nacl)#exit
ProCurve(config)#ip access-list extended INTERNET
ProCurve(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 any
ProCurve(config-ext-nacl)#exit
ProCurve(config)#
Sample ACL commands for the traffic on the sample network (the table referenced above):

Action Description                                                        Command(s)
------------------------------------------------------------------------  --------------------------------------------------
Allow traffic between LANs (10.10.4.0/16 to 10.25.15.0/24)                permit ip 10.10.4.0 0.0.0.255 10.25.15.0 0.0.0.255
Allow traffic from remote LAN (10.10.4.0/24) to the Internet              permit ip 10.10.4.0 0.0.0.255 any
  through the PPP interface
Allow traffic from Corp LAN (10.25.15.0/24) to remote LAN (10.10.4.0/24)  permit ip 10.25.15.0 0.0.0.255 10.10.4.0 0.0.0.255
Allow traffic from Corp LAN (10.25.15.0/24) to the Internet               permit ip 10.25.15.0 0.0.0.255 any
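As an added illustration (not part of this guide), the following Python evaluator applies the wildcard-mask semantics behind these permit statements to a few constructed flows. It confirms that the two collapsed lists, INTERLAN and INTERNET, select the same flows as the per-subnet entries in the table, that a source outside 10.0.0.0 falls through to the implicit deny, and that INTERNET also matches inter-LAN traffic, which is why the order in which an ACP evaluates its entries matters. The function and flow names are the example's own.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Router-style wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w            # invert the wildcard to get the bits that must agree
    return (a & care) == (n & care)

def parse_ace(line: str):
    """Parse 'permit|deny ip <src> <wc> <dst> <wc>', where either side may be 'any' or 'host A'."""
    tok = line.split()
    if tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("only 'permit ip' / 'deny ip' entries are supported")
    pos = 2
    def take():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ("0.0.0.0", "255.255.255.255")   # every bit is 'don't care'
        if tok[pos] == "host":
            pos += 2
            return (tok[pos - 1], "0.0.0.0")        # every bit must match
        pos += 2
        return (tok[pos - 2], tok[pos - 1])
    src = take()
    dst = take()
    return tok[0], src, dst

def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; a flow that matches nothing hits the implicit deny."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

# The two collapsed lists from the guide's CLI session.
INTERLAN = ["permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255"]
INTERNET = ["permit ip 10.0.0.0 0.255.255.255 any"]

# Constructed sample flows: (source, destination). 203.0.113.5 stands in for an Internet host.
FLOWS = {
    "branch->corp": ("10.10.4.7", "10.25.15.3"),
    "branch->inet": ("10.10.4.7", "203.0.113.5"),
    "corp->inet":   ("10.25.15.3", "203.0.113.5"),
    "outsider->corp": ("192.168.1.10", "10.25.15.3"),
}

def classify(flows=FLOWS) -> dict:
    """Return {name: (INTERLAN decision, INTERNET decision)} for each flow."""
    return {k: (acl_lookup(INTERLAN, s, d), acl_lookup(INTERNET, s, d)) for k, (s, d) in flows.items()}
```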