HP Procurve Router: ACL Routing & OSPF

General ACL application
ip access-list extended <NAME>
deny ip <SOURCE>/<mask> <DESTINATION>/<mask> log
permit ip any any
# There is an implicit deny at the end of every ACL; without the "permit ip any any" line all remaining traffic is dropped
vlan <VLAN_NUMBER> ip access-group <NAME> in


General route map (policy-based routing):
ip access-list extended vlan3internet
deny ip
deny ip
permit ip any

route-map NEW_FW permit 10
match ip address vlan3internet
set ip next-hop GATEWAY_IP


vlan 3
ip policy route-map NEW_FW

ip access-list extended Deny-VLAN9-To-VLAN1
10 deny ip
20 permit ip
<implicit deny>

# Apply the ACL inbound on VLAN 9 (the name must match the ACL defined above)
vlan 9 ip access-group Deny-VLAN9-To-VLAN1 in

The implicit deny is automatically the last rule of every ACL, so there is no need to write it in; it is just something to keep in mind. For instance, an ACL that contains only a deny rule denies ALL traffic, both matching and non-matching, because nothing else is ever permitted.
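The first-match-wins evaluation with the trailing implicit deny, and the way a route map uses the same ACL to pick a next hop, are easy to get wrong, so here is an added Python model of both (this is example code written for this page, not switch firmware or any vendor library; the ACL text, the 10.x.0.0/24 VLAN prefixes and the 192.0.2.1 gateway are constructed sample values):

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACLs in the "<seq> permit|deny ip <src> <dst> [log]" form used above.
# VLAN 9 is 10.9.0.0/24, VLAN 1 is 10.1.0.0/24 (assumed addressing).
DENY_VLAN9_TO_VLAN1 = """
10 deny ip 10.9.0.0/24 10.1.0.0/24 log
20 permit ip any any
"""

# Same intent, but the author forgot the permit line: only the implicit deny remains.
DENY_ONLY = """
10 deny ip 10.9.0.0/24 10.1.0.0/24 log
"""

# ACL feeding the route map: VLAN 3 (10.3.0.0/24) traffic to internal 10/8 stays on
# normal routing; everything else from VLAN 3 is steered to the firewall gateway.
VLAN3_INTERNET = """
10 deny ip 10.3.0.0/24 10.0.0.0/8
20 permit ip 10.3.0.0/24 any
"""


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # "any" is stored as 0.0.0.0/0
    dst: ipaddress.IPv4Network
    log: bool = False


def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse extended-ACL lines; the leading sequence number is optional."""
    entries = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if parts and parts[0].isdigit():
            parts = parts[1:]
        if len(parts) < 4 or parts[1] != "ip" or parts[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {raw!r}")
        action, _, src, dst, *rest = parts
        entries.append(AclEntry(action, _net(src), _net(dst), log="log" in rest))
    return entries


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, 1-based ACE index).
    No match falls through to the implicit deny, reported with index None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(acl, start=1):
        if s in ace.src and d in ace.dst:
            return ace.action, idx
    return "deny", None


def policy_next_hop(match_acl: List[AclEntry], src_ip: str, dst_ip: str,
                    gateway: str) -> Optional[str]:
    """Model of 'route-map ... permit 10 / match ip address <acl> / set ip next-hop <gw>'.
    Only a *permit* match steers the packet; a deny match or the implicit deny
    means the packet is left to the normal routing table (None)."""
    action, _ = evaluate(match_acl, src_ip, dst_ip)
    return gateway if action == "permit" else None


if __name__ == "__main__":
    good, broken = parse_acl(DENY_VLAN9_TO_VLAN1), parse_acl(DENY_ONLY)
    for src, dst in [("10.9.0.5", "10.1.0.1"), ("10.9.0.5", "192.0.2.10")]:
        print(f"{src}->{dst}: with permit any any {evaluate(good, src, dst)}, "
              f"deny-only {evaluate(broken, src, dst)}")
    pbr = parse_acl(VLAN3_INTERNET)
    for dst in ("10.1.0.1", "198.51.100.7"):
        print(f"10.3.0.9->{dst}: next hop {policy_next_hop(pbr, '10.3.0.9', dst, '192.0.2.1')}")
```

Running it shows the two failure modes the notes warn about: with the deny-only ACL the second flow, which matches nothing, still comes back as deny from the implicit rule, and in the route map a deny entry does not block traffic at all, it merely excludes that traffic from policy routing.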

# Create native VLAN and numbered VLAN on SW1
vlan 1 untagged trk1
ip address
vlan 5 tagged trk1
ip address

# Create loopback interface on SW1
int loopback 0
ip address

# SW1 OSPF config
ip routing
ip router-id
vlan 1
ip ospf area
vlan 5
ip ospf area

# Commands to verify OSPF routing
sh ip route
sh ip ospf int        # show directly connected interfaces with OSPF enabled
sh ip ospf neighbor   # display neighbors

DR: Direct Route
BDR: backup DR state
Full (State): proper OSPF adjacency
InterArea (Sub-Type): when a route is not local

# create static route
ip route x.x.x.x x.x.x.x <name>

# Redistribute static routes to remote routers
router ospf
redistribute static

# Enable load sharing via Multi Path OSPF (in lieu of STP Multi Path)
ip load-sharing <2-4>
