CHAPTER 17 Access Policies
329
Assuming the backbone VLAN interconnects all the routers in the
company (and, therefore, the Internet router does not have the best
routes for other local subnets), the commands to build the access
policy for the switch would be:
create access-profile nointernet type ipaddress
configure access-profile nointernet mode deny
configure access-profile nointernet add ipaddress 10.0.0.10/32
configure rip vlan backbone trusted-gateway nointernet
Because nointernet is a deny-mode profile that lists the Internet
router's address, RIP updates received from 10.0.0.10 on the backbone
VLAN are not accepted; updates from every other gateway still are.
If the administrator wants to prevent any user belonging to the
VLAN Engsvrs from reaching the VLAN Sales (IP address
10.2.1.0/24), the additional commands would be:
create access-profile nosales type ipaddress
configure access-profile nosales mode deny
configure access-profile nosales add ipaddress 10.2.1.0/24
configure rip vlan backbone import-filter nosales
Because the import filter rejects the 10.2.1.0/24 route from every
gateway, this configuration leaves the switch with no route back to
the VLAN Sales, so it cannot forward Engsvrs traffic there. Note that
this is a route filter, not a packet filter: if the switch holds a
less specific route that covers 10.2.1.0/24 (a default route, for
example), traffic to Sales will still follow that route.
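The two profiles above filter on different things: trusted-gateway is applied to the router that sent a RIP update, so a rejected gateway loses every route it advertises, while import-filter is applied to each advertised prefix individually. The following model, added here as an illustration and not ExtremeWare code, replays both profiles over constructed RIP updates to show which routes the switch ends up with. It assumes that an ipaddress entry matches any address or route contained in it, and that deny mode rejects matches and accepts everything else (permit mode the reverse); confirm the exact match semantics against the access-profile documentation before relying on them.

```python
# Added illustration (not ExtremeWare code): a model of 'ipaddress' access
# profiles applied to RIP updates, showing what trusted-gateway and
# import-filter each filter on.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple, Union

Target = Union[str, IPv4Address, IPv4Network]


def to_net(target: Target) -> IPv4Network:
    """Normalise a host address or prefix string to an IPv4Network."""
    if isinstance(target, IPv4Network):
        return target
    if isinstance(target, IPv4Address):
        return IPv4Network(f"{target}/32")
    return IPv4Network(target)


@dataclass
class AccessProfile:
    """Model of 'create access-profile <name> type ipaddress'."""
    name: str
    mode: str                                   # "deny" or "permit"
    entries: List[IPv4Network] = field(default_factory=list)

    def add_ipaddress(self, prefix: str) -> None:
        """Model of 'configure access-profile <name> add ipaddress <prefix>'."""
        self.entries.append(IPv4Network(prefix))

    def permits(self, target: Target) -> bool:
        """Assumption: an entry matches any address or route that falls
        within it.  Deny mode rejects matches and passes the rest;
        permit mode passes only matches and rejects the rest."""
        net = to_net(target)
        matched = any(net.subnet_of(entry) for entry in self.entries)
        return (not matched) if self.mode == "deny" else matched


@dataclass
class RipUpdate:
    gateway: IPv4Address            # router that sent the RIP response
    routes: List[IPv4Network]       # prefixes advertised in that response


def apply_rip_policies(updates: List[RipUpdate],
                       trusted_gateway: Optional[AccessProfile] = None,
                       import_filter: Optional[AccessProfile] = None,
                       ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str, str]]]:
    """Return (learned routes as (prefix, gateway),
               drops as (gateway, prefix, profile)).

    trusted-gateway is checked against the sender of the update, so a
    rejected gateway loses every route it advertises; import-filter is
    checked against each advertised prefix on its own."""
    learned, dropped = [], []
    for upd in updates:
        if trusted_gateway and not trusted_gateway.permits(upd.gateway):
            dropped.append((str(upd.gateway), "*", trusted_gateway.name))
            continue
        for route in upd.routes:
            if import_filter and not import_filter.permits(route):
                dropped.append((str(upd.gateway), str(route), import_filter.name))
                continue
            learned.append((str(route), str(upd.gateway)))
    return learned, dropped


def example_backbone():
    """The two profiles from the text, applied to constructed RIP updates
    (sample data, not captured traffic)."""
    nointernet = AccessProfile("nointernet", "deny")
    nointernet.add_ipaddress("10.0.0.10/32")
    nosales = AccessProfile("nosales", "deny")
    nosales.add_ipaddress("10.2.1.0/24")

    updates = [
        # Internet router: everything it advertises is ignored by trusted-gateway
        RipUpdate(IPv4Address("10.0.0.10"),
                  [IPv4Network("0.0.0.0/0"), IPv4Network("10.3.0.0/16")]),
        # Router fronting Sales and another VLAN: only the Sales route is filtered
        RipUpdate(IPv4Address("10.0.0.2"),
                  [IPv4Network("10.2.1.0/24"), IPv4Network("10.2.2.0/24")]),
        # Unrelated backbone router: accepted untouched
        RipUpdate(IPv4Address("10.0.0.3"), [IPv4Network("10.5.0.0/16")]),
    ]
    return apply_rip_policies(updates, trusted_gateway=nointernet,
                              import_filter=nosales)


if __name__ == "__main__":
    learned, dropped = example_backbone()
    for prefix, gw in learned:
        print(f"learned {prefix:<14} via {gw}")
    for gw, prefix, prof in dropped:
        print(f"dropped {prefix:<14} from {gw} by {prof}")
```

Under this model the switch learns 10.2.2.0/24 and 10.5.0.0/16 but nothing from 10.0.0.10 and no 10.2.1.0/24 route from anyone. One consequence of the containment matching assumed here is worth checking on a real network: a deny entry for 10.2.1.0/24 rejects that prefix and anything more specific inside it, but a less specific aggregate such as 10.2.0.0/16 would pass and still give the switch a path to Sales.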
Routing Access Policies for OSPF
For information on converting an OSPF area into an IP type format, see
"OSPF (Open Shortest Path First)" on page 443.
Because OSPF is a link-state protocol, the access policies
associated with OSPF are different in nature from those associated
with RIP. Access policies for OSPF are intended to extend the
filtering and security capabilities that OSPF already has (for
example, link authentication and the use of IP address ranges). If
OSPF is being used, you can configure the switch to use an access
profile to determine any of the following:
• Inter-area Filter—For switches configured to support multiple
OSPF areas (an ABR function), you can apply an access profile to
an OSPF area that filters a set of OSPF inter-area routes from
being sourced from any other areas. To configure an inter-area
filter policy, use this command:
configure ospf area <area_id> interarea-filter [<access_profile> | none]