Configuring Virtual LANs (VLANs)
December 2005 © Foundry Networks, Inc. 11 - 39
Using Separate ACLs on IP Follower Virtual Routing Interfaces
NOTE: This section applies to flow-based ACLs only.
The IP follower feature allows multiple virtual routing interfaces to share the same IP address. One virtual routing
interface has the IP address and the other virtual routing interfaces are configured to follow the virtual routing
interface that has the address.
By default, the follower interfaces are secured by the ACLs that are applied to the interface that has the address.
In fact, an ACL applied to a follower interface is ignored. For example, if you configure virtual routing interfaces 1,
2, and 3, and configure interfaces 2 and 3 to follow interface 1, then the ACLs applied to interface 1 also apply to
interfaces 2 and 3. Any ACLs applied separately to interface 2 or 3 are ignored.
You can enable a follower virtual routing interface to use the ACLs you apply to it instead of using the ACLs applied
to the interface that has the address. For example, you can enable virtual routing interface 2 to use its own ACLs
instead of using interface 1’s ACLs.
To enable a virtual routing interface to use its own ACLs instead of the ACLs of the interface it is following, enter
the following command at the configuration level for the interface:
FastIron SuperX Router(config-vif-2)# no ip follow acl
Syntax: [no] ip follow acl
The following commands show a complete IP follower configuration. Virtual routing interfaces 2 and 3 have been
configured to share the IP address of virtual routing interface 1, but also have been configured to use their own
ACLs instead of virtual routing interface 1’s ACLs.
FastIron SuperX Router(config)# vlan 1 name primary_vlan
FastIron SuperX Router(config-vlan-1)# untag ethernet 1/1
FastIron SuperX Router(config-vlan-1)# tag ethernet 1/8
FastIron SuperX Router(config-vlan-1)# router-interface ve 1
FastIron SuperX Router(config-vlan-1)# exit
FastIron SuperX Router(config)# interface ve 1
FastIron SuperX Router(config-ve-1)# ip address 10.0.0.1/24
FastIron SuperX Router(config-ve-1)# ip access-group 1 in
FastIron SuperX Router(config-ve-1)# exit
FastIron SuperX Router(config)# vlan 2 name followerA
FastIron SuperX Router(config-vlan-2)# untag ethernet 1/2
FastIron SuperX Router(config-vlan-2)# tag ethernet 1/8
FastIron SuperX Router(config-vlan-2)# router-interface ve 2
FastIron SuperX Router(config-vlan-2)# exit
FastIron SuperX Router(config)# interface ve 2
FastIron SuperX Router(config-ve-2)# ip follow ve 1
FastIron SuperX Router(config-v2-2)# no ip follow acl
FastIron SuperX Router(config-ve-2)# ip access-group 2 in
FastIron SuperX Router(config-ve-2)# exit
FastIron SuperX Router(config)# vlan 3 name followerB
FastIron SuperX Router(config-vlan-3)# untag ethernet 1/5 to 1/6
FastIron SuperX Router(config-vlan-3)# tag ethernet 1/8
FastIron SuperX Router(config-vlan-3)# router-interface ve 3
FastIron SuperX Router(config-vlan-3)# exit
FastIron SuperX Router(config)# interface ve 3
FastIron SuperX Router(config-ve-3)# ip follow ve 1
FastIron SuperX Router(config-ve-3)# no ip follow acl
FastIron SuperX Router(config-ve-3)# ip access-group 3 out
FastIron SuperX Router(config-ve-3)# exit
To Next Page
Loading...
Need help?
General
