Question:
I already have OSPF set up on a WS-C3560X-48P-L, with area 0 as my backbone and area 1 for my WAN sites. One of my remote sites has a static default route that points to its firewall. On the remote-site router I need to filter a certain IP address out of the 192.168.0.0/16 route that OSPF creates, so I can block users at that remote site from connecting to that particular IP.
Answer:
If I am understanding your request correctly, the remote site is learning a 192.168.0.0/16 route from the "headend" router, and there is one particular host address within 192.168.0.0/16 that you want to block as a destination from the remote site?
Like most problems in IT, there are several ways to solve this. Commonly, IP access control lists are used for traffic 'policy enforcement'. By implementing an ACL that denies traffic from the remote-site IPs (source) to this particular host IP (destination), the remote-site users would no longer be able to communicate with that IP.
A less polished, but also effective, way to make this happen: you could null route the particular host address on your remote-site router. This means that when the remote-site router looks up the next hop for that particular destination, it sees the 'bit bucket' as the next hop and the traffic is dropped by your routing logic. This is nice and efficient, but you lose any logging/visibility.
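Both options from the answer, written out as an added IOS configuration example (not from the original post); the remote-site LAN 192.168.50.0/24 on Vlan50 and the blocked host 192.168.10.25 are placeholder values, and the ACL name BLOCK-HOST is assumed:

```cisco
! Option 1: extended ACL applied inbound on the remote-site user LAN interface.
! Only traffic from the remote-site LAN to the one host is denied; everything
! else is permitted so OSPF and normal traffic are unaffected. The "log"
! keyword keeps the visibility that the null-route option loses.
ip access-list extended BLOCK-HOST
 deny   ip 192.168.50.0 0.0.0.255 host 192.168.10.25 log
 permit ip any any
!
interface Vlan50
 description Remote-site user LAN (placeholder interface)
 ip access-group BLOCK-HOST in
!
! Option 2: null route just that host. The /32 static is more specific than
! the OSPF-learned 192.168.0.0/16, so longest-prefix match sends only this
! destination to Null0 while the rest of the /16 keeps its OSPF next hop.
ip route 192.168.10.25 255.255.255.255 Null0
```

Verify with `show ip route 192.168.10.25` (should list Null0 for option 2) and `show access-lists BLOCK-HOST` (hit counts on the deny entry for option 1).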