General ACL application
------------------------------------------------------------------------
ip access-list extended <NAME>
deny ip <SOURCE>/<MASK> <DESTINATION>/<MASK> log
permit ip any any
# Every ACL ends with an implicit deny; without the final "permit ip any any", all traffic that matches no earlier entry is dropped
vlan <VLAN_NUMBER> ip access-group <NAME> in
-------------------------------------------------------------------------
General Routing Map:
-------------------------------------------------------------------------
ip access-list extended vlan3internet
deny ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 10.0.30.0 0.0.0.255 any
route-map NEW_FW permit 10
match ip address vlan3internet
set ip next-hop <GATEWAY_IP>
Then apply the route-map to the VLAN interface (policy-based routing):
interface vlan 3
ip policy route-map NEW_FW
--------------------------------
ip access-list extended Deny-VLAN9-To-VLAN1
10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
<implicit deny>
# Apply the ACL inbound on the VLAN (the name must match the list defined above)
vlan 9 ip access-group Deny-VLAN9-To-VLAN1 in
The implicit deny is automatically the last rule of every ACL, so there is no need to write it in, but keep it in mind when building a list: if an ACL contains only deny entries, ALL traffic is denied, whether it matches an entry or not.
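To make the first-match and implicit-deny behaviour concrete, the following is an added example (not part of the original notes, and not switch code): a small Python simulator that parses extended-ACL entries with Cisco-style wildcard masks, evaluates a source/destination pair top-down, falls through to the implicit deny when nothing matches, and applies the route-map logic from the routing-map section above ("match ip address" plus "set ip next-hop"). The ACL lines are taken from the notes; the gateway and test addresses are constructed placeholders.

```python
"""ACL first-match / implicit-deny simulator (added example, not from the notes)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "any" is shorthand for 0.0.0.0 with an all-ones wildcard (every bit is "don't care")
ANY = ("0.0.0.0", "255.255.255.255")


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means that bit is ignored."""
    care = 0xFFFFFFFF ^ _as_int(wildcard)
    return (_as_int(addr) & care) == (_as_int(base) & care)


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    src: Tuple[str, str]     # (base address, wildcard)
    dst: Tuple[str, str]
    log: bool = False


def parse_ace(line: str) -> Ace:
    """Parse one entry, e.g. '10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log'."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():      # optional sequence number
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    action, rest = tokens[0], tokens[2:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    fields = []
    while rest:
        if rest[0] == "any":
            fields.append(ANY)
            rest = rest[1:]
        else:
            if len(rest) < 2:
                raise ValueError(f"address without wildcard in: {line!r}")
            fields.append((rest[0], rest[1]))
            rest = rest[2:]
    if len(fields) != 2:
        raise ValueError(f"expected source and destination in: {line!r}")
    return Ace(action, fields[0], fields[1], log)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines if l.strip() and not l.strip().startswith("#")]


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins. No match falls through to the implicit deny,
    reported with index None so it can be told apart from an explicit deny."""
    for idx, ace in enumerate(acl):
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action, idx
    return "deny", None


def policy_next_hop(acl: List[Ace], src: str, dst: str, gateway: str) -> Optional[str]:
    """Route-map 'match ip address <acl>' + 'set ip next-hop <gateway>': traffic the
    ACL permits is steered to the gateway; denied traffic (explicit or implicit)
    is left to the normal routing table, represented here as None."""
    action, _ = evaluate(acl, src, dst)
    return gateway if action == "permit" else None


# ACLs from the notes (the general template with the VLAN1/VLAN2 addresses filled in)
GENERAL_ACL = parse_acl([
    "deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log",
    "permit ip any any",
])
DENY_ONLY_ACL = parse_acl([          # the pitfall: no permit, so everything is dropped
    "deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
])
VLAN3_INTERNET = parse_acl([
    "deny ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255",
    "deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255",
    "permit ip 10.0.30.0 0.0.0.255 any",
])
GATEWAY_IP = "203.0.113.1"           # constructed placeholder for the notes' GATEWAY_IP

if __name__ == "__main__":
    for name, acl in (("general", GENERAL_ACL), ("deny-only", DENY_ONLY_ACL)):
        for dst in ("192.168.2.9", "198.51.100.4"):       # constructed test destinations
            print(f"{name:10s} 192.168.1.5 -> {dst:14s} {evaluate(acl, '192.168.1.5', dst)}")
    for dst in ("10.0.10.1", "10.0.20.1", "198.51.100.4"):
        print(f"vlan3 PBR 10.0.30.7 -> {dst:14s} next-hop {policy_next_hop(VLAN3_INTERNET, '10.0.30.7', dst, GATEWAY_IP)}")
```

The deny-only list shows the pitfall the note warns about: the destination in 198.51.100.0/24 matches no entry, so it is dropped by the implicit deny (index None) exactly like the explicitly denied VLAN2 traffic. In the policy-routing case, traffic from VLAN 3 to the other internal VLANs is denied by the ACL and therefore stays on the normal routing table, while everything else from VLAN 3 is steered to the gateway.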
# Create native VLAN and numbered VLAN on SW1
# (the VLAN interface needs a host address inside the subnet, e.g. .1, not the network address .0)
vlan 1 untagged trk1
ip address 10.10.1.1 255.255.255.0
vlan 5 tagged trk1
ip address 10.10.5.1 255.255.255.0
# Create loopback interface on SW1
int loopback 0
ip address 1.1.1.1
# SW1 OSPF config (area commands belong in the "router ospf" context)
ip routing
ip router-id 1.1.1.1
router ospf
area 0.0.0.0
area 0.0.0.5
enable
exit
vlan 1
ip ospf area 0.0.0.0
vlan 5
ip ospf area 0.0.0.5
# commands to verify OSPF routing
sh ip route
sh ip ospf int # show directly connected interfaces with OSPF enabled
sh ip ospf neighbor # display neighbors
Definitions:
DR: Direct Route
BDR: backup DR state
Full (State): proper OSPF adjacency
InterArea (Sub-Type): when a route is not local
# create static route (destination network, mask, next-hop)
ip route <DEST_NETWORK> <MASK> <NEXT_HOP>
# Redistribute static routes to remote routers
router ospf
redistribute static
# Enable load sharing via Multi Path OSPF (in lieu of STP Multi Path)
ip load-sharing <2-4>