The destination-address-exclude command excludes specific destination addresses from a authentication policy rule, so that the device does not match the traffic destined for these addresses with this authentication policy.
The undo destination-address-exclude command deletes the destination addresses excluded from a authentication policy rule.
destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]
undo destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description ]
| Parameter | Description | Value |
|---|---|---|
| address-set address-set-name &<1-6> | Specifies the name of an address or address group. | The specified address or address group must exist. You can add or delete a maximum of six addresses or address groups at a time. |
| ipv4-address | Specifies the IPv4 address. | The value is in dotted decimal notation. |
| ipv4-mask-length | Specifies the mask length of the IPv4 address. | The value is an integer ranging from 1 to 32. |
| mask mask-address | Specifies the mask of an IPv4 address. | The value is in dotted decimal notation whose binary form cannot be inconsecutive. For example, 255.0.255.0 is not a legitimate wildcard because its binary form is 11111111.00000000.11111111.00000000. In the binary form, digits 1 are to be matched, whereas digits 0 are not. For example, 192.168.1.1/255.0.255.0 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
| wildcard | Specifies the wildcard of an IPv4 address. | The value is in dotted decimal notation whose binary form cannot be inconsecutive. For example, 0.255.0.255 is not a legitimate wildcard because its binary form is 00000000.11111111.00000000.11111111. In the binary form, digits 0 are to be matched, whereas digits 1 are not. For example, 192.168.1.1/0.255.0.255 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
| ipv6-address | Specifies the IPv6 address. | The value is in hexadecimal notation. |
| ipv6-prefix-length | Specifies the prefix length of an IPv6 address. | The value is an integer ranging from 1 to 128. |
| range | Indicates the address range. | - |
| ipv4-start-address | Specifies the start address of an IPv4 address range. | The value is in dotted decimal notation. |
| ipv4-end-address | Specifies the end address of an IPv4 address range. | The value is in dotted decimal notation. |
| ipv6-start-address | Specifies the start address of an IPv6 address range. | The value is in hexadecimal notation. |
| ipv6-end-address | Specifies the end address of an IPv6 address range. | The value is in hexadecimal notation. |
| description description | Specifies the description of an individual IPv4/IPv6 address or address segment. | The value is a string of 1 to 128 characters. |
When referencing destination addresses in a authentication policy, you can run the destination-address-exclude command to exclude specific destination addresses. Traffic destined for the excluded addresses does not match the policy.
Application Scenarios
When configuring an authentication policy, you can reference a destination address in the policy to implement IP address-based access control. For example, two address ranges Addr_group1 (address range is 10.1.1.40 to 10.1.1.50) Addr_group2 (address range is 10.1.1.0/24) are available. Traffic with destination address Addr_group1 is not subject to user ID identification, and traffic with destination address Addr_group2 needs to experience portal authentication. You can use configuration method 1 in the following table to assign different actions to different addresses. This method increases policies as well as policy maintenance workloads. Alternatively, you can use configuration method 2 to run the destination-address-exclude command to configure the policy. This method has the same effect as method 1 and does not need additional policies.
| Configuration Method | Command |
|---|---|
| Method 1 | <sysname> system-view [sysname] auth-policy [sysname-policy-auth] rule name auth1 [sysname-policy-auth-rule-auth1] destination-address range 10.1.1.40 10.1.1.50 [sysname-policy-auth-rule-auth1] action none [sysname-policy-auth-rule-auth1] quit [sysname-policy-auth] rule name auth2 [sysname-policy-auth-rule-auth2] destination-address 10.1.1.0 24 [sysname-policy-auth-rule-auth2] action auth |
| Method 2 | <sysname> system-view [sysname] auth-policy [sysname-policy-auth] rule name auth3 [sysname-policy-auth-rule-auth3] destination-address-exclude range 10.1.1.40 10.1.1.50 [sysname-policy-auth-rule-auth3] destination-address 10.1.1.0 24 [sysname-policy-auth-rule-auth3] action auth |