destination-address-exclude command excludes specific destination addresses from a policy rule.
undo destination-address-exclude command deletes the destination addresses excluded from a policy rule.
destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description description ]
undo destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description description ]
| Parameter | Description | Value |
|---|---|---|
| address-set address-set-name &<1-6> | Specifies the name of an address or address group. | The value must be the name of an existing address or address group. You can add a maximum of six addresses (address groups) to (or delete them from) a proxy policy rule at a time. |
| ipv4-address | Specifies the IPv4 address. | The value is in dotted decimal notation. |
| ipv4-mask-length | Specifies the mask length of an IPv4 address. | The value is an integer ranging from 1 to 32. |
| mask mask-address | Specifies the mask of an IPv4 address. | The value is in dotted decimal notation whose binary form cannot be inconsecutive. For example, 255.0.255.0 is not a legitimate wildcard because its binary form is 11111111.00000000.11111111.00000000. In the binary form, digits 1 are to be matched, whereas digits 0 are not. For example, 192.168.1.1/255.0.255.0 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
| wildcard | Specifies the wildcard of an IPv4 address. | The value is in dotted decimal notation whose binary form cannot be inconsecutive. For example, 0.255.0.255 is not a legitimate wildcard because its binary form is 00000000.11111111.00000000.11111111. In the binary form, digits 0 are to be matched, whereas digits 1 are not. For example, 192.168.1.1/0.255.0.255 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
| range | Indicates the address range. | - |
| ipv4-start-address | Specifies the start address of an IPv4 address range. | The value is in dotted decimal notation. |
| ipv4-end-address | Specifies the end address of an IPv4 address range. | The value is in dotted decimal notation. |
| description description | Specifies the description of an individual IPv4 address or address segment. | The value is a string of 1 to 128 characters. |
If the destination address of a flow matches an exception destination address set in the proxy policy rule view, the flow skips and is not controlled by the proxy policy.
Application Scenarios
For example, a user wants to apply TCP proxy to traffic destined for 10.1.1.0/24 but does not want to apply TCP proxy to traffic defined for 10.1.1.40 to 10.1.1.50 (exception destination addresses). Based on this requirement, there are two types of proxy policy configuration plans. In Configuration Plan 1 in the following table, two policies are configured to take different actions on the two flows. This plan increases the number of policies, not facilitating policy maintenance. In Configuration Plan 2, only one policy is configured. Exception destination addresses can be added to this policy to achieve the same effect as Configuration Plan 1. This plan reduces the policy maintenance workload and configuration complexity.
| Configuration Plan | Configuration Command |
|---|---|
| Configuration Plan 1 | <sysname> system-view [sysname] proxy-policy [sysname-policy-proxy] rule name no_policy_proxy [sysname-policy-proxy-rule-no_policy_proxy] destination-address range 10.1.1.40 10.1.1.50 [sysname-policy-proxy-rule-no_policy_proxy] action no-proxy [sysname-policy-proxy-rule-no_policy_proxy] quit [sysname-policy-proxy] rule name policy_proxy [sysname-policy-proxy-rule-policy_proxy] destination-address 10.1.1.0 24 [sysname-policy-proxy-rule-policy_proxy] action tcp-proxy |
| Configuration Plan 2 | <sysname> system-view [sysname] proxy-policy [sysname-policy-proxy] rule name policy_proxy [sysname-policy-proxy-rule-policy_proxy] destination-address-exclude range 10.1.1.40 10.1.1.50 [sysname-policy-proxy-rule-policy_proxy] destination-address 10.1.1.0 24 [sysname-policy-proxy-rule-policy_proxy] action tcp-proxy |