The destination-address-exclude command excludes specific destination addresses from a policy rule, so that the device does not match the traffic destined for these addresses with this policy.
The undo destination-address-exclude command deletes the destination addresses excluded from a policy rule.
destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]
undo destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description ]
| Parameter | Description | Value |
|---|---|---|
| address-set address-set-name &<1-6> | Specifies the name of an address or address group. | The address or address group must exist. A maximum of six addresses or address groups can be specified or deleted at a time. |
| ipv4-address | Specifies an IPv4 address. | The value is in dotted decimal notation. |
| ipv4-mask-length | Specifies the mask length of the IPv4 address. | The value is an integer ranging from 1 to 32. |
| mask mask-address | Specifies a mask for the IPv4 address. | The value is in dotted decimal notation, and its binary form must be contiguous (a run of 1s followed by a run of 0s). For example, 255.0.255.0 is not a legitimate mask because its binary form is 11111111.00000000.11111111.00000000. A 1 bit in the mask means the corresponding address bit must match; a 0 bit means the address bit is ignored. Under that interpretation 192.168.1.1/255.0.255.0 would match only addresses of the form 192.*.1.*; this illustrates the bit semantics but is not a value the command accepts. |
| wildcard | Specifies the wildcard of an IPv4 address. | The value is in dotted decimal notation, and its binary form must be contiguous (a run of 0s followed by a run of 1s). For example, 0.255.0.255 is not a legitimate wildcard because its binary form is 00000000.11111111.00000000.11111111. A 0 bit in the wildcard means the corresponding address bit must match; a 1 bit means the address bit is ignored. Under that interpretation 192.168.1.1/0.255.0.255 would match only addresses of the form 192.*.1.*; this illustrates the bit semantics but is not a value the command accepts. |
| ipv6-address | Specifies an IPv6 address. | The value is in hexadecimal notation. |
| ipv6-prefix-length | Specifies the prefix length of the IPv6 address. | The value is an integer ranging from 1 to 128. |
| range | Indicates an address range. | - |
| ipv4-start-address | Specifies the start address of the IPv4 address range. | The value is in dotted decimal notation. |
| ipv4-end-address | Specifies the end address of the IPv4 address range. | The value is in dotted decimal notation. |
| ipv6-start-address | Specifies the start address of the IPv6 address range. | The value is in hexadecimal notation. |
| ipv6-end-address | Specifies the end address of the IPv6 address range. | The value is in hexadecimal notation. |
| description description | Specifies the description of an individual IPv4/IPv6 address or address segment. | The value is a string of 1 to 128 characters. |
When referencing destination addresses in a policy, you can run the destination-address-exclude command to exclude specific destination addresses. Traffic destined for the excluded addresses does not match the policy, so it falls through to the policies that follow (or to the default action if none matches).
When configuring a policy, you can reference destination addresses in the policy to control traffic access based on the addresses. For example, there are address groups Addr_group1 (10.1.1.40 to 10.1.1.50) and Addr_group2 (10.1.1.1/24), and the user wants to permit access to Addr_group2 but block access to Addr_group1. With configuration method 1 in the following table, you assign different actions to different addresses in separate policies; because Addr_group1 lies inside Addr_group2, the deny policy for Addr_group1 must be matched before the permit policy for Addr_group2. This method increases the number of policies and the policy maintenance workload. Alternatively, with configuration method 2, you run the destination-address-exclude command in the permit policy for Addr_group2 to exclude Addr_group1. This method has the same effect as method 1 and needs no additional policies.
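The following Python model is an added example, not the vendor's code; it implements the matching semantics described in the parameter table (contiguous mask and wildcard checks, range and prefix matching) and then evaluates the two configuration methods above, with first-match rule order, on constructed sample destinations. Addr_group1 and Addr_group2 are taken from the text; the rule dictionaries, the function names and the default action of deny when no rule matches are assumptions of this example.

```python
"""Model of destination-address matching with destination-address-exclude.

Added example, not vendor code. It models contiguous masks/wildcards,
address-set membership and first-match policy evaluation, so that
configuration method 1 (two policies) and method 2 (one policy with
destination-address-exclude) can be compared on sample traffic.
Assumption: the default action when no rule matches is deny.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def is_contiguous_mask(mask: str) -> bool:
    """Mask is valid only if its binary form is 1s followed by 0s
    (255.255.0.0 is valid, 255.0.255.0 is not)."""
    m = int(ipaddress.IPv4Address(mask))
    zeros = ~m & ALL_ONES  # trailing 0 bits as a number; must be 2^k - 1
    return m != 0 and zeros & (zeros + 1) == 0


def is_contiguous_wildcard(wildcard: str) -> bool:
    """Wildcard is valid only if its binary form is 0s followed by 1s
    (0.0.255.255 is valid, 0.255.0.255 is not)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return w & (w + 1) == 0  # w must be 2^k - 1


def match_mask(ip: str, addr: str, mask: str) -> bool:
    """Mask semantics: a 1 bit must match, a 0 bit is ignored."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous mask {mask}")
    m = int(ipaddress.IPv4Address(mask))
    diff = int(ipaddress.IPv4Address(ip)) ^ int(ipaddress.IPv4Address(addr))
    return diff & m == 0


def match_wildcard(ip: str, addr: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    w = int(ipaddress.IPv4Address(wildcard))
    diff = int(ipaddress.IPv4Address(ip)) ^ int(ipaddress.IPv4Address(addr))
    return diff & ~w & ALL_ONES == 0


def in_address_set(ip: str, entries) -> bool:
    """Entries: ("range", start, end), ("prefix", cidr), ("mask", addr, mask)
    or ("wildcard", addr, wildcard). Address families never match each other."""
    a = ipaddress.ip_address(ip)
    for kind, *args in entries:
        if kind == "range":
            lo, hi = (ipaddress.ip_address(x) for x in args)
            if lo.version == a.version and lo <= a <= hi:
                return True
        elif kind == "prefix":
            if a in ipaddress.ip_network(args[0], strict=False):
                return True
        elif kind == "mask" and a.version == 4 and match_mask(ip, *args):
            return True
        elif kind == "wildcard" and a.version == 4 and match_wildcard(ip, *args):
            return True
    return False


# Address groups from the usage guidelines (constructed sample configuration).
ADDRESS_SETS = {
    "Addr_group1": [("range", "10.1.1.40", "10.1.1.50")],
    "Addr_group2": [("prefix", "10.1.1.1/24")],
}


def rule_matches(rule: dict, dst: str) -> bool:
    """destination-address must hit and destination-address-exclude must not."""
    hit = any(in_address_set(dst, ADDRESS_SETS[s]) for s in rule["destination"])
    excluded = any(in_address_set(dst, ADDRESS_SETS[s]) for s in rule.get("exclude", ()))
    return hit and not excluded


def evaluate(rules, dst: str, default: str = "deny") -> str:
    """First matching rule wins; the default action applies when none matches."""
    for rule in rules:
        if rule_matches(rule, dst):
            return rule["action"]
    return default


# Method 1: deny Addr_group1 first, then permit Addr_group2 (order matters).
METHOD1 = [
    {"name": "deny_group1", "destination": ["Addr_group1"], "action": "deny"},
    {"name": "permit_group2", "destination": ["Addr_group2"], "action": "permit"},
]
# Method 2: one permit policy for Addr_group2 that excludes Addr_group1.
METHOD2 = [
    {"name": "permit_group2", "destination": ["Addr_group2"],
     "exclude": ["Addr_group1"], "action": "permit"},
]

# Constructed sample destinations: inside/outside the excluded range and the /24.
SAMPLE_DESTINATIONS = ["10.1.1.10", "10.1.1.45", "10.1.1.50", "10.1.1.51", "10.2.0.1"]


def compare_methods(dests=SAMPLE_DESTINATIONS) -> dict:
    """Map each destination to (method 1 action, method 2 action)."""
    return {d: (evaluate(METHOD1, d), evaluate(METHOD2, d)) for d in dests}


if __name__ == "__main__":
    for d, (m1, m2) in compare_methods().items():
        print(f"{d:<12} method1={m1:<6} method2={m2}")
    # Method 1 silently breaks if the two policies are reordered.
    print("reordered method1 for 10.1.1.45:", evaluate(list(reversed(METHOD1)), "10.1.1.45"))
```

Running the block shows both methods giving the same action for every sample destination, and the last line shows why method 1 carries a maintenance cost: swapping its two policies lets 10.1.1.45 through, whereas method 2 has no ordering dependency between the permitted set and the excluded set.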