The destination-address-exclude command excludes specific destination addresses from a policy rule, so that the device does not match the traffic destined for these addresses with this policy.
The undo destination-address-exclude command deletes the destination addresses excluded from a policy rule.
destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description description ]
undo destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range { ipv4-start-address ipv4-end-address } [ description ]
| Parameter | Description | Value |
|---|---|---|
| address-set address-set-name &<1-6> | Specifies the name of an address or address group. | The specified address or address group must exist. You can add or delete a maximum of six addresses or address groups at a time. |
| ipv4-address | Specifies the IPv4 address. | The value is in dotted decimal notation. |
| ipv4-mask-length | Specifies the mask length of an IPv4 address. | The value is an integer ranging from 1 to 32. |
| mask mask-address | Specifies the mask of an IPv4 address. | The value is in dotted decimal notation whose binary form must be consecutive. For example, 255.0.255.0 is not a legitimate mask because its binary form is 11111111.00000000.11111111.00000000. In the binary form, digits 1 are to be matched, whereas digits 0 are not. For example, 192.168.1.1/255.0.255.0 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
| wildcard | Specifies the wildcard of an IPv4 address. | The value is in dotted decimal notation whose binary form must be consecutive. For example, 0.255.0.255 is not a legitimate wildcard because its binary form is 00000000.11111111.00000000.11111111. In the binary form, digits 0 are to be matched, whereas digits 1 are not. For example, 192.168.1.1/0.255.0.255 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
| range | Indicates the address range. | - |
| ipv4-start-address | Specifies the start address of an IPv4 address range. | The value is in dotted decimal notation. |
| ipv4-end-address | Specifies the end address of an IPv4 address range. | The value is in dotted decimal notation. |
| description | Specifies the description of an individual IPv4 address or address segment. | The value is a string of 1 to 128 characters. |
When referencing destination addresses in a policy, you can run the destination-address-exclude command to exclude specific destination addresses. Traffic destined for the excluded addresses does not match the policy.
Application Scenarios
When configuring a policy, you can reference destination addresses in the policy to control traffic access based on those addresses. For example, there are address groups Addr_group1 (10.1.1.40 to 10.1.1.50) and Addr_group2 (10.1.1.0/24). The user wants to configure a policy that permits access to Addr_group2 but blocks access to Addr_group1. You can use configuration method 1 below to assign different actions to different addresses; this method increases the number of policies and the policy maintenance workload. Alternatively, you can use configuration method 2, which runs the destination-address-exclude command inside a single policy. This method has the same effect as method 1 and needs no additional policies.
Configuration method 1:

```text
<sysname> system-view
[sysname] rightm-policy
[sysname-policy-rightm] rule name policy_deny
[sysname-policy-rightm-rule-policy_deny] destination-address range 10.1.1.40 10.1.1.50
[sysname-policy-rightm-rule-policy_deny] action deny
[sysname-policy-rightm-rule-policy_deny] quit
[sysname-policy-rightm] rule name policy_permit
[sysname-policy-rightm-rule-policy_permit] destination-address 10.1.1.0 24
[sysname-policy-rightm-rule-policy_permit] action permit
```

Configuration method 2:

```text
<sysname> system-view
[sysname] rightm-policy
[sysname-policy-rightm] rule name policy_permit
[sysname-policy-rightm-rule-policy_permit] destination-address-exclude range 10.1.1.40 10.1.1.50
[sysname-policy-rightm-rule-policy_permit] destination-address 10.1.1.0 24
[sysname-policy-rightm-rule-policy_permit] action permit
```
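The following added example (not the device's own code) models the matching semantics this page describes, the mask and wildcard bit rules from the parameter table and the rule that excluded destinations never match, and checks that configuration method 1 and method 2 make the same decision for every sample address. The `Rule` class, the entry tuple forms and the default action of deny when no rule matches are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

def _i(a):
    return int(ipaddress.IPv4Address(a))

@dataclass
class Rule:
    # Hypothetical model of a policy rule's fields as described on this page.
    name: str
    action: str                                   # "permit" or "deny"
    dest: list = field(default_factory=list)      # destination-address entries
    exclude: list = field(default_factory=list)   # destination-address-exclude entries

def in_entry(addr, entry):
    """Entry forms: ("len", ip, prefix_len), ("mask", ip, mask), ("wildcard", ip, wc), ("range", start, end)."""
    kind, a, b = entry
    ip = _i(addr)
    if kind == "len":
        return ipaddress.IPv4Address(addr) in ipaddress.ip_network(f"{a}/{b}", strict=False)
    if kind == "mask":        # mask bits set to 1 must match
        return (ip & _i(b)) == (_i(a) & _i(b))
    if kind == "wildcard":    # wildcard bits set to 0 must match, bits set to 1 are ignored
        keep = ~_i(b) & 0xFFFFFFFF
        return (ip & keep) == (_i(a) & keep)
    if kind == "range":
        return _i(a) <= ip <= _i(b)
    raise ValueError(kind)

def rule_matches(rule, addr):
    """Excluded destinations never match the rule, even if a destination-address entry covers them."""
    return any(in_entry(addr, e) for e in rule.dest) and not any(in_entry(addr, e) for e in rule.exclude)

def evaluate(policy, addr, default="deny"):
    """First matching rule decides; 'default' (assumed deny) applies when nothing matches."""
    for rule in policy:
        if rule_matches(rule, addr):
            return rule.action
    return default

# The two configurations from the Application Scenarios section.
METHOD_1 = [Rule("policy_deny", "deny", dest=[("range", "10.1.1.40", "10.1.1.50")]),
            Rule("policy_permit", "permit", dest=[("len", "10.1.1.0", 24)])]
METHOD_2 = [Rule("policy_permit", "permit", dest=[("len", "10.1.1.0", 24)],
                 exclude=[("range", "10.1.1.40", "10.1.1.50")])]

def compare(addrs=("10.1.1.1", "10.1.1.39", "10.1.1.40", "10.1.1.50", "10.1.1.51", "10.1.2.1")):
    """Returns {addr: (method1_action, method2_action)}; both columns agree for every sample address."""
    return {a: (evaluate(METHOD_1, a), evaluate(METHOD_2, a)) for a in addrs}

if __name__ == "__main__":
    for a, (m1, m2) in compare().items():
        print(f"{a:12} method1={m1:6} method2={m2}")
```

Note that method 2 only blocks the excluded range because traffic that matches no rule falls through to the default action; if a later rule permits 10.1.1.0/24, the excluded addresses would be permitted by that rule instead.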