The source-address-exclude command excludes specific source addresses from a policy rule, so that the device does not match the traffic from these addresses with this policy.
The undo source-address-exclude command deletes the source addresses excluded from a policy rule.
source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]
undo source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description ]
| Parameter | Description | Value |
|---|---|---|
| address-set address-set-name &<1-6> | Specifies the name of an address or address group. | The specified address or address group must exist. You can add or delete a maximum of six addresses or address groups at a time. |
| ipv4-address | Specifies the IPv4 address. | The value is in dotted decimal notation. |
| ipv4-mask-length | Specifies the mask length of an IPv4 address. | The value is an integer ranging from 1 to 32. |
| mask mask-address | Specifies the mask of an IPv4 address. | The value is in dotted decimal notation whose binary form cannot be inconsecutive. For example, 255.0.255.0 is not a legitimate wildcard because its binary form is 11111111.00000000.11111111.00000000. In the binary form, digits 1 are to be matched, whereas digits 0 are not. For example, 192.168.1.1/255.0.255.0 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
| wildcard | Specifies the wildcard of an IPv4 address. | The value is in dotted decimal notation whose binary form cannot be inconsecutive. For example, 0.255.0.255 is not a legitimate wildcard because its binary form is 00000000.11111111.00000000.11111111. In the binary form, digits 0 are to be matched, whereas digits 1 are not. For example, 192.168.1.1/0.255.0.255 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
| ipv6-address | Specifies the IPv6 address. | The value is in hexadecimal notation. |
| ipv6-prefix-length | Specifies the prefix length of an IPv6 address. | The value is an integer ranging from 1 to 128. |
| range | Indicates the address range. | - |
| ipv4-start-address | Specifies the start address of an IPv4 address range. | The value is in dotted decimal notation. |
| ipv4-end-address | Specifies the end address of an IPv4 address range. | The value is in dotted decimal notation. |
| ipv6-start-address | Specifies the start address of an IPv6 address range. | The value is in hexadecimal notation. |
| ipv6-end-address | Specifies the end address of an IPv6 address range. | The value is in hexadecimal notation. |
| description description | Specifies the description of an individual IPv4/IPv6 address or address segment. | The value is a string of 1 to 128 characters. |
When referencing source addresses in a policy, you can run the source-address-exclude command to exclude specific source addresses. Traffic from the excluded addresses does not match the policy.
Application Scenarios
When configuring a policy, you can reference source addresses in the policy to control traffic access based on the addresses. For example, there are address groups Addr_group1 (10.1.1.40-10.1.1.50) and Addr_group2 (10.1.1.0/24). The user wants to configure a policy to block traffic from Addr_group1 but permit traffic from Addr_group2. You can use configuration method 1 in the following table to assign different actions to different addresses. This method increases policies as well as policy maintenance workloads. Alternatively, you can use configuration method 2 to run the source-address-exclude command to configure the policy. This method has the same effect as method 1 and does not need additional policies.
| Configuration Method | Command |
|---|---|
| Method 1 | <sysname> system-view [sysname] security-policy [sysname-policy-security] rule name policy_deny [sysname-policy-security-rule-policy_deny] source-address range 10.1.1.40 10.1.1.50 [sysname-policy-security-rule-policy_deny] action deny [sysname-policy-security-rule-policy_deny] quit [sysname-policy-security] rule name policy_permit [sysname-policy-security-rule-policy_permit] source-address 10.1.1.0 24 [sysname-policy-security-rule-policy_permit] action permit |
| Method 2 | <sysname> system-view [sysname] security-policy [sysname-policy-security] rule name policy_sec [sysname-policy-security-rule-policy_sec] source-address-exclude range 10.1.1.40 10.1.1.50 [sysname-policy-security-rule-policy_sec] source-address 10.1.1.0 24 [sysname-policy-security-rule-policy_sec] action permit |