User Guide

OmniAccess SafeGuard OS Administration Guide
304
Chapter 7: Establishing a Security Policy
phones. However, she wants an exception for one IP phone to be permitted. The order of
the entries becomes important.
Example 1 (incorrect):
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #system white-black list
(SafeGuardOS) (whiteblack-list) #mac 1a:2b:3c:00:00:00 ff:ff:ff:00:00:00 deny description "IP phones"
(SafeGuardOS) (whiteblack-list) #mac 1a:2b:3c:aa:bb:cc ff:ff:ff:ff:ff:ff permit description "My IP phone"
Example 2 (correct):
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #system white-black list
(SafeGuardOS) (whiteblack-list) #mac 1a:2b:3c:aa:bb:cc ff:ff:ff:ff:ff:ff permit description "My IP phone"
(SafeGuardOS) (whiteblack-list) #mac 1a:2b:3c:00:00:00 ff:ff:ff:00:00:00 deny description "IP phones"
(SafeGuardOS) (whiteblack-list) #exit
(SafeGuardOS) (config) #exit
(SafeGuardOS) #
Example 2 is the correct configuration because the more specific MAC address/mask
entry comes first and therefore overrides the deny statement that follows it.
Example 1 is incorrect because, even though the second statement is more specific,
the preceding deny statement has already set all phones to deny.
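The ordering rule above, as an added Python example (not part of the guide and not SafeGuard OS code). It assumes the list is evaluated top-down with the first matching entry deciding the result, as the two examples imply, and it flags entries that an earlier, broader entry makes unreachable. The function names are hypothetical.

```python
# Added illustration: models the ordered list as first-match-wins, which is
# an assumption drawn from the two examples above, not SafeGuard OS code.

def mac_to_int(text):
    """Parse aa:bb:cc:dd:ee:ff into a 48-bit integer."""
    parts = text.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address or mask: {text!r}")
    return int("".join(parts), 16)

def parse_entry(line):
    """Parse 'mac <addr> <mask> permit|deny' into (addr, mask, action)."""
    keyword, addr, mask, action = line.split()[:4]
    if keyword != "mac" or action not in ("permit", "deny"):
        raise ValueError(f"unrecognised entry: {line!r}")
    mask_i = mac_to_int(mask)
    return mac_to_int(addr) & mask_i, mask_i, action

def evaluate(entries, mac):
    """Return the action of the first matching entry, or None if none match."""
    value = mac_to_int(mac)
    for addr, mask, action in entries:
        if value & mask == addr:
            return action
    return None  # the list's default behaviour is not modelled here

def shadowed(entries):
    """Return (earlier, later) index pairs where the later entry can never match."""
    pairs = []
    for j, (addr_j, mask_j, _) in enumerate(entries):
        for i, (addr_i, mask_i, _) in enumerate(entries[:j]):
            # Earlier entry covers the later one if its mask bits are a subset
            # of the later mask and the addresses agree on those bits.
            if mask_i & mask_j == mask_i and addr_j & mask_i == addr_i:
                pairs.append((i, j))
                break
    return pairs

# The two configurations from the guide, in the order they are entered.
EXAMPLE_1 = [parse_entry(l) for l in (
    "mac 1a:2b:3c:00:00:00 ff:ff:ff:00:00:00 deny",
    "mac 1a:2b:3c:aa:bb:cc ff:ff:ff:ff:ff:ff permit")]
EXAMPLE_2 = list(reversed(EXAMPLE_1))

if __name__ == "__main__":
    for name, entries in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, evaluate(entries, "1a:2b:3c:aa:bb:cc"), shadowed(entries))
```

A non-empty result from `shadowed` on a planned list means an exception entry has been placed after the broader entry it is meant to override.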
Removing an Entry
To remove an entry from the system white-black list, use the no version of the command:
no mac mac_addr mask
The no version of the command removes the MAC address from the system white-black
list. This example removes a printer from the system white-black list:
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #system white-black list
(SafeGuardOS) (whiteblack-list) #no mac 11:22:33:44:55:66 ff:ff:ff:ff:ff:ff
(SafeGuardOS) (whiteblack-list) #exit
(SafeGuardOS) (config) #exit
(SafeGuardOS) #
Use the show system white-black list command to see the contents of the list. This
command is further discussed in Showing System White-Black List on page 333.
Syntax Description
mask        Specifies a subnet mask in dotted-quad notation. For example,
            ff:ff:ff:ff:ff:ff.