User guide
ExtremeWare Software User Guide, page 16-17
Using Routing Access Policies
To configure the access profile mode, use the following command:
config access-profile <access_profile> mode [permit | deny | none]
Adding an Access Profile Entry
Next, configure the access profile by adding or deleting IP addresses, autonomous
system path expressions, or BGP communities, using the following command:
config access-profile <access_profile> add {<seq_number>} {permit |
deny} [ipaddress <ipaddress> <mask> {exact} | as-path <path-expression>
| bgp-community [internet | no-export | no-advertise |
no-export-subconfed | <as_no:number> | number <community>]]
The following sections describe the config access-profile add command.
Specifying Subnet Masks
The subnet mask specified in the access profile command is interpreted as a reverse
mask. A reverse mask indicates the bits that are significant in the IP address. In other
words, a reverse mask specifies the part of the address that must match the IP address
to which the profile is applied.
To permit or deny a single IP address as an exact match, use a mask of /32
(for example, 141.251.24.28/32). If the IP address represents all addresses in a
subnet that you wish to deny or permit, configure the mask to cover only the
subnet portion (for example, 141.251.10.0/24). Use the keyword exact when you
wish to match only against the subnet address and ignore all addresses within
the subnet.
If you are using off-byte boundary subnet masking, the same logic applies, but the
configuration is trickier. For example, the address 141.251.24.128/27 represents any
host from subnet 141.251.24.128.
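The mask logic above, worked through for the off-byte /27 case as an added Python example (not ExtremeWare code and not part of the original guide). The function names are hypothetical, the candidate addresses are constructed, and treating exact as "same subnet address and same mask length" is this example's reading of the text.

```python
import ipaddress

def covered_range(entry_prefix):
    """First and last address covered by an entry such as 141.251.24.128/27."""
    # strict=True rejects an entry whose address has bits set beyond the mask,
    # e.g. 141.251.24.130/27, which usually signals a mistyped subnet.
    net = ipaddress.ip_network(entry_prefix, strict=True)
    return str(net.network_address), str(net.broadcast_address)

def entry_matches(entry_prefix, candidate, exact=False):
    """True if candidate (host address or CIDR route) matches the entry."""
    net = ipaddress.ip_network(entry_prefix, strict=True)
    cand = ipaddress.ip_network(candidate, strict=False)  # bare host -> /32
    if exact:
        # Assumed reading of `exact`: only the subnet route itself matches.
        return cand == net
    # Otherwise every bit selected by the mask must agree, so any host or
    # more-specific route inside the subnet matches.
    return cand.subnet_of(net)

if __name__ == "__main__":
    # Constructed sample candidates around the page's /27 example.
    entry = "141.251.24.128/27"
    print(entry, "covers", covered_range(entry))
    for cand in ["141.251.24.128/27", "141.251.24.129", "141.251.24.159",
                 "141.251.24.160", "141.251.24.127", "141.251.24.144/28"]:
        print(f"{cand:20} match={entry_matches(entry, cand)!s:5} "
              f"exact={entry_matches(entry, cand, exact=True)}")
```

Checking the covered range before committing an off-byte entry shows exactly which neighbouring addresses a permit or deny will and will not reach.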
Sequence Numbering
You can specify the sequence number for each access profile entry. If you do not specify
a sequence number, entries are sequenced in the order they are added. Each entry is
assigned a value of 5 more than the sequence number of the last entry.