3Com 9100 Switch User Manual


 
Using Access Profiles
The subnet mask specified in the access profile command is interpreted as
a reverse mask. A reverse mask indicates the bits that are significant in
the IP address. In other words, a reverse mask specifies the part of the
address that must match the IP address to which the profile is applied.
If you configure an IP address that must match exactly in order to be
denied or permitted, use a mask of /32 (for example, 141.251.24.28/32).
If the IP address represents a subnet address that you wish to deny or
permit, then configure the mask to cover only the subnet portion (for
example, 141.251.10.0/24).
If you are using off-byte boundary subnet masking, the same logic
applies, but the configuration is trickier. For example, the address
141.251.24.128/27 represents any host from subnet 141.251.24.128.
Access Profile Rules
The following rules apply when using access profiles:
Only one access profile can be applied to each application.
The access profile can either permit or deny the entries in the profile.
The same access profile can be applied to more than one application.
There is an implicit aspect to access profiles. For instance, if an access
profile of mode permit is applied, then all other sources are assumed
denied, and are not permitted access to the application. On the other
hand, if an access profile of mode deny is applied, then all other sources
are assumed permitted.
Access Profile Example
The following example creates an access profile named testpro, and
denies access for the device with the IP address 192.168.10.10:
create access-profile testpro type ipaddress
config access-profile testpro mode deny
config access-profile testpro add ipaddress 192.168.10.10/32
The following command applies the access profile testpro to Telnet:
enable telnet access-profile testpro
To view the contents of an access profile, type:
show access-profile <access_profile>
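
The mask matching and the implicit permit/deny rule described above can be checked offline before a profile is applied. The following Python code is an added example, not part of the 3Com manual or the switch software; its function names are hypothetical, and it assumes a profile is evaluated as this page describes: a source that matches any entry gets the profile's mode, and every other source gets the opposite.

```python
import ipaddress


def entry_matches(entry: str, source: str) -> bool:
    """True when source agrees with entry on every bit the mask covers."""
    network = ipaddress.ip_network(entry, strict=False)
    return ipaddress.ip_address(source) in network


def covered_range(entry: str) -> tuple[str, str]:
    """First and last address an entry covers (useful for off-byte masks)."""
    network = ipaddress.ip_network(entry, strict=False)
    return str(network[0]), str(network[-1])


def profile_allows(mode: str, entries: list[str], source: str) -> bool:
    """Apply the implicit rule: matched sources get `mode`, others the opposite."""
    if mode not in ("permit", "deny"):
        raise ValueError("mode must be 'permit' or 'deny'")
    matched = any(entry_matches(entry, source) for entry in entries)
    return matched if mode == "permit" else not matched


if __name__ == "__main__":
    # Constructed checks using the addresses that appear on this page.
    print(covered_range("141.251.24.128/27"))
    for src in ("192.168.10.10", "192.168.10.11"):
        print(src, profile_allows("deny", ["192.168.10.10/32"], src))
```

The second check shows that the deny-mode profile testpro leaves every source other than 192.168.10.10 permitted, which is the implicit behavior to keep in mind when choosing between permit and deny mode.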