Intel 480T Switch User Manual


 
CHAPTER 17 Access Policies
with each entry in the list. Once a match is found, the operation is
either permitted or denied, depending on the configuration of the
matched entry. If no match is found, the operation is implicitly
denied.
To add or delete IP addresses or VLANs from an access profile, use
this command:
configure access-profile <access_profile> [add | delete] {ipaddress <ipaddress> <mask>}
Then, configure the access profile mode using
configure access-profile <access_profile> mode [permit | deny | none]
Adding an Access Profile Entry
Next, configure the access profile by adding or deleting IP
addresses, autonomous system path expressions, or BGP
communities, using this command:
configure access-profile <access_profile> [add | delete | mode] {<seq_number>} {permit | deny} [ipaddress <ipaddress> | <mask> {exact} | as-path <path-expression> | bgp-community [internet | no-export | no-advertise | no-export-subconfed | <as_no:number> | number <community>]]
These sections describe the configure access-profile add
command.
Specifying Subnet Masks
The subnet mask specified in the access profile command is
interpreted as a reverse mask. A reverse mask indicates the bits that
are significant in the IP address. In other words, a reverse mask
specifies the part of the address that must match the IP address to
which the profile is applied.
To configure an IP address as an exact match that is specifically
denied or permitted, use a mask of /32 (for example,
141.251.24.28/32).
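The first-match evaluation and implicit deny described above, together with the way the mask selects the significant address bits, can be modelled as follows. This is an added example, not code from the manual or the switch: the profile entries are constructed, evaluation in ascending sequence-number order is an assumption, and the exact keyword is not modelled.

```python
import ipaddress

# Constructed sample profile: (seq_number, action, network).
# Assumption: entries are compared in ascending sequence-number order.
PROFILE = [
    (5,  "deny",   "141.251.24.28/32"),  # one host: all 32 bits significant
    (10, "permit", "141.251.10.0/24"),   # whole subnet: first 24 bits significant
    (15, "permit", "141.251.24.0/24"),
]

# Same entries, but the host deny is sequenced after the subnet permit.
REORDERED = [
    (10, "permit", "141.251.10.0/24"),
    (15, "permit", "141.251.24.0/24"),
    (20, "deny",   "141.251.24.28/32"),
]


def evaluate(profile, address):
    """Return (action, seq) of the first matching entry, or implicit deny."""
    addr = ipaddress.ip_address(address)
    for seq, action, net in sorted(profile, key=lambda e: e[0]):
        if addr in ipaddress.ip_network(net):
            return action, seq
    return "deny", None  # no entry matched: implicitly denied


def shadowed(profile):
    """Return (seq, covering_seq) for entries an earlier entry fully covers."""
    ordered = sorted(profile, key=lambda e: e[0])
    hits = []
    for i, (seq, _action, net) in enumerate(ordered):
        candidate = ipaddress.ip_network(net)
        for prev_seq, _prev_action, prev_net in ordered[:i]:
            if candidate.subnet_of(ipaddress.ip_network(prev_net)):
                hits.append((seq, prev_seq))  # this entry can never match
                break
    return hits


if __name__ == "__main__":
    for ip in ("141.251.24.28", "141.251.24.29", "141.251.10.200", "10.0.0.1"):
        print(ip, evaluate(PROFILE, ip), evaluate(REORDERED, ip))
    print("unreachable entries after reordering:", shadowed(REORDERED))
```

Running shadowed() over a profile before applying it flags a narrow deny that a broader, earlier permit has made unreachable.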
If the IP address represents all addresses in a subnet address that you
wish to deny or permit, then configure the mask to cover only the
subnet portion (for example, 141.251.10.0/24). The keyword exact