Foundry
configure policy ip_access_list
This command configures the IP access list for routes.
IP access lists are used to match any type of route prefix. An IP access list succeeds if a “permit” line in the list matches, and fails if a “deny” line matches. Matching proceeds sequentially and stops at the first match. A line in an IP access list matches according to the rules listed below.
•network netmask
Matches addresses as follows: the bits in the address part of the route being matched that are not covered by “one” bits in netmask must be equal to the corresponding bits in network. The “one” bits in netmask are sometimes referred to as “don’t care” bits, because the policy engine does not care what their values are.
•network netmask mask maskmask
Matches addresses as follows: the first pair of parameters (network, netmask) matches the address part of the route just as in the previous (network netmask) form. The second pair of parameters (mask, maskmask) is used in the same fashion to match the mask part of the route being matched. That is, the route matches if the address part matches and the bits of the route’s mask that are not covered by “one” bits in maskmask are equal to the corresponding bits in mask.
If neither permit nor deny is specified, the default is permit. All kinds of access_list entries may be mixed freely within a list, and there are no restrictions on what the access_list number may be. Any number of IP access list lines may be declared; they are evaluated in the order declared.
Parameter | Description |
--- | --- |
access_list | Access list number. The range is 1 - 99. |
number | Sequence number to insert into or delete from an existing access list entry. The range is 0 - 65535. |
action | deny: route map deny set operation. permit: route map permit set operation. |
network | Network route (IP address in dotted notation) |
netmask | Network mask as wildcard bits (IP address in dotted notation) |
mask | Network route’s mask (IP address in dotted notation) |
maskmask | Wildcard mask for the network route’s mask (in dotted notation) |
syntax:
[ no ] policy ip_access_list access_list < n > number < n > action < deny permit > [ network < IP address > ] [ netmask < IP address > ] [ mask < IP address > ] [ maskmask < IP address > ]
example:
This example permits prefixes 10.0.0.0/8, 10.0.0.0/9 and so on.
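The matching rules above, worked through in code. This is an added illustration, not Foundry’s implementation: it models one access list line as a dictionary, applies the (network, netmask) and optional (mask, maskmask) wildcard tests to a route’s address and mask, and walks the list in sequence order, first match deciding. The access list contents and the catch-all deny line are constructed for the example; the page does not state what happens when no line matches, so that case returns None here.

```python
import ipaddress

def make_line(number, action=None, network="0.0.0.0", netmask="255.255.255.255",
              mask=None, maskmask="0.0.0.0"):
    """One IP access list line. Dotted values become integers so the wildcard
    tests are plain bit operations. action=None means the default, permit."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    line = {"number": number, "action": action,
            "network": to_int(network), "netmask": to_int(netmask)}
    if mask is not None:            # the (mask, maskmask) pair is optional
        line["mask"] = to_int(mask)
        line["maskmask"] = to_int(maskmask)
    return line

def wildcard_match(value, pattern, wildcard):
    """'One' bits in wildcard are don't-care; every other bit of value must equal pattern."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)

def line_matches(line, address, mask):
    """Stage 1: route address against (network, netmask).
    Stage 2 (only if the line has a mask): route mask against (mask, maskmask)."""
    if not wildcard_match(address, line["network"], line["netmask"]):
        return False
    if "mask" in line:
        return wildcard_match(mask, line["mask"], line["maskmask"])
    return True

def evaluate(access_list, prefix):
    """Evaluate lines in sequence-number order; the first match decides.
    Returns 'permit', 'deny', or None when no line matched (not specified on the page)."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    address, mask = int(net.network_address), int(net.netmask)
    for line in sorted(access_list, key=lambda ln: ln["number"]):
        if line_matches(line, address, mask):
            return line["action"] or "permit"   # unspecified action defaults to permit
    return None

# Constructed list mirroring the page's example: permit 10.0.0.0/8, 10.0.0.0/9 and so on,
# i.e. any prefix inside 10/8 whose mask has at least its first 8 bits set.
EXAMPLE_LIST = [
    make_line(10, "permit", network="10.0.0.0", netmask="0.255.255.255",
              mask="255.0.0.0", maskmask="0.255.255.255"),
    make_line(20, "deny"),   # hypothetical catch-all: netmask of all ones matches any address
]

if __name__ == "__main__":
    for p in ("10.0.0.0/8", "10.0.0.0/9", "10.1.2.0/24", "10.0.0.0/7", "192.0.2.0/24"):
        print(p, evaluate(EXAMPLE_LIST, p))
```

Note that 10.0.0.0/7 fails the second stage: its mask 254.0.0.0 differs from 255.0.0.0 in a bit that maskmask 0.255.255.255 does not mark as don’t-care, so the catch-all deny line decides.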
3 - 6 | © 2004 Foundry Networks, Inc. | June 2004 |