Configure policy ip_access_list, Parameter description, Configure – Foundry Networks AR3202-CL User Manual


Foundry AR-Series Router User Guide

3 - 6

© 2004 Foundry Networks, Inc.

June 2004

configure policy ip_access_list

This command configures the IP access list for routes.

IP access lists are used for matching any type of route prefix. An IP access list is said to succeed if a “permit”
line in the list matches, and to fail if a “deny” line matches. Matching proceeds sequentially and stops at the first
match. A line in an IP access list is said to match according to the rules listed below.

network netmask

Matches addresses as follows: the bits in the address part of the route being matched that are not covered by
“one” bits in netmask must be equal to the corresponding bits in network. The “one” bits in netmask are
sometimes referred to as “don’t care” bits, because the policy engine does not care what their values are.

network netmask mask maskmask

Matches addresses as follows: the first pair of parameters (network, netmask) matches the address part of
the route just as in the previous (network netmask) form. The second pair of parameters (mask, maskmask)
is used to match against the mask part of the route being matched in a similar fashion. That is, the route is
matched if the address part matches and the bits in the route's mask that are not covered by “one” bits in maskmask
are equal to the corresponding bits in mask.

If neither permit nor deny is specified, the default is permit. All kinds of access_list entries may be mixed freely
within a list, and there are no restrictions on what the access_list number may be. Any number of IP access list
lines may be declared. They are evaluated in the order declared.

syntax:

[ no ] policy ip_access_list access_list < n > number < n > action < deny | permit > [ network < IP address > ] [ netmask < IP address > ] [ mask < IP address > ] [ maskmask < IP address > ]

example:

Foundry-AR1208/configure# policy ip_access_list 1 1 permit network 10.0.0.0 netmask 0.255.255.255

This example permits prefixes 10.0.0.0/8, 10.0.0.0/9 and so on.

Parameter      Description

access_list    Access list number. The range is 1 - 99.
number         Sequence number to insert into or delete from an existing access list. The range is 0 - 65535.
action
  deny         Route map deny set operation.
  permit       Route map permit set operation.
network        Network route (IP address in dotted notation)
netmask        Network mask as wildcard bits (IP address in dotted notation)
mask           Network route’s mask (IP address in dotted notation)
maskmask       Wildcard mask for network route’s mask (in dotted notation)
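The matching rules above can be modeled offline to check what a list accepts before it is applied. The following Python sketch is an added example, not code from the manual or from Foundry; the dict layout, function names and sample lists are hypothetical, and returning None when no line matches is an assumption because the page does not state that case.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(value, pattern, wildcard):
    """True if value equals pattern on every bit that is 0 in wildcard."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(value) ^ to_int(pattern)) & care) == 0

def line_matches(line, prefix):
    """Apply one access-list line (hypothetical dict form) to a route prefix."""
    net = ipaddress.IPv4Network(prefix)
    if not wildcard_match(str(net.network_address), line["network"], line["netmask"]):
        return False
    if "mask" in line:  # four-parameter form also constrains the route's mask
        return wildcard_match(str(net.netmask), line["mask"], line["maskmask"])
    return True

def evaluate(acl, prefix):
    """Action of the first matching line in declared order; None if no line matches."""
    for line in acl:
        if line_matches(line, prefix):
            return line.get("action", "permit")  # the manual's default action
    return None  # assumption: the page does not say what happens on no match

# The manual's example line: address must start with 10, prefix length is unchecked.
LOOSE = [{"action": "permit", "network": "10.0.0.0", "netmask": "0.255.255.255"}]
# Constructed: same network, but the route's mask must be exactly 255.0.0.0.
EXACT_8 = [{"action": "permit", "network": "10.0.0.0", "netmask": "0.0.0.0",
            "mask": "255.0.0.0", "maskmask": "0.0.0.0"}]
# Constructed: a deny declared after a broader permit is never reached.
DENY_66 = {"action": "deny", "network": "10.66.0.0", "netmask": "0.0.255.255"}
SHADOWED = LOOSE + [DENY_66]
REORDERED = [DENY_66] + LOOSE

if __name__ == "__main__":
    for name, acl in [("LOOSE", LOOSE), ("EXACT_8", EXACT_8),
                      ("SHADOWED", SHADOWED), ("REORDERED", REORDERED)]:
        for prefix in ["10.0.0.0/8", "10.0.0.0/9", "10.66.0.0/16", "10.1.2.3/32"]:
            print(f"{name:10} {prefix:15} {evaluate(acl, prefix)}")
```

The two-parameter line accepts every more-specific prefix under 10.0.0.0, including host routes, so a filter meant to admit only the /8 needs the mask and maskmask pair. Because evaluation stops at the first match, deny lines for narrower ranges have to be declared before the broader permit.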
