beautypg.com

Specifying subnet masks, Sequence numbering, Permit and deny entries – Extreme Networks 200 Series User Manual

Page 131: Deleting an access profile entry, Applying access profiles, Routing access policies for rip

background image

Using Routing Access Policies

Summit 200 Series Switch Installation and User Guide

129

Specifying Subnet Masks

The subnet mask specified in the access profile command is interpreted as a reverse mask. A reverse
mask indicates the bits that are significant in the IP address. In other words, a reverse mask specifies the
part of the address that must match the IP address to which the profile is applied.

If you configure an IP address that is an exact match that is specifically denied or permitted, use a mask
of /32 (for example, 141.251.24.28/32). If the IP address represents all addresses in a subnet address that
you want to deny or permit, then configure the mask to cover only the subnet portion (for example,
141.251.10.0/24). The keyword

exact

can be used when you wish to match only against the subnet

address, and ignore all addresses within the subnet.

If you are using off-byte boundary subnet masking, the same logic applies, but the configuration is
more tricky. For example, the address 141.251.24.128/27 represents any host from subnet 141.251.24.128.

Sequence Numbering

You can specify the sequence number for each access profile entry. If you do not specify a sequence
number, entries are sequenced in the order they are added. Each entry is assigned a value of 5 more
than the sequence number of the last entry.

Permit and Deny Entries

If you have configured the access profile mode to be

none

, you must specify each entry type as either

‘permit’ or ‘deny’. If you do not specify the entry type, it is added as a permit entry. If you have
configured the access profile mode to be

permit

or

deny

, it is not necessary to specify a type for each

entry.

Deleting an Access Profile Entry

To delete an access profile entry, use the following command:

config access-profile delete

Applying Access Profiles

Once the access profile is defined, apply it to one or more routing protocols or VLANs. When an access
profile is applied to a protocol function (for example, the export of RIP routes) or a VLAN, this forms an
access policy. A profile can be used by multiple routing protocol functions or VLANs, but a protocol
function or VLAN can use only one access profile.

Routing Access Policies for RIP

If you are using the RIP protocol, the switch can be configured to use an access profile to determine:

• Trusted Neighbor

—Use an access profile to determine trusted RIP router neighbors for the VLAN

on the switch running RIP. To configure a trusted neighbor policy, use the following command:

config rip vlan [ | all] trusted-gateway [ | none]

• Import Filter

—Use an access profile to determine which RIP routes are accepted as valid routes. This

policy can be combined with the trusted neighbor policy to accept selected routes only from a set of
trusted neighbors. To configure an import filter policy, use the following command:

config rip vlan [ | all] import-filter [ | none]

See also other documents in the category Extreme Networks Computer Accessories: