Within an exception filter policy, configure exception entries that contain criteria against which ingress, egress, and network traffic is matched. Packets that match the entry criteria are allowed to transit the NGE domain in clear text.
Enter an exception filter entry ID. The system does not dynamically assign a value.
Specify matching criteria.
Use the following CLI syntax to configure IP exception filter matching criteria:
- config>filter# ip-exception filter-id
  - entry entry-id [create]
    - description description-string
    - match
      - dst-ip {ip-address/mask | ip-address ipv4-address-mask}
      - dst-port {lt | gt | eq} dst-port-number
      - dst-port range dst-port-number dst-port-number
      - icmp-code icmp-code
      - icmp-type icmp-type
      - src-ip {ip-address/mask | ip-address ipv4-address-mask}
      - src-port {lt | gt | eq} src-port-number
      - src-port range src-port-number src-port-number

Example:
- config>filter>ip-except# entry 1 create
- config>filter>ip-except>entry# match
- config>filter>ip-except>entry>match# src-ip 10.10.10.10/32
- config>filter>ip-except>entry>match# dst-ip 10.10.10.91/24
- config>filter>ip-except>entry>match# exit
The following example displays a matching configuration.
A:domain1>config>filter>ip-exception# info
----------------------------------------------
    description "exception-main"
    scope exclusive
    entry 1
        match
            dst-ip 10.10.10.91/24
            src-ip 10.10.10.10/32
        exit
    exit
----------------------------------------------
A:domain1>config>filter>ip-except#
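
Because every packet that matches an exception entry leaves the NGE domain unencrypted, it is worth checking how much traffic an entry really covers before committing it. The following Python sketch is an added example, not vendor code: it audits the two prefixes from entry 1 above and tests constructed sample packets against them. It assumes conventional address-and-mask matching and that all criteria in an entry must match together; the function names and the packet list are hypothetical.

```python
import ipaddress

# Entry 1 from the configuration shown above (values copied from the page).
ENTRY = {"src-ip": "10.10.10.10/32", "dst-ip": "10.10.10.91/24"}

def audit_prefix(prefix):
    """Return (network actually matched, address count, host_bits_set)."""
    iface = ipaddress.ip_interface(prefix)
    net = iface.network
    return str(net), net.num_addresses, iface.ip != net.network_address

def matches(entry, src, dst):
    """True if a packet meets every criterion (assumed logical AND)."""
    src_net = ipaddress.ip_interface(entry["src-ip"]).network
    dst_net = ipaddress.ip_interface(entry["dst-ip"]).network
    return (ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net)

def review(entry, packets):
    """Report each criterion's real scope and the packets that bypass encryption."""
    report = {field: audit_prefix(value) for field, value in entry.items()}
    clear = [(s, d) for s, d in packets if matches(entry, s, d)]
    return report, clear

# Constructed sample packets (source, destination); not captured traffic.
PACKETS = [
    ("10.10.10.10", "10.10.10.91"),
    ("10.10.10.10", "10.10.10.200"),
    ("10.10.10.11", "10.10.10.91"),
    ("10.10.10.10", "10.10.11.91"),
]

if __name__ == "__main__":
    report, clear = review(ENTRY, PACKETS)
    for field, (net, count, host_bits) in report.items():
        note = " (host bits set: mask is wider than the address suggests)" if host_bits else ""
        print(f"{field}: matches {net}, {count} address(es){note}")
    for src, dst in clear:
        print(f"clear text: {src} -> {dst}")
```

Under these assumptions, `dst-ip 10.10.10.91/24` exempts traffic from 10.10.10.10 to every address in 10.10.10.0/24, not only to 10.10.10.91; a /32 mask would restrict the exception to the single host.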