IpAddrSet statement

Use the IpAddrSet statement to encapsulate either a prefix or range of IP address specifications. It can be referenced from any statement that allows for a set specification of IP addresses.

Syntax

Put Braces and Parameters on Separate Lines

IpAddrSet name
{
  Prefix ipaddress/prefixLength
  Range ipaddress-ipaddress
}

Parameters

name
A string 1 - 32 characters in length specifying the name of this IpAddrSet statement.

Rule: If this IpAddrSet statement is not specified inline within another statement, a name value must be provided. If a name is not specified for an inline IpAddrSet statement, a nonpersistent system name is created.

Prefix
A prefix IP address specification.

The prefixLength value is the number of unmasked leading bits in the ipaddress value. The prefixLength value can be in the range 0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. A packet matches this condition if its unmasked bits are identical to the unmasked bits defined.

Range
A range of IP addresses.
Rules for AT-TLS policies:
  • If the IP address is an IPv6 address, it cannot be an IPv4-mapped IPv6 address in hexadecimal or dotted decimal format or an IPv6 address with the reserved prefix ::/96. If the IPv6 address is one of these types, an error message is logged.
  • IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.
Rules for IPSec policies:
  • IPv4-mapped IPv6 addresses and IPv6 addresses with the reserved prefix ::/96 are valid only for IP filter rules and for the Identity parameter on local and remote security end points. If the IPv6 address is one of these types for any other IPSec policies, an error message is logged.
  • IPv6 policy is installed, but is not enforceable in a stack that is not IPv6 enabled.
Rules for IDS policies:
  • If the IP address is an IPv6 address, it cannot be an IPv4-mapped IPv6 address in hexadecimal or dotted decimal format or an IPv6 address with the reserved prefix ::/96. If the IPv6 address is one of these types, an error message is logged.
  • IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.
Rules for Routing policies:
  • If the IP address is an IPv6 address, it cannot be an IPv4-mapped IPv6 address in hexadecimal or dotted decimal format or an IPv6 address with the reserved prefix ::/96. If the IPv6 address is one of these types, an error message is logged.
  • IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.
Rules for ZERT policies:
  • If the IP address is IPv6, it cannot be an IPv4-mapped IPv6 address (in hexadecimal or dotted decimal format) or an IPv6 address with the reserved prefix ::/96. If the IPv6 address is one of these two types, an error message is logged.
  • IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.
Restriction:
  • This statement is not available for use with QoS policies.
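
The prefixLength range check, the matching rule and the per-policy IPv6 rules above, combined into a small pre-deployment lint in Python. This is an added example, not IBM code or part of Policy Agent; the function names, policy-type labels and finding texts are assumptions of the sketch, and it checks only the addresses as written in the statement.

```python
import ipaddress

# The two IPv6 forms the rules above single out (literal reading; this sketch
# assumes every address inside these /96 blocks is treated alike).
V4_MAPPED = ipaddress.ip_network("::ffff:0:0/96")
RESERVED_96 = ipaddress.ip_network("::/96")
REJECTING = {"AT-TLS", "IDS", "Routing", "ZERT"}  # policy types named on this page

def parse_spec(keyword, value):
    """Return (first, last, written): inclusive bounds plus addresses as written."""
    if keyword == "Prefix":
        ip_text, _, length = value.partition("/")
        ip = ipaddress.ip_address(ip_text)
        if not length.isdigit() or int(length) > ip.max_prefixlen:
            raise ValueError(f"prefixLength must be 0 - {ip.max_prefixlen}")
        # strict=False keeps only the unmasked leading bits of ipaddress
        net = ipaddress.ip_network(f"{ip}/{int(length)}", strict=False)
        return net.network_address, net.broadcast_address, [ip]
    if keyword == "Range":
        low, _, high = value.partition("-")
        first, last = ipaddress.ip_address(low), ipaddress.ip_address(high)
        # Assumption: both ends share one address family and are in ascending order
        if first.version != last.version or first > last:
            raise ValueError("Range ends must be one family, low-high")
        return first, last, [first, last]
    raise ValueError(f"unknown keyword {keyword!r}")

def lint(keyword, value, policy):
    """Return findings for one IpAddrSet body under the given policy type."""
    if policy == "QoS":
        return ["IpAddrSet is not available for QoS policies"]
    try:
        _, _, written = parse_spec(keyword, value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    for ip in written:
        if ip.version == 6 and (ip in V4_MAPPED or ip in RESERVED_96):
            if policy in REJECTING:
                findings.append(f"{ip}: IPv4-mapped or ::/96 address not allowed")
            elif policy == "IPSec":
                findings.append(f"{ip}: valid only for IP filter rules and Identity")
    return findings

def matches(keyword, value, packet_ip):
    """True if packet_ip falls inside the set (same family, within bounds)."""
    first, last, _ = parse_spec(keyword, value)
    ip = ipaddress.ip_address(packet_ip)
    return ip.version == first.version and first <= ip <= last
```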