if-match destination (Flow-Route VPN instance view)

Function

The if-match destination command configures a filtering rule based on the destination address.

The undo if-match destination command deletes the filtering rule based on the destination address.

By default, no filtering rule based on the destination address is configured.

Format

if-match destination ipv4Address [ maskLenEx | mask ]

undo if-match destination

Parameters

| Parameter | Description | Value |
|---|---|---|
| ipv4Address | Specifies the destination address of the traffic. | This value is in dotted decimal notation. |
| maskLenEx | Specifies the destination address mask of the traffic. | The value is an integer ranging from 0 to 32. |
| mask | Specifies the destination address mask of the traffic. | This value is in dotted decimal notation. |

Views

Flow-Route VPN instance view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| flow-route | write |

Usage Guidelines

Usage Scenario

To filter out the attack traffic to a specified destination, you can run the if-match destination command to configure a filtering rule based on the destination address for the BGP Flow Specification route or BGP VPN Flow Specification route. Traffic matching the filtering rule will be controlled with the action specified by the apply clause.

Prerequisites

A static BGP Flow Specification IPv4 route has been created using the flow-route command in the system view.

A static BGP VPN Flow Specification route has been configured using the flow-route vpn-instance command in the system view.

Configuration Impact

If if-match destination is configured in a BGP Flow Specification route or BGP VPN Flow Specification route, a BGP (IPv6) Flow Specification peer or BGP VPN Flow Specification peer authenticates the route after receiving it. The route is valid only if it passes the authentication rule specified in RFC 5575.

If you run the if-match destination command for the same BGP Flow Specification route or BGP VPN Flow Specification route several times, the last configuration takes effect.

Follow-up Procedure

If the BGP Flow Specification route or BGP VPN Flow Specification route carrying a filtering rule specified by the if-match destination command fails to be authenticated by the remote BGP (IPv6) Flow Specification peer or BGP (IPv6) VPN Flow Specification peer, run the peer validation-disable command to cancel the authentication.

Example

# Configure a filtering rule based on the destination address 10.1.1.1/24 for the static BGP VPN Flow Specification route Rule1.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpna
[~HUAWEI-vpn-instance-vpna] quit
[~HUAWEI] flow-route Rule1 vpn-instance vpna
[*HUAWEI-flow-route-vpna] if-match destination 10.1.1.1 24
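An added audit sketch (not Huawei code, not part of the original page) that works out which destination prefix each flow-route ends up filtering, applying the "last configuration takes effect" rule and undo, so that a rule such as 10.1.1.1 24 is seen to cover the whole 10.1.1.0/24 and not a single host. The session text, the Rule2 entry and the function names are constructed for illustration; the mask is assumed to be given explicitly (lines without one are skipped), and a non-contiguous mask is treated as an error.

```python
import ipaddress

# Constructed session in the style of the page's example (not captured from a device).
SAMPLE = """\
[~HUAWEI] flow-route Rule1 vpn-instance vpna
[*HUAWEI-flow-route-vpna] if-match destination 10.1.1.1 24
[*HUAWEI-flow-route-vpna] if-match destination 10.1.2.1 255.255.255.0
[~HUAWEI] flow-route Rule2 vpn-instance vpna
[*HUAWEI-flow-route-vpna] if-match destination 192.0.2.7 32
[*HUAWEI-flow-route-vpna] undo if-match destination
"""

def mask_to_len(mask):
    """Convert maskLenEx (0-32) or a dotted-decimal mask to a prefix length."""
    if mask.isdigit():
        if not 0 <= int(mask) <= 32:
            raise ValueError(f"mask length out of range: {mask}")
        return int(mask)
    host = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # A prefix has a single length, so the host part must be one run of low bits.
    # This also rejects wildcard-style masks such as 0.0.0.255.
    if host & (host + 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    return 32 - host.bit_length()

def parse_destination(addr, mask):
    """Return the IPv4 prefix that `ipv4Address mask` covers (host bits cleared)."""
    return ipaddress.IPv4Network(f"{addr}/{mask_to_len(mask)}", strict=False)

def effective_destinations(session):
    """Map each flow-route to the destination rule left in effect (None = no rule)."""
    rules, current = {}, None
    for raw in session.splitlines():
        words = raw.split("]", 1)[-1].split()      # drop the CLI prompt
        if words[:1] == ["flow-route"] and len(words) > 1:
            current = " ".join(words[1:])
            rules.setdefault(current, None)        # default: no destination rule
        elif current and words[:2] == ["if-match", "destination"] and len(words) == 4:
            rules[current] = parse_destination(words[2], words[3])   # last one wins
        elif current and words[:3] == ["undo", "if-match", "destination"]:
            rules[current] = None
    return rules

if __name__ == "__main__":
    for name, net in effective_destinations(SAMPLE).items():
        scope = f"{net} ({net.num_addresses} addresses)" if net else "no destination rule"
        print(f"{name}: {scope}")
```

Reviewing the address count per rule before committing is a quick way to catch a mask that is shorter than intended and would filter traffic to more hosts than the one under attack.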
Copyright © Huawei Technologies Co., Ltd.