if-match destination (Flow-Route-IPv6 view)

Function

The if-match destination command configures a filtering rule based on the destination address.

The undo if-match destination command deletes the filtering rule based on the destination address.

By default, no filtering rule based on the destination address is configured.

Format

if-match destination ipv6Address maskLenEx

undo if-match destination

Parameters

Parameter | Description | Value
ipv6Address | Specifies the destination IPv6 address of a flow. | The address is a 32-bit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
maskLenEx | Specifies the destination address mask of the traffic. | The value is an integer ranging from 0 to 128.

Views

Flow-Route-IPv6 view

Default Level

2: Configuration level

Task Name and Operations

Task Name | Operations
flow-route | write

Usage Guidelines

Usage Scenario

To filter out the attack traffic to a specified destination, you can run the if-match destination command to configure a filtering rule based on the destination address for the BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route. Traffic matching the filtering rule will be controlled with the action specified by the apply clause.

Prerequisites

A static BGP Flow Specification IPv6 route has been created using the flow-route ipv6 command in the system view.

A static BGP IPv6 VPN Flow Specification route has been configured using the flow-route ipv6 vpn-instance command in the system view.

Configuration Impact

If if-match destination is configured in a BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route, a BGP (IPv6) Flow Specification peer or BGP VPN Flow Specification peer authenticates the route after receiving it. The route is valid only when it passes the authentication rule specified by RFC 5575.

If you run the if-match destination command for the same BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route several times, the last configuration takes effect.

Follow-up Procedure

If the BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route carrying a filtering rule specified by the if-match destination command fails to be authenticated by the remote BGP (IPv6) Flow Specification peer or BGP (IPv6) VPN Flow Specification peer, run the peer validation-disable command to cancel the authentication.

Example

# Configure a filtering rule based on the destination address 2001:db8:1::2/120 for the static BGP IPv6 Flow Specification route Rule1.
<HUAWEI> system-view
[~HUAWEI] flow-route Rule1 ipv6
[*HUAWEI-flow-route-ipv6] if-match destination 2001:db8:1::2 120
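The following is an added example, not Huawei code: a simplified Python model of the RFC 5575 section 6 validation mentioned under Configuration Impact, applied to the destination configured above. The unicast routes, originator IDs and AS numbers are constructed, and the model assumes one unicast route per prefix.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class UnicastRoute:              # constructed model of a received unicast route
    prefix: ipaddress.IPv6Network
    originator: str              # router that originated the route
    neighbor_as: int             # neighbouring AS the route was received from

def flow_destination(ipv6_address, mask_len):
    """Prefix matched by 'if-match destination <ipv6Address> <maskLenEx>'."""
    if not 0 <= mask_len <= 128:
        raise ValueError("mask length must be an integer from 0 to 128")
    # strict=False clears host bits: 2001:db8:1::2 120 covers 2001:db8:1::/120
    return ipaddress.IPv6Network((ipv6_address, mask_len), strict=False)

def rfc5575_feasible(dest, flow_originator, unicast):
    """Return (ok, reason) for the two feasibility rules of RFC 5575 section 6."""
    covering = [r for r in unicast if dest.subnet_of(r.prefix)]
    if not covering:
        return False, "no unicast route covers the destination prefix"
    # Rule a: same originator as the best-match (longest) unicast route.
    best = max(covering, key=lambda r: r.prefix.prefixlen)
    if best.originator != flow_originator:
        return False, "originator differs from best-match unicast route"
    # Rule b: no more specific unicast route from a different neighbouring AS.
    for r in unicast:
        more_specific = r.prefix != dest and r.prefix.subnet_of(dest)
        if more_specific and r.neighbor_as != best.neighbor_as:
            return False, f"more specific route {r.prefix} from AS {r.neighbor_as}"
    return True, "feasible"

# Constructed unicast table (documentation prefixes and private-use AS numbers).
TABLE = [
    UnicastRoute(ipaddress.IPv6Network("2001:db8:1::/48"), "192.0.2.1", 64500),
    UnicastRoute(ipaddress.IPv6Network("2001:db8:1::80/121"), "192.0.2.9", 64501),
]

if __name__ == "__main__":
    dest = flow_destination("2001:db8:1::2", 120)
    print("effective match prefix:", dest, "addresses:", dest.num_addresses)
    print(rfc5575_feasible(dest, "192.0.2.1", TABLE[:1]))
    print(rfc5575_feasible(dest, "192.0.2.1", TABLE))
    print(rfc5575_feasible(dest, "192.0.2.7", TABLE[:1]))
```

A route that fails either rule is the case the Follow-up Procedure describes; checking the covering and more specific unicast routes first shows why the peer rejected it before validation is disabled with peer validation-disable.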
Copyright © Huawei Technologies Co., Ltd.