The if-match destination command configures a filtering rule based on the destination address.
The undo if-match destination command deletes the filtering rule based on the destination address.
By default, no filtering rule based on the destination address is configured.
Usage Scenario
To filter out the attack traffic to a specified destination, you can run the if-match destination command to configure a filtering rule based on the destination address for the BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route. Traffic matching the filtering rule will be controlled with the action specified by the apply clause.
Prerequisites
A static BGP Flow Specification IPv6 route has been created using the flow-route ipv6 command in the system view.
A static BGP IPv6 VPN Flow Specification route has been configured using the flow-route ipv6 vpn-instance command in the system view.
Configuration Impact
If if-match destination is configured in a BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route, a BGP (IPv6) Flow Specification peer or BGP VPN Flow Specification peer validates the route after receiving it. The route is valid only when it passes the validation rules specified in RFC 5575.
If you run the if-match destination command for the same BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route several times, the last configuration takes effect.
Follow-up Procedure
If the BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route carrying a filtering rule specified by the if-match destination command fails validation on the remote BGP (IPv6) Flow Specification peer or BGP (IPv6) VPN Flow Specification peer, run the peer validation-disable command to disable the validation.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpna
[~HUAWEI-vpn-instance-vpna] quit
[~HUAWEI] flow-route Rule1 ipv6 vpn-instance vpna
[*HUAWEI-flow-route-ipv6-vpna] if-match destination 2001:DB8:1::2 120
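The RFC 5575 check that a receiving peer applies to a flow route carrying a destination rule can be modelled as follows. This is an added example, not Huawei code: a simplified Python model of the two feasibility rules in RFC 5575 section 6, run against the destination from the configuration above. The unicast routes, originator IDs and AS numbers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class UnicastRoute:          # constructed model, not a device data structure
    prefix: ipaddress.IPv6Network
    originator: str          # originator of the unicast route (hypothetical ID)
    neighbor_as: int         # neighboring AS the route was received from

def best_match(rib, dest):
    """Longest-prefix unicast route covering the flow destination prefix."""
    covering = [r for r in rib if dest.subnet_of(r.prefix)]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)

def validate_flow_route(rib, dest, flow_originator):
    """Return (is_valid, reason) for a flow route with a destination rule."""
    best = best_match(rib, dest)
    if best is None:
        return False, "no unicast route covers the destination prefix"
    # Rule a: same originator as the best-match unicast route.
    if best.originator != flow_originator:
        return False, "originator differs from best-match unicast route"
    # Rule b: no more-specific unicast route from a different neighboring AS.
    for r in rib:
        if (r.prefix != dest and r.prefix.subnet_of(dest)
                and r.neighbor_as != best.neighbor_as):
            return False, f"more-specific route {r.prefix} from AS {r.neighbor_as}"
    return True, "valid"

# Destination from the session above; strict=False masks host bits (::2 -> ::/120).
DEST = ipaddress.ip_network("2001:DB8:1::2/120", strict=False)
# Constructed unicast routes (documentation prefix, private AS numbers).
RIB = [
    UnicastRoute(ipaddress.ip_network("2001:db8:1::/64"), "192.0.2.1", 65001),
    UnicastRoute(ipaddress.ip_network("2001:db8::/32"), "192.0.2.9", 65002),
]
MORE_SPECIFIC = UnicastRoute(
    ipaddress.ip_network("2001:db8:1::80/125"), "192.0.2.7", 65003)

if __name__ == "__main__":
    print(validate_flow_route(RIB, DEST, "192.0.2.1"))
    print(validate_flow_route(RIB, DEST, "192.0.2.9"))
    print(validate_flow_route(RIB + [MORE_SPECIFIC], DEST, "192.0.2.1"))
```

A route that fails either rule is the case in which the Follow-up Procedure applies; running peer validation-disable removes this check for flow routes received from that peer.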