(Optional) Configuring an if-match Clause

Procedure

1. Run system-view

   The system view is displayed.

2. Run route-policy route-policy-name { permit | deny } node node

   The route-policy view is displayed.

3. Configure if-match clauses in the route-policy.
   • To configure a rule to match routes against a basic ACL, perform the following steps:

     1. Run if-match acl { acl-number | acl-name }

        A matching rule based on a basic ACL is configured.

     2. Run quit

        Return to the system view.

     3. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

        The ACL view is displayed.

     4. Run rule [ rule-id ] [ name rule-name ] { deny | permit }

        A rule is configured for the ACL.

        When the rule command is used to configure a filtering rule for a named ACL, only the configurations specified by source and time-range take effect.

        When a filter-policy of a routing protocol is used to filter routes:

        • If the action specified in an ACL rule is permit, a route matching the rule will be accepted or advertised by the system.

        • If the action specified in an ACL rule is deny, a route matching the rule will not be accepted or advertised by the system.

        • If the network segment of a route is not within the range specified in an ACL rule, the route will not be accepted or advertised by the system.

        • If an ACL does not contain any rules, none of the routes matched against the filter-policy that uses this ACL will be accepted or advertised by the system.

        • Routes can be filtered using a blacklist or whitelist:

          If ACL rules are used for matching in configuration order, the system matches the rules in ascending order of their IDs.

          Filtering using a blacklist: Configure a rule with a smaller ID and specify the action deny in this rule to filter out the unwanted routes. Then, configure another rule with a larger ID in the same ACL and specify the action permit in this rule to accept or advertise the other routes.

          Filtering using a whitelist: Configure a rule with a smaller ID and specify the action permit in this rule to permit the routes to be accepted or advertised. Then, configure another rule with a larger ID in the same ACL and specify the action deny in this rule to filter out the unwanted routes.

   • To configure a rule to match routes against a specified cost, run the if-match cost cost or if-match cost { greater-equal greater-equal-value [ less-equal less-equal-value ] | less-equal less-equal-value } command.

   • To configure a rule to match routes against a specified outbound interface, run the if-match interface { { interface-name | interface-type interface-number } &<1-16> } command.

   • To configure a rule to match routes against a specified route preference, run the if-match preference preference command.

   • To configure a rule to match IPv4 routes against a specified next hop or source address, run the if-match ip { next-hop | route-source | group-address } { acl { acl-number | acl-name } | ip-prefix ip-prefix-name } command.

   • To configure a rule to match routes against a specified IP prefix list, run the if-match ip-prefix ip-prefix-name command.

   • To configure a rule to match IPv6 routes, run the if-match ipv6 { address | next-hop | route-source } { acl { acl-number | acl-name } | prefix-list ipv6-prefix-name } command.
   • Run any of the following commands as needed to match routes of a specific type:
     • To configure a rule to match OSPF routes of a specified type, run the if-match route-type { external-type1 | external-type1or2 | external-type2 | internal | nssa-external-type1 | nssa-external-type1or2 | nssa-external-type2 } command.
     • To configure a rule to match IS-IS routes of a specified level, run the if-match route-type { is-is-level-1 | is-is-level-2 } command.
     • To configure a rule to match BGP routes, run the if-match route-type { ibgp | ebgp } command.
     • To configure a rule to match MVPN routes, run the if-match route-type mvpn { 1 | 3 } ^* command.
     • To configure a rule to match EVPN routes, run the if-match route-type evpn { ad | es | inclusive | mac | prefix | join | leave | smet } ^* command.
   • To configure a rule to match routes carrying a specified tag value, run the if-match tag tag command.
   • To configure a rule to match routes of a specific type of protocol, run the if-match protocol { direct | static | rip | ripng | ospf | ospfv3 | bgp | isis | unr } ^* command.
   • To configure a rule to match routes against a specified AS_Path length, run the if-match as-path length command.
   • To configure a rule to match routes against a specified AS_Path filter, run the if-match as-path-filter command.
   • To configure a rule to match routes against a specified Community filter, run the if-match community-filter command.
   • To configure a rule to match routes against a specified extcommunity filter, run any of the following commands as needed:
     • To match routes against a VPN target extcommunity filter, run the if-match extcommunity-filter command.
     • To match routes against an encapsulation extcommunity filter, run the if-match extcommunity-list encapsulation encapsulation-name command.
     • To match routes against an SoO extcommunity filter, run the if-match extcommunity-list soo extcomm-filter-name command.
     • To match routes against a segmented-nh extcommunity filter, run the if-match extcommunity-list segmented-nh segmented-nh-name command.
   • To configure a rule to match routes against a specified Large-Community filter, run the if-match large-community-filter lcfName [ whole-match ] command.
   • To configure a rule to match routes against a specified RD filter, run the if-match rd-filter rd-filter-number command.
   • To configure a rule to match BGP routes against a specified origin AS validation result, run the if-match rpki origin-as-validation { valid | invalid | not-found } command.
   • To configure a rule to match routes against a specified MPLS label, run the if-match mpls-label command.
   • To configure a rule to match routes against a specified MPLS Label2 value, run the if-match mpls-label2 command.
   • To configure a rule to match routes against a specified Layer 2 VNI list, run the if-match l2vni [ l2vni-list-name ] command.
   • To configure a rule to match routes against a specified Layer 3 VNI list, run the if-match l3vni [ l3vni-list-name ] command.
   • To configure a rule to match routes against a specified MAC address list, run the if-match mac-list mac-list-name command.
   • To configure a rule to match routes against a specified Ethernet tag list, run the if-match eth-tag-list eth-tag-list-name command.

   The commands in Step 3 can be run in any required order. A node may have multiple if-match clauses or no if-match clause.

   

   If multiple if-match clauses of a node in a route-policy define the same matching condition type, the relationship between them is "OR"; if the if-match clauses define different matching condition types, the relationship between these clauses is "AND". If you run any of the following if-match commands more than once, the latest configuration overrides the previous one:

   • if-match acl { acl-number | acl-name }
   • if-match cost cost
   • if-match extcommunity-list soo extcomm-filter-name
   • if-match ip next-hop { acl { acl-number | acl-name } | ip-prefix ip-prefix-name }
   • if-match ip route-source { acl { acl-number | acl-name } | ip-prefix ip-prefix-name }
   • if-match ip group-address { acl { acl-number | acl-name } | ip-prefix ip-prefix-name }
   • if-match ip-prefix ip-prefix-name
   • if-match ipv6 address { acl { acl-number | acl-name } | prefix-list ipv6-prefix-name }
   • if-match ipv6 next-hop { acl { acl-number | acl-name } | prefix-list ipv6-prefix-name }
   • if-match ipv6 route-source { acl { acl-number | acl-name } | prefix-list prefix-list ipv6-prefix-name }
   • if-match rd-filter rd-filter-number
   • if-match rpki origin-as-validation { invalid | not-found | valid }
   • if-match tag tag
   • if-match preference preference
   • if-match protocol { direct | static | rip | ripng | ospf | ospfv3 | bgp | isis | unr } ^*
   • if-match { mpls-label | mpls-label2 } ^*
   • if-match as-path length
   • if-match l2vni [ l2vni-list-name ]
   • if-match l3vni [ l3vni-list-name ]
   • if-match mac-list mac-list-name
   • if-match eth-tag-list eth-tag-list-name
   • if-match extcommunity-list encapsulation encapsulation-name
   • if-match extcommunity-list segmented-nh segmented-nh-name

   If no if-match clause is specified, all routes will match the route-policy node.

   You are not advised to use the same route-policy to filter both IPv4 and IPv6 routes when the route-policy address-family mismatch-deny command is not configured. Otherwise, services may be interrupted in the following scenarios:

   1. For the same route-policy, some nodes match IPv4 routes, and some nodes match IPv6 routes.
   2. A route-policy matches only IPv4 routes, but the route-policy is referenced by IPv6.
   3. A route-policy matches only IPv6 routes, but the route-policy is referenced by IPv4.

4. Run commit

   The configuration is committed.