ip ipv6-prefix

Function

The ip ipv6-prefix command configures a new IPv6 prefix list or one entry in an existing IPv6 prefix list.

The undo ip ipv6-prefix command deletes an IPv6 prefix list or one entry from the IPv6 prefix list.

By default, no IPv6 prefix list is configured.

Format

ip ipv6-prefix ipv6-prefix-name [ index index-number ] { deny | permit } ipv6-address prefix-length [ match-network ] [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]

undo ip ipv6-prefix ipv6-prefix-name [ index index-number ]

ip ipv6-prefix ipv6-prefix-name description text

undo ip ipv6-prefix ipv6-prefix-name description text

Parameters

Parameter Description Value
ipv6-prefix-name Specifies the name of an IPv6 prefix list. The name is a string of 1 to 169 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
index index-number Specifies the sequence number of the entry in the IPv6 prefix list. The value is an integer that ranges from 1 to 4294967295. By default, the sequence number increases with a step of 10 according to the configuration order, and the first number is 10.
NOTE:

A maximum of 65535 entries can be configured in an IPv6 prefix list.

permit Specifies the matching mode of the IPv6 prefix list as permit. In permit mode, if the IPv6 address to be filtered is in the defined prefix range, the IPv6 address matches the route-policy and does not continue to match the next entry. Otherwise, the IPv6 address continues to match the next entry. -
deny Specifies the matching mode of the IPv6 prefix list as deny. In deny mode, if the IPv6 address to be filtered is in the defined prefix range, the IPv6 address fails to match the route-policy and cannot match the next entry. Otherwise, the IPv6 address continues to match the next entry. -
ipv6-address Specifies the IPv6 prefix range in the form of an IPv6 address. If :: is specified, the address 0::0 is matched. -
prefix-length Specifies the IPv6 prefix range by using the mask length. The value is an integer ranging from 0 to 128. If :: 0 less-equal 128 is used, all IPv6 addresses are matched.
match-network Specifies to match the network address. match-network is used to filter routes to a specified IPv6 address and can be configured only when ipv6-address is 0.0.0.0. For example, the ip ipv6-prefix prefix1 permit :: 96 command filters all IPv6 routes with mask length 96, while the ip ipv6-prefix prefix1 permit :: 96 match-network command filters all routes to the IPv6 address range from ::1 to ::FFFF:FFFF. -
greater-equal greater-equal-value Specifies the minimum value for the matching range of the mask length. The value of greater-equal-value should be: mask-length <= greater-equal-value <= less-equal-value <= 128.
less-equal less-equal-value Specifies the maximum value for the matching range of the mask length. The value of less-equal-value should be: mask-length <= greater-equal-value <= less-equal-value <= 128. If the value of less-equal-value is 0, routes of any mask length match the filtering.
description text Specifies the description information of the IPv6 prefix list. It is a string of 1 to 80 case-sensitive characters, with spaces not supported.
NOTE:

Each entry in an IP prefix list has a sequence number specified by index-number. If no index-number is configured when a new entry is created, a default index-number is used based on the following rules:

  • The default value is the index-number of the previously created entry plus 10, and the value of a subsequent entry increases by 10 based on that of its previously created entry.
  • When the index-number of an entry reaches 4294967295, the default value of a new entry without index-number configured is the index-number of the previously created entry in the same prefix list plus 1, because the index-number cannot exceed 4294967295. Then, the value of a subsequent entry increases by 1 based on that of its previously created entry. If the index-number of an entry increases by 1 and reaches 4294967295, you must manually specify the index-number of a new entry. If you do not specify the value for the new entry, the configuration will fail.

If an IPv6 route to be filtered matches the IPv6 prefix in the current entry, you can match the mask length of this route against the specified mask length or a specified mask length range in the current entry.

  • If you do not configure greater-equal and less-equal, the matching mode is accurate matching; that is, only the IPv6 route whose mask length is prefix-length meets the matching conditions.
  • If you configure only greater-equal, the matching range of mask length is [greater-equal-value, 128].
  • If you configure only less-equal, the matching range of mask length is [prefix-length, less-equal-value].
  • If you configure both greater-equal and less-equal, the matching range of mask length is [greater-equal-value, less-equal-value].

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The IPv6 prefix list can be used by the protocols as a prefix filter, or used with the if-match ipv6 command as a matching condition of routing policies.

Each entry in the IPv6 prefix list can be considered as a filter rule. When a route to be filtered matches one of the entries, the matching mode of that entry determines whether the route is permitted by the IPv6 prefix list. Entries in the IPv6 prefix list are matched with routes to be filtered based on the following rules:

  • Sequence match: Entries in the IP prefix list are matched in ascending order of the index number. You can set the index numbers of entries to arrange the matching order you expect.

  • Unique match: When the route to be filtered matches one entry, it is not matched against the other entries.

  • Default deny: By default, if routes to be filtered do not match any entry in the IP prefix list, the routes are denied by the IP prefix list.

The following example shows how different IPv6 prefix lists take effect on the routes 1::1/96, 1::1/128, 1::1/100, 2::2/96, and 1::2/64.
Table 1 Matching results of IPv6 prefix lists

Case 1
Commands:
ip ipv6-prefix aa index 10 permit 1::1 96
Matching result: Only the route 1::1/96 is permitted, and the other routes are denied.
Note: This is a single-node accurate matching case, which indicates that only the route whose destination IPv6 address and mask are the same as those specified by the entry meets the matching conditions. In addition, permit is configured as the matching mode. Therefore, the route 1::1/96 is permitted, and other routes are denied because they fail to meet the matching conditions.

Case 2
Commands:
ip ipv6-prefix aa index 10 deny 1::1 96
Matching result: All routes are denied.
Note: This is also a single-node accurate matching case. deny is configured as the matching mode. Therefore, the route 1::1/96 is denied, and the other routes are denied based on the rule of matching failure by default because they fail to meet the matching conditions.

Case 3
Commands:
ip ipv6-prefix aa index 10 permit 1::1 96 less-equal 128
Matching result: The routes 1::1/96, 1::1/128, and 1::1/100 are permitted, and the other routes are denied.
Note: This is also a single-node accurate matching case. permit is configured as the matching mode, and less-equal is set to 128. Therefore, the routes with 1::1 as the prefix and the mask ranging from 96 to 128 can be permitted, and the other routes are denied based on the rule of matching failure by default because they fail to meet the matching conditions.

Case 4
Commands:
ip ipv6-prefix aa index 10 permit 1::1 96 greater-equal 96 less-equal 128
Matching result: The routes 1::1/96, 1::1/128, and 1::1/100 are permitted, and the other routes are denied.
Note: This is also a single-node accurate matching case. permit is configured as the matching mode, greater-equal is set to 96, and less-equal is set to 128. Therefore, the routes with 1::1 as the prefix and the mask ranging from 96 to 128 can be permitted, and the other routes are denied based on the rule of matching failure by default because they fail to meet the matching conditions. This case is similar to case 3 in terms of the matching result.

Case 5
Commands:
ip ipv6-prefix aa index 10 permit 1::1 96 greater-equal 100
Matching result: The routes 1::1/128 and 1::1/100 are permitted, and the other routes are denied.
Note: This is also a single-node accurate matching case. permit is configured as the matching mode, and greater-equal is set to 100. Therefore, the routes with 1::1 as the prefix and the mask ranging from 100 to 128 can be permitted, and the other routes are denied based on the rule of matching failure by default because they fail to meet the matching conditions.

Case 6
Commands:
ip ipv6-prefix aa index 10 permit 1::1 96 greater-equal 100 less-equal 128
Matching result: The routes 1::1/128 and 1::1/100 are permitted, and the other routes are denied.
Note: This is also a single-node accurate matching case. permit is configured as the matching mode, greater-equal is set to 100, and less-equal is set to 128. Therefore, the routes with 1::1 as the prefix and the mask ranging from 100 to 128 can be permitted, and the other routes are denied based on the rule of matching failure by default because they fail to meet the matching conditions. This case is similar to case 5 in terms of the matching result.

Case 7
Commands:
ip ipv6-prefix aa index 10 deny 1::1 96
ip ipv6-prefix aa index 20 permit 1::1 128
Matching result: The route 1::1/128 is permitted, and the other routes are denied.
Note: This is a multi-node accurate matching case. deny is configured as the matching mode of the matching entry indexed 10, and therefore the route 1::1/96 is denied by the matching entry indexed 10 based on the rule of one-time matching. The route 1::1/128 fails to match the matching conditions, and it is then matched against the entry indexed 20 for which permit is configured as the matching mode. Consequently, the route 1::1/128 matches the matching conditions of the entry indexed 20. The other routes are denied based on the rule of matching failure by default because they fail to meet the matching conditions.

Case 8
Commands:
ip ipv6-prefix aa index 10 permit :: 64 less-equal 128
Matching result: The routes 1::1/96, 1::1/128, 1::1/100, 2::2/96, and 1::2/64 are all permitted.
Note: If the IPv6 prefix is :: and you specify a mask and a mask length range after this IPv6 prefix, all routes with the mask length within the specified mask length range are denied or permitted, regardless of the mask.
The mask length range is from 64 to 128, :: is specified as the IPv6 address, and permit is configured as the matching mode. Therefore, all routes with the mask length within the range are permitted.

Case 9
Commands:
ip ipv6-prefix aa index 10 deny :: 96 less-equal 128
ip ipv6-prefix aa index 20 permit :: 0 less-equal 128
Matching result: The route 1::2/64 is permitted, and the other routes are denied.
Note: For the entry indexed 10, the mask length range is from 96 to 128, :: is specified as the IPv6 address, and deny is configured as the matching mode. Therefore, all routes with the mask length within the range are denied, and the route 1::2/64 that fails to match its matching conditions is then matched against the entry indexed 20. For the entry indexed 20, the mask length range is from 0 to 128, :: is specified as the IPv6 address, and permit is configured as the matching mode. Therefore, the route 1::2/64 is permitted by the entry indexed 20.

Case 10
Commands:
ip ipv6-prefix aa index 10 deny 2::2 96
ip ipv6-prefix aa index 20 permit :: 0 less-equal 128
Matching result: All routes except the route 2::2/96 are permitted.
Note: For the entry indexed 10, deny is configured as the matching mode. Therefore, the route 2::2/96 that matches its matching conditions is denied, and the other routes that fail to match the matching conditions are then matched against the entry indexed 20. For the entry indexed 20, the mask length range is from 0 to 128, :: is specified as the IPv6 address, and permit is configured as the matching mode. Therefore, all routes except the route 2::2/96 are permitted by the entry indexed 20.

Configuration Impact

If you create an entry whose index number is the same as an existing entry in the IPv6 prefix list, the created entry will replace the existing entry.

Before you run the undo ip ipv6-prefix command to delete an IPv6 prefix list that is referenced by another command, delete the reference configuration.

Precautions

If you specify ipv6-address prefix-length to be :: 0, only IPv6 default routes are matched.

If ipv6-address prefix-length is set to :: 0 less-equal 128, all routes will be matched.

NOTE:

The IPv6 prefix list adopts default deny as the matching mode. If you have created one or multiple entries in deny mode, but no entry in the permit mode, you must create an entry permit :: 0 less-equal 128 to permit IPv6 routes which do not match the entries in deny mode.

After a configuration is delivered, the device checks the validity of the parameters in the configuration and processes these parameters. After the processing, the generated configuration is the result of the AND calculation between the specified ipv6-address and prefix-length. For example, if the specified ipv6-address and prefix-length are 1::1 and 64, respectively, the generated configuration is 1:: 64.

If the ipv6-address in the generated configuration is ::, the configuration matches all IPv6 addresses. In this case, routes are filtered based on the following rules.

Table 2 Route filtering rules

Whether greater-equal and less-equal Exist in the Post-Processing Configuration

Condition

Matching Result

Example

Neither greater-equal nor less-equal exists.

The post-processing ipv6-address and prefix-length are :: and 0, respectively.

Matches only the default IPv6 route.

Pre-processing:

ip ipv6-prefix aa index 10 permit 1::1 0

Post-processing:

ip ipv6-prefix aa index 10 permit :: 0

Matching result: Only the default IPv6 route is permitted.

The post-processing ipv6-address and prefix-length are :: and X (non-0 value), respectively.

Matches all IPv6 routes with the prefix length of X.

Pre-processing:

ip ipv6-prefix aa index 10 permit ::1:1 96

Post-processing:

ip ipv6-prefix aa index 10 permit :: 96

Matching result: The IPv6 routes with the prefix length of 96 are permitted.

greater-equal exists, but less-equal does not.

The post-processing ipv6-address and prefix-length are :: and 0, respectively.

Matches all the IPv6 routes whose prefix length is within the range from greater-equal to 128.

Pre-processing:

ip ipv6-prefix aa index 10 permit 1::1 0 greater-equal 16

Post-processing:

ip ipv6-prefix aa index 10 permit :: 0 greater-equal 16 less-equal 128

Matching result: The IPv6 routes whose prefix length is within the range from 16 to 128 are permitted.

The post-processing ipv6-address and prefix-length are :: and X (non-0 value), respectively.

Matches all the IPv6 routes whose prefix length is within the range from greater-equal to 128.

Pre-processing:

ip ipv6-prefix aa index 10 permit ::1:1 96 greater-equal 120

Post-processing:

ip ipv6-prefix aa index 10 permit :: 96 greater-equal 120 less-equal 128

Matching result: The IPv6 routes whose prefix length is within the range from 120 to 128 are permitted.

greater-equal does not exist, but less-equal does.

The post-processing ipv6-address and prefix-length are :: and 0, respectively.

Matches all the IPv6 routes whose prefix length is within the range from 0 to less-equal.

Pre-processing:

ip ipv6-prefix aa index 10 permit 1::1 0 less-equal 120

Post-processing:

ip ipv6-prefix aa index 10 permit :: 0 less-equal 120

Matching result: The IPv6 routes whose prefix length is within the range from 0 to 120 are permitted.

The post-processing ipv6-address and prefix-length are :: and X (non-0 value), respectively.

Matches all the IPv6 routes whose prefix length is within the range from X to less-equal.

Pre-processing:

ip ipv6-prefix aa index 10 permit ::1:1 96 less-equal 120

Post-processing:

ip ipv6-prefix aa index 10 permit :: 96 greater-equal 96 less-equal 120

Matching result: The IPv6 routes whose prefix length is within the range from 96 to 120 are permitted.

Both greater-equal and less-equal exist.

The post-processing ipv6-address and prefix-length are :: and 0, respectively.

Matches all the IPv6 routes whose prefix length is within the range from greater-equal to less-equal.

Pre-processing:

ip ipv6-prefix aa index 10 permit 1::1 0 greater-equal 5 less-equal 30

Post-processing:

ip ipv6-prefix aa index 10 permit :: 0 greater-equal 5 less-equal 30

Matching result: The IPv6 routes whose prefix length is within the range from 5 to 30 are permitted.

The post-processing ipv6-address and prefix-length are :: and X (non-0 value), respectively.

Matches all the IPv6 routes whose prefix length is within the range from greater-equal to less-equal.

Pre-processing:

ip ipv6-prefix aa index 10 permit ::1:1 96 greater-equal 120 less-equal 124

Post-processing:

ip ipv6-prefix aa index 10 permit :: 96 greater-equal 120 less-equal 124

Matching result: The IPv6 routes whose prefix length is within the range from 120 to 124 are permitted.
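
The matching rules under Usage Scenario (sequence match, unique match, default deny, the mask length ranges) and the post-processing described in Table 2 can be checked offline before a prefix list is applied to a routing policy. The following Python model is an added example, not Huawei code: the function names are hypothetical, it assumes every entry carries an explicit index, and it does not model match-network.

```python
import ipaddress
from typing import NamedTuple

class Entry(NamedTuple):
    index: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv6Network   # post-processing form (address AND mask)
    lo: int                          # shortest mask length matched
    hi: int                          # longest mask length matched

def parse_entry(line: str) -> Entry:
    """Parse: ip ipv6-prefix NAME index N {permit|deny} ADDR LEN [greater-equal G] [less-equal L]"""
    tok = line.split()
    if len(tok) < 8 or tok[:2] != ["ip", "ipv6-prefix"] or tok[3] != "index" \
            or tok[5] not in ("permit", "deny") or "match-network" in tok:
        raise ValueError(f"unsupported entry: {line!r}")
    index, action, addr, plen = int(tok[4]), tok[5], tok[6], int(tok[7])
    opts = dict(zip(tok[8::2], map(int, tok[9::2])))
    ge, le = opts.get("greater-equal"), opts.get("less-equal")
    lo = plen if ge is None else ge
    hi = le if le is not None else (plen if ge is None else 128)
    if not plen <= lo <= hi <= 128:
        raise ValueError(f"invalid mask length range: {line!r}")
    return Entry(index, action, ipaddress.IPv6Network((addr, plen), strict=False), lo, hi)

def entry_matches(e: Entry, route: ipaddress.IPv6Network) -> bool:
    if not e.lo <= route.prefixlen <= e.hi:
        return False
    if int(e.network.network_address) == 0:
        return True                  # post-processing address :: matches every address
    return route.supernet(new_prefix=e.network.prefixlen) == e.network

def evaluate(config: list[str], route: str) -> str:
    entries = {e.index: e for e in map(parse_entry, config)}  # same index: last one wins
    r = ipaddress.IPv6Network(route, strict=False)
    for index in sorted(entries):    # sequence match: ascending index
        if entry_matches(entries[index], r):
            return entries[index].action   # unique match: first hit decides
    return "deny"                    # default deny: no entry matched

def permitted(config: list[str], routes: list[str]) -> list[str]:
    return [r for r in routes if evaluate(config, r) == "permit"]

# The five routes of Table 1 and its cases 7 and 9, copied from the page.
ROUTES = ["1::1/96", "1::1/128", "1::1/100", "2::2/96", "1::2/64"]
CASE_7 = ["ip ipv6-prefix aa index 10 deny 1::1 96",
          "ip ipv6-prefix aa index 20 permit 1::1 128"]
CASE_9 = ["ip ipv6-prefix aa index 10 deny :: 96 less-equal 128",
          "ip ipv6-prefix aa index 20 permit :: 0 less-equal 128"]

if __name__ == "__main__":
    print("case 7:", permitted(CASE_7, ROUTES))
    print("case 9:", permitted(CASE_9, ROUTES))
    # Table 2: ::1:1 96 is stored as :: 96, so every /96 route is permitted.
    print("::1:1 96:", permitted(["ip ipv6-prefix aa index 10 permit ::1:1 96"], ROUTES))
```

Running candidate entries through such a model before deployment shows when an address whose network bits are all zero collapses to :: and permits far more routes than the typed address suggests.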

Follow-up Procedure

If a routing policy that is already in use is being modified, RM immediately notifies the protocols to re-apply the routing policy after you configure the IPv6 prefix list. However, modifying a routing policy requires several commands. To prevent the protocols from repeatedly re-applying a routing policy that is still being modified, run the route-policy-change notify-delay command after you configure the IPv6 prefix list to configure a delay time for re-applying the routing policy.

Example

# Configure the IPv6 prefix list named p1 to permit the routes with the mask length ranging from 32 to 64 bits.

<sysname> system-view
[sysname] ip ipv6-prefix p1 permit :: 0 greater-equal 32 less-equal 64

# Configure the IPv6 prefix list named p2 to deny the routes with the IP prefix 3FFE:D00::/32 and with the prefix longer than 32 bits.

<sysname> system-view
[sysname] ip ipv6-prefix p2 deny 3FFE:D00:: 32 less-equal 128
[sysname] ip ipv6-prefix p2 permit :: 0 less-equal 128

# Configure the IPv6 prefix list named p3 to deny the routes to the IPv6 address range from ::1 to ::FFFF:FFFF.

<sysname> system-view
[sysname] ip ipv6-prefix p3 index 10 deny :: 96 match-network
[sysname] ip ipv6-prefix p3 index 20 permit :: 0 less-equal 128

Related Topics

route-policy-change notify-delay

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.