KB.15.15

Example 219 How IPv6 mask bit settings define a match

For an example in which an IPv6 prefix-length of 126 is used to select four IPv6 addresses in a

match statement, see Figure 86. The specified source IPv6 address is:

2001:DB8:0000:0000:244:17FF:FEB6:D37D. The IPv6 prefix-length (/126) results in the

IPv6 mask: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC.

Figure 86 Mask for matching four IPv6 devices

To see the on and off settings in the last block of the resulting IPv6 mask that determine the matching

IPv6 addresses, see Figure 86. In this mask, all bits except the last two are set to 1 (on) and must

be the same in an IPv6 address. The binary equivalent of hexadecimal C is 1100, which allows

the last two bits to differ.

Figure 87 How a mask determines four authorized IPv6 manager addresses

To see how the binary equivalent (1100) of the C value in the last block of the resulting IPv6 mask

supports four possible combinations (D37C, D37D, D37E, and D37F) in the last block of a matching

IPv6 address, see Figure 88. Therefore, the IPv6 mask that results from a /126 prefix-length matches

inbound traffic from four IPv6-based devices.

Figure 88 How hexadecimal C in an IPv6 mask matches four IPv6 addresses

For more detailed information on how to use CIDR notation to specify masks in match criteria, see

the Access Security Guide.

Resequencing match/ignore statements

Use the class command with the resequence option to reconfigure the number at which the

first match/ignore statement in the class starts, and reset the interval used to number other

354 Classifier-based software configuration