Using CIDR notation for IPv4/IPv6 addresses

You can use CIDR (Classless Inter-Domain Routing) notation to enter an IPv4 mask-length or an IPv6 prefix-length with a source and destination address that are used as match criteria in a match/ignore statement. The switch interprets the IP address with CIDR notation to compute the range of corresponding IP source or destination addresses in packet headers that are considered to be a match for the traffic class.

When the switch uses a match/ignore statement to compare an IP address and corresponding mask/prefix length to the IP source/destination address carried in a packet, the IPv4 mask-bit settings and IPv6 prefix-bit settings select packets in different ways.

  • An IPv4 mask length creates a mask in which:
    • A mask-bit setting set to 0 (off) requires the corresponding bit in a packet's IPv4 source/destination address to be the same binary value as the mask-bit in the matching IPv4 source/destination address.

    • A mask-bit setting set to 1 (on) is used as a wildcard and allows the corresponding bit in a packet's IPv4 source/destination address to be either binary value (0 or 1).
      How CIDR notation is used with IPv4 SA/DA match criteria

      IPv4 Source/Destination address used with CIDR notation in a Match/Ignore statement

      Resulting mask

      Range of IPv4 addresses selected by the match criteria

      10.38.240.125/15

      0.1.255.255

      The leftmost 15 bits must match; the remaining bits are wildcards.

      10.38.240.125/20

      0.0.15.255

      The leftmost 20 bits must match; the remaining bits are wildcards.

      10.38.240.125/21

      0.0.7.255

      The leftmost 21 bits must match; the remaining bits are wildcards.

      10.38.240.125/24

      0.0.0.255

      The leftmost 24 bits must match; the remaining bits are wildcards.

      18.38.240.125/32

      0.0.0.0

      All bits must match.

  • An IPv6 prefix-length creates a mask in which:
    • A mask-bit setting set to 1 (on) requires the corresponding bit in a packet's IPv6 source/destination address to be the same binary value as the mask-bit in the matching IPv6 source/destination address.

    • A mask-bit setting set to 0 (off) is used as a wildcard and allows the corresponding bit in a packet's IPv6 source/destination address to be either binary value (0 or 1).

      How CIDR notation is used with IPv6 SA/DA match criteria

      IPv6 source/destination address used with CIDR notation in a Match/Ignore statement

      Resulting mask

      Range of IPv6 addresses selected by the match criteria

      2001:db8:0:7::5/64

      FFFF:FFFF:FFFF:FFFF::

      The leftmost 64 bits must match; the remaining bits are wildcards.

      2001:db8:0:7::5/72

      FFFF:FFFF:FFFF:FFFF:FF00::

      The leftmost 72 bits must match; the remaining bits are wildcards.

      2001:db8::244:17ff:feb6:d37d/126

      FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC

      The first 126 bits mst match; the C value in the mask allows four possible combinations (D37C, D37D, D37E, and D37F) in the last block of a matching IPv6 address.

      2001:db8:0:7:af:e2:c1:5/128

      FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

      All bits must match.

    NOTE:
    Although IPv4 and IPv6 masks are applied in opposite directions:
    • An IPv4 mask-length is applied from right to left, starting from the rightmost bits.

    • An IPv6 prefix-length is applied from left to right, starting from the leftmost bits.

    The behavior of IPv4 and IPv6 masks as match criteria and wildcards is the same.