[c-nsp] "Compressed" IPv6 ACLs on Cat6500

[Mack McBride]

The bits that are ignored are a little higher up.

3333:3333:3333:3333:3333:33xx:xx33:AAAA

The rules are a bit more complicated than that as
those bits are fixed in EUI-64 addresses.
A different set of bits is lost if the upper 64 bits are zero.
So you only lose those bits when a statically configured IP is used.
Additionally those bits are only ignored in hardware.
Response in software will be different.
The assumption is that if you are manually assigning addresses then
you are using something less than 256 trillion hosts per vlan and can live
with losing those bits.

The vlan boundary is arbitrarily designed to be a /64.
So if you are assigning /112 you should still reserve the full /64 in case you need more hosts.

Mack McBride
Network Architect

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Hass
Sent: Wednesday, December 08, 2010 1:42 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] "Compressed" IPv6 ACLs on Cat6500

Hi
We just implementing IPv6 in our network. As we operating Cisco
6500/Sup720 we also have to configure some IPv6 ACLs on these devices.
In ACLs we need to match tcp/udp port numbers so we will use 'mls ipv6
acl compress address unicast' mode (only match 112 bits of IPv6
address field).

My question is: After enabled 'ipv6 acl compress' Can I use > 112
addresses (eg. single hosts - /128) in IPv6 ACL line which don't have
port numbers ?

For example:

ipv6 access-list test
 10 permit ip any 3333:3333:3333:3333:3333:33333:3333:AAAA/128
 20 permit tcp any 3333:3333:3333:3333:3333:33333:4444:0000/112 eq 22

Will line '10' work proper or it will match /112 subnet instead of /128 ?

Robert
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/