[c-nsp] "Compressed" IPv6 ACLs on Cat6500

Saku Ytti saku at ytti.fi
Wed Dec 8 15:35:33 EST 2010


On (2010-12-08 09:41 +0100), Robert Hass wrote:

> In ACLs we need to match tcp/udp port numbers so we will use 'mls ipv6
> acl compress address unicast' mode (only match 112 bits of IPv6
> address field).

How did you arrive at 112? My understanding of the compressed mode is
128-src_port-dst_port-flags = 128-16-16 = 88 usable bits for addresses.

You can use 'show tcam int foo acl in|out ipv6' to see what is actually
being programmed to hardware. In older versions, if you punched in too
specific an address, it was programmed as a punt adjacency, which is
undesired; today it seems to just program more specifics as /88.

> My question is: after enabling 'ipv6 acl compress', can I use > 112
> addresses (e.g. single hosts - /128) in an IPv6 ACL line which doesn't
> have port numbers?

No.


-- 
  ++ytti

