[c-nsp] "Compressed" IPv6 ACLs on Cat6500
Saku Ytti
saku at ytti.fi
Thu Dec 9 16:59:24 EST 2010
On (2010-12-08 17:39 -0800), Mack McBride wrote:
> The misunderstanding is anything with a prefix longer than /88 includes discarded bits in the subnet portion
> as opposed to the host portion.
The missing bits are never/rarely going to lead to expected behaviour. Anything
more specific than /88 should just be used.
Checking the TCAM is a really useful way to observe how the issue of compression
is irrelevant, and you should only ever use /88 or less specific.
Consider ACL entries:
rtr#sh ipv6 access-list XYZZY
IPv6 access list XYZZY
deny tcp host 1234:5678:9ABC:DEF1:2345:6789:ABCD:EF12 eq www host 2001:DB8::1 eq 42 sequence 10
deny tcp F00F:C7C8::/104 eq www host 2001:DB8::1 eq 42 sequence 20
deny tcp F00F::C7C9:0/120 eq www host 2001:DB8::1 eq 42 sequence 30
Compiled as ACEs:
rtr#show tcam interface TenGigabitEthernet2/0/1.11 acl out ipv6
deny tcp 50:F00F:C7C8::/88(eui) eq www host 2A:2001:DB8::1(eui) eq 42
deny tcp 50:F00F::C9:0/104(eui) eq www host 2A:2001:DB8::1(eui) eq 42
deny tcp host 50:1234:5678:9ABC:DEF1:2345:67CD:EF12(eui) eq www host 2A:2001:DB8::1(eui) eq 42
Especially observe how sequence 20 becomes a completely different rule in
hardware, certainly not giving useful results.
So the simple answer/rule is: don't use anything more specific than /88, and
you're getting expected results. There really aren't any practical scenarios
where compression is relevant, as EUI-64 is less specific than /88 and anything
more specific is going to give undesirable results.
(Don't get confused by the first hextet (yeeeeeaaaaaaaaa), it is just the port number)
--
++ytti
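Worked model of the compression, added here as an example; it is not code from the post or from Cisco, and all function names are ours. The only assumption is what the three "show tcam" lines above show: the 128-bit address and its mask are squeezed to a 112-bit key by dropping bits 88-103 (the FF:FE filler of an EUI-64 interface ID). Running it reproduces those three hardware entries and, for each ACE longer than /88, constructs an address the hardware matches that the configured ACE never covered.

```python
"""Model of how a Cat6500 compresses IPv6 ACEs into 112-bit TCAM keys.

Added example, not code from the cisco-nsp post or from Cisco. Assumes only
what the 'show tcam' output in the post shows: address and mask lose bits
88-103 (bit 0 = MSB), everything else is kept.
"""
import ipaddress

DROP_LO, DROP_HI = 88, 104            # address bits [88, 104) are thrown away
KEEP_LOW = 128 - DROP_HI              # the 24 low bits (104-127) that survive
KEY_BITS = 128 - (DROP_HI - DROP_LO)  # 112-bit compressed key

# The three source-address ACEs from the post ('eq www' = port 80).
ACES = [
    "1234:5678:9ABC:DEF1:2345:6789:ABCD:EF12/128",
    "F00F:C7C8::/104",
    "F00F::C7C9:0/120",
]


def _net(x):
    return x if isinstance(x, ipaddress.IPv6Network) else ipaddress.IPv6Network(x)


def _addr(x):
    return x if isinstance(x, ipaddress.IPv6Address) else ipaddress.IPv6Address(x)


def compress(value: int) -> int:
    """Drop bits 88-103 of a 128-bit address or mask, returning 112 bits."""
    high = value >> (128 - DROP_LO)        # bits 0..87
    low = value & ((1 << KEEP_LOW) - 1)    # bits 104..127
    return (high << KEEP_LOW) | low


def compile_ace(net):
    """Return (compressed key, compressed mask, compressed prefix length)."""
    net = _net(net)
    key = compress(int(net.network_address))
    cmask = compress(int(net.netmask))
    # Cutting a middle chunk out of a contiguous mask leaves it contiguous,
    # so the new prefix length is just the number of mask bits left.
    return key, cmask, bin(cmask).count("1")


def tcam_text(port: int, net) -> str:
    """Render an ACE the way 'show tcam ... ipv6' prints it: the 16-bit
    port field first, then the 112-bit key, then the compressed length."""
    key, _, clen = compile_ace(net)
    shown = ipaddress.IPv6Address((port << KEY_BITS) | key)
    return f"{str(shown).upper()}/{clen}"


def hw_matches(net, addr) -> bool:
    """What the hardware does: compare only the 112 surviving bits."""
    key, cmask, _ = compile_ace(net)
    return (compress(int(_addr(addr))) & cmask) == (key & cmask)


def config_matches(net, addr) -> bool:
    """What the operator configured: a normal longest-prefix match."""
    return _addr(addr) in _net(net)


def survives_compression(net) -> bool:
    """True iff the hardware ACE matches exactly the configured set:
    the mask must stop before the dropped bits, i.e. /88 or shorter."""
    return _net(net).prefixlen <= DROP_LO


def leaked_address(net):
    """For an ACE longer than /88, build an address the configured ACE does
    not cover but the compressed hardware ACE does (bits 88-103 flipped).
    Returns None for /88 or shorter, where nothing leaks."""
    net = _net(net)
    if survives_compression(net):
        return None
    flipped = int(net.network_address) ^ (0xFFFF << KEEP_LOW)
    return ipaddress.IPv6Address(flipped)


if __name__ == "__main__":
    for ace in ACES:
        print(f"{ace:48} -> {tcam_text(80, ace)}")
        leak = leaked_address(ace)
        if leak is not None:
            print(f"   matched in hardware, not in config: {leak}")
```

The first loop line for sequence 20 prints "50:F00F:C7C8::/88", i.e. the same rule the router shows, and the leaked address for it is F00F:C7C8::FF:FF00:0, which the configured /104 excludes but the hardware denies anyway. Any prefix of /88 or shorter comes back from leaked_address as None, which is the rule the post ends on.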