[c-nsp] "Compressed" IPv6 ACLs on Cat6500

Mack McBride mack.mcbride at viawest.com
Fri Dec 10 16:43:04 EST 2010


This is exactly the expected behavior for sequence 30.
You can use longer than a /88 but don't expect differentiation on bits 39:24.
This corresponds to standard practice which would have those bits set to zero.
I.e., allocate a /64 but use a /112 or /120 to reduce exposure to ND cache exhaustion.

Mack McBride
Network Architect

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Thursday, December 09, 2010 2:59 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] "Compressed" IPv6 ACLs on Cat6500

On (2010-12-08 17:39 -0800), Mack McBride wrote:

> The misunderstanding is anything with a prefix longer than /88 includes discarded bits in the subnet portion 
> as opposed to the host portion.

The missing bits are never/rarely going to lead to expected behaviour. Anything
more specific than /88 should just be used.
Checking the TCAM is a really useful way to observe how the issue of compression
is irrelevant, and you should only ever use /88 or less specific.

Consider ACL entries:

rtr#sh ipv6 access-list XYZZY
IPv6 access list XYZZY
    deny tcp host 1234:5678:9ABC:DEF1:2345:6789:ABCD:EF12 eq www host 2001:DB8::1 eq 42 sequence 10
    deny tcp F00F:C7C8::/104 eq www host 2001:DB8::1 eq 42 sequence 20
    deny tcp F00F::C7C9:0/120 eq www host 2001:DB8::1 eq 42 sequence 30

Compiled as ACEs:

rtr#show tcam interface TenGigabitEthernet2/0/1.11 acl out ipv6
    deny         tcp 50:F00F:C7C8::/88(eui) eq www host 2A:2001:DB8::1(eui) eq 42
    deny         tcp 50:F00F::C9:0/104(eui) eq www host 2A:2001:DB8::1(eui) eq 42
    deny         tcp host 50:1234:5678:9ABC:DEF1:2345:67CD:EF12(eui) eq www host 2A:2001:DB8::1(eui) eq 42


Especially observe how the sequence 20 becomes a completely different rule in
hardware, certainly not giving useful results.

So the simple answer/rule is, don't use anything more specific than /88, and
you're getting expected results. There really aren't any practical scenarios
where compression is relevant, as EUI-64 is less specific than /88 and anything
more specific is going to give undesirable results.

(Don't get confused by the first hextet (yeeeeeaaaaaaaaa), it is just the port number)
-- 
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
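The bit-dropping both messages describe (bits 39:24 of the 128-bit address removed, leaving a 112-bit key, so anything longer than /88 loses differentiation) as an added Python model; this is not code from either poster, and the port field that `show tcam` prints as the first hextet (50:, 2A:) is only approximated here with a zero hextet.

```python
import ipaddress

# Cat6500 stores IPv6 ACL keys as 112 bits: bits 39:24 of the 128-bit
# address (bit 0 = least significant) are dropped, so whatever an ACE says
# about those 16 bits is lost in hardware.
DROP_HI, DROP_LO = 39, 24
KEY_BITS = 128 - (DROP_HI - DROP_LO + 1)   # 112


def compress_key(addr: str) -> int:
    """112-bit hardware key for an address: bits 127..40 followed by bits 23..0."""
    v = int(ipaddress.IPv6Address(addr))
    high = v >> (DROP_HI + 1)                # bits 127..40 (88 bits)
    low = v & ((1 << DROP_LO) - 1)           # bits 23..0  (24 bits)
    return (high << DROP_LO) | low


def compress_prefix(prefix: str) -> tuple[str, int]:
    """Compress addr/len as the TCAM does; returns (key text, effective length).

    The key is rendered as a 128-bit address with a zero top hextet, which is
    where the real 'show tcam' output prints the port field.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    covered_high = min(plen, 128 - (DROP_HI + 1))   # prefix bits above bit 39, max 88
    covered_low = max(0, plen - (128 - DROP_LO))    # prefix bits below bit 24, max 24
    key = compress_key(str(net.network_address))
    return str(ipaddress.IPv6Address(key)), covered_high + covered_low


def collide(prefix_a: str, prefix_b: str) -> bool:
    """True if two different ACEs compile to the same hardware rule."""
    return compress_prefix(prefix_a) == compress_prefix(prefix_b)


def hw_matches(prefix: str, addr: str) -> bool:
    """Would the compressed (hardware) rule match this packet address?"""
    net = ipaddress.IPv6Network(prefix, strict=False)
    _, eff_len = compress_prefix(prefix)
    mask = ((1 << eff_len) - 1) << (KEY_BITS - eff_len)
    return (compress_key(str(net.network_address)) & mask) == (compress_key(addr) & mask)


if __name__ == "__main__":
    # The three ACEs from the thread and their hardware form.
    for ace in ("1234:5678:9ABC:DEF1:2345:6789:ABCD:EF12/128",
                "F00F:C7C8::/104", "F00F::C7C9:0/120"):
        print(ace, "->", compress_prefix(ace))
    # Sequence 30 in hardware also matches an address it was never meant to.
    print(hw_matches("F00F::C7C9:0/120", "F00F::C8C9:1"))   # True
```

Compare `hw_matches` with the intended result, `ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix)`, to see which packets a longer-than-/88 ACE really catches.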