[c-nsp] "Compressed" IPv6 ACLs on Cat6500

Saku Ytti saku at ytti.fi
Sat Dec 11 05:26:01 EST 2010


On (2010-12-10 13:43 -0800), Mack McBride wrote:

> This is exactly the expected behavior for sequence 30.
> You can use longer than a /88 but don't expect differentiation on bits 39:24.
> This corresponds to standard practice which would have those bits set to zero.
> I.e., allocate a /64 but use a /112 or /120 to reduce exposure to ND cache exhaustion.

I have no argument that this is what the platform should do; I'm just
saying that an operator using (assigning) more specific than /88 is not going
to be happy, so it makes sense to just not use more specific than /88.
What you're doing is using more specific, but you're making sure that
the security posture is the same inside the /88 (or in this case /64).

-- 
  ++ytti
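
An added example, not part of the original message or of any Cisco tooling: a small audit that flags ACL prefixes longer than /88 which rely on bits 39:24, and pairs of entries that become identical once those bits are ignored. It assumes bit 0 is the least significant bit of the address; the function names and sample prefixes are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Assumption: bit 0 is the least significant bit of the 128-bit address, so
# bits 39:24 are the 16 bits directly below the /88 boundary.
UNMATCHED_BITS = 0xFFFF << 24


def compressed_key(net):
    """Address and mask with bits 39:24 dropped, modelling 'no differentiation'."""
    keep = ~UNMATCHED_BITS
    return int(net.network_address) & keep, int(net.netmask) & keep


def audit(prefixes):
    """Return findings for ACL prefixes that depend on bits 39:24."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    findings = []
    for net in nets:
        # Longer than /88 with a non-zero value in the unmatched bits: the
        # entry asks for a distinction the thread says you will not get.
        if net.prefixlen > 88 and int(net.network_address) & UNMATCHED_BITS:
            findings.append(("nonzero-39:24", str(net)))
    for a, b in combinations(nets, 2):
        # Two different entries that become identical once bits 39:24 are ignored.
        if a != b and compressed_key(a) == compressed_key(b):
            findings.append(("indistinguishable", str(a), str(b)))
    return findings


# Constructed sample entries (documentation prefix 2001:db8::/32).
SAMPLE = [
    "2001:db8:0:1::1:0/112",    # bits 39:24 zero
    "2001:db8:0:1::2:0/112",    # bits 39:24 zero, differs in bits 17:16
    "2001:db8:0:1::100:0/112",  # bit 24 set
    "2001:db8:0:1::200:0/112",  # bit 25 set
    "2001:db8:0:2::/64",        # shorter than /88, unaffected
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Entries that pass the audit keep the same match semantics with or without bits 39:24, which is the "those bits set to zero" practice described in the quoted text.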

