[c-nsp] Why doesn't this IPv6 ACL work?
David Prall
dcp at dcptech.com
Mon Jun 21 22:29:56 EDT 2010
Very little difference between the two:
#sh sdm prefer dual-ipv4-and-ipv6 default
"desktop IPv4 and IPv6 default" template:
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 2K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 3K
number of directly-connected IPv4 hosts: 2K
number of indirect IPv4 routes: 1K
number of IPv6 multicast groups: 1.125k
number of directly-connected IPv6 addresses: 2K
number of indirect IPv6 unicast routes: 1K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0.5K
number of IPv6 security aces: 0.5K
#sh sdm prefer dual-ipv4-and-ipv6 routing
"desktop IPv4 and IPv6 routing" template:
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 1.5K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 2.75K
number of directly-connected IPv4 hosts: 1.5K
number of indirect IPv4 routes: 1.25K
number of IPv6 multicast groups: 1.125k
number of directly-connected IPv6 addresses: 1.5K
number of indirect IPv6 unicast routes: 1.25K
number of IPv4 policy based routing aces: 0.25K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.5K
number of IPv6 policy based routing aces: 0.25K
number of IPv6 qos aces: 0.5K
number of IPv6 security aces: 0.5K
Security ACES are exactly the same. I'm doing this on a 3560G as compared to
a 3750, but close enough.
--
http://dcp.dcptech.com
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen
> Sent: Monday, June 21, 2010 10:01 PM
> To: 'Cisco-nsp'
> Subject: Re: [c-nsp] Why doesn't this IPv6 ACL work?
>
> On 6/21/2010 18:48, David Prall wrote:
> > What is the SDM Template that you are using? What version of code?
> >
> > Just tried this on 12.2(46)SE
> >
>
> I'm 12.2(53)SE2 on this switch.
>
>
> > The current template is "desktop IPv4 and IPv6 routing" template.
> >
>
> Mine is set to "desktop IPv4 and IPv6 default"
>
> > Without any issue.
> >
>
>
> I tried changing the prefix to be out of my old /48 instead as a shot in
> the dark, and it didn't throw an error at me with this entry:
>
> permit tcp any host 2620:0:950:1:2c0:f0ff:fe5a:abe8 eq 25
>
> However, this continues to not work:
>
> permit tcp any host 2607:fe70:0:1:2c0:f0ff:fe5a:abe8 eq 25
>
> I can try switching to "routing" instead of "default" template.
> Otherwise I guess it's iptables/ip6tables time for me if this thing
> won't accept host addresses under my /32.
>
> ~Seth