On (2010-12-08 09:41 +0100), Robert Hass wrote:

> In ACLs we need to match tcp/udp port numbers so we will use 'mls ipv6
> acl compress address unicast' mode (only match 112 bits of IPv6
> address field).

Where did you arrive at 112? My understanding of the compressed mode is 128-src_port-dst_port-flags = 128-16-16 = 88 usable bits for addresses.

You can use 'show tcam int foo acl in|out ipv6' to see what is actually being programmed to hardware. In older versions, if you punched in too specific an address, it was programmed as punt adjacency, which is undesired; today it seems to just program more specifics as /88.

> My question is: After enabling 'ipv6 acl compress' Can I use > 112
> addresses (eg. single hosts - /128) in IPv6 ACL line which don't have
> port numbers ?

No.

--
++ytti
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
