This is exactly the expected behavior for sequence 30. You can use longer than a /88 but don't expect differentiation on bits 39:24. This corresponds to standard practice which would have those bits set to zero. I.e. allocate a /64 but use a /112 or /120 to reduce exposure to ND cache exhaustion.
Mack McBride
Network Architect

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Saku Ytti
Sent: Thursday, December 09, 2010 2:59 PM
To: [email protected]
Subject: Re: [c-nsp] "Compressed" IPv6 ACLs on Cat6500

On (2010-12-08 17:39 -0800), Mack McBride wrote:

> The misunderstanding is anything with a prefix longer than /88 includes
> discarded bits in the subnet portion
> as opposed to the host portion.

The missing bits are never/rarely going to lead to expected behaviour.
Anything more specific than /88 should just be used.

Checking the TCAM is a really useful way to observe how the issue of
compression is irrelevant, and you should only ever use /88 or less
specific. Consider ACL entries:

rtr#sh ipv6 access-list XYZZY
IPv6 access list XYZZY
    deny tcp host 1234:5678:9ABC:DEF1:2345:6789:ABCD:EF12 eq www host 2001:DB8::1 eq 42 sequence 10
    deny tcp F00F:C7C8::/104 eq www host 2001:DB8::1 eq 42 sequence 20
    deny tcp F00F::C7C9:0/120 eq www host 2001:DB8::1 eq 42 sequence 30

Compiled as ACEs:

rtr#show tcam interface TenGigabitEthernet2/0/1.11 acl out ipv6
    deny tcp 50:F00F:C7C8::/88(eui) eq www host 2A:2001:DB8::1(eui) eq 42
    deny tcp 50:F00F::C9:0/104(eui) eq www host 2A:2001:DB8::1(eui) eq 42
    deny tcp host 50:1234:5678:9ABC:DEF1:2345:67CD:EF12(eui) eq www host 2A:2001:DB8::1(eui) eq 42

Especially observe how the sequence 20 becomes a completely different
rule in hardware, certainly not giving useful results.

So the simple answer/rule is, don't use anything more specific than /88,
and you're getting expected results.

There really aren't any practical scenarios where compression is
relevant, as EUI-64 is less specific than /88 and anything more specific
is going to give undesirable results.
(Don't get confused by the first hextet (yeeeeeaaaaaaaaa), it is just the port number)

-- 
  ++ytti
_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
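Worked through as an added example, not code from either poster: the 16-bit gap at bits 39:24 that the thread describes, reproduced in Python over the thread's own ACEs so the /104 to /88 and /120 to /104 rewrites seen in the "show tcam" output can be checked, plus the pair of hosts a /128 ACE can no longer tell apart (those two host addresses are constructed for the example).

```python
import ipaddress

# Per the thread, the Cat6500 drops bits 39:24 of the 128-bit address when it
# compresses an IPv6 ACE into its 112-bit "(eui)" TCAM key; everything else is kept.
DROPPED_HI, DROPPED_LO = 39, 24
KEEP_HIGH_SHIFT = DROPPED_HI + 1          # bits 127:40 survive
KEEP_LOW_MASK = (1 << DROPPED_LO) - 1     # bits 23:0 survive
GAP_BITS = DROPPED_HI - DROPPED_LO + 1    # 16 bits lost


def compress(addr: str) -> int:
    """112-bit TCAM key: bits 127:40 followed directly by bits 23:0."""
    v = int(ipaddress.IPv6Address(addr))
    return ((v >> KEEP_HIGH_SHIFT) << DROPPED_LO) | (v & KEEP_LOW_MASK)


def compressed_text(addr: str) -> str:
    """Render the key as seven hextets, the way 'show tcam' prints it."""
    key = compress(addr)
    return ":".join(f"{(key >> (16 * i)) & 0xFFFF:x}" for i in reversed(range(7)))


def effective_prefixlen(prefixlen: int) -> int:
    """Prefix length the hardware actually enforces once the gap is removed."""
    if prefixlen <= 128 - KEEP_HIGH_SHIFT:   # /88 or shorter: nothing lost
        return prefixlen
    if prefixlen <= 128 - DROPPED_LO:        # /89../104: extra bits all sit in the gap
        return 128 - KEEP_HIGH_SHIFT
    return prefixlen - GAP_BITS              # /105../128: 16 bits silently dropped


def loses_bits(prefixlen: int) -> bool:
    """True when the ACE constrains bits the TCAM key no longer carries."""
    return prefixlen > 128 - KEEP_HIGH_SHIFT


def hardware_view(ace_prefix: str) -> tuple[str, int, bool]:
    """Audit one 'addr/len' ACE: (key text, enforced length, bits lost?)."""
    addr, _, plen = ace_prefix.partition("/")
    plen = int(plen) if plen else 128
    return compressed_text(addr), effective_prefixlen(plen), loses_bits(plen)


def aliases(addr1: str, addr2: str) -> bool:
    """True when two hosts differ only in bits 39:24, so a host ACE hits both."""
    return compress(addr1) == compress(addr2)
```

A permit or deny written for one host therefore covers every address sharing its key, which is the over- or under-filtering to look for when auditing ACLs longer than /88 on this platform.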
