IPv6 ACL doesn't accept /128 prefix?

gwhuang5398
Level 2

When I was configuring IPv6 ACL with "permit ipv6 any host ff05::1000" (multicast group), there was an error message saying "%Error: Group prefix must be less than 128, skipping FF05::1000/128". The ACL showed in the running-config as "permit ipv6 any host FF05::1000", but the ACL entry had no hits at all (not functioning).

It was a 2800 router running 12.4(24)T2. Does this mean /128 prefix or host can't be configured in IPv6 ACL?

Thanks


Marcin Latosiewicz
Cisco Employee

I've checked on 15.2(3)T. There's no problem.

GH2_R2(config)#ipv6 access-list

GH2_R2(config)#ipv6 access-list TEST

GH2_R2(config-ipv6-acl)#permit ipv6 any ho

GH2_R2(config-ipv6-acl)#permit ipv6 any host ff05::1000

GH2_R2(config-ipv6-acl)#do sh hist

  ipv6 access-list TEST

  permit ipv6 any host ff05::1000

  do sh hist

GH2_R2(config-ipv6-acl)#  

Do you have that list applied anywhere? (PIM or such?)

M.

I was using it in "ipv6 pim rp-address" command.

If it's fine in 15.2(3)T, it could be just an IOS bug in older 12.4T releases.

Now that makes more sense.

The limitation you're mentioning is not an ACL limitation but IPv6 PIM AFAIR.

Example:

GH2_R2(config)#ipv6 pim rp-address 2001:db8::1 TEST

%Error: Group prefix must be less than 128, skipping FF05::1000/128

It's something that has been there for a while.

If you want more details I'm afraid I have to ask you to open up a TAC case.

Deepak Ambotkar
Level 1

IPv6 ACL above is fine. It seems to be an issue when the ACL is referenced with the RP.

The ACL parameter lists the groups that are mapped to this particular RP. You could have multiple RPs using different group lists on every router, for the purpose of load balancing.

The IPv4 ACL of /32 works fine when referenced with RP.

Please open a case with TAC and let us know. I am curious.

-Deepak
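
Added example, not part of the original thread and not Cisco tooling: a small Python check that scans a saved configuration for IPv6 ACLs referenced as the group list of `ipv6 pim rp-address` and reports `host` or /128 destination entries, which per the error quoted above are skipped by PIM. The sample configuration is constructed, and the function names and the `EDGE-IN` ACL are hypothetical.

```python
import ipaddress

# Constructed sample configuration, modelled on the commands quoted in the thread.
SAMPLE_CONFIG = """\
ipv6 access-list TEST
 permit ipv6 any host ff05::1000
 permit ipv6 any ff05::2000/128
 permit ipv6 any ff08::/16
ipv6 access-list EDGE-IN
 permit ipv6 any host 2001:db8::10
ipv6 pim rp-address 2001:db8::1 TEST
"""

def _take_addr(tokens):
    """Consume one source/destination spec; return (network or None for 'any', rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]

def find_skipped_groups(config):
    """Return (acl, rp, group) for every /128 destination in an ACL used as a PIM group list."""
    acls, rps, current = {}, [], None
    for line in config.splitlines():
        tokens = line.lower().split()
        if tokens[:2] == ["ipv6", "access-list"] and len(tokens) == 3:
            current = line.split()[2]          # ACL names are case-sensitive
            acls[current] = []
        elif tokens[:3] == ["ipv6", "pim", "rp-address"] and len(tokens) >= 5:
            rps.append((line.split()[4], tokens[3]))
            current = None
        elif current and line.startswith(" ") and tokens[:2] == ["permit", "ipv6"]:
            try:
                _, rest = _take_addr(tokens[2:])   # source
                dest, _ = _take_addr(rest)         # destination = group prefix
            except (ValueError, IndexError):
                continue                           # entry form this sketch does not parse
            if dest is not None:
                acls[current].append(dest)
        elif not line.startswith(" "):
            current = None                         # left ACL sub-mode
    return [(acl, rp, str(d.network_address))
            for acl, rp in rps for d in acls.get(acl, []) if d.prefixlen == 128]

if __name__ == "__main__":
    for acl, rp, group in find_skipped_groups(SAMPLE_CONFIG):
        print(f"ACL {acl} (group list for RP {rp}): {group}/128 will be skipped by PIM")
```

ACLs that are not used as a PIM group list (here `EDGE-IN`) are not reported, matching the replies that the /128 entry is accepted by the ACL itself.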
