Beginner

Most strange IPv6 ACL limitation?

In the Cisco 3750 Command Reference Guide 12.2(55)SE, link below, you can read this under the IPv6 ACL Limitations section:

The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:

• IPv6 source and destination addresses—ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended universal identifier (EUI)-64 format. The switch supports only these host addresses with no loss of information:

– aggregatable global unicast addresses

– link local addresses

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/3750_scg.pdf

Could this be right? The way I'm interpreting this is that I can't statically configure my servers if I want to filter packets to them in the Cisco 3750? Or does it merely mean that the interface identifier must be 64 bits in order to match the address?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Most strange IPv6 ACL limitation?

Hi,

This is due to a hardware limitation of the box. Platforms like the 3750-E or 3560-E don't have this limitation (the 3560 has it, though).

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_40_se/configuration/guide/swv6acl.html#wp4312626

HTH

Laurent.

Beginner

Re: Most strange IPv6 ACL limitation?

Ok. So, to check if I've got this correctly.

I can filter this source/destination address:

2001:DB8:1234:0:C202:17FF:FE8A:1

but not, let's say, this one:

2001:DB8:1234:A000::2

Due to hardware limitations?

Cisco Employee

Re: Most strange IPv6 ACL limitation?

Correct. For the last one, you can only use a /64 mask.

Beginner

Re: Most strange IPv6 ACL limitation?

Ouch.

Thanks for answering.

Cisco Employee

Re: Most strange IPv6 ACL limitation?

I'm sorry it was not what you were expecting. You may be able to filter the traffic the way you want somewhere else.

Thanks,

Laurent.

Beginner

Re: Most strange IPv6 ACL limitation?

Let's say I've got about 100 servers (VMs) connected to this unit that use it as a default gateway. Would you recommend buying a new device or using SLAAC to address them?

Cisco Employee

Re: Most strange IPv6 ACL limitation?

It depends on what is important to you. If it's not acceptable for you to use EUI-64 as the interface ID, then you need to allocate a /64 for this subnet so you can filter what is received and sent to/from this VLAN, but you lose the per-host granularity. If you really need this granularity, you should upgrade the box. Otherwise, use EUI-64 and you have all the flexibility you need, but you still need to allocate a /64 for this VLAN.

HTH

Laurent.
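An added example (not part of the thread or of Cisco's documentation): a Python check that classifies IPv6 ACL match terms against the limitation quoted in the first post, so a rule set can be audited before it is deployed to a 3750. It assumes EUI-64 interface IDs are recognised by their `ff:fe` filler bytes and that /128 matches are limited to the two address classes the guide lists; the function names are hypothetical.

```python
import ipaddress

# Address classes the quoted guide lists for supported /128 host matches.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def has_eui64_interface_id(addr):
    """Assumption: EUI-64 is recognised by the ff:fe filler that MAC-derived
    interface IDs carry in bytes 11-12 of the address."""
    raw = addr.packed
    return raw[11] == 0xFF and raw[12] == 0xFE


def classify(term):
    """Return (matchable, reason) for one 'address/prefixlen' ACL term."""
    iface = ipaddress.ip_interface(term)
    if iface.version != 6:
        raise ValueError(f"not an IPv6 term: {term}")
    plen = iface.network.prefixlen
    if plen <= 64:
        return True, "prefix in /0../64"
    if plen < 128:
        return False, "prefix longer than /64 and not a /128 host"
    if not has_eui64_interface_id(iface.ip):
        return False, "/128 host without EUI-64 interface ID"
    if iface.ip in GLOBAL_UNICAST or iface.ip in LINK_LOCAL:
        return True, "/128 EUI-64 host (global unicast or link-local)"
    return False, "/128 EUI-64 host outside the listed address classes"


def audit(terms):
    """Return the terms that need widening to /64 or a different platform."""
    return [(t, classify(t)[1]) for t in terms if not classify(t)[0]]


if __name__ == "__main__":
    # Constructed input: the two addresses from the thread plus variations.
    sample = [
        "2001:DB8:1234:0:C202:17FF:FE8A:1/128",
        "2001:DB8:1234:A000::2/128",
        "2001:DB8:1234:A000::/64",
        "FE80::C202:17FF:FE8A:1/128",
        "2001:DB8:1234:A000::/96",
    ]
    for term in sample:
        print(term, classify(term))
    print("unsupported:", audit(sample))
```

The `ff:fe` test is a heuristic: a manually assigned address can carry the same bytes, so a flagged or passed term should still be confirmed on the switch itself.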
