wsoderberg
Beginner

Most strange IPv6 ACL limitation?

In the Cisco 3750 Command Reference Guide 12.2(55)SE, link below, you can read this under the IPv6 ACL Limitations section:

The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:

• IPv6 source and destination addresses—ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended universal identifier (EUI)-64 format. The switch supports only these host addresses with no loss of information:

– aggregatable global unicast addresses

– link local addresses

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/3750_scg.pdf

Could this be right? The way I'm interpreting this is that I can't statically configure my servers if I want to filter packets to them in the Cisco 3750? Or does it merely mean that the interface identifier must be 64 bits in order to match the address?

Accepted Solution
Laurent Aubert
Cisco Employee

Hi,

This is due to some hardware limitation of the box. Platforms like the 3750-E or 3560-E don't have this limitation (the 3560 has it though).

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_40_se/configuration/guide/swv6acl.html#wp4312626

HTH

Laurent.

Replies

Ok. So, to check if I've got this correctly.

I can filter this source/destination address:

2001:DB8:1234:0:C202:17FF:FE8A:1

but not, let's say, this one:

2001:DB8:1234:A000::2

Due to hardware limitations?

Correct. For the last one, you can only use a /64 mask.

Ouch.

Thanks for answering.

Laurent Aubert
Cisco Employee

I'm sorry it was not what you were expecting. You may be able to filter the traffic the way you want somewhere else.

Thanks,

Laurent.

Let's say I've got about 100 servers (VMs) connected to this unit that use it as their default gateway. Would you recommend buying a new device or using SLAAC to address them?

It depends on what is important to you. If it's not acceptable for you to use EUI-64 as the interface ID, then you need to allocate a /64 for this subnet so you can filter what is received and sent to/from this VLAN, but you lose the per-host granularity. If you really need this granularity, you should upgrade the box. Otherwise use EUI-64 and you have all the flexibility you need, but you still need to allocate a /64 for this VLAN.

HTH

Laurent.
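As an added illustration of the rule Laurent states above (this is not code from the thread or from Cisco), the following Python check applies the "/0 to /64, or /128 only in EUI-64 form" limitation to the two addresses the original poster asked about plus two constructed prefixes, and decodes the MAC embedded in the EUI-64 host so the structure the hardware relies on is visible. The address strings and the function names are this example's own assumptions.

```python
import ipaddress

# Constructed sample addresses taken from the thread: the first host uses an
# EUI-64 interface identifier, the second is a statically assigned "::2" host.
EUI64_HOST = "2001:DB8:1234:0:C202:17FF:FE8A:1"
STATIC_HOST = "2001:DB8:1234:A000::2"


def is_eui64_interface_id(host: str) -> bool:
    """True when the low 64 bits carry the 0xFFFE filler that modified EUI-64
    places in bytes 3-4 of the interface identifier (RFC 4291, Appendix A)."""
    iid = ipaddress.IPv6Address(host).packed[8:]
    return iid[3:5] == b"\xff\xfe"


def eui64_to_mac(host: str) -> str:
    """Recover the 48-bit MAC embedded in an EUI-64 interface identifier:
    drop the FFFE filler and flip the universal/local bit back."""
    iid = ipaddress.IPv6Address(host).packed[8:]
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def covering_slash64(host: str) -> str:
    """The /64 that the thread says is the only usable mask for a static host."""
    return str(ipaddress.IPv6Network(host + "/64", strict=False))


def ace_supported_on_3750(network: str) -> tuple[bool, str]:
    """Apply the limitation quoted in the thread to one ACE source/destination:
    prefixes /0-/64 match; /128 matches only with an EUI-64 interface ID."""
    net = ipaddress.IPv6Network(network, strict=False)
    host = str(net.network_address)
    if net.prefixlen <= 64:
        return True, f"prefix /{net.prefixlen} lies within /0-/64"
    if net.prefixlen == 128:
        if is_eui64_interface_id(host):
            return True, f"EUI-64 host (embedded MAC {eui64_to_mac(host)})"
        return False, f"not EUI-64; the switch can only match {covering_slash64(host)}"
    return False, f"prefix /{net.prefixlen} is between /65 and /127, not matchable"


if __name__ == "__main__":
    for ace in (EUI64_HOST + "/128", STATIC_HOST + "/128",
                "2001:DB8:1234:A000::/64", "2001:DB8:1234:A000::/120"):
        supported, reason = ace_supported_on_3750(ace)
        print(f"{'supported' if supported else 'REJECTED '} {ace}: {reason}")
```

Running it lists which planned per-host entries the platform can actually enforce and, for the static host, the /64 you would be forced to fall back to.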
