05-11-2011 08:49 AM - edited 03-01-2019 05:27 PM
In the Cisco 3750 Command Reference Guide 12.2(55)SE, link below, you can read this under the IPv6 ACL Limitations section:
The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
• IPv6 source and destination addresses—ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended universal identifier (EUI)-64 format. The switch supports only these host addresses with no loss of information:
– aggregatable global unicast addresses
– link local addresses
Could this be right? The way I'm interpreting this is that I can't statically configure my servers if I want to filter packets to them in the Cisco 3750? Or does it merely mean that the interface identifier must be 64 bits in order to match the address?
05-11-2011 11:51 AM
Hi,
This is due to a hardware limitation of the box. Platforms like the 3750-E or 3560-E don't have this limitation (the 3560 has it, though).
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_40_se/configuration/guide/swv6acl.html#wp4312626
HTH
Laurent.
05-11-2011 12:07 PM
Ok. So, to check if I've got this correctly.
I can filter this source/destination address:
2001:DB8:1234:0:C202:17FF:FE8A:1
but not, let's say, this one:
2001:DB8:1234:A000::2
Due to hardware limitations?
05-11-2011 12:28 PM
Correct. For the last one, you can only use a /64 mask.
05-11-2011 12:30 PM
Ouch.
Thanks for answering.
05-11-2011 12:34 PM
I'm sorry it was not what you were expecting. You may be able to filter the traffic the way you want somewhere else.
Thanks,
Laurent.
05-16-2011 01:54 PM
Let's say I've got about 100 servers (VMs) connected to this unit that use it as a default gateway. Would you recommend buying a new device or using SLAAC to address them?
05-16-2011 09:14 PM
It depends on what is important for you. If it's not acceptable for you to use EUI-64 as the interface-id, then you need to allocate a /64 for this subnet so you can filter what is received and sent to/from this VLAN, but you lose the granularity per host. If you really need this granularity, you should upgrade the box. Otherwise use EUI-64 and you have all the flexibility you need, but you still need to allocate a /64 for this VLAN.
HTH
Laurent.
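A way to audit planned IPv6 ACL entries against the limitation discussed in this thread, as an added example that is not part of the original posts or of any Cisco tooling. It assumes that "EUI-64 format" means the FF:FE filler in the middle of the interface identifier; the function names are hypothetical.

```python
import ipaddress

# Host-address types the quoted guide says are matched with no loss of information.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def is_eui64(addr):
    """Assumption: 'EUI-64 format' means FF:FE in the middle of the interface ID."""
    return addr.packed[8:][3:5] == b"\xff\xfe"


def classify(entry):
    """Return (matchable, reason) for one ACL address; a bare address means /128."""
    iface = ipaddress.ip_interface(entry)
    if iface.version != 6:
        raise ValueError(f"not an IPv6 address: {entry}")
    plen = iface.network.prefixlen
    if plen <= 64:
        return True, f"/{plen} prefix is within /0 to /64"
    if plen < 128:
        return False, f"/{plen} is longer than /64 and not a host address"
    if not is_eui64(iface.ip):
        return False, "host address is not in EUI-64 format"
    if iface.ip not in GLOBAL_UNICAST and iface.ip not in LINK_LOCAL:
        return False, "host address is neither global unicast nor link-local"
    return True, "EUI-64 host address"


def enclosing_64(entry):
    """The /64 to filter on instead, per the reply 'you can only use a /64 mask'."""
    ip = ipaddress.ip_interface(entry).ip
    return ipaddress.ip_network(f"{ip}/64", strict=False)


if __name__ == "__main__":
    planned = [
        "2001:DB8:1234:0:C202:17FF:FE8A:1",  # from the thread
        "2001:DB8:1234:A000::2",             # from the thread
        "2001:DB8:1234:A000::/64",           # constructed
        "2001:DB8:1234:A000::10/124",        # constructed
    ]
    for entry in planned:
        ok, reason = classify(entry)
        hint = "" if ok else f" -> widen to {enclosing_64(entry)}"
        print(f"{entry:40} {'OK ' if ok else 'NO '} {reason}{hint}")
```

Entries flagged NO are the ones where per-host filtering has to move to another device or be widened to the enclosing /64 on this platform.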