Most strange IPv6 ACL limitation?

wsoderberg
Level 1

In the Cisco 3750 Command Reference Guide 12.2(55)SE, link below, you can read this under the IPv6 ACL Limitations section:

The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:

• IPv6 source and destination addresses—ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended universal identifier (EUI)-64 format. The switch supports only these host addresses with no loss of information:

– aggregatable global unicast addresses

– link local addresses

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/3750_scg.pdf

Could this be right? The way I'm interpreting this is that I can't statically configure my servers if I want to filter packets to them in the Cisco 3750? Or does it merely mean that the interface identifier must be 64 bits in order to match the address?

1 Accepted Solution

Laurent Aubert
Cisco Employee

Hi,

This is due to some hardware limitation of the box. Platforms like the 3750-E or 3560-E don't have this limitation (the 3560 has it though).

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_40_se/configuration/guide/swv6acl.html#wp4312626

HTH

Laurent.


7 Replies

OK. So, to check that I've got this right.

I can filter this source/destination address:

2001:DB8:1234:0:C202:17FF:FE8A:1

but not, let's say, this one:

2001:DB8:1234:A000::2

Due to hardware limitations?

Correct. For the last one, you can only use a /64 mask.

Ouch.

Thanks for answering.

Laurent Aubert
Cisco Employee

I'm sorry it was not what you were expecting. You may be able to filter the traffic the way you want somewhere else.

Thanks,

Laurent.

Let's say I've got about 100 servers (VMs), connected to this unit, that use it as a default gateway. Would you recommend buying a new device or using SLAAC to address them?

It depends on what is important for you. If it's not acceptable for you to use EUI-64 as the interface ID, then you need to allocate a /64 for this subnet so you can filter what is received and sent to/from this VLAN, but you lose the granularity per host. If you really need this granularity, you should upgrade the box. Otherwise use EUI-64 and you have all the flexibility you need, but you still need to allocate a /64 for this VLAN.

HTH

Laurent.
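As an added example (not part of the thread, and not Cisco code), the check below classifies an ACL entry the way the quoted 3750 limitation describes, and derives the modified EUI-64 address a server would get under SLAAC so you can see which host entries remain filterable. It assumes that "EUI-64 format" means a MAC-derived interface ID with FFFE in the middle, which is the only test a script can apply; the switch documentation does not spell out its exact check.

```python
import ipaddress

# Limitation quoted from the 3750 command reference: hardware ACLs match
# prefixes /0 to /64, and /128 host entries only with an EUI-64 interface ID.
MAX_PREFIX_LEN = 64


def is_eui64_iid(addr: ipaddress.IPv6Address) -> bool:
    """Heuristic (assumption): a modified EUI-64 interface ID has 0xFFFE
    inserted between the two halves of the MAC, i.e. bytes 11 and 12."""
    packed = addr.packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def classify_ace(entry: str) -> dict:
    """Say whether a source/destination entry is matchable without loss of
    information, and if not, the /64 it would have to be widened to."""
    net = ipaddress.IPv6Network(entry, strict=False)
    plen = net.prefixlen
    if plen <= MAX_PREFIX_LEN:
        return {"ok": True, "reason": f"/{plen} prefix match", "fallback": None}
    if plen == 128 and is_eui64_iid(net.network_address):
        return {"ok": True, "reason": "EUI-64 host (/128)", "fallback": None}
    wider = ipaddress.IPv6Network((net.network_address, MAX_PREFIX_LEN), strict=False)
    return {"ok": False,
            "reason": f"/{plen} with a non-EUI-64 interface ID is not matchable",
            "fallback": str(wider)}


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC-style address: flip the U/L bit of the first MAC octet and
    insert FFFE between the OUI and the device part (RFC 4291 appendix A)."""
    octets = bytes(int(b, 16) for b in mac.split(":"))
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


if __name__ == "__main__":
    # The two addresses discussed in the thread, plus a constructed MAC that
    # yields the first one under SLAAC.
    for ace in ("2001:DB8:1234:0:C202:17FF:FE8A:1/128", "2001:DB8:1234:A000::2/128"):
        print(ace, classify_ace(ace))
    print(eui64_address("2001:db8:1234::/64", "c0:02:17:8a:00:01"))
```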
