IPv6 network policies

Nick Hilliard nick-lists at netability.ie
Mon Apr 12 09:24:37 CEST 2010


On 12/04/2010 07:48, Jim Burwell wrote:
> Actually, in a particular case, a Cisco style "wildcard" instead of
> prefix length traffic filter would only require two entries to cover
> an entire chunk of space dedicated to ptp links.  Say you allocated a
> /48 for a raft of /64 ptp link addresses, and designed it so one side
> would always be :1 and the other side would be :2.   You could fashion
> a wildcard match so that the "accept" part matched the first 48 bits
> exactly, was wild for the next 16 bits, and matched exactly all but
> the last two bits (ie: "2001:db8:1234::[12] ::ffff:0:0:0:3" using 1 or
> 2 depending on which side you were on).  The "reject" (or drop) part
> would be for the whole /48.  That'd cover an entire /48 worth of /64
> ptp links with two ACL entries.

You'd want to make sure that your hardware supported this.  ACL TCAM is an
expensive resource, and compromises are often made in terms of not fully
supporting arbitrary masks on ipv6 acls:

> http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html#wp1090842

... or in terms of tcam carveup:

> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swipv6.html#wp1063564

... or generic limitations:

> http://www.cisco-secure.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swv6acl.html#wp4334642

Having said all this, routers which handle sonet or ppp links don't always
use tcam either.

Nick
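The two-entry wildcard ACL Jim describes, plus a check for whether a given wildcard is really expressible as a prefix length (the point behind Nick's TCAM caveat), as an added Python example that is not part of the thread. It reuses the thread's 2001:db8:1234::/48 documentation prefix; the ACL entry layout, the no-match return value and the sample addresses are my own constructed assumptions.

```python
import ipaddress

FULL = (1 << 128) - 1


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv6Address(addr))
    b = int(ipaddress.IPv6Address(base))
    care = ~int(ipaddress.IPv6Address(wildcard)) & FULL
    return (a & care) == (b & care)


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True if the don't-care bits form a single trailing run, i.e. the entry is
    equivalent to a prefix length and needs no arbitrary-mask TCAM support."""
    w = int(ipaddress.IPv6Address(wildcard))
    # a contiguous trailing run of ones is 2^k - 1, so w+1 is a power of two
    return (w & (w + 1)) == 0


# Constructed two-entry ACL from the thread: the permit entry cares about the
# first 48 bits and bits 64..125 (middle 16 bits and last two bits are wild);
# the deny entry then drops everything else in the /48.
ACL = [
    ("permit", "2001:db8:1234::1", "::ffff:0:0:0:3"),
    ("deny",   "2001:db8:1234::",  "::ffff:ffff:ffff:ffff:ffff"),
]


def evaluate(addr: str, acl=ACL):
    """First matching entry wins; None means no entry matched (on a Cisco box
    the implicit deny would then apply)."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return None


if __name__ == "__main__":
    for sample in ("2001:db8:1234:abcd::1", "2001:db8:1234:abcd::3",
                   "2001:db8:1234:abcd::5", "2001:db8:9999::1"):
        print(sample, "->", evaluate(sample))
    for _, _, w in ACL:
        print(w, "prefix-length equivalent:", wildcard_is_contiguous(w))
```

Note that because the last two bits are wild, the permit entry admits ::0 and ::3 in each /64 as well as ::1 and ::2, and only the deny entry's mask is one a prefix-length-only TCAM could hold.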

