IPv6 filtering (was Re: IPv6 internet broken, cogent/telia/hurricane not peering)

Seth Mattinen sethm at rollernet.us
Tue Oct 13 18:52:36 UTC 2009


Matthew Petach wrote:
> 
> As I understand it, (and Cisco's documentation seems to support this,
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/M1.html#wpxref54198
> as an example), if you put a /128 in an ACL, you cannot specify any L4 port
> information for the address due to the limited width of the TCAM; in
> order to specify L4 information for the ACL, Cisco stuffs it into bits 24
> through 39, losing what information was originally stored in those bits.
> It just so happens those are the fixed FFFE bits in an EUI-64 address,
> so if you're using EUI-64, no "real" information is lost.  You can do your
> own non-EUI-64 addressing and still use ACLs with layer 4 port information
> as long as you don't put any addressing information into bits 24 through 39.
> 

Interesting; makes sense though. Thanks for the explanation.

~Seth
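
The constraint described in the quoted message can be checked against an addressing plan before host ACLs with L4 ports are written. The following is an added example, not part of the original thread and not Cisco's code: it assumes bits 24 through 39 are counted from the least significant bit (which is where FFFE sits in an EUI-64 interface ID), treats a zero field as "no addressing information", and uses constructed sample hosts and hypothetical function names.

```python
import ipaddress
from collections import defaultdict

# Bits 24 through 39 of the address, counted from the least significant bit.
# In an EUI-64 interface ID (OUI | FF FE | NIC) this 16-bit field is 0xFFFE.
SHIFT = 24
FIELD_MASK = 0xFFFF << SHIFT

def dropped_field(addr):
    """Return the 16 bits the thread says are overwritten by L4 port data."""
    return (int(ipaddress.IPv6Address(addr)) & FIELD_MASK) >> SHIFT

def classify(addr):
    field = dropped_field(addr)
    if field == 0xFFFE:
        return "eui64"    # fixed filler, no real information is lost
    if field == 0:
        return "unused"   # assumption: zero means no addressing info here
    return "lossy"        # real address bits sit in the dropped field

def compressed_key(addr):
    """112-bit value left once bits 24-39 are removed (a model, not Cisco code)."""
    value = int(ipaddress.IPv6Address(addr))
    low = value & ((1 << SHIFT) - 1)
    high = value >> (SHIFT + 16)
    return (high << SHIFT) | low

def audit(addrs):
    """Classify each host and list groups that collapse to the same key."""
    classes = {a: classify(a) for a in addrs}
    groups = defaultdict(list)
    for a in addrs:
        groups[compressed_key(a)].append(a)
    collisions = [g for g in groups.values() if len(g) > 1]
    return classes, collisions

# Constructed sample hosts in the 2001:db8::/32 documentation prefix.
SAMPLE = [
    "2001:db8::211:22ff:fe33:4455",  # EUI-64 derived from 00:11:22:33:44:55
    "2001:db8::10",                  # manual address, field is zero
    "2001:db8::1:2345:6789",         # manual address that uses the field
    "2001:db8::1:2445:6789",         # differs from the previous one only there
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Hosts reported as "lossy" are the ones whose /128 entries cannot carry L4 port information without losing address bits; any collision group lists hosts that the model can no longer tell apart.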



