How an ACE uses a prefix to screen packets for SA and DA matches
For an IPv6 ACL, a match with a packet occurs when both the protocol and the SA/DA configured in a given ACE within the ACL are a match with the same criteria in a packet being filtered by the ACL.
In IPv6 ACEs, prefixes define how many leading bits in the SA and DA to use for determining a match. That is, the switch uses IPv6 prefixes in CIDR format to specify how many leading bits in a packet's SA and DA must be an exact match with the same bits in an ACE. The bits to the right of the prefix are "wildcards" and are not used to determine a match.
Prefix | Range of applicable addresses | Examples |
---|---|---|
/0 | Any IPv6 host | ::/0 |
/1-/127 | All IPv6 hosts within the range defined by the number of bits in the prefix | 2001:db8::/48, 2001:db8::/64 |
/128 | One IPv6 host | 2001:db8::218:71ff:fec4:2f00/128 |
SA/DA prefix lengths
The following ACE applies to Telnet packets from any source address whose leading 64 bits are set to 2001:db8:10:1 and to any destination address whose leading 112 bits are set to 2001:db8:10:1:218:71ff:fec4.
```
permit tcp 2001:db8:10:1::/64 eq 23 2001:db8:10:1:218:71ff:fec4::/112
```
- `::/64`: prefix defining the mask for the leading bits in the source address
- `::/112`: prefix defining the mask for the leading bits in the destination address
Thus, in the above example, if an IPv6 Telnet packet has an SA match with the ACE's leftmost 64 bits and a DA match with the ACE's leftmost 112 bits, there is a match and the packet is permitted. In this case, the source and destination addresses allowed are:
Address | Prefix | Range of unicast addresses |
---|---|---|
Source (SA) | 2001:db8:10:1 | *prefix*::0 to *prefix*:FFFF:FFFF:FFFF:FFFF |
Destination (DA) | 2001:db8:10:1:218:71ff:fec4 | *prefix*:0 to *prefix*:FFFF |
To summarize, when the switch compares an IPv6 packet to an ACE in an ACL, it uses the subnet prefixes configured with the SA and DA in the ACE to determine how many leftmost, contiguous bits in the ACE's SA and DA must be matched by the same bits in the SA and DA carried by the packet. Thus, the subnet prefixes specified with the SA and DA in an ACE determine the ranges of source and destination addresses acceptable for a match between the ACE and a packet being filtered.
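As an added illustration (not code from the original manual), the following Python models the comparison described above: it parses an ACE written in the syntax shown earlier, compares only the leftmost prefix-length bits of a packet's SA and DA, and computes the address range each prefix covers (the "range" column of the tables). It assumes that an `eq` port qualifier applies to the address it follows; the packet addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One IPv6 ACE: action, protocol, SA/DA prefixes and optional 'eq' port qualifiers."""
    action: str
    protocol: str
    src: ipaddress.IPv6Network
    src_port: Optional[int]
    dst: ipaddress.IPv6Network
    dst_port: Optional[int]

def parse_ace(line: str) -> Ace:
    """Parse '<action> <proto> <SA>/<len> [eq <port>] <DA>/<len> [eq <port>]'.
    Assumption: an 'eq' qualifier belongs to the address it follows."""
    tok = line.split()
    def take(rest):
        net = ipaddress.IPv6Network(rest[0], strict=False)
        if len(rest) > 1 and rest[1] == "eq":
            return net, int(rest[2]), rest[3:]
        return net, None, rest[1:]
    src, sport, rest = take(tok[2:])
    dst, dport, _ = take(rest)
    return Ace(tok[0], tok[1], src, sport, dst, dport)

def leading_bits_match(addr: str, net: ipaddress.IPv6Network) -> bool:
    """Compare only the leftmost prefixlen bits; everything to the right is a wildcard."""
    shift = 128 - net.prefixlen  # /0 -> 128 (match anything), /128 -> 0 (exact host)
    return int(ipaddress.IPv6Address(addr)) >> shift == int(net.network_address) >> shift

def ace_matches(ace: Ace, proto: str, sa: str, da: str,
                sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    """True only when protocol, both prefixes and any port qualifiers all match the packet."""
    if proto != ace.protocol:
        return False
    if ace.src_port is not None and sport != ace.src_port:
        return False
    if ace.dst_port is not None and dport != ace.dst_port:
        return False
    return leading_bits_match(sa, ace.src) and leading_bits_match(da, ace.dst)

def address_range(net: ipaddress.IPv6Network) -> tuple:
    """Lowest and highest address a prefix covers (the 'range' column of the tables)."""
    return str(net.network_address), str(net.broadcast_address)

if __name__ == "__main__":
    ace = parse_ace("permit tcp 2001:db8:10:1::/64 eq 23 2001:db8:10:1:218:71ff:fec4::/112")
    print(ace_matches(ace, "tcp", "2001:db8:10:1::5", "2001:db8:10:1:218:71ff:fec4:1", sport=23))
```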