I recently ran into some limitations of IPv6 ACLs on the Catalyst 3750 platform. I had developed an ACL to protect against receiving traffic from unwanted address ranges such as ::, ::1, ::FFFF:0:0/96. The first address is the unspecified address, the second one is the loopback address and the last one is IPv4-mapped traffic. The ACL also contained an entry to deny traffic with routing-type 0.

Note that no error is reported when the entries are added to the ACL, only when the ACL is applied to an interface.

From the configuration guide, the following limitations apply to the Catalyst 3750 platform.


What this means is that we can’t match on flowlabel, routing-header and undetermined transport upper layer protocol. We also need to match on networks ranging from /0 to /64 and on host addresses that belong to global unicast or link local.
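Because the switch only complains once the ACL is applied to an interface, it helps to check entries against these constraints beforehand. The following is an added example, not code from the original post or from Cisco; it assumes "global unicast" means 2000::/3, "link local" means fe80::/10, and the IOS keyword spellings shown, and the sample ACL is constructed to mirror the entries the post describes.

```python
import ipaddress

# Assumption: "global unicast" means 2000::/3 and "link local" means fe80::/10.
HOST_RANGES = [ipaddress.ip_network("2000::/3"), ipaddress.ip_network("fe80::/10")]
# Match options the post lists as unsupported (IOS keyword spellings assumed).
UNSUPPORTED = {"flow-label", "routing", "routing-type", "undetermined-transport"}


def check_address(token):
    """Return a problem string for one address token, or None if it fits."""
    net = ipaddress.ip_network(token if "/" in token else token + "/128", strict=False)
    if net.prefixlen <= 64:
        return None
    if net.prefixlen < 128:
        return f"{token}: prefix length /{net.prefixlen} is not in /0-/64"
    if any(net.subnet_of(r) for r in HOST_RANGES):
        return None
    return f"{token}: host address is not global unicast or link-local"


def lint_entry(entry):
    """Return the list of problems found in one ACL entry."""
    problems = []
    for token in entry.lower().split():
        if token in UNSUPPORTED:
            problems.append(f"{token}: match option not supported")
        elif ":" in token:  # any token containing ':' is treated as an IPv6 address
            problem = check_address(token)
            if problem:
                problems.append(problem)
    return problems


# Constructed sample ACL modelled on the entries the post describes.
SAMPLE_ACL = [
    "deny ipv6 host :: any",
    "deny ipv6 host ::1 any",
    "deny ipv6 ::ffff:0:0/96 any",
    "deny ipv6 any any routing-type 0",
    "permit ipv6 2001:db8::/32 any",
    "permit ipv6 host fe80::1 any",
]

if __name__ == "__main__":
    for line in SAMPLE_ACL:
        for problem in lint_entry(line):
            print(f"{line!r} -> {problem}")
```
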

I believe this is a limitation of the platform regarding how much TCAM space is available. Because IPv6 addresses are 128 bits compared to 32 bits for IPv4, a lot more TCAM space is required to implement ACLs for IPv6.

Catalyst 3750 IPv6 ACL Limitations