How an ACE uses a mask to screen packets for matches

For an IPv6 ACL, a match with a packet occurs when both the protocol and the SA/DA configured in a given ACE within the ACL are a match with the same criteria in a packet being filtered by the ACL.

In IPv6 ACEs, prefixes define how many leading bits in the SA and DA to use for determining a match. That is, the switch uses IPv6 prefixes in CIDR format to specify how many leading bits in a packet’s SA and DA must be an exact match with the same bits in an ACE. The bits to the right of the prefix are “wildcards”, and are not used to determine a match.

Prefix        Range of applicable addresses                                                  Examples
/0            Any IPv6 host                                                                  ::/0
/1 to /127    All IPv6 hosts within the range defined by the number of bits in the prefix    2001:db8::/48, 2001:db8::/64
/128          One IPv6 host                                                                  2001:db8::218:71ff:fec4:2f00/128

For example, the following ACE applies to Telnet packets from any source address whose leading 64 bits are 2001:db8:10:1 to any destination address whose leading 112 bits are 2001:db8:10:1:218:71ff:fec4.

SA/DA prefix lengths

permit tcp 2001:db8:10:1::/64 eq 23 2001:db8:10:1:218:71ff:fec4::/112

permit tcp 2001:db8:10:1::/64: The prefix defining the mask for the leading bits in the source address.

eq 23 2001:db8:10:1:218:71ff:fec4::/112: The prefix defining the mask for the leading bits in the destination address.

Thus, in the above example, if an IPv6 telnet packet has an SA match with the ACE’s leftmost 64 bits and a DA match with the ACE’s leftmost 112 bits, then there is a match and the packet is permitted. In this case, the source and destination addresses allowed are:

Address             Prefix                          Range of unicast addresses
Source (SA)         2001:db8:10:1                   <prefix>::0 to <prefix>:FFFF:FFFF:FFFF:FFFF
Destination (DA)    2001:db8:10:1:218:71ff:fec4     <prefix>:0 to <prefix>:FFFF

To summarize, when the switch compares an IPv6 packet to an ACE in an ACL, it uses the subnet prefixes configured with the SA and DA in the ACE to determine how many leftmost, contiguous bits in the ACE’s SA and DA must be matched by the same bits in the SA and DA carried by the packet. Thus, the subnet prefixes specified with the SA and DA in an ACE determine the ranges of source and destination addresses acceptable for a match between the ACE and a packet being filtered.