packet’s SA and DA must be an exact match with the same bits in an ACE. The bits to the right of
the prefix are wildcards, not used to determine a match.
ExamplesRange of Applicable AddressesPrefix
::/0any IPv6 host/0
2001:db8::/48all IPv6 hosts within the range defined by the
number of bits in the prefix
/ 1 — /127
2001:db8::/64
2001:db8::218:71ff:fec4:2f00/128one IPv6 host/128
For example, the following ACE applies to Telnet packets from a source address where the leading
bits are set to 2001:db8:10:1 and any destination address where the leading bits are set to
2001:db8:10:1:218:71ff:fec4.
Example 24 SA/DA prefix lengths
permit tcp 2001:db8:10:1::/64 eq 23 2001:db8:10:1:218:71ff:fec4::/112
“64” is the prefix defining the mask for the leading bits in the source address.
“112” is the prefix defining the mask for the leading bits in the destination address.
Thus, in the above example, if an IPv6 telnet packet has an SA match with the ACE’s leftmost 64
bits and a DA match with the ACE’s leftmost 112 bits, then there is a match and the packet is
permitted. In this case, the source and destination addresses allowed are:
Range of Unicast AddressesPrefixAddress
< prefix >::02001:db8:10:1Source (SA)
to
< prefix >:FFFF:FFFF:FFFF:FFFF
< prefix >:02001:db8:10:1:218:71ff:fec4Destination (DA)
to
< prefix >:FFFF
To summarize, when the switch compares an IPv6 packet to an ACE in an ACL, it uses the subnet
prefixes configured with the SA and DA in the ACE to determine how many leftmost, contiguous
bits in the ACE’s SA and DA must be matched by the same bits in the SA and DA carried by the
packet. Thus, the subnet prefixes specified with the SA and DA in an ACE determine the source
and destination address ranges acceptable for a match between the ACE and a filtered packet.
Prefix usage differences between ACLs and other IPv6 addressing
For ACLs, the prefix specifies the leftmost bits in an address that are meaningful for a packet match.
In other IPv6 usage, the prefix separates network and subnet values from the device identifier in
an address.
NotesExamplesPrefix Usage
All bits. Used for a specific SA
or DA.
2620:0:a03:e102:215:60ff:fe7a:adc0/128For an SA or DA in the ACE belonging to
an IPv6 ACL, the associated prefix
specifies how many consecutive, leading
The first 80 bits. Used for an
SA or DA having
2620:0:a03:e102:215/80
bits in the address are used to define a
match with the corresponding bits in the
SA or DA of a packet being filtered.
2620:0:a03:e102:215 in the
leftmost 80 bits of an address.
Traffic management and improved network performance 73