IPv6 Configuration Guide K/KA/KB.15.15
packet's SA and DA must be an exact match with the same bits in an ACE. The bits to the right of
the prefix are "wildcards" and are not used to determine a match.
| Prefix | Range of applicable addresses | Examples |
|---|---|---|
| /0 | Any IPv6 host | ::/0 |
| /1 — /127 | All IPv6 hosts within the range defined by the number of bits in the prefix | 2001:db8::/48, 2001:db8::/64 |
| /128 | One IPv6 host | 2001:db8::218:71ff:fec4:2f00/128 |
Example 62 SA/DA prefix lengths
The following ACE applies to Telnet packets from a source address where the leading bits are set
to 2001:db8:10:1 and any destination address where the leading bits are set to
2001:db8:10:1:218:71ff:fec4.
permit tcp 2001:db8:10:1::/64 eq 23 2001:db8:10:1:218:71ff:fec4::/112

“::/64”: Prefix defining the mask for the leading bits in the source address
“::/112”: Prefix defining the mask for the leading bits in the destination address
Thus, in the above example, if an IPv6 Telnet packet has an SA match with the
ACE's leftmost 64 bits and a DA match with the ACE's leftmost 112 bits, there is
a match and the packet is permitted. In this case, the source and destination
addresses allowed are:
| Address | Prefix | Range of unicast addresses |
|---|---|---|
| Source (SA) | 2001:db8:10:1 | prefix ::0 to prefix :FFFF:FFFF:FFFF:FFFF |
| Destination (DA) | 2001:db8:10:1:218:71ff:fec4 | prefix :0 to prefix :FFFF |
To summarize, when the switch compares an IPv6 packet to an ACE in an ACL, it uses the subnet
prefixes configured with the SA and DA in the ACE to determine how many leftmost, contiguous
bits in the ACE's SA and DA must be matched by the same bits in the SA and DA carried by the
packet. Thus, the subnet prefixes specified with the SA and DA in an ACE determine the ranges
of source and destination addresses acceptable for a match between the ACE and a packet being
filtered.
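The comparison summarized above can be checked offline before an ACE is deployed. The following Python sketch is an added example, not part of the guide or the switch software: it models only the SA/DA prefix comparison (not the protocol or port fields), and the function names and sample packet addresses are constructed for illustration.

```python
import ipaddress

# SA and DA prefixes taken from the ACE in Example 62.
ACE_SA = "2001:db8:10:1::/64"
ACE_DA = "2001:db8:10:1:218:71ff:fec4::/112"

def prefix_match(addr, ace_addr):
    """Compare only the leftmost prefix-length bits; the rest are wildcards."""
    ace = ipaddress.IPv6Interface(ace_addr)
    plen = ace.network.prefixlen
    # Mask with the prefix bits set and the wildcard bits cleared.
    mask = ((1 << plen) - 1) << (128 - plen)
    return (int(ipaddress.IPv6Address(addr)) & mask) == (int(ace.ip) & mask)

def ace_matches(sa, da, ace_sa=ACE_SA, ace_da=ACE_DA):
    """A packet matches only if both its SA and its DA match their prefixes."""
    return prefix_match(sa, ace_sa) and prefix_match(da, ace_da)

def covered_range(ace_addr):
    """First and last address that the prefix accepts."""
    net = ipaddress.IPv6Interface(ace_addr).network
    return str(net.network_address), str(net.broadcast_address)

if __name__ == "__main__":
    # Constructed sample packets: (source address, destination address).
    packets = [
        ("2001:db8:10:1::25", "2001:db8:10:1:218:71ff:fec4:2f00"),  # both match
        ("2001:db8:10:2::25", "2001:db8:10:1:218:71ff:fec4:2f00"),  # SA outside /64
        ("2001:db8:10:1::25", "2001:db8:10:1:218:71ff:fec5:1"),     # DA outside /112
    ]
    for sa, da in packets:
        print(sa, "->", da, "match" if ace_matches(sa, da) else "no match")
    for label, prefix in (("SA", ACE_SA), ("DA", ACE_DA)):
        first, last = covered_range(prefix)
        print(label, prefix, "covers", first, "to", last)
```

Printing the covered range for each prefix makes it easy to confirm that an ACE admits no more addresses than intended, since a shorter prefix widens the set of hosts the entry applies to.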
108 IPv6 Access Control Lists (ACLs)










