How an ACE Uses a Prefix To Screen Packets for SA and DA Matches – HP 6200YL User Manual

IPv6 Access Control Lists (ACLs)
Planning an ACL Application
How an ACE Uses a Prefix To Screen Packets for SA and DA Matches
For an IPv6 ACL, a match with a packet occurs when both the protocol and
the SA/DA configured in a given ACE within the ACL are a match with the
same criteria in a packet being filtered by the ACL.
In IPv6 ACEs, prefixes define how many leading bits in the SA and DA to use
for determining a match. That is, the switch uses IPv6 prefixes in CIDR format
to specify how many leading bits in a packet’s SA and DA must be an exact
match with the same bits in an ACE. The bits to the right of the prefix are
“wildcards”, and are not used to determine a match.
Prefix       Range of Applicable Addresses                 Examples
/0           any IPv6 host                                 ::/0
/1 — /127    all IPv6 hosts within the range defined by    2001:db8::/48
             the number of bits in the prefix              2001:db8::/64
/128         one IPv6 host                                 2001:db8::218:71ff:fec4:2f00/128
For example, the following ACE applies to Telnet packets from a source
address where the leading bits are set to 2001:db8:10:1 and any destination
address where the leading bits are set to 2001:db8:10:1:218:71ff:fec4.
permit tcp 2001:db8:10:1::/64 eq 23 2001:db8:10:1:218:71ff:fec4::/112
[Figure 8-6. Example of SA/DA Prefix Lengths. Callouts on the ACE above: /64 is the prefix defining the mask for the leading bits in the source address; /112 is the prefix defining the mask for the leading bits in the destination address.]
Thus, in the above example, if an IPv6 Telnet packet has an SA match with the
ACE’s leftmost 64 bits and a DA match with the ACE’s leftmost 112 bits, then
there is a match and the packet is permitted. In this case, the source and
destination addresses allowed are:
Address            Prefix                         Range of Unicast Addresses
Source (SA)        2001:db8:10:1                  < prefix >::0 to < prefix >:FFFF:FFFF:FFFF:FFFF
Destination (DA)   2001:db8:10:1:218:71ff:fec4    < prefix >:0 to < prefix >:FFFF
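The leading-bit comparison described above, written out as an added Python example (not code from the HP manual or the switch firmware). It models only the SA/DA prefix screening of the example ACE; the protocol and port criteria are not modelled, and the function names and packet addresses are constructed for illustration.

```python
import ipaddress

FULL = (1 << 128) - 1  # all 128 bits of an IPv6 address set

def parse(cidr):
    """Split 'addr/len' into (address as integer, prefix length)."""
    addr, _, length = cidr.partition("/")
    length = int(length)
    if not 0 <= length <= 128:
        raise ValueError("IPv6 prefix length must be 0..128")
    return int(ipaddress.IPv6Address(addr)), length

def prefix_mask(length):
    """Mask with the leading `length` bits set; the rest are wildcards."""
    return ((1 << length) - 1) << (128 - length)

def prefix_match(packet_addr, ace_cidr):
    """True when the packet address equals the ACE address in every leading bit."""
    ace_bits, length = parse(ace_cidr)
    mask = prefix_mask(length)
    pkt_bits = int(ipaddress.IPv6Address(packet_addr))
    return (pkt_bits & mask) == (ace_bits & mask)

def address_range(ace_cidr):
    """First and last address covered by the prefix (wildcard bits all 0 / all 1)."""
    ace_bits, length = parse(ace_cidr)
    mask = prefix_mask(length)
    first = ace_bits & mask
    last = first | (~mask & FULL)
    return str(ipaddress.IPv6Address(first)), str(ipaddress.IPv6Address(last))

def ace_addresses_match(sa, da, ace_sa, ace_da):
    """Both SA and DA must match their own prefix for the ACE to apply."""
    return prefix_match(sa, ace_sa) and prefix_match(da, ace_da)

# SA and DA criteria from the ACE on this page.
ACE_SA = "2001:db8:10:1::/64"
ACE_DA = "2001:db8:10:1:218:71ff:fec4::/112"

if __name__ == "__main__":
    # Constructed packet addresses: (source, destination).
    packets = [
        ("2001:db8:10:1::25", "2001:db8:10:1:218:71ff:fec4:2f00"),  # both match
        ("2001:db8:10:2::25", "2001:db8:10:1:218:71ff:fec4:2f00"),  # SA differs inside /64
        ("2001:db8:10:1::25", "2001:db8:10:1:218:71ff:fec5:2f00"),  # DA differs inside /112
    ]
    for sa, da in packets:
        print(sa, "->", da, ace_addresses_match(sa, da, ACE_SA, ACE_DA))
    print("SA range:", address_range(ACE_SA))
    print("DA range:", address_range(ACE_DA))
```

A packet that fails either comparison does not match this ACE and is evaluated against the next ACE in the ACL.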