On (2010-02-10 09:17 +0000), Phil Mayers wrote: > >I assume that ipv6 nd is sufficiently high up the protocol stack that it > >can be managed by copp? > > Off the top of my head I think CoPP is run in software for ipv6 traffic.
Actually it is fully supported in hardware, I was also long under impression it is not. Of course one has to remember the ACL compression issue, PFC3 does not have enough bits in ACL TCAM for full IPv6 data, so you can decide one of two way to operate a) default - lookup up-to /128 in ACL is in hardware - lookup to L4 data is punted b) compressed - lookup up-to /88 is in hardware - lookup past /88 is punted - lookup to L4 ports and flags are hardware (16+16+8+88 -> 128) I would argue that default is mostly useless and that you want to run your system in compressed mode. Just remember always to round the IP lookup to /88, usually this shouldn't be any security concern, as you assign so large netblocks that all hosts inside /88 would have same security posture. -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/