On Thu, 11 Nov 2004 15:01:36 EST, Leo Bicknell said:
> Having to double the size of every ACL in your network (once for the local address, once for the "public" address) does not seem simpler. It also seems dangerous, since almost all devices have a limit to ACL size. As if larger addresses weren't already enough penalty on those boxes, now we have to list each machine twice.
Actually, probably not - in the majority of cases, you can put in *one* ACL that drops (for example) all outbound packets for anything in the /32 and avoid having to list each machine twice. Yes, it's still double - but it's two subnet entries, not two copies of all 2,048 addresses in the subnet.... (Hint - you'd *have* to do it that way - you *can't* enumerate all the possible addresses in an IPv6 /64 unless your router has terabytes of memory...)
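As an added illustration of the sizing argument above (this is example code written for this page, not anything from the original thread or from any router vendor), here is a toy first-match ACL evaluator in Python. It builds the "one deny entry per host" version of an ACL next to the "one deny entry per prefix" version and checks that both block the same traffic. The prefixes 10.0.0.0/21 (2,048 IPv4 addresses), 2001:db8:1:2::/64 and 2001:db8:ffff:2::/64 are made up for the example, as is the enumeration cap.

```python
import ipaddress

# Constructed example prefixes (not taken from the original discussion).
V4_LOCAL = ipaddress.ip_network("10.0.0.0/21")           # 2,048 addresses
V6_LOCAL = ipaddress.ip_network("2001:db8:1:2::/64")      # 2**64 addresses
V6_PUBLIC = ipaddress.ip_network("2001:db8:ffff:2::/64")  # the "public" side

# Hypothetical cap: refuse to expand a prefix into per-host entries above this.
MAX_ENUMERATE = 1 << 16


def first_match(acl, addr):
    """Evaluate a first-match ACL.

    acl is a list of (action, network) tuples; the first entry whose network
    contains addr wins. An empty/no-match result is an implicit permit here
    (real devices usually default to deny; the default is a constructed choice).
    """
    a = ipaddress.ip_address(addr)
    for action, net in acl:
        if a.version == net.version and a in net:
            return action
    return "permit"


def can_enumerate(net):
    """Whether listing every address of net as its own entry is feasible."""
    return net.num_addresses <= MAX_ENUMERATE


def per_host_deny(net):
    """The naive form: one host-route (/32 or /128) deny entry per address.

    Iterating an IPvXNetwork yields every address it covers, so for an IPv4
    /21 this is 2,048 entries; for an IPv6 /64 it would be 2**64 and we refuse.
    """
    if not can_enumerate(net):
        raise ValueError(
            f"{net} has {net.num_addresses} addresses; cannot enumerate"
        )
    return [("deny", ipaddress.ip_network(f"{host}/{net.max_prefixlen}"))
            for host in net]


def prefix_deny(*nets):
    """The form argued for above: one entry per prefix, however large it is."""
    return [("deny", net) for net in nets]


def entries_per_address(acl):
    """ACL entries consumed per covered address (how much table space it costs)."""
    covered = sum(net.num_addresses for _, net in acl)
    return len(acl) / covered


if __name__ == "__main__":
    naive = per_host_deny(V4_LOCAL)
    compact = prefix_deny(V4_LOCAL)
    print(len(naive), "entries vs", len(compact), "entry for", V4_LOCAL)
    for probe in ("10.0.3.7", "10.0.8.1"):
        print(probe, first_match(naive, probe), first_match(compact, probe))
    # Local plus "public" prefix: still two entries, not 2 * 2**64.
    both = prefix_deny(V6_LOCAL, V6_PUBLIC)
    print(len(both), "entries cover", sum(n.num_addresses for _, n in both))
    print("can enumerate", V6_LOCAL, "->", can_enumerate(V6_LOCAL))
```

Run it directly to see the counts; the useful observation is that `per_host_deny` and `prefix_deny` give identical verdicts for every probe, so the only thing the per-host form buys is a 2,048-times larger table on a box with a hard ACL limit, and for a /64 it cannot be built at all.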