IPv6 traffic management and improved network performance

You can use ACLs to block IPv6 traffic from individual hosts, workgroups, or subnets, and to block access to VLANs, subnets, devices, and services. Traffic criteria for ACLs include:
  • Switched IPv6 traffic

  • Switched and/or routed IPv6 traffic

  • IPv6 traffic of a specific protocol type (0-255)

  • TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed

  • UDP traffic (only) or UDP traffic for a specific UDP port

  • ICMP traffic (only) or ICMP traffic of a specific type and code

  • Any of the above with specific precedence and/or ToS settings

Depending on the source and/or destination of a given IPv6 traffic type, you must also determine the ACL application(s) (VACL or static port ACL) needed to filter the traffic on the applicable switch interfaces. Depending on the source and/or destination of a given IPv6 traffic type, you must also determine the ACL application(s) (RACL, VACL, or static port ACL) needed to filter the traffic on the applicable switch interfaces. Answering the following questions can help you to design and properly position ACLs for optimum network usage.
  • What are the logical points for minimizing unwanted IPv6 traffic, and what ACL application(s) should be used? In many cases it makes sense to prevent unwanted IPv6 traffic from reaching the core of your network by configuring ACLs to drop unwanted IPv6 traffic at or close to the edge of the network. (The earlier in the network path you can deny unwanted traffic, the greater the benefit for network performance.)

  • From where is the traffic coming? The source and destination of IPv6 traffic you want to filter determines the ACL application to use (VACL, static port ACL, and RADIUS-assigned ACL). The source and destination of IPv6 traffic you want to filter determines the ACL application to use (RACL, VACL, static port ACL, and RADIUS-assigned ACL).

  • What IPv6 traffic should you explicitly deny? Depending on your network size and the access requirements of individual hosts, this can involve creating a large number of ACEs in a given ACL (or a large number of ACLs), which increases the complexity of your solution.

  • What IPv6 traffic can you implicitly deny by taking advantage of the implicit deny ipv6 any any to deny IPv6 traffic that you have not explicitly permitted? This can reduce the number of entries needed in an ACL.

  • What IPv6 traffic should you permit? In some cases you will need to explicitly identify permitted IPv6 traffic. In other cases, depending on your policies, you can insert an ACE with “permit any” forwarding at the end of an ACL. This means that IPv6 traffic not specifically matched by earlier entries in the list will be permitted.