General steps for planning and configuring ACLs

Procedure
  1. Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv6 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv6 traffic where it is inbound to the switch instead of outbound. The following table matches each traffic source with the ACL application used to filter it.

    | Traffic Source                                                              | ACL Application                                                                               |
    |-----------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|
    | IPv6 traffic from a specific, authenticated client                          | RADIUS-assigned ACL for inbound IPv6 traffic from an authenticated client on a port           |
    | IPv6 traffic entering or leaving the switch on a specific port              | Static port ACL (static-port assigned) for inbound or outbound IPv6 traffic on a port from any source |
    | Switched or routed IPv6 traffic entering or leaving the switch on a specific VLAN | VACL (VLAN ACL)                                                                         |

  2. Identify the IPv6 traffic types to filter:
    1. The SA and/or the DA of IPv6 traffic you want to permit or deny. This can be a single host, a group of hosts, a subnet, or all hosts.
    2. IPv6 traffic of a specific protocol type (0-255)
    3. TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed
    4. UDP traffic (only) or UDP traffic for a specific UDP port
    5. ICMP traffic (only) or ICMP traffic of a specific type and code
    6. Any of the above with specific DSCP settings
  3. Design the ACLs for the control points (interfaces) you have selected. Where you are using explicit “deny” ACEs, you can optionally use the ACL logging feature for notification that the switch is denying unwanted packets.
  4. Configure the ACLs on the selected switches.
  5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL or VACL) appropriate for each assignment.
  6. Test for desired results.
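
The following Python model is an added example, not part of the original page or the switch vendor's code: it represents an ordered IPv6 ACL built from the match criteria in step 2 (source/destination prefix, protocol, TCP/UDP port, ICMPv6 type, DSCP) and evaluates sample packets against it, so an ACL design can be checked for the desired results (step 6) before it is configured on a switch. The field names, the sample addresses and the policy are constructed; first-match evaluation with an unlogged implicit deny at the end is assumed to mirror the switch behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: int                     # 6 = TCP, 17 = UDP, 58 = ICMPv6
    dport: Optional[int] = None    # TCP/UDP destination port
    icmp_type: Optional[int] = None
    dscp: Optional[int] = None

@dataclass
class ACE:
    action: str                    # "permit" or "deny"
    src: str = "::/0"              # IPv6 prefix; ::/0 means "any"
    dst: str = "::/0"
    proto: Optional[int] = None    # None = any IPv6 protocol
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    dscp: Optional[int] = None
    log: bool = False              # ACL logging on an explicit deny ACE

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        # Every criterion the ACE specifies must match; unspecified ones are wildcards.
        for want, have in ((self.proto, p.proto), (self.dport, p.dport),
                           (self.icmp_type, p.icmp_type), (self.dscp, p.dscp)):
            if want is not None and want != have:
                return False
        return True

def evaluate(acl, p: Packet):
    """First-match evaluation. Returns (action, matched ACE index, logged)."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i, ace.action == "deny" and ace.log
    return "deny", None, False   # implicit deny at the end of every ACL (not logged)

# Constructed sample design (hypothetical addresses): one management host may SSH
# to the switch, anyone may send ICMPv6 echo requests, and all other traffic from
# the user subnet is explicitly denied and logged.
MGMT_ACL = [
    ACE("permit", src="2001:db8:10::5/128", proto=6, dport=22),
    ACE("permit", proto=58, icmp_type=128),
    ACE("deny", src="2001:db8:20::/64", log=True),
]
```

Traffic from a prefix that no ACE names falls through to the implicit deny, which is why the design above returns `None` for the matched ACE in that case; that is the situation ACL logging on an explicit deny ACE is meant to make visible.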

For more details on ACL planning considerations, see Planning an ACL application.