Procedures for planning and configuring ACLs
- Identify the ACL action to apply.
- Determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv6 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv6 traffic where it is inbound to the switch instead of outbound. Choose the ACL application according to the traffic source:
  - IPv6 traffic from a specific, authenticated client: RADIUS-assigned ACL for inbound IPv6 traffic from an authenticated client on a port. For more information, see the chapter "Configuring RADIUS Server Support for Switch Services" in the latest version of the Access Security Guide for your switch. See also the documentation for your RADIUS server.
  - IPv6 traffic entering or leaving the switch on a specific port: static port ACL (static-port assigned) for inbound or outbound IPv6 traffic on a port from any source.
  - Switched or routed IPv6 traffic entering or leaving the switch on a specific VLAN: VACL (VLAN ACL).
  - Routed IPv6 traffic entering or leaving the switch on a specific VLAN: RACL (routed ACL).
- Identify the IPv6 traffic types to filter:
  - The SA and/or the DA of IPv6 traffic you want to permit or deny; this can be a single host, a group of hosts, a subnet, or all hosts.
  - IPv6 traffic of a specific protocol type (0 to 255).
  - TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed.
  - UDP traffic (only) or UDP traffic for a specific UDP port.
  - ICMP traffic (only) or ICMP traffic of a specific type and code.
  - Any of the above with specific DSCP settings.
- Design the ACLs for the control points (interfaces) you have selected. Where you are using explicit "deny" or "permit" ACEs, you can optionally use the ACL logging feature for notification that the switch is denying unwanted packets, or permitting packets that you want to go through.
- Configure the ACLs on the selected switches.
- Assign the ACLs to the interfaces you want to filter, using the ACL application appropriate for each assignment (static port ACL, VACL, or RACL). RADIUS-assigned ACLs are applied by the RADIUS server when the client authenticates rather than assigned statically in this step.
- If you are using a routed ACL (RACL), ensure that IPv6 routing is enabled on the switch.
- Test for the desired results: confirm that the traffic you intend to permit passes and that the traffic you intend to deny is dropped (and, where logging is enabled, reported).
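The following is an added example, not part of this guide or the switch software: a small offline model of the planning steps above. It builds an ACL from the traffic types the procedure lists (SA/DA prefix, protocol number, TCP port range with an "established" style check on the initial request, ICMPv6 type and code, DSCP), evaluates it first-match with an implicit deny after the last ACE, places an explicit, logged deny-all last as the text suggests, and runs constructed packets against it to "test for desired results" before anything is typed into a switch. It also includes a shadowing check for the common design error of a broad permit placed ahead of a narrower deny. Class and field names (Packet, ACE, established, syn_only) are this model's own, not switch CLI keywords; the addresses are documentation prefixes.

```python
"""Offline model of an IPv6 ACL: ordered ACEs, first match wins, implicit deny.
Added example, not switch software; names are this model's own, not CLI keywords."""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address
from typing import List, Optional, Tuple

TCP, UDP, ICMPV6 = 6, 17, 58            # IPv6 next-header (protocol) values


@dataclass(frozen=True)
class Packet:
    """An IPv6 packet reduced to the fields an ACE can test (constructed input)."""
    src: str
    dst: str
    proto: int                          # protocol type, 0 to 255
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dscp: int = 0
    syn_only: bool = False              # TCP SYN without ACK: a connection request


@dataclass(frozen=True)
class ACE:
    """One access control entry; None means 'any' for that criterion."""
    action: str                         # "permit" or "deny"
    src: str = "::/0"
    dst: str = "::/0"
    proto: Optional[int] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dscp: Optional[int] = None
    established: bool = False           # TCP only: refuse the initial SYN
    log: bool = False                   # ACL logging for this ACE


def _in_range(value: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or (value is not None and rng[0] <= value <= rng[1])


def matches(ace: ACE, pkt: Packet) -> bool:
    """True when every criterion the ACE specifies holds for the packet."""
    if ip_address(pkt.src) not in IPv6Network(ace.src):
        return False
    if ip_address(pkt.dst) not in IPv6Network(ace.dst):
        return False
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    if not _in_range(pkt.sport, ace.sport) or not _in_range(pkt.dport, ace.dport):
        return False
    for want, have in ((ace.icmp_type, pkt.icmp_type),
                       (ace.icmp_code, pkt.icmp_code), (ace.dscp, pkt.dscp)):
        if want is not None and want != have:
            return False
    if ace.established and pkt.proto == TCP and pkt.syn_only:
        return False                    # connection request not allowed by this ACE
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """First match wins. Returns (action, index of the matching ACE or None for
    the implicit deny that follows the last ACE, whether that ACE logs)."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, i, ace.log
    return "deny", None, False


def _covers(a: Optional[Tuple[int, int]], b: Optional[Tuple[int, int]]) -> bool:
    return a is None or (b is not None and a[0] <= b[0] and b[1] <= a[1])


def shadowed(acl: List[ACE]) -> List[Tuple[int, int]]:
    """Design check: (i, j) pairs where ACE j can never match because an earlier
    ACE i is at least as broad in every criterion. Conservative: it reports
    single-ACE shadowing only, not coverage by a combination of earlier ACEs."""
    found = []
    for j, b in enumerate(acl):
        for i, a in enumerate(acl[:j]):
            if (IPv6Network(b.src).subnet_of(IPv6Network(a.src))
                    and IPv6Network(b.dst).subnet_of(IPv6Network(a.dst))
                    and a.proto in (None, b.proto)
                    and _covers(a.sport, b.sport) and _covers(a.dport, b.dport)
                    and a.icmp_type in (None, b.icmp_type)
                    and a.icmp_code in (None, b.icmp_code)
                    and a.dscp in (None, b.dscp)
                    and (not a.established or b.established)):
                found.append((i, j))
                break
    return found


# Constructed example: inbound ACL on the uplink toward client VLAN 2001:db8:10::/64.
EDGE_ACL = [
    ACE("permit", dst="2001:db8:10::/64", proto=TCP, established=True),    # replies to sessions opened from inside
    ACE("permit", dst="2001:db8:10::5/128", proto=TCP, dport=(443, 443)),  # the one published HTTPS server
    ACE("permit", proto=ICMPV6, icmp_type=128),                            # ICMPv6 echo request
    ACE("deny", log=True),                                                 # explicit deny-all, logged
]
# Misordered ACL: the broad TCP permit shadows the telnet deny, which can never fire.
MISORDERED = [ACE("permit", proto=TCP), ACE("deny", proto=TCP, dport=(23, 23), log=True)]

if __name__ == "__main__":
    print(evaluate(EDGE_ACL, Packet("2001:db8:99::1", "2001:db8:10::7", TCP, 51000, 22, syn_only=True)))
    print(shadowed(MISORDERED))
```

Run the packets you expect to be permitted and those you expect to be denied through evaluate() and compare the returned action and ACE index with your design; an unexpected index usually means an earlier ACE is broader than intended, which shadowed() will flag for the single-ACE case.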