Introduction to IPv6 ACLs

An Access Control List (ACL) contains one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s interfaces.

This chapter describes how to configure, apply, and edit static IPv6 ACLs for filtering IPv6 traffic in a network populated with the switches covered by this guide, and how to monitor IPv6 ACL actions.

NOTE:
Because the switches covered by this guide operate in an IPv4/IPv6 dual stack mode, IPv6 and IPv4 ACLs can operate simultaneously in these switches. However:
  • Static IPv6 ACLs and IPv4 ACLs do not filter each other’s traffic.

  • IPv6 and IPv4 ACEs cannot be configured in the same static ACL.

  • RADIUS-assigned ACLs can be configured to filter either IPv4 traffic only, or both IPv4 and IPv6 traffic.

In this chapter, unless otherwise noted:

  • The term “ACL” refers to IPv6 ACLs.

  • Descriptions of ACL operation apply only to IPv6 traffic.

For information on configuring and applying static IPv4 ACLs, see the chapter titled “IPv4 Access Control Lists (ACLs)” in the ArubaOS-Switch Access Security Guide for your switch.

IPv6 traffic filtering with ACLs can help to improve network performance and restrict network use by creating policies for:
  • Switch Management Access: Permits or denies in-band management access, including limiting or preventing the use of designated protocols that run on top of IPv6, such as TCP, UDP, and ICMP. It also allows filtering on DSCP criteria and control of application transactions based on source and destination IPv6 addresses and transport-layer port numbers.

  • Application Access Security: Eliminates unwanted IPv6 traffic in a path by filtering IPv6 packets where they enter or leave the switch on specific VLAN interfaces.

CAUTION:
The ACLs described in this chapter can enhance network security by blocking selected IPv6 traffic, and can serve as part of your network security program. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IPv6 packets, they should not be relied upon as a complete security solution.

Static IPv6 ACLs on the switches covered by this manual do not screen non-IPv6 traffic, such as IPv4, AppleTalk, and IPX packets.