IPv6 traffic management and improved network performance

You can use ACLs to block unnecessary traffic caused by individual hosts, workgroups, or subnets, and to block user access to subnets, devices, and services. Answering the following questions can help you to design and properly position ACLs for optimum network usage.

  • What are the logical points for minimizing unwanted traffic? In many cases it makes sense to block unwanted traffic from the core of your network by configuring ACLs to drop such traffic at or close to the edge of the network. (The earlier in the network path you block unwanted traffic, the greater the network performance benefit.)

  • What traffic should you explicitly block? Depending on your network size and the access requirements of individual hosts, this can involve creating a large number of ACEs in a given ACL (or a large number of ACLs), which increases the complexity of your solution and rapidly consumes the resources.

  • What traffic can you implicitly block by taking advantage of the implicit deny any to deny traffic that you have not explicitly permitted? This can reduce the number of entries needed in an ACL and make more economical use of switch resources.

  • What traffic should you permit? In some cases you will need to explicitly identify permitted traffic. In other cases, depending on your policies, you can insert a permit any (standard ACL) or permit ip any any (extended ACL) entry at the end of an ACL. This means that all IP traffic not specifically matched by earlier entries in the list will be permitted.

You can use ACLs to block IPv6 traffic from individual hosts, workgroups, or subnets, and to block access to VLANs, subnets, devices, and services. Traffic criteria for ACLs include:

  • Switched IPv6 traffic

  • Switched and/or routed IPv6 traffic

  • IPv6 traffic of a specific protocol type (0-255)

  • TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed

  • UDP traffic (only) or UDP traffic for a specific UDP port

  • ICMP traffic (only) or ICMP traffic of a specific type and code

  • Any of the above with specific precedence and/or ToS settings

Depending on the source and/or destination of a given IPv6 traffic type, you must also determine the ACL application(s) (VACL or static port ACL) needed to filter the traffic on the applicable switch interfaces. Depending on the source and/or destination of a given IPv6 traffic type, you must also determine the ACL application(s) (RACL, VACL, or static port ACL) needed to filter the traffic on the applicable switch interfaces. Answering the following questions can help you to design and properly position ACLs for optimum network usage.

  • What are the logical points for minimizing unwanted IPv6 traffic, and what ACL application(s) should be used? In many cases it makes sense to prevent unwanted IPv6 traffic from reaching the core of your network by configuring ACLs to drop unwanted IPv6 traffic at or close to the edge of the network. (The earlier in the network path you can deny unwanted traffic, the greater the benefit for network performance.)

  • From where is the traffic coming? The source and destination of IPv6 traffic you want to filter determines the ACL application to use (VACL, static port ACL, and RADIUS-assigned ACL). The source and destination of IPv6 traffic you want to filter determines the ACL application to use (RACL, VACL, static port ACL, and RADIUS-assigned ACL).

  • What IPv6 traffic should you explicitly deny? Depending on your network size and the access requirements of individual hosts, this can involve creating a large number of ACEs in a given ACL (or a large number of ACLs), which increases the complexity of your solution.

  • What IPv6 traffic can you implicitly deny by taking advantage of the implicit deny ipv6 any any to deny IPv6 traffic that you have not explicitly permitted? This can reduce the number of entries needed in an ACL.

  • What IPv6 traffic should you permit? In some cases you will need to explicitly identify permitted IPv6 traffic. In other cases, depending on your policies, you can insert an ACE with “permit any” forwarding at the end of an ACL. This means that IPv6 traffic not specifically matched by earlier entries in the list will be permitted.