KB.15.15

ManualsBrandsHP ManualsNetwork HardwareHP 5406R-8XGT/8SFP+ (No PSU) v2 zl2 Switch

101

102

103

104

105

106

107

108

109

110

NOTE: IPv6 traffic entering the switch on a given interface is filtered by the ACLs configured for

inbound traffic on that interface. For this reason, an inbound packet is denied (dropped) if it has

a match with an implicit (or explicit) deny ipv6 any any in any of the inbound ACLs applied

to the interface. (This does not apply to IPv6 traffic leaving the switch, because only one type of

ACL—RACL—can be applied to outbound traffic, and only to routed IPv6 traffic.)

See “Multiple ACL assignments on an interface” (page 97).

IPv6 traffic management and improved network performance

You can use ACLs to block IPv6 traffic from individual hosts, workgroups, or subnets, and to block

access to VLANs, subnets, devices, and services. Traffic criteria for ACLs include:

• Switched IPv6 traffic

• Switched and/or routed IPv6 traffic

• IPv6 traffic of a specific protocol type (0 to 255)

• TCP traffic (only) for a specific TCP port or range of ports, including optional control of

connection traffic based on whether the initial request should be allowed

• UDP traffic (only) or UDP traffic for a specific UDP port

• ICMP traffic (only) or ICMP traffic of a specific type and code

• Any of the above with specific precedence and/or ToS settings

Depending on the source, destination, or both of a given IPv6 traffic type, you must also determine

the ACL applications (VACL or static port ACL) needed to filter the traffic on the applicable switch

interfaces. Depending on the source and/or destination of a given IPv6 traffic type, you must also

determine the ACL applications (RACL, VACL, or static port ACL) needed to filter the traffic on the

applicable switch interfaces. Answering the following questions can help you to design and properly

position ACLs for optimum network usage:

• What are the logical points for minimizing unwanted IPv6 traffic, and what ACL applications

should be used?

In many cases, it makes sense to prevent unwanted IPv6 traffic from reaching the core of your

network by configuring ACLs to drop unwanted IPv6 traffic at or close to the edge of the

network. (The earlier in the network path you can deny unwanted traffic, the greater the benefit

for network performance.)

• From where is the traffic coming?

The source and destination of IPv6 traffic you want to filter determines the ACL application to

use (VACL, static port ACL, and RADIUS-assigned ACL). The source and destination of IPv6

traffic you want to filter determines the ACL application to use (RACL, VACL, static port ACL,

and RADIUS-assigned ACL).

• What IPv6 traffic should you explicitly deny?

Depending on your network size and the access requirements of individual hosts, this can

involve creating a large number of ACEs in a given ACL (or a large number of ACLs), which

increases the complexity of your solution.

• What IPv6 traffic can you implicitly deny by taking advantage of the implicit deny ipv6

any any to deny IPv6 traffic that you have not explicitly permitted? This can reduce the

number of entries needed in an ACL.

• What IPv6 traffic should you permit?

In some cases, you will need to explicitly identify permitted IPv6 traffic. In other cases,

depending on your policies, you can insert an ACE with "permit any" forwarding at the end

104 IPv6 Access Control Lists (ACLs)