Understanding IPv6 Exceptions and Best Practices
The IPv6 best practices are provided below:
- Ensure that you enable IPv6 globally.
- The uplink port must be trusted. This is the same behavior as IPv4.
- Ensure that the validuser session ACL does not block IPv6 traffic.
- There must not be any ACLs that drop ICMPv6 or DHCPv6 traffic. Neighbor Discovery, router discovery and path MTU discovery all run over ICMPv6, so blocking it breaks IPv6 connectivity outright. It is acceptable to drop DHCPv6 traffic only if the deployment uses SLAAC exclusively.
- If an external device provides RA:
- It is not recommended to advertise too many prefixes in RA. Each advertised prefix gives every client another address, and the managed device tracks only a limited number of IPv6 addresses per client (see the next item).
- The managed device supports a maximum of four IPv6 user entries in the user table. If a client uses more than four IPv6 addresses at a time, the user table is refreshed with the latest four active entries without disrupting the traffic flow. However, this may have some performance impact.
- Under the interface VLAN configuration, enable the option that drops random IPv6 multicast traffic. DHCPv6, ND, NS, and RA traffic are not dropped when this option is enabled. It is recommended to enable it only if mDNS traffic is not used in the network, because mDNS traffic is dropped when the option is enabled.
- While selecting a source address, the number of leading bits that each candidate source address has in common with the destination address is counted from the left-most bit, and the source address with the most matching bits is selected. If more than one source address has the same number of matching bits, the kernel selects the one that was most recently configured on the system. If a particular VLAN interface must be used as the source, the administrator must configure the network accordingly, because an address added later can change which one wins the tie. For example, for 802.1X authentication the administrator can configure the source interface so that its address is selected for the authentication process. For more information on IPv6 source address selection, see .
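The selection rule described above, as an added example that is not part of the original page and not AOS code: candidates are compared by longest common prefix with the destination, and ties go to the most recently configured address. The VLAN addresses and the RADIUS server address are constructed for the illustration.

```python
import ipaddress
from typing import Iterable, Tuple


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv6 addresses share, counted from the left-most bit."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 if diff == 0 else 128 - diff.bit_length()


def select_source(candidates: Iterable[str], destination: str) -> Tuple[str, int]:
    """Pick the source address for `destination` the way the text describes.

    `candidates` are the addresses configured on the device, in configuration
    order (oldest first, most recently configured last). The candidate with the
    most leading bits in common with the destination wins; on a tie the most
    recently configured one wins. Returns (address, matching_bits).
    """
    best, best_bits = None, -1
    for cand in candidates:
        bits = common_prefix_len(cand, destination)
        # '>=' lets a later (more recently configured) candidate displace an
        # earlier one with the same score, reproducing the tie-break rule.
        if bits >= best_bits:
            best, best_bits = str(ipaddress.IPv6Address(cand)), bits
    return best, best_bits


# Constructed example: three VLAN interface addresses and one RADIUS server.
VLAN_ADDRESSES = ["2001:db8:1::1", "2001:db8:2::1", "fd00:10::1"]
RADIUS_SERVER = "2001:db8:2::53"


def demo() -> dict:
    # 2001:db8:2::1 shares 121 leading bits with the server and is chosen.
    chosen = select_source(VLAN_ADDRESSES, RADIUS_SERVER)
    # A second address later configured on the same /64 silently takes over:
    # it ties on matching bits and is the most recently configured.
    after_change = select_source(VLAN_ADDRESSES + ["2001:db8:2::2"], RADIUS_SERVER)
    return {"chosen": chosen, "after_change": after_change}


if __name__ == "__main__":
    print(demo())
```

The `after_change` case is the caveat the text warns about: adding an address on the VLAN that already wins the prefix comparison changes the source used for 802.1X or RADIUS traffic without any other configuration change, so the authentication server may start seeing an unexpected NAS address.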
Ensure that support for IPv6 Unique Local Addresses is added, so that authentication-server hosts can be configured with such addresses.
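The ACL requirement in the list above (nothing may drop ICMPv6, and DHCPv6 may be dropped only in SLAAC-only deployments) can be turned into a pre-deployment check. The following is an added example, not code from the original page and not AOS ACL syntax: it models a session ACL as an ordered, first-match rule list with an implicit deny, evaluates the control-plane packets an IPv6 client needs against it, and reports what would be dropped. The rule format, packet samples and ACLs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# IPv6 next-header values and DHCPv6 ports (RFC 8200, RFC 8415).
ICMPV6, UDP, TCP = 58, 17, 6
DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT = 546, 547


@dataclass(frozen=True)
class Rule:
    """One ACL entry in a constructed first-match rule model (not AOS syntax)."""
    action: str                   # "permit" or "deny"
    proto: Optional[int] = None   # next header to match; None matches any
    dport: Optional[int] = None   # destination port to match; None matches any


@dataclass(frozen=True)
class Packet:
    name: str
    proto: int
    dport: Optional[int] = None


# Control-plane traffic an IPv6 client cannot do without (constructed samples).
ND_TRAFFIC = [
    Packet("ICMPv6 Neighbor Solicitation", ICMPV6),
    Packet("ICMPv6 Router Advertisement", ICMPV6),
]
DHCPV6_TRAFFIC = [
    Packet("DHCPv6 Solicit to server", UDP, DHCPV6_SERVER_PORT),
    Packet("DHCPv6 Advertise to client", UDP, DHCPV6_CLIENT_PORT),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.proto is None or rule.proto == pkt.proto
    port_ok = rule.dport is None or rule.dport == pkt.dport
    return proto_ok and port_ok


def evaluate(acl: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """The first matching rule decides; an implicit deny applies if none matches."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return default


def check_acl(acl: List[Rule], addressing: str = "dhcpv6") -> List[str]:
    """Return the names of required packets the ACL would drop.

    addressing="slaac" relaxes the DHCPv6 requirement, as the text allows;
    any other value requires both ND and DHCPv6 to pass.
    """
    required = list(ND_TRAFFIC)
    if addressing != "slaac":
        required += DHCPV6_TRAFFIC
    return [p.name for p in required if evaluate(acl, p) != "permit"]


# A plausible mistake: a broad "deny UDP" placed ahead of the catch-all permit.
BAD_ACL = [Rule("permit", ICMPV6), Rule("deny", UDP), Rule("permit")]
# Corrected: explicit DHCPv6 permits placed ahead of the UDP deny.
GOOD_ACL = [
    Rule("permit", ICMPV6),
    Rule("permit", UDP, DHCPV6_SERVER_PORT),
    Rule("permit", UDP, DHCPV6_CLIENT_PORT),
    Rule("deny", UDP),
    Rule("permit"),
]
# Worst case: only TCP is permitted, so Neighbor Discovery hits the implicit deny.
TCP_ONLY_ACL = [Rule("permit", TCP)]

if __name__ == "__main__":
    for label, acl in [("bad", BAD_ACL), ("good", GOOD_ACL), ("tcp-only", TCP_ONLY_ACL)]:
        print(label, "dhcpv6:", check_acl(acl), "slaac:", check_acl(acl, "slaac"))
```

The model is deliberately coarse: it does not filter ICMPv6 by type, and it evaluates each packet on its own, whereas a stateful session ACL permits reply traffic for an established session. Treat a clean result as necessary, not sufficient, and confirm on the device that the validuser ACL and any user-role ACLs behave the same way.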
AOS-8 does not support the following functions for IPv6 clients:
- The managed device offers limited routing services to IPv6 clients, so it is recommended to use an external IPv6 router for a complete routing experience (dynamic routing).
- VoIP ALG is not supported for IPv6 clients.
- IPv6 autoconfiguration and IPv6 Neighbor Discovery mechanisms do not apply to IPv6 tunnels.
- The Tunnel Encapsulation Limit, tunnel-group, and MTU discovery options are not supported on IPv6 tunnels.
- When the command is executed after a managed device is upgraded, only the IPv4 address is displayed.
- IPv6 tunnels are not supported in a tunnel-group. Hence, you cannot add Layer-2 or Layer-3 IPv6 GRE tunnels to a tunnel-group in either dual-stack or native IPv6 deployments.