Yes, it would be best to put that on the port going to the router, though in that case, you want that traffic redirected on egress from the port, instead of ingress.
Yes, you can exclude traffic by using deny statements in the access list. In fact, if you move the redirect to the port, you'll want one to exclude traffic from the WSA from being redirected to itself.
As the router is always the source for the redirection, I would suggest to exclude the according IP addresses from being redirected in the fist place (access-list modified to deny for the particular traffic).
Another way is to use the proxy bypass list which will make advantage of the WCCPv2 protocol to return the SYN packet to the router to indicate to bypass the entire session afterward directly at the router (this is all implemented inside wccp, so nothing to configure further). This solutions is probably more convenient to maintain, however creates a little overhead as the initial SYN packet has to go back and forth to the WSA proxy.
I would advice to only use IP addresses on the Proxy Bypass list as it will be anyway only used to build an IP access-list.
In your case you would have to exclude each other's vlan subnets to assure its being router directly.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...