PREREQUISITE: You should have a knowledgeable understanding of IPv6 and IPv6 routing infrastructures. And a good understanding of IPv4 ACLs.

Transcription

1 PREREQUISITE: You should have a knowledgeable understanding of IPv6 and IPv6 routing infrastructures. And a good understanding of IPv4 ACLs. IPv6 ACLs 1

2 Are you ready to get a better understanding of IPv6 ACLs and learn to use them? Build on your existing IPv6 knowledge to understand IPv6 ACLs and how to configure them on the router. After this session you'll feel more confident teaching your students about IPv6 ACLs. 2

3 ACLs in IPv6 are similar to the IPv4 ones that you already know and love Actually they are even easier to understand: They are all named (no number ranges to remember) Only Extended lists, no standard lists Still just a list of PERMIT, DENY, and REMARK statements No wildcard masking, just use CIDR notation 3

4 Scenario: Let s say we have an IPv6 segment on Gi0/0 with a server at 2001:DB8::10/64 that we want to restrict to only allow SSH connections from outside the LAN. ipv6 access-list EXAMPLE-LIST remark restrict server to SSH connections permit tcp any host 2001:DB8::10 neq 22 permit ipv6 any any 4

5 Interface gigabit 0/0 ipv6 traffic filter EXAMPLE-LIST out Now the server is protected from any and all outside connections other then SSH. We can look at our list: show ipv6 access-list EXAMPLE-LIST 5

6 Using sequence numbers helps make it easier for later inserting new ACL statements into a list. By default all ACL statements are sequenced in increments of 10. permit tcp any any eq 22 sequence 15 IPv6 sequence numbers are not supported in Packet Tracer In show commands, IPv6 sequence numbers appear at the end of each ACL statement, unlike IPv4 ACLs where they appear at the beginning. 6

7 Just like with IPv4 ACLs you can use IPv6 ACLs to filter remote connections to the router. line vty 0 4 ipv6 access-class EXAMPLE_LIST in 7

8 Enables logging to a SYSLOG server of the packet's source and destination IP addresses: deny tcp any any eq www log Enables logging to a SYSLOG server of the ingress interface and source MAC address in addition to the packet's source and destination IP addresses: permit ipv6 any any log-input 8

9 Adding a time window to an ACL. time-range EXAMPLE-TIME periodic daily 10:00 to 13:00 ipv6 access-list EXAMPLE-LIST deny tcp any any eq www time-range EXAMPLE-TIME permit ipv6 any any 9

10 A reflexive ACL is created dynamically, when traffic matches a permit statement Reflexive ACEs contain the reflect keyword. The reflexive ACL mirrors the permit entry and times out (by default after 3 mins), unless further traffic matches the entry. The implicit deny any any rule does not apply at the end of a reflexive ACL. ipv6 access-list EXAMPLE-IN permit tcp host 2001:db8:1::1 eq www any reflect MYWEB ipv6 access-list EXAMPLE-OUT evaluate MYWEB 10

11 Adding an explicit deny ipv6 any any can block important messages used by IPv6 devices. remark Neighbor discovery acknowledgments permit icmp any any nd-na remark Neighbor discovery solicitations permit icmp any any nd-ns These rules are already implicitly permitted if you leave the implicit deny ipv6 any any 11

12 remark Router Advertisement (RA) messages permit icmp any any router-advertisement remark Router Solicitation (RS) messages permit icmp any any router-solicitation 12

13 Referencing an empty IPv6 ACL will permit all traffic ACL names cannot begin with a numeric Non-consecutive bit match patterns are not allowed 13

14 Thank you! 14