THE SCHOOL OF CISCO NETWORKING (SCN): CISCO - IPv6 ACCESS CONTROL LISTS:
Yours Sincerely – Premakumar Thevathasan.

CISCO - IPv6 ACCESS CONTROL LISTS:


ACLs are simple rule sets. They can be used to filter network traffic, filter routing updates, match packets for other features, and many other purposes. The most common and basic use is to restrict network traffic to the router itself by applying an ACL on the vty lines.

In this lab you will learn how to configure an IPv6 Access Control List to prevent IPv6 traffic from a specified source address or network to a specified destination host or network.

INTRODUCTION:

Filtering incoming and outgoing connections to and from the router based on an IPv6 ACL is performed using the ipv6 access-class command in line configuration mode. The ipv6 access-class command is similar to the access-class command, except that IPv6 ACLs are identified by a name.

UNDERSTANDING IPV6 ACLS:-


IF THE IPV6 ACL IS APPLIED TO INBOUND TRAFFIC, the source address in the ACL is matched against the incoming connection source address and the destination address in the ACL is matched against the local router address on the interface.

IF THE IPV6 ACL IS APPLIED TO OUTBOUND TRAFFIC, the source address in the ACL is matched against the local router address on the interface and the destination address in the ACL is matched against the outgoing connection source address. We recommend that identical restrictions are set on all the virtual terminal lines because a user can attempt to connect to any of them.

We can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. We can also create and apply input router ACLs to filter Layer 3 management traffic.

Note: To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. You select the template by entering the sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} global configuration command.

A SWITCH RUNNING THE METRO IP ACCESS IMAGE SUPPORTS TWO TYPES OF IPV6 ACLS:


• IPv6 router ACLs are supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only to routed IPv6 packets.

• IPv6 port ACLs are supported only on inbound traffic on Layer 2 interfaces. IPv6 port ACLs are applied to all IPv6 packets entering the interface.

IPV6 ACL LIMITATIONS:-

With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.

THE SWITCH SUPPORTS MOST CISCO IOS-SUPPORTED IPV6 ACLS WITH SOME EXCEPTIONS:
• The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.

• The switch does not support reflexive ACLs (the reflect keyword).

• This release supports only port ACLs and router ACLs for IPv6; it does not support VLAN ACLs
(VLAN maps).

• The switch does not apply MAC-based ACLs on IPv6 frames.

• You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.

• The switch does not support output port ACLs.

• When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of
whether or not they are supported on the platform. When you apply the ACL to an interface that
requires hardware forwarding (physical ports or SVIs), the switch determines whether or not the
ACL can be supported on the interface. If not, the ACL attachment is rejected.

• If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an
unsupported keyword, the switch does not allow the ACE to be added to the attached ACL.

AN EXAMPLE FOR AN IPV6 ACCESS LIST:
in  - The keyword that means filtering will occur on incoming IPv6 connections.
out - The keyword that means filtering will occur on outgoing IPv6 connections.


Router>enable
Router#configure terminal

Router(config)#ipv6 access-list ittechtips
Router(config-ipv6-acl)#permit ipv6 host 2001:0DC8:0:4::2 any
Router(config-ipv6-acl)#exit

Router(config)#line vty 0 4
Router(config-line)#ipv6 access-class ittechtips in

Router(config-line)#end
Router#copy run start

In the ABOVE example, notice that the router's prompt is in "line configuration" mode when the "ipv6 access-class" command is used, and that filtering is applied to incoming connections on virtual terminal lines 0 to 4 of the router based on the IPv6 access list named ittechtips.

EXAMPLE:


Router#conf t
Router(config)#ipv6 access-list myfirewall
Router(config-ipv6-acl)#permit ipv6 3ffe:200::/32 any
Router(config-ipv6-acl)#permit ipv6 3ffe:100::/32 any

To verify the access list, look at this:
Router#show access-lists myfirewall
IPv6 access list myfirewall
permit ipv6 3FFE:200::/32 any sequence 10
permit ipv6 3FFE:100::/32 any sequence 20
Router#

To apply this IPv6 access control list to an interface, do as follows:
Router#conf t
Router(config)#int te 1/1
Router(config-if)#ipv6 traffic-filter myfirewall in

To apply this IPv6 access control list to a line:

Router#conf t
Router(config)#line vty 1
Router(config-line)#ipv6 access-class myfirewall in

CONFIGURING IPV6 ACL:-

Before configuring IPv6 ACLs, you must select one of the dual IPv4 and IPv6 SDM templates.
To filter IPv6 traffic, you perform these steps:

Step 1 Create an IPv6 ACL, and enter IPv6 access list configuration mode.
Step 2 Configure the IPv6 ACL to block (deny) or pass (permit) traffic.
Step 3 Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface on which the ACL is applied.

Interaction with Other Features and Switches:-

Configuring IPv6 ACLs has these interactions with other features or switch characteristics:


• If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet
is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable
message for the frame.

• If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.

• You can create both IPv4 and IPv6 ACLs on a switch, and you can apply both IPv4 and IPv6 ACLs
to the same interface. Each ACL must have a unique name; an error message appears if you try to
use a name that is already configured.

You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the
same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example,
an IPv4 command to attach an IPv6 ACL), you receive an error message.

• You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.

• If the hardware memory is full, for any additional configured ACLs, packets are forwarded to the
CPU, and the ACLs are applied in software.

CREATING IPV6 ACCESS CONTROL LIST:
Use the no {deny | permit} IPv6 access-list configuration commands with keywords to remove the deny
or permit conditions from the specified access list.

This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all
packets that have a destination TCP port number greater than 5000. The second deny entry denies
packets that have a source UDP port number less than 5000.

The second deny entry also logs all matches to the console. The first permit entry in the list permits all ICMP packets. The second permit entry in the list permits all other traffic. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.

Switch(config)# ipv6 access-list CISCO
Switch(config-ipv6-acl)# deny tcp any any gt 5000
Switch(config-ipv6-acl)# deny udp ::/0 lt 5000 ::/0 log
Switch(config-ipv6-acl)# permit icmp any any
Switch(config-ipv6-acl)# permit ipv6 any any
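To make the first-match and implicit deny-all behaviour concrete, here is an added Python model (written for this page; it is not Cisco code and not part of the original article) that evaluates constructed sample packets against the list CISCO above. It also encodes the inbound/outbound address mapping described under UNDERSTANDING IPV6 ACLS for the ipv6 access-class command. The sequence numbers 10 to 40 assume the IOS default increment of 10, and the packets use the 2001:db8::/32 documentation prefix; both are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not Cisco code): a small model of how an IPv6 ACL such as the
# list "CISCO" above is evaluated. Entries are tried in sequence-number order,
# the first matching entry decides, and an implicit deny-all follows the last
# entry. Port operators eq/neq/gt/lt, the log flag and the ipv6 access-class
# direction mapping are modelled; all sample packets are constructed.

ANY = ipaddress.IPv6Network("::/0")

def net(text: str) -> ipaddress.IPv6Network:
    """'any' -> ::/0; 'host X' -> X/128; otherwise a prefix such as 3FFE:200::/32."""
    if text == "any":
        return ANY
    if text.startswith("host "):
        return ipaddress.IPv6Network(text[5:] + "/128")
    return ipaddress.IPv6Network(text, strict=False)

@dataclass
class Ace:
    seq: int
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ipv6" (any protocol), "tcp", "udp", "icmp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    src_port: Optional[Tuple[str, int]] = None   # (operator, port) applied to the source port
    dst_port: Optional[Tuple[str, int]] = None   # (operator, port) applied to the destination port
    log: bool = False

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0

def port_ok(cond: Optional[Tuple[str, int]], port: int) -> bool:
    """Evaluate one IOS port operator; no operator means any port matches."""
    if cond is None:
        return True
    op, n = cond
    return {"eq": port == n, "neq": port != n, "gt": port > n, "lt": port < n}[op]

def evaluate(acl: List[Ace], pkt: Packet):
    """Return (action, seq, logged); seq is None when the implicit deny fired."""
    s = ipaddress.IPv6Address(pkt.src)
    d = ipaddress.IPv6Address(pkt.dst)
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto != "ipv6" and ace.proto != pkt.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.proto in ("tcp", "udp") and not (
            port_ok(ace.src_port, pkt.sport) and port_ok(ace.dst_port, pkt.dport)
        ):
            continue
        return ace.action, ace.seq, ace.log
    return "deny", None, False      # implicit deny-all at the end of every IPv6 ACL

def access_class_view(direction: str, remote: str, router: str) -> Tuple[str, str]:
    """Addresses an 'ipv6 access-class' ACL compares, per the text above:
    'in'  -> ACL source = remote connection source, ACL destination = local router address
    'out' -> ACL source = local router address,     ACL destination = the connection's remote address"""
    return (remote, router) if direction == "in" else (router, remote)

# The list "CISCO" from the text, with the sequence numbers IOS assigns by default.
CISCO = [
    Ace(10, "deny", "tcp", net("any"), net("any"), dst_port=("gt", 5000)),
    Ace(20, "deny", "udp", net("::/0"), net("::/0"), src_port=("lt", 5000), log=True),
    Ace(30, "permit", "icmp", net("any"), net("any")),
    Ace(40, "permit", "ipv6", net("any"), net("any")),
]

# Constructed sample packets (documentation prefix 2001:db8::/32).
HIGH_TCP = Packet("2001:db8::1", "2001:db8::2", "tcp", sport=40000, dport=6000)
DNS_UDP = Packet("2001:db8::1", "2001:db8::2", "udp", sport=53, dport=40000)
PING = Packet("2001:db8::1", "2001:db8::2", "icmp")
HTTP = Packet("2001:db8::1", "2001:db8::2", "tcp", sport=40000, dport=80)

if __name__ == "__main__":
    for p in (HIGH_TCP, DNS_UDP, PING, HTTP):
        print(p.proto, p.sport, "->", p.dport, evaluate(CISCO, p))
    # Without the final permit, ordinary HTTP falls through to the implicit deny.
    print("no final permit:", evaluate(CISCO[:3], HTTP))
```

Running the block shows the high-port TCP packet stopping at sequence 10, the UDP packet stopping at the logged sequence 20, ICMP passing at sequence 30 and HTTP passing only because of the final permit ipv6 any any; dropping that last entry makes the same HTTP packet hit the implicit deny.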

APPLYING AN IPV6 ACL TO AN INTERFACE:-

This section describes how to apply IPv6 ACLs to network interfaces. You can apply an ACL to
outbound or inbound traffic on Layer 3 interfaces, or to inbound traffic on Layer 2 interfaces.

Beginning in privileged EXEC mode, follow these steps to control access to an interface:

Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface.

THIS EXAMPLE SHOWS HOW TO APPLY THE ACCESS LIST CISCO TO OUTBOUND TRAFFIC ON A LAYER 3 INTERFACE:

Switch(config)# interface gigabitethernet 0/3
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out

DISPLAYING IPV6 ACL:

This is an example of the output from the show access-lists privileged EXEC command. The output
shows all access lists that are configured on the switch or switch stack.

Switch# show access-lists

Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10

This is an example of the output from the show ipv6 access-list privileged EXEC command. The output shows only the IPv6 access lists configured on the switch or switch stack.

Switch# show ipv6 access-list

IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30

IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20

SIMPLE LAB EXAMPLE:


To configure an IPv6 access list, use the ipv6 access-list NAME command in global configuration mode. An example is given below:
R1(config)#ipv6 access-list EXAMPLE_IPv6_ACL
R1(config-ipv6-acl)#sequence 10 permit ipv6 2001:ABAD:BEEF:1221::/64 any
R1(config-ipv6-acl)#sequence 20 deny tcp host 2001:ABAD:BEEF:2345::1 host 2001:ABAD:BEEF:1212::1 eq www
R1(config-ipv6-acl)#

As with any ACL, you can assign the ACL to a particular interface in a particular direction, ingress or egress (incoming or outgoing).


Configure an IPv6 ACL on R2 named TEST that denies R1's Loopback0 interface access to R3's Loopback0 interface via port 80, then permits all other traffic.


R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#ipv6 access-list TEST
R2(config-ipv6-acl)#sequence 10 deny tcp 2001:ABAD:BEEF:1001::1/128 host 2001:ABAD:BEEF:3003::1 eq www
R2(config-ipv6-acl)#sequence 20 permit ipv6 any any
R2(config-ipv6-acl)#exit
R2(config)#


Configure the newly created IPv6 ACL on R2 as an ingress traffic-filter on R2's Serial1/0.221 sub-interface.


R2(config)#interface Serial1/0.221
R2(config-subif)#ipv6 traffic-filter TEST in
R2(config-subif)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#   
Verify that R1's Loopback0 interface can still ping R3's Loopback0 interface.

R1#ping 2001:ABAD:BEEF:3003::1 source Loopback0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:ABAD:BEEF:3003::1, timeout is 2 seconds:
Packet sent with a source address of 2001:ABAD:BEEF:1001::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/72 ms
R1#


Verify that traffic sourced from R1's Loopback0 is denied access to R3's Loopback0 interface via port 80, using telnet to port 80.


R1#telnet 2001:ABAD:BEEF:3003::1 www /source-interface loopback 0
Trying 2001:ABAD:BEEF:3003::1, 80 ...
% Destination unreachable; gateway or host down

R1#   


As shown above, traffic from R1's Loopback0 destined to R3's Loopback0 interface via port 80 is now being dropped at R2. You can further verify this by viewing the access list statistics on R2, as shown below:

R2#show access-list TEST
IPv6 access list TEST
deny tcp host 2001:ABAD:BEEF:1001::1 host 2001:ABAD:BEEF:3003::1 eq www (1 match) sequence 10
permit ipv6 any any (32 matches) sequence 20
R2#

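Checking counters by eye works for a two-line list, but not for a long one. As an added example (not part of the lab and not Cisco software), the following Python parses the text of show access-list / show ipv6 access-list output into per-entry records so the match counters can be checked from a script. The sample output is constructed from the R2 output above plus the earlier "outbound" list, with the first TEST entry deliberately wrapped over two lines as it appears in the terminal transcript; the function names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Added example (not Cisco code): parse 'show ipv6 access-list' style output
# into per-entry records so match counters can be checked programmatically.
# SAMPLE_OUTPUT is constructed from the R2 output above plus the earlier
# "outbound" list; the first TEST entry is wrapped over two lines on purpose,
# exactly as a terminal transcript may show it.
SAMPLE_OUTPUT = """\
R2#show access-list TEST
IPv6 access list TEST
deny tcp host 2001:ABAD:BEEF:1001::1 host 2001:ABAD:BEEF:3003::1
eq www (1 match) sequence 10
permit ipv6 any any (32 matches) sequence 20
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20
R2#
"""

# One access control entry: action, match criteria, an optional hit counter
# "(N match/matches)" and the trailing sequence number.
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<body>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s+sequence\s+(?P<seq>\d+)$"
)

def parse_show_ipv6_access_list(text: str) -> Dict[str, List[dict]]:
    """Return {acl_name: [{"seq", "action", "body", "matches"}, ...]} in display order."""
    acls: Dict[str, List[dict]] = {}
    current: Optional[str] = None   # IPv6 ACL whose entries are being read
    pending = ""                    # partial entry accumulated across wrapped lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("IPv6 access list "):
            current = line[len("IPv6 access list "):]
            acls[current] = []
            pending = ""
            continue
        if " access list " in line:     # heading of another list type (e.g. Extended IP)
            current = None
            continue
        if current is None:
            continue                    # prompts and other text outside an IPv6 list
        pending = (pending + " " + line).strip()
        if not re.search(r"\bsequence \d+$", pending):
            continue                    # entry continues on the next line
        m = ACE_RE.match(pending)
        pending = ""
        if m:
            acls[current].append({
                "seq": int(m["seq"]),
                "action": m["action"],
                "body": m["body"],
                "matches": int(m["matches"] or 0),
            })
    return acls

def hit_entries(acls: Dict[str, List[dict]], name: str,
                action: Optional[str] = None) -> List[dict]:
    """Entries of ACL `name` whose counter is non-zero, optionally filtered by action."""
    return [e for e in acls.get(name, [])
            if e["matches"] > 0 and (action is None or e["action"] == action)]

def lab_check(text: str = SAMPLE_OUTPUT) -> dict:
    """Summarise the lab result: which TEST entries fired and how many times."""
    acls = parse_show_ipv6_access_list(text)
    denied = hit_entries(acls, "TEST", "deny")
    permitted = hit_entries(acls, "TEST", "permit")
    return {
        "lists": sorted(acls),
        "test_deny_seqs": [e["seq"] for e in denied],
        "test_deny_matches": sum(e["matches"] for e in denied),
        "test_permit_matches": sum(e["matches"] for e in permitted),
    }

if __name__ == "__main__":
    print(lab_check())
```

The same parser can be pointed at the saved output of a real device; a deny entry whose counter keeps climbing is the signal that something is repeatedly trying the blocked path, which is the kind of check worth scripting rather than reading off the console.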
CONCLUSIONS:

Hope This Article Makes The IPv6 ACL Security Process Easy!

This Article Was Written By: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSA, MCSE, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
