Friday, February 21, 2020

IPv6 Access-list on Cisco IOS

As explained in my first tutorial that introduces access-lists, we can use access-lists for filtering (blocking packets) or selecting traffic (for VPNs, NAT, etc).
This also applies to IPv6 access-lists which are very similar to IPv4 access-lists. There are two important differences however:
  • IPv4 access-lists can be standard or extended, numbered or named. IPv6 only has named extended access-lists.
  • IPv4 access-lists have an invisible implicit deny any at the bottom of every access-list. IPv6 access-lists have three invisible statements at the bottom:
    • permit icmp any any nd-na
    • permit icmp any any nd-ns
    • deny ipv6 any any
The two permit statements are required for neighbor discovery, an important IPv6 protocol that replaces ARP.
When you add an explicit deny ipv6 any any at the bottom of your access-list (for example, to log denied packets), make sure you also add the two permit statements for neighbor discovery just before that final statement, or neighbor discovery traffic will be dropped along with everything else.
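As an added example (not part of the original post), here is a small audit script that parses the output of show access-lists and flags any IPv6 access-list that ends in an explicit deny ipv6 any any without permitting nd-na and nd-ns first. The sample output is constructed: it contains the R1_TRAFFIC access-list from this post plus a hypothetical LOG_DENY access-list that forgets the nd-ns permit.

```python
import re

# Constructed sample of "show access-lists" output. R1_TRAFFIC relies on the
# hidden ND permits; LOG_DENY (hypothetical) adds an explicit logging deny but
# only permits nd-na before it, so nd-ns would be dropped.
SAMPLE_OUTPUT = """\
IPv6 access list R1_TRAFFIC
    permit tcp host 2001:DB8:0:12::1 any eq telnet (10 matches) sequence 10
IPv6 access list LOG_DENY
    permit tcp host 2001:DB8:0:12::1 any eq telnet sequence 10
    permit icmp any any nd-na sequence 20
    deny ipv6 any any log sequence 30
"""

# The two statements IOS adds invisibly, which an explicit deny overrides.
ND_REQUIRED = {"permit icmp any any nd-na", "permit icmp any any nd-ns"}


def parse_acls(output):
    """Return {acl_name: [entry, ...]} with match counters and sequence numbers stripped."""
    acls, current = {}, None
    for line in output.splitlines():
        header = re.match(r"IPv6 access list (\S+)", line)
        if header:
            current = header.group(1)
            acls[current] = []
        elif current and line.strip():
            entry = re.sub(r"\s*\(\d+ matches?\)", "", line.strip())
            entry = re.sub(r"\s+sequence \d+$", "", entry)
            acls[current].append(entry)
    return acls


def audit_nd(acls):
    """Return {acl_name: [missing ND permits]} for ACLs with an explicit deny ipv6 any any."""
    findings = {}
    for name, entries in acls.items():
        deny_idx = next((i for i, e in enumerate(entries)
                         if e.startswith("deny ipv6 any any")), None)
        if deny_idx is None:
            continue  # no explicit final deny: the hidden nd-na/nd-ns permits still apply
        missing = ND_REQUIRED - set(entries[:deny_idx])
        if missing:
            findings[name] = sorted(missing)
    return findings


if __name__ == "__main__":
    for acl, missing in audit_nd(parse_acls(SAMPLE_OUTPUT)).items():
        print(f"{acl}: explicit deny without {', '.join(missing)}")
```

Feed it the output of show access-lists from your own router; an empty result means every explicit final deny is preceded by both neighbor discovery permits.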
Having said that, let’s take a look at the configuration.

Configuration

For this demonstration we only need two routers:
[Topology diagram: R1 and R2 connected on subnet 2001:DB8:0:12::/64]
I’ll use subnet 2001:DB8:0:12::/64 in between R1 and R2. To demonstrate the access-list, I’ll create one inbound on R2 and we will try to filter some packets from R1. Let’s take a look at the access-list:
R2(config)#ipv6 access-list ?
  WORD        User selected string identifying this access list
  log-update  Control access list log updates
As you can see above the only option is the named access-list. There’s also no option for standard or extended access-list. Let’s create that access-list:
R2(config)#ipv6 access-list R1_TRAFFIC
I’ll call it “R1_TRAFFIC”. Here are our options when we create a statement:
R2(config-ipv6-acl)#permit ?
  <0-255>             An IPv6 protocol number
  X:X:X:X::X/<0-128>  IPv6 source prefix x:x::y/<z>
  ahp                 Authentication Header Protocol
  any                 Any source prefix
  esp                 Encapsulation Security Payload
  host                A single source host
  icmp                Internet Control Message Protocol
  ipv6                Any IPv6
  pcp                 Payload Compression Protocol
  sctp                Streams Control Transmission Protocol
  tcp                 Transmission Control Protocol
  udp                 User Datagram Protocol
This is similar to IPv4 access-lists. You can pick any protocol you like. Let’s see if we can permit telnet traffic from R1 and deny everything else:
R2(config-ipv6-acl)#permit tcp ?
  X:X:X:X::X/<0-128>  IPv6 source prefix x:x::y/<z>
  any                 Any source prefix
  host                A single source host
Let’s permit telnet traffic from R1:
R2(config-ipv6-acl)#permit tcp host 2001:db8:0:12::1 ?
  X:X:X:X::X/<0-128>  IPv6 destination prefix x:x::y/<z>
  any                 Any destination prefix
  eq                  Match only packets on a given port number
  gt                  Match only packets with a greater port number
  host                A single destination host
  lt                  Match only packets with a lower port number
  neq                 Match only packets not on a given port number
  range               Match only packets in the range of port numbers
After specifying the source IP I also have to select the destination IP, let’s do that:
R2(config-ipv6-acl)#permit tcp host 2001:db8:0:12::1 any eq 23
This should permit telnet traffic from R1. Let’s take a look at our access-list:
R2#show access-lists 
IPv6 access list R1_TRAFFIC
    permit tcp host 2001:DB8:0:12::1 any eq telnet sequence 10
Above you see our statement. One cosmetic difference from IPv4 access-lists is that the sequence number is shown after the statement. Let’s apply this access-list to the interface:
R2(config)#interface FastEthernet 0/0
R2(config-if)#ipv6 traffic-filter R1_TRAFFIC in
Instead of using the access-group command you have to use the ipv6 traffic-filter command. Let’s see if it works:
R1#telnet 2001:db8:0:12::2
Trying 2001:DB8:0:12::2 ... Open
R1 is able to telnet to R2. Let’s see if we find any matches on our access-list:
R2#show access-lists 
IPv6 access list R1_TRAFFIC
    permit tcp host 2001:DB8:0:12::1 any eq telnet (10 matches) sequence 10
There we go, we see it matches the access-list. Anything else should be dropped. Let’s try a simple ping:
R1#ping 2001:db8:0:12::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:12::2, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)
The AAAAA output above indicates that the destination is administratively unreachable: R2 is dropping our packets because of an access-list and tells R1 so with an ICMPv6 unreachable message.
For security reasons it might be a bad idea to tell someone that their traffic has been dropped. If you want, you can disable this:
R2(config)#interface FastEthernet 0/0
R2(config-if)#no ipv6 unreachables 
Use the no ipv6 unreachables command to disable this. When we send another ping now you will see this:
R1#ping 2001:db8:0:12::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:12::2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2 is no longer informing R1 that the packets have been dropped. That’s all I have for now, have fun configuring IPv6 access-lists.

Final Configurations

hostname R1
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001:DB8:0:12::1/64
!
end

hostname R2
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001:DB8:0:12::2/64
 no ipv6 unreachables
 ipv6 traffic-filter R1_TRAFFIC in
!
ipv6 access-list R1_TRAFFIC
 permit tcp host 2001:DB8:0:12::1 any eq telnet
!
end

You can also apply an IPv6 access-list to a switchport (Layer 2) interface as a port ACL (PACL).
If you have any questions just leave a comment.
