
Managing IPv6 Traffic using Access Control Lists

Managing IPv6 Traffic using Access Control Lists. Serges Nanfack. Technical Marketing Team. August 2013. Agenda. Type of IPv6 ACLs. Comparing IPv4 and IPv6 ACLs. Configuring IPv6 ACLs. Verifying IPv6 ACLs. Summary. Type of IPv6 ACLs. Named Only


Presentation Transcript


  1. Managing IPv6 Traffic using Access Control Lists Serges Nanfack Technical Marketing Team August 2013

  2. Agenda
     • Type of IPv6 ACLs
     • Comparing IPv4 and IPv6 ACLs
     • Configuring IPv6 ACLs
     • Verifying IPv6 ACLs
     • Summary

  3. Type of IPv6 ACLs
     • Named only
     • Similar in functionality to IPv4 extended ACLs

  4. Comparing IPv4 and IPv6 ACLs

  5. IPv6 Neighbor Discovery
     • permit icmp any any nd-na
     • permit icmp any any nd-ns

  6. Configuring IPv6 ACLs

  7. Scenario 1 : Deny Subnet A to reach Subnet B

  8. Denying Subnet

     IPv4:

         ip access-list standard Deny_Subnet_A_Ipv4
          deny 192.168.12.0 0.0.0.255
          permit any
         !
         interface FastEthernet0/1
          ip access-group Deny_Subnet_A_Ipv4 out

     IPv6:

         Router(config)# ipv6 access-list ?
           WORD        User selected string identifying this access list
           log-update  Control access list log updates

         ipv6 access-list Deny_Subnet_A_IPv6
          deny ipv6 2001:DB8:0:12::/64 any
          permit ipv6 any any
         !
         interface FastEthernet0/1
          ipv6 traffic-filter Deny_Subnet_A_IPv6 out

  9. Scenario 2 : Deny PC_A to reach PC_B

  10. Denying Specific Hosts

      IPv4:

          ip access-list extended Deny_Host_A_to_B_IPv4
           deny ip host 192.168.12.77 host 192.168.23.203
           permit ip any any
          !
          interface FastEthernet0/0
           ip access-group Deny_Host_A_to_B_IPv4 in

      IPv6:

          ipv6 access-list Deny_Host_A_to_B_IPv6
           deny ipv6 host 2001:DB8:0:12::4D host 2001:DB8:0:23::CB
           permit ipv6 any any
          !
          interface FastEthernet0/0
           ipv6 traffic-filter Deny_Host_A_to_B_IPv6 in

  11. Scenario 3 : Deny HTTP traffic from Subnet A

  12. Matching Upper Layer Protocols

      IPv4:

          ip access-list extended Deny_TCP_80_IPv4
           deny tcp any any eq www
           permit ip any any
          !
          interface FastEthernet0/0
           ip access-group Deny_TCP_80_IPv4 in

      IPv6:

          ipv6 access-list Deny_TCP_80_IPv6
           deny tcp any any eq www
           permit ipv6 any any
          !
          interface FastEthernet0/0
           ipv6 traffic-filter Deny_TCP_80_IPv6 in

  13. Scenario 4 : Limit Access to VTY Lines

  14. Limiting Access to VTY Lines

      IPv4:

          line vty 0 15
           access-class Authorized_IPv4_Hosts in

      IPv6:

          line vty 0 15
           ipv6 access-class Authorized_IPv6_Hosts in

  15. Verifying IPv6 ACLs
      • show ipv6 interface
      • show access-lists
      • show running-config

  16. Summary
      • IPv6 ACLs support only named, extended access lists
      • IPv6 ACLs specify addresses in CIDR notation instead of wildcard masks
      • IPv6 ACLs are applied to interfaces using the command ipv6 traffic-filter
      • IPv6 ACLs are applied to lines using the command ipv6 access-class
      • An IPv4 ACL and an IPv6 ACL cannot share the same name
      • IPv6 ACLs do not support re-sequencing on IOS
      • IPv6 ACL names cannot start with a numeral
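
The following offline check is an added example, not part of the original presentation: it audits a drafted IOS-style configuration against the summary rules (every applied ACL is defined, no name is shared between IPv4 and IPv6, no IPv6 ACL name starts with a numeral). It also assumes, as known IOS behaviour beyond what slide 5 states, that the nd-na/nd-ns permits are implicit entries at the end of an IPv6 ACL, so an explicit "deny ipv6 any any" placed above them blocks Neighbor Discovery. The sample configuration and the name 6_Lockdown are constructed for illustration.

```python
import re

ACL_HDR = re.compile(r"(ip|ipv6) access-list (?:(?:standard|extended) )?(\S+)$", re.I)
ACL_REF = re.compile(r"(ipv6 traffic-filter|ipv6 access-class|ip access-group|access-class)"
                     r" (\S+) (?:in|out)$", re.I)

# Constructed sample config for illustration (6_Lockdown is a hypothetical name).
SAMPLE = """\
ip access-list extended Deny_TCP_80
 deny tcp any any eq www
 permit ip any any
ipv6 access-list Deny_TCP_80
 deny tcp any any eq www
 permit ipv6 any any
ipv6 access-list 6_Lockdown
 permit tcp 2001:DB8:0:12::/64 any eq 22
 deny ipv6 any any log
interface FastEthernet0/0
 ipv6 traffic-filter 6_Lockdown in
line vty 0 15
 ipv6 access-class Authorized_IPv6_Hosts in
"""

def audit(config):
    """Return sorted findings for an IOS-style config passed as text."""
    v4, v6, refs, cur = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        hdr, ref = ACL_HDR.match(line), ACL_REF.match(line)
        if hdr:                                   # start of a named ACL
            table = v6 if hdr.group(1).lower() == "ipv6" else v4
            cur = table.setdefault(hdr.group(2), [])
        elif not raw[:1].isspace():               # other top-level command ends the ACL
            cur = None
        elif ref:                                 # ACL applied to an interface or line
            refs.append((ref.group(1).lower().startswith("ipv6"), ref.group(2)))
        elif cur is not None:                     # entry inside the current ACL
            cur.append(line.lower())
    findings = [f"undefined {'IPv6' if is6 else 'IPv4'} ACL referenced: {name}"
                for is6, name in refs if name not in (v6 if is6 else v4)]
    for name, entries in v6.items():
        if name in v4:
            findings.append(f"name shared by IPv4 and IPv6 ACLs: {name}")
        if name[0].isdigit():
            findings.append(f"IPv6 ACL name starts with a numeral: {name}")
        # An explicit deny-all is matched before the implicit nd-na/nd-ns permits.
        stop = next((i for i, e in enumerate(entries) if e.startswith("deny ipv6 any any")), None)
        for nd in ("nd-na", "nd-ns") if stop is not None else ():
            if f"permit icmp any any {nd}" not in entries[:stop]:
                findings.append(f"{name}: explicit deny-all without prior permit for {nd}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
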
