CCNP (Cisco Certified Network Professional) Route Certification Exam Cram Notes

5. Infrastructure Security

5.5 Configure and verify router security features

5.5.b IPv6 traffic filter

The syntax for an IPv6 ACL entry is as given below:

{deny | permit} <protocol>
{source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]
{destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]]
[dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]

Example 1: The command "deny tcp any any eq telnet" blocks Telnet (TCP port 23) from any host to any destination host.

ipv6 access-list <access-list-name>

This command defines the IPv6 access list name and enters IPv6 access-list configuration mode.

Example 2: deny ipv6 host 2001:db8:100::18 2001:db8:100::1/64

The statement deny ipv6 host 2001:db8:100::18 2001:db8:100::1/64 denies all IPv6 traffic with a source address of 2001:db8:100::18 that is destined for 2001:db8:100::1/64. The host keyword means the source address must match exactly, whereas the destination is matched as a prefix.

Example 3:

Step 1: Create an IPv6 ACL and enter IPv6 access list configuration mode.

Switch#configure terminal
Switch(config)#ipv6 access-list <list-name>

Ex:

Switch(config)#ipv6 access-list myipv6list
Switch(config-ipv6-acl)#

Here myipv6list is the list name; the prompt changes to show the new configuration mode.

Step 2: To configure the IPv6 ACL to block (deny) or pass (permit) traffic, use the command:

Switch(config-ipv6-acl)#{deny | permit} <protocol> ...

Ex.: Switch(config-ipv6-acl)#permit icmp any any

Step 3: Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface to which the ACL is applied.

Step 3.1: Enter interface configuration mode.

Switch#configure terminal
Switch(config)#interface <interface-id>

Ex: Switch(config)#interface gigabitethernet1/0/2

Switch(config-if)#no switchport

The no switchport command puts the switch interface into Layer 3 (routed) operation.

Step 3.2: ipv6 address <ipv6-address>

Ex: Switch(config-if)#ipv6 address 2001::/64 eui-64

This assigns an IPv6 address to the interface; with the eui-64 keyword the interface ID is derived from the interface MAC address.

Step 3.3: ipv6 traffic-filter <access-list-name> { in | out }

Ex: Switch(config-if)#ipv6 traffic-filter myipv6list out

This applies the access list to the interface in the outbound direction.


The ipv6 traffic-filter command filters traffic that is forwarded through the router, not traffic originated by the router itself.

To filter incoming or outgoing IPv6 traffic on an interface, use the ipv6 traffic-filter command in interface configuration mode.

Syntax: R1(config-if)#ipv6 traffic-filter <access-list-name> { in | out }

The commands are typically given while configuring router connectivity with an ISP.


IPv6 ACLs cannot be numbered; they can only be configured as named access lists.

The command "permit tcp any host 2001:DB8:10:10::100 eq 25" permits TCP traffic from any host to port 25 (SMTP) on the server 2001:DB8:10:10::100, which is on network 2001:DB8:10:10::/64.

Some of the widely used port numbers are given below:

Port Number   Description
21            FTP
22            SSH
23            Telnet
25            SMTP (Simple Mail Transfer Protocol)

The command "show ipv6 access-list" is given in privileged EXEC mode. Given below is an example of the output; it shows the IPv6 access lists configured on the switch, with a match counter for each entry.

Switch#show ipv6 access-list

IPv6 access list inbound
    permit tcp any any eq eigrp (12 matches) sequence 10
    permit tcp any any eq telnet (5 matches) sequence 20
    permit udp any any sequence 30
IPv6 access list outbound
    deny udp any any sequence 10
    deny tcp any any eq telnet sequence 20
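As an added example (not part of the cram notes and not a Cisco tool), the following Python script ties the "configure" and "verify" halves of this section together. It renders the Step 1 to Step 3 commands from a list of ACL entries, and it parses the show ipv6 access-list output format shown above into structured entries so that a reviewer can flag permit statements that deserve a second look: cleartext management services such as Telnet (port 23) or FTP (port 21) permitted from any source, and protocol-wide permit any any entries. The sample output, the list names inbound and outbound, and the review rules are assumptions of this example; the entry syntax handled is the subset the notes use (action, protocol, source, destination, optional eq port, optional match counter, optional sequence number).

```python
"""Render and audit Cisco IOS IPv6 ACLs (added example, not from the notes)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format 'show ipv6 access-list' prints
# (assumption: same entries as the notes' example output).
SAMPLE_SHOW_OUTPUT = """\
IPv6 access list inbound
    permit tcp any any eq eigrp (12 matches) sequence 10
    permit tcp any any eq telnet (5 matches) sequence 20
    permit udp any any sequence 30
IPv6 access list outbound
    deny udp any any sequence 10
    deny tcp any any eq telnet sequence 20
"""

# Port names IOS accepts after 'eq', taken from the notes' port table.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25}
# Services that carry credentials in cleartext; a permit from 'any'
# to these is what an ACL review should catch (review rule, assumed).
CLEARTEXT_MGMT_PORTS = {21, 23}


@dataclass(frozen=True)
class AclEntry:
    acl: str                        # access list name
    action: str                     # 'permit' or 'deny'
    protocol: str                   # 'ipv6', 'tcp', 'udp', 'icmp', ...
    source: str                     # 'any', 'host <addr>' or '<prefix>/<len>'
    destination: str
    dst_port: Optional[str] = None  # name or number following 'eq'
    matches: int = 0                # hit counter from the show output
    sequence: Optional[int] = None


HEADER_RE = re.compile(r"^IPv6 access list\s+(?P<name>\S+)\s*$")
ENTRY_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|\S+)\s+(?P<dst>host\s+\S+|\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?"
    r"(?:\s+\((?P<matches>\d+)\s+match(?:es)?\))?"
    r"(?:\s+sequence\s+(?P<seq>\d+))?\s*$")


def parse_show_ipv6_access_list(text: str) -> List[AclEntry]:
    """Turn 'show ipv6 access-list' output into AclEntry records."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:                       # 'IPv6 access list <name>' line
            current = header["name"]
            continue
        m = ENTRY_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unrecognised line: {line!r}")
        entries.append(AclEntry(
            acl=current, action=m["action"], protocol=m["proto"],
            source=" ".join(m["src"].split()),
            destination=" ".join(m["dst"].split()),
            dst_port=m["port"], matches=int(m["matches"] or 0),
            sequence=int(m["seq"]) if m["seq"] else None))
    return entries


def port_number(port: Optional[str]) -> Optional[int]:
    """Resolve a numeric or named 'eq' port; None if absent or unknown."""
    if port is None:
        return None
    return int(port) if port.isdigit() else PORT_NAMES.get(port.lower())


def audit(entries: List[AclEntry]) -> List[str]:
    """Flag permit entries a reviewer should look at."""
    findings = []
    for e in entries:
        if e.action != "permit":
            continue
        where = f"{e.acl} sequence {e.sequence}"
        if e.source == "any" and port_number(e.dst_port) in CLEARTEXT_MGMT_PORTS:
            findings.append(f"{where}: permits cleartext service port "
                            f"{port_number(e.dst_port)} ({e.dst_port}) from any source")
        elif e.source == "any" and e.destination == "any" and e.dst_port is None:
            findings.append(f"{where}: permits all {e.protocol} traffic from any to any")
    return findings


def render_config(acl: str, entries: List[AclEntry], interface: str,
                  ipv6_address: str, direction: str) -> List[str]:
    """Produce the Step 1-3 IOS commands for one ACL applied to one interface."""
    lines = [f"ipv6 access-list {acl}"]                      # Step 1
    for e in entries:                                         # Step 2
        if e.acl != acl:
            continue
        parts = [e.action, e.protocol, e.source, e.destination]
        if e.dst_port:
            parts += ["eq", e.dst_port]
        if e.sequence is not None:
            parts += ["sequence", str(e.sequence)]
        lines.append(" " + " ".join(parts))
    lines += ["exit", f"interface {interface}", " no switchport",   # Step 3
              f" ipv6 address {ipv6_address}",
              f" ipv6 traffic-filter {acl} {direction}"]
    return lines


if __name__ == "__main__":
    parsed = parse_show_ipv6_access_list(SAMPLE_SHOW_OUTPUT)
    for finding in audit(parsed):
        print("REVIEW:", finding)
    print("\n".join(render_config("outbound", parsed, "gigabitethernet1/0/2",
                                  "2001::/64 eui-64", "out")))
```

Run against the sample, the audit reports the inbound entry at sequence 20 (Telnet permitted from any source) and the entry at sequence 30 (all UDP permitted any to any); the outbound list, being all deny statements, produces no findings. The same parser can be pointed at real device output to compare what is actually installed against what was intended, which is the "verify" part of this objective.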

CCNP Route Cram Notes, certexams.com