Configuring IPv6 Access Control Lists

IPv6 is extremely cool in all but it is not the holy grail of security and you must still use access-list to ensure infrastructure security. This lab will discuss and demonstrate the configuration and verification of IPv6 access control lists.

Real World Application & Core Knowledge

So if you’ve completed the previous 5 labs then you should have a knowledgeable understanding of IPv6 and IPv6 routing infrastructures. However one thing left to discuss remains of the utter most importance in any network; Security.

In the real world, the ability to prevent machines such as Student PC’s in a lab at a university from communicating to Enrollment Servers or Servers that host the database of the students grades is very important. There are some young students that have a knowledgeable understanding of SQL injection methods that could easily change their grades or even their finances. Of course the same could be applied to many companies such as a Hospital for example, you don’t want visitor PC’s to have the ability to access Servers that host protected health information about patients which could include identification information such as name, address, social security number and health information which should remain private. Regardless of the scenario there is ALWAYS a need for security in a network.

The first line of defense is Access Control List (ACL). When working with Access List keep in mind they are processed top down. So for example lets say you there is a teacher PC in a classroom that needs to access a server farm however other student PC’s are on the same network and they need to be denied access to the server farm. How can you achieve this desired policy?

Well on the first line of an ACL you can permit the teach PC that has the source address 2001:ABAD:BEEF:1001::5/64 access to nodes located in the the server farm located in the 2001::ABAD:BEEF:FADE::0/64 network however on the second line you can deny the network that the teacher PC and student PC’s are on which is 2001:ABAD:BEEF:1001::0/64 from accessing the server farm located at 2001:ABAD:BEEF:FADE::0/64. Since the ACL is processed top down this would permit the teacher PC to access the server farm network and deny student PC’s on the same source network from accessing servers located in the server farm because the teacher PC was processed first and permitted.

Configuring an IPv6 ACL is much like configuring an IPv4 ACL however you do not have numbered, standard or extended access-list. You have single type of IPv6 access list that can function like a standard or extended access-list. For example with a standard IPv4 ACL you can specified permit 10.0.0.0 any and an extended ACL can permit traffic from10.0.0.25 255.255.255.255 to access 10.20.5.81 255.255.255.25 equal to port 80.

With IPv6 ACL’s you have the same ability. You can use a standard broad statement that encompass all source traffic to any destination or you can get granular with the ACL statements and permit specific host to specific destinations based on source and destination port numbers.

To configure an IPv6 access list you’ll use the ipv6 access-list NAME command in global configuration. From there you’ll be placed into IPv6 access-list configuration mode where you have the ability to specify the ACL statements. an example is given below;

R1(config)#ipv6 access-list EXAMPLE_IPv6_ACL
R1(config-ipv6-acl)#sequence 10 permit 2001:ABAD:BEEF:1221::/64 any
R1(config-ipv6-acl)#sequence 20 deny tcp host 2001:ABAD:BEEF:2345::1 host
2001:ABAD:BEEF:1212::1 eq www
R1(config-ipv6-acl)#

As with any ACL you have the ability to assign the ACL to a particular interface in a particular direction, ingress or egress. (incoming or outgoing). Assigning an IPv6 access list to an interface is different then its processor. When assigning an IPv4 access list to an interface you used the ip access-list ACL_NAME in|out command in interface configuration mode. To assign an IPv6 ACL to an interface you’ll use the ipv6 traffic-filter ACL_NAME in|out command in interface configuration mode.

You can view current ACL statistics by using the show ipv6 access-list command in user or privileged mode.

Familiarize yourself with the following new command(s);

Command	Description
ipv6 access-list NAME	This command when executed in interface configuration mode enables OSPFv3 per specified process id and area id.
sequence seq#	This command is executed in IPv6 access-list configuration mode to insert a new sequence number in the list. You can delete or add ACL lines in specific spots of the ACL using sequence numbers.
ipv6 traffic-filter ACL_NAME in\|out	This command when executed in interface configuration mode will apply an Access Control List on an interface in an ingress or egress direction of the interface.
show ipv6 access-list	This command can be executed in user or privileged mode to view current Access Control List entries and statistics.

In this lab you will configure an Access-list on R2 to prevent traffic sourced from R1’s loopback interface destined to R3’s loopback0 interface be denied on port 80 and permit all other traffic.

The following logical topology will be used for this lab;

Lab Prerequisites

If you are using GNS3 than load the Free CCNA Workbook GNS3 topology than start device(s); R1, R2 and R3
Establish a console session with device(s) R1, R2 and R3 than load the initial configurations provided below by copying the config from the textbox and pasting it into the respected routers console.

!################################################## !# Free CCNA Workbook Lab 12-5 R1 Initial Config # !################################################## ! enable configure terminal ! hostname R1 no ip domain-lookup ipv6 unicast-routing ! interface Loopback0 description ### IPv6 SIMULATED NETWORK ### ipv6 address 2001:ABAD:BEEF:1001::1/64 ipv6 ospf network point-to-point ipv6 ospf 1 area 1 ! interface Serial0/0 description ### LINK TO FRAME RELAY SWITCH ### encapsulation frame-relay no frame-relay inverse-arp exit ! interface Serial0/0.122 point-to-point description ### LINK TO R2 ### ipv6 address 2001:ABAD:BEEF:1221::1/64 frame-relay interface-dlci 122 ipv6 ospf 1 area 0 exit ! ipv6 router ospf 1 router-id 1.1.1.1 log-adjacency-changes ! interface Serial0/0 no shutdown exit ! line con 0 logging sync no exec-timeout ! end !################################################## !# Free CCNA Workbook Lab 12-5 R2 Initial Config # !################################################## ! enable configure terminal ! hostname R2 no ip domain-lookup ipv6 unicast-routing ! interface Loopback0 description ### IPv6 SIMULATED NETWORK ### ipv6 address 2001:ABAD:BEEF:2002::1/64 ipv6 ospf network point-to-point ipv6 ospf 1 area 2 ! interface Serial0/0 description ### LINK TO FRAME RELAY SWITCH ### no ip address encapsulation frame-relay no frame-relay inverse-arp exit ! interface Serial0/0.221 point-to-point description ### LINK TO R1 ### ipv6 address 2001:ABAD:BEEF:1221::2/64 frame-relay interface-dlci 221 ipv6 ospf 1 area 0 exit ! interface Serial0/0.223 point-to-point description ### LINK TO R3 ### ipv6 address 2001:ABAD:BEEF:2332::2/64 frame-relay interface-dlci 223 ipv6 ospf 1 area 0 exit ! ipv6 router ospf 1 router-id 2.2.2.2 log-adjacency-changes ! interface Serial0/0 no shutdown exit ! line con 0 logging sync no exec-timeout ! end !################################################## !# Free CCNA Workbook Lab 12-5 R3 Initial Config # !################################################## ! enable configure terminal ! hostname R3 no ip domain-lookup ipv6 unicast-routing ! interface Loopback0 description ### IPv6 SIMULATED NETWORK ### ipv6 address 2001:ABAD:BEEF:3003::1/64 ipv6 ospf network point-to-point ipv6 ospf 1 area 3 ! interface Serial0/0 description ### LINK TO FRAME RELAY SWITCH ### encapsulation frame-relay no frame-relay inverse-arp exit ! interface Serial0/0.322 point-to-point description ### LINK TO R2 ### ipv6 address 2001:ABAD:BEEF:2332::3/64 frame-relay interface-dlci 322 ipv6 ospf 1 area 0 exit ! ipv6 router ospf 1 router-id 3.3.3.3 log-adjacency-changes ! interface Serial0/0 no shutdown exit ! ip http server ! line con 0 logging sync no exec-timeout ! end

Lab Objectives

Verify that you’re able to ping R3’s loopback0 interface from R1’s Loopback0 interface.
Verify that you’re able to telnet from R1’s Loopback0 interface to R3’s Loopback0 interface via port 80 (WWW).
Configure an IPv6 ACL on R2 named TEST and deny R1’s Loopback0 interface access to R3’s Loopback interface Via port 80 then permit all other traffic.
Configure the newly created IPv6 ACL on R2 as an ingress traffic-filter on R2’s Serial0/0.221 sub-interface.
Verify that R1’s Loopback0 interface can still ping R3’s Loopback0 interface.
Verify that traffic sourced from R1’s Loopback0 is being denied access to R3’s Loopback0 interface via port 80 using the telnet.

Lab Instruction

Objective 1. – Verify that you’re able to ping R3’s loopback0 interface from R1’s Loopback0 interface.

R1#ping 2001:ABAD:BEEF:3003::1 source Loopback0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:ABAD:BEEF:3003::1, timeout
is 2 seconds:
Packet sent with a source address of 2001:ABAD:BEEF:1001::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/64 ms
R1#

Objective 2. – Verify that you’re able to telnet from R1’s Loopback0 interface to R3’s Loopback0 interface via port 80 (WWW).

Read Me

After establishing a connection, to exit press CTRL + C and enter then it should terminate the connection giving you an HTTP 400 error as shown below;

R1#telnet 2001:ABAD:BEEF:3003::1 www /source-interface loopback 0
Trying 2001:ABAD:BEEF:3003::1, 80 ... Open


^C
HTTP/1.1 400 Bad Request
Date: Sun, 19 Sep 2010 23:51:32 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 2001:ABAD:BEEF:3003::1 closed by foreign host]
R1#

Objective 3. – Configure an IPv6 ACL on R2 named TEST and deny R1’s Loopback0 interface access to R3’s Loopback interface Via port 80 then permit all other traffic.

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ipv6 access-list TEST
R2(config-ipv6-acl)#sequence 10 deny tcp 2001:ABAD:BEEF:1001::1/128 host
2001:ABAD:BEEF:3003::1 eq www   
R2(config-ipv6-acl)#sequence 20 permit any any
R2(config-ipv6-acl)#exit
R2(config)#

Objective 4. – Configure the newly created IPv6 ACL on R2 as an ingress traffic-filter on R2’s Serial0/0.221 sub-interface.

R2(config)#interface Serial0/0.221
R2(config-subif)#ipv6 traffic-filter TEST in
R2(config-subif)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#

Objective 5. – Verify that R1’s Loopback0 interface can still ping R3’s Loopback0 interface.

R1#ping 2001:ABAD:BEEF:3003::1 source Loopback0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:ABAD:BEEF:3003::1, timeout
is 2 seconds:
Packet sent with a source address of 2001:ABAD:BEEF:1001::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/72 ms
R1#

Objective 6. – Verify that traffic sourced from R1’s Loopback0 is being denied access to R3’s Loopback0 interface via port 80 using the telnet.

R1#telnet 2001:ABAD:BEEF:3003::1 www /source-interface loopback 0
Trying 2001:ABAD:BEEF:3003::1, 80 ... 
% Destination unreachable; gateway or host down

R1#

As shown above you can see that traffic from R1’s loopback0 destined to R3’s loopback0 interface via port 80 is now being dropped at R2. You can further verify this by viewing the Access List Statistics on R2 as shown below;

R2#show access-list TEST
IPv6 access list TEST
    deny tcp host 2001:ABAD:BEEF:1001::1 host 2001:ABAD:BEEF:3003::1
eq www (1 match) sequence 10
    permit ipv6 any any (32 matches) sequence 20
R2#

◄ Previous Lab