
In this video we're going to discuss IP version 6 access control lists, or IPv6 ACLs.
 In the same way as with IP version 4, IPv6 access control lists allow you to permit or
deny traffic in your network and are a component of a layered security model.
 In the real world, you don't necessarily just want to use access control lists for your
security. You want to implement firewalls and other mechanisms such as protocol
analyzers and intrusion prevention systems (IPS).
 But access lists are typically a first line of defense in security implementations.

 Now, IPv6 access lists share many of the same characteristics as IP version 4 access lists.
 So, the knowledge that you've gained when working with IP version 4 access lists
can also be applied to IPv6 access lists.
 They are very similar, but there are differences between the two that you need to be
aware of.
 Both of them, as an example, filter on the IP addresses of IP packets and on upper layer
protocols. So, as an example, you can filter on an IP version 4 address using an IP
version 4 access list.
 IPv6 access lists can also filter on a source IPv6 address or a destination IPv6
address. IPv6 access lists can also filter on ICMP, TCP or UDP.
 You could also use IPv6 access lists to implement quality of service policies in your
network or to filter routing advertisements.
 However, the CCNA course focuses on the use of IPv6 access lists to filter IPv6 packets
being received on, or being transmitted from, router interfaces.

Part 2

 Now, IPv6 access lists are similar to IP version 4 access lists.

 Here are some examples.
 Both can match the source IP address or destination IP address in the
protocol header: IPv6 ACLs on IPv6 addresses, IP version 4 access lists on IP version 4
addresses.
 Both can match individual host addresses or subnets (prefixes). In other
words, you can match an individual host in IPv6 and permit or deny that
host, or you could permit or deny an IP version 6 subnet.
 Both IP version 4 and IP version 6 access lists are applied in an inbound or outbound
direction on a layer 3 interface, such as a router's interface or a switch virtual
interface (SVI) on a switch.
 Both IP version 4 and IP version 6 access lists can match on transport layer protocol
information such as TCP or UDP source port number or destination port
number.
 Both can also match ICMP message types and codes. Be careful: there are
differences between the types and codes in IP version 6 versus IP version 4.
 Both have an implicit deny statement at the end that matches all remaining
packets. So, there is a deny any any at the end of both IP version 4 and IP version 6 access lists.
 Both also support time-based access lists.

 Now there are some differences between IP version 4 and IP version 6.

 IP version 4 access lists only match IP version 4 packets and not IP version
6, and also only match fields in IP version 4 headers. We have this concept of
ships in the night: IP version 6 is totally independent and separate from IP
version 4. So what IP version 4 is doing has nothing to do with IP version 6,
and what IP version 6 is doing has nothing to do with IP version 4.
 IP version 6 could be permitted but IP version 4 could be denied, as an
example.
 IP version 6 access lists match on IP version 6 addresses only. So they match
on source and destination IP version 6 addresses as well as other fields unique to
an IP version 6 header.

 Here are some examples of the differences between IP version 4 and IP version 6.

 IP version 4 access lists, once again, only match IP version 4 packets.
 IP version 6 access lists only match IP version 6 packets.
 IP version 4 access lists are identified by a name or a number.
 But IP version 6 access lists only use names.
 IP version 4 access lists identify whether an access list is extended or
standard by using either numbers, such as 1 to 99 for standard access lists
and 100 to 199 for extended access lists, or keywords such as standard or extended.
 IP version 6 access lists use a similar convention of standard and extended
access lists, but they're only differentiated by the use of a word rather than a
number, because numbers are not used in IP version 6.

 IP version 4 access lists can match on specific values unique to IP version 4,
such as precedence, type of service (ToS), TTL and fragments,
 whereas IP version 6 access lists match on specific values unique to an IP
version 6 header, such as a flow label or DSCP value,
as well as extension and option header values.
 IP version 6 access lists have some implicit permit statements at the end of each
access list, just above the implicit deny all at the end of the access list,
 whereas IP version 4 access lists do not have implicit permit statements.

Part 3

IP version 6 access lists, in a similar way to IP version 4 access lists, are applied to
interfaces either in an inbound or outbound direction.
 You could apply an IP version 6 access list to a router interface such as gigabit 0/0 or
serial 1/0.
 They can also be applied to switch virtual interfaces on a switch, such as interface
VLAN 2.
 Also remember that, because of ships in the night, IP version 4 and IP version 6
are independent of each other.
 So, you could have both an IP version 4 inbound and outbound access list as well
as an IP version 6 inbound and outbound access list on the same interface.
 The IP version 4 access lists have no effect on IP version 6 packets, and IP version 6
access lists have no effect on IP version 4 packets.
 In the same way as with IP version 4, in IP version 6 it makes sense to apply access lists on
ingress rather than egress interfaces to provide more security.
 So, on an Internet facing router you want an inbound access list denying traffic to
the network and to the router, rather than an access list on an egress interface, where the
router is already exposed to the Internet.
 So rather deny before processing, if required, instead of processing packets and then
dropping them. It's less secure to use an outbound access list on the perimeter
router's internal interface.
 Rather put it on the external interface and block traffic before it's processed by the
router's routing table.

 When traffic is leaving the internal or trusted network to go into the Internet, apply
it on the outbound interface.
 So, on the Internet facing interface on a router, traffic that arrives from the Internet is
processed ingress, or inbound.
 Traffic leaving the internal network to go to the Internet is processed outbound on
that Internet facing interface.
 As always with access lists, the hard part is determining how to filter traffic.
 The same applies to IP version 4 and IP version 6. What are you going to permit and
what are you going to deny?
 Generally, you want to permit only certain protocols or certain applications
and block everything else. So, in other words, anything that is not permitted
will be blocked. And that's why by default on Cisco devices there's a deny
any any at the end of an access list.
 So, for both IP version 4 and IP version 6, there's an implied deny any any.
 So, for IP version 6 we have deny ipv6 any any as the last rule in an
access list. So, unless you explicitly permit something, it's going to be denied.

 Now you can't simply copy your IP version 4 access lists and apply them to IP
version 6, because you have different protocols and you perhaps have different
requirements for IP version 6 versus IP version 4.
 It makes more sense to start with a brand-new IP version 6 policy and only permit
specific IP version 6 protocols rather than trying to copy your IP version 4 access list.

 So, you need to decide which IP version 6 packets and protocols are permitted
into your network, and which protocols and packets are permitted out of your
network.

Part 4
 One protocol that you want to be especially careful with is ICMPv6.
 Remember, in IP version 4 we use ARP to determine the MAC address of a
neighbor. ARP is no longer used in IP version 6.
 Neighbor discovery protocol, or NDP, is part of ICMP version 6. So, if you have
a blanket deny of ICMP version 6, it could inadvertently affect the communication
of devices in your IP version 6 network.
 ICMP is also used for path MTU discovery. So, don't just block ICMP version
6. Be careful blocking that protocol.

 In IP version 4, in some cases you don't want to block ICMP, but you can be a little
bit more lax about blocking ICMP in IP version 4 than in IP version 6.

 Be careful again: some protocols required for discovery and basic IP version 6
functionality require ICMP version 6.
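To make the ordering the video describes visible (explicit entries first, then the implicit neighbor discovery permits, then the implicit deny), here is an added Python model of IPv6 ACL evaluation; it is not Cisco code or part of the video. The IOS lines in the comments mirror real IOS syntax, while the EDGE-IN policy, the 2001:db8: addresses and the sample packets are constructed for the example.

```python
import ipaddress

# Added toy model (not Cisco code) of how IOS walks an IPv6 ACL: the first matching
# entry wins, and every IPv6 ACL ends with the implicit entries the video describes:
#   permit icmp any any nd-na   (neighbor advertisement, ICMPv6 type 136)
#   permit icmp any any nd-ns   (neighbor solicitation,  ICMPv6 type 135)
#   deny ipv6 any any
ND_NS, ND_NA, PACKET_TOO_BIG = 135, 136, 2

def ace(action, proto, src="any", dst="any", icmp_type=None):
    """One access control entry; src/dst are 'any' or a prefix in slash notation."""
    net = lambda s: None if s == "any" else ipaddress.IPv6Network(s)
    return {"action": action, "proto": proto, "src": net(src), "dst": net(dst),
            "icmp_type": icmp_type}

IMPLICIT_TAIL = [ace("permit", "icmp", icmp_type=ND_NA),
                 ace("permit", "icmp", icmp_type=ND_NS),
                 ace("deny", "ipv6")]

def ace_matches(entry, pkt):
    """pkt: {'proto': 'tcp'|'udp'|'icmp', 'src': str, 'dst': str, 'icmp_type': int|None}."""
    if entry["proto"] not in ("ipv6", pkt["proto"]):
        return False
    if entry["icmp_type"] is not None and entry["icmp_type"] != pkt.get("icmp_type"):
        return False
    src, dst = ipaddress.IPv6Address(pkt["src"]), ipaddress.IPv6Address(pkt["dst"])
    return ((entry["src"] is None or src in entry["src"]) and
            (entry["dst"] is None or dst in entry["dst"]))

def evaluate(acl, pkt):
    """Return (action, which entry) for the first match, implicit tail included."""
    for i, entry in enumerate(acl + IMPLICIT_TAIL):
        if ace_matches(entry, pkt):
            return entry["action"], ("explicit %d" % (i + 1) if i < len(acl) else "implicit")
    raise RuntimeError("unreachable: the implicit deny matches everything")

# Constructed inbound policy for an Internet-facing interface (ipv6 traffic-filter EDGE-IN in):
# reach the web prefix, keep the ICMPv6 message path MTU discovery needs, drop the rest.
EDGE_IN = [ace("permit", "tcp", dst="2001:db8:1::/64"),       # permit tcp any 2001:db8:1::/64
           ace("permit", "icmp", icmp_type=PACKET_TOO_BIG)]  # permit icmp any any packet-too-big
# Same policy with an explicit trailing deny (often added to get logging): it now sits
# BEFORE the implicit ND permits, so neighbor discovery on that interface is blocked.
EDGE_IN_LOGGED = EDGE_IN + [ace("deny", "ipv6")]              # deny ipv6 any any log

WEB = {"proto": "tcp", "src": "2001:db8:ffff::1", "dst": "2001:db8:1::10", "icmp_type": None}
NS = {"proto": "icmp", "src": "fe80::1", "dst": "ff02::1:ff00:10", "icmp_type": ND_NS}

if __name__ == "__main__":
    print(evaluate(EDGE_IN, WEB), evaluate(EDGE_IN, NS), evaluate(EDGE_IN_LOGGED, NS))
```

The fix for the logged variant is to add explicit permit icmp any any nd-na and nd-ns entries ahead of the explicit deny, so the neighbor discovery traffic the video warns about is still allowed.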
 Now, IP version 6 access lists, once again, are very similar to IP version 4.
 You need to be careful again with protocols that you use in IP version 4,
such as broadcast and ARP.
 IP version 6 doesn't use broadcasts. It uses multicast.
 So, to discover neighbors, we use neighbor discovery protocol and multicast
rather than using ARP and broadcast.
 IP version 6 also includes new fields such as a flow label and extension
headers, which are different from IP version 4.
 IP version 6 access lists allow you to match on:
 traffic classes,
 flow labels,
 the IPv6 next header field,
 source and destination 128-bit IPv6 addresses,
 upper-layer headers, that is higher layer protocols such as TCP and UDP
and their relevant port numbers, as well as flags such as SYN and
ACK.
 We also have ICMP version 6 types and codes that you could match
on,
 as well as IP version 6 extension header values and types. So be
careful. There are differences between IP version 6 access lists and
IP version 4 access lists.

 There are also limitations with IP version 6 access lists. IP version 6 tends
to have more tunnels than IP version 4.
 So, as an example, you may have IP version 6 packets transported
over an IP version 4 network using GRE tunnels.
 So be careful: if you try to block IP version 6 packets using an IP
version 6 access list and the traffic is tunneled within an IP version 4 GRE
tunnel, your access list won't work.
 In IP version 4 access lists, the wildcard mask doesn't have to be contiguous. In other
words, it doesn't have to look like this: 10.1.1.0 0.0.0.255. You could match all
odd IP addresses or even IP addresses by manipulating the inverse mask of an IP
version 4 access list.

 However, in IP version 6, you create IP version 6 access lists using a prefix length
number that indicates the number of contiguous prefix mask bits, which is very
different from IP version 4.
 In IP version 6 access lists, the prefix length number represents the number of
contiguous bits that will be matched for that IP version 6 address prefix.
 So, we use a slash notation, where the number after the slash indicates the number of
bits of the prefix length.
 That means, therefore, that you can only match on an IP version 6 address prefix
and cannot use a discontiguous mask with IP version 6 access lists. In addition, it's
very common to have prefix lengths that are evenly divisible by four. So, you'd use
things such as /48, /52, /56, /64 as an example. And it's not standard practice to
have a prefix length that doesn't fall on a hex digit boundary. That's very different
again from IP version 4.
 With IP version 4 addresses, you may have /22, /23, /24, but then /25 or /26. So, unlike
IP version 4, where you don't just use /8, /16, /24 or /32, that tends to be
the practice in IP version 6.
 So, as an example, when you match a /64, you are matching on a hex digit
boundary. Remember, hex digits are 4 binary bits in length. So, we use
/48, /52, /56, /60, /64 rather than something like /62.
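As an added illustration of the contiguous-prefix point above (example code, not from the video), the following Python compares the IPv4 inverse-mask check, which accepts a discontiguous mask such as 0.0.0.254 for odd hosts, with IPv6 prefix-length matching, which only ever compares the leading N bits. The addresses and masks are constructed.

```python
import ipaddress

# Added example (not from the video). In a Cisco IPv4 ACE the wildcard (inverse) mask
# has 0 bits meaning "must match" and 1 bits meaning "don't care"; the bits need not
# be contiguous. An IPv6 ACE takes only a prefix length, i.e. the first N bits.

def ipv4_wildcard_match(addr, base, wildcard):
    """IPv4 ACE semantics: (addr XOR base) must be zero wherever the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def ipv6_prefix_match(addr, prefix):
    """IPv6 ACE semantics: only the leading prefix-length bits are compared."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(addr) in net

def wildcard_to_prefix_length(wildcard):
    """Prefix length that a wildcard mask expresses, or None when its 1 bits are not
    contiguous (such a mask cannot be written as an IPv6 prefix length)."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:      # contiguous wildcard = all ones in its low bits
        return None
    return 32 - host_bits

def on_hex_digit_boundary(prefix_length):
    """The video's convention: /48, /52, /56, /60, /64 (multiples of 4) rather than /62."""
    return prefix_length % 4 == 0

if __name__ == "__main__":
    # Odd-host trick in IPv4: base 10.1.1.1 with wildcard 0.0.0.254 matches 10.1.1.7
    # but not 10.1.1.8, and that mask has no contiguous prefix equivalent.
    print(ipv4_wildcard_match("10.1.1.7", "10.1.1.1", "0.0.0.254"),
          ipv4_wildcard_match("10.1.1.8", "10.1.1.1", "0.0.0.254"),
          wildcard_to_prefix_length("0.0.0.254"))
    # IPv6 can only say "this /48": 2001:db8:1::/48 contains 2001:db8:1:2::1.
    print(ipv6_prefix_match("2001:db8:1:2::1", "2001:db8:1::/48"))
```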

 It's important to remember that excessive logging can negatively impact router
performance.
 The router CPU is involved when a log entry is created, therefore be careful using
the logging keyword. Just like with IP version 4, IP version 6 access lists don't deny
packets originating from the router itself.
 So, an outbound access list on a router interface will not block packets sent by
that router.
