IPv6-Access List
In this video we're going to discuss IP version 6 access control lists, or IPv6 ACLs.
In the same way as with IP version 4, IPv6 access control lists allow you to permit or
deny traffic in your network and are a component of a layered security model.
In the real world, you don't necessarily want to use only access control lists for your
security. You want to implement firewalls and other mechanisms such as protocol
analyzers and intrusion prevention systems (IPS).
But access lists are typically a first line of defense in security implementations.
Now, IPv6 access lists share many of the same characteristics as IP version 4 access lists.
So, the knowledge that you've gained when working with IP version 4 access lists
can also be applied to IPv6 access lists.
So, they are very similar, but there are differences between the two that you need to be
aware of.
Both of them, as an example, filter on the IP addresses of IP packets and on upper-layer
protocols. So, as an example, you can filter on an IP version 4 address using an IP
version 4 access list.
IPv6 access lists can also filter on a source IPv6 address or a destination IPv6
address. But IPv6 access lists can also filter on ICMP, TCP or UDP.
You could also use IPv6 access lists to implement quality of service policies in your
network or to filter routing advertisements.
However, the CCNA course focuses on the use of IPv6 access lists to filter IPv6 packets
being received on, or being transmitted from, router interfaces.
Part 2
Part 3
IP version 6 access lists, in a similar way to IP version 4 access lists, are applied to
interfaces in either an inbound or an outbound direction.
You could apply an IP version 6 access list to a router interface such as GigabitEthernet 0/0 or
Serial 1/0.
They can also be applied to switch virtual interfaces on a switch, such as interface
VLAN 2.
->Also remember that, because of "ships in the night", IP version 4 and IP version 6
are independent of each other.
So, you could have both an IP version 4 inbound and outbound access list as well
as an IP version 6 inbound and outbound access list on the same interface.
The IP version 4 access lists have no effect on IP version 6 packets, and IP version 6
access lists have no effect on IP version 4 packets.
In the same way as with IP version 4, in IP version 6 it makes sense to apply access lists on ingress rather than egress
interfaces to provide more security.
So, on an Internet-facing router you want an inbound access list on the external interface, denying traffic to
the network and to the router, rather than an access list on an egress interface, where the router itself is
exposed to the Internet.
So rather deny before processing, if required, instead of processing packets and then
dropping them. It's less secure to use an outbound access list on the perimeter
router's internal interface.
Rather put it on the external interface and block traffic before it's processed by the
router's routing table.
->When traffic is leaving the internal or trusted network to go to the Internet, apply
the access list in the outbound direction on the Internet-facing interface.
So, on the Internet-facing interface of a router, traffic that arrives from the Internet is
processed ingress, or inbound.
Traffic leaving the internal network to go to the Internet is processed outbound on
that Internet-facing interface.
->As always with access lists, the hard part is determining how to filter traffic.
The same applies to IP version 4 and IP version 6: what are you going to permit and
what are you going to deny?
Generally, you want to permit only certain protocols or certain applications
and block everything else. So, in other words, anything that is not permitted
will be blocked. And that's why, by default on Cisco devices, there's a deny
any any at the end of an access list.
So, for both IP version 4 and IP version 6, there's an implied deny any any.
So, for IP version 6 we have deny ipv6 any any as the last rule in an
access list. So, unless you explicitly permit something, it's going to be denied.
Now, you can't simply copy your IP version 4 access lists and apply them to IP
version 6, because you have different protocols and you perhaps have different
requirements for IP version 6 versus IP version 4.
It makes more sense to start with a brand-new IP version 6 policy and only permit
specific IP version 6 protocols, rather than trying to copy your IP version 4 access list.
->So, you need to decide which IP version 6 packets and protocols are permitted
into your network, and which protocols and packets are permitted out of your
network.
Part 4
One protocol that you want to be especially careful with is ICMPv6.
Remember, in IP version 4 we use ARP to determine the MAC address of a
neighbor. ARP is no longer used in IP version 6.
Neighbor Discovery Protocol, or NDP, is part of ICMP version 6. So, if you inadvertently have
a blanket deny of IP version 6 traffic, which also blocks ICMP version 6, it could affect the communication
of devices in your IP version 6 network.
ICMP version 6 is also used for path MTU discovery. So, don't just block ICMP version
6. Be careful blocking that protocol.
In IP version 4 there are also some cases where you don't want to block ICMP, but you can be a little
bit more laissez-faire about blocking ICMP in IP version 4 versus IP version 6.
Be careful again: some protocols required for discovery and basic IP version 6
functionality require ICMP version 6.
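As an added illustration of the first-match and implicit-deny behaviour described above, and of why an IPv6 policy needs explicit ICMPv6 permits before its final deny, here is a small Python evaluator. It is example code written for these notes, not Cisco's implementation. It parses a simplified subset of IOS-style IPv6 ACL entries (permit/deny; tcp, udp, icmp or ipv6; any, host or a prefix; eq port; a few ICMPv6 type keywords) and appends the entries that IOS documents as implicit at the end of every IPv6 ACL: permit icmp any any nd-na, permit icmp any any nd-ns, deny ipv6 any any. The sample ACLs, packets and 2001:db8::/32 documentation addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv6 type keywords accepted by this simplified parser (a subset of the
# IOS-style keywords) mapped to their ICMPv6 type numbers.
ICMPV6_TYPES = {
    "nd-ns": 135,          # neighbor solicitation (replaces ARP request)
    "nd-na": 136,          # neighbor advertisement (replaces ARP reply)
    "packet-too-big": 2,   # needed for path MTU discovery
}

# Entries IOS appends to every IPv6 ACL after the configured lines: NDP
# solicitations/advertisements are permitted, then everything else is denied.
IMPLICIT_TAIL = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMPv6 type number

@dataclass
class Rule:
    action: str
    proto: str                       # "tcp", "udp", "icmp" or "ipv6" (any)
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

def _take_address(tokens):
    # Consume 'any', 'host <addr>' or '<prefix>/<len>' from the token list.
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv6Network("::/0")
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(tok, strict=False)

def parse_rule(line: str) -> Rule:
    """Parse one entry such as 'permit tcp any host 2001:db8:1::10 eq 443'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    rule = Rule(action, proto, _take_address(tokens), _take_address(tokens))
    if proto == "icmp" and tokens and tokens[0] in ICMPV6_TYPES:
        rule.icmp_type = ICMPV6_TYPES[tokens[0]]
    elif len(tokens) >= 2 and tokens[0] == "eq":
        rule.dport = int(tokens[1])
    return rule  # a trailing 'log' keyword does not affect matching

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field a rule specifies must agree with the packet."""
    if rule.proto != "ipv6" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv6Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv6Address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return rule.icmp_type is None or rule.icmp_type == pkt.icmp_type

def evaluate(acl_lines, pkt: Packet) -> str:
    """First-match evaluation: configured entries, then the implicit tail."""
    for line in list(acl_lines) + IMPLICIT_TAIL:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule.action
    raise AssertionError("unreachable: the implicit deny matches everything")

# Constructed inbound policy for an Internet-facing interface: NDP and
# path-MTU-discovery messages are permitted explicitly before the final deny.
INBOUND_OK = [
    "permit icmp any any nd-ns",
    "permit icmp any any nd-na",
    "permit icmp any any packet-too-big",
    "permit tcp any host 2001:db8:1::10 eq 443",
    "deny ipv6 any any log",
]

# Same policy minus the ICMPv6 lines: the explicit deny now sits before the
# implicit NDP permits, so neighbor discovery on that link breaks.
INBOUND_BROKEN = [
    "permit tcp any host 2001:db8:1::10 eq 443",
    "deny ipv6 any any log",
]

# Constructed sample packets (documentation prefix 2001:db8::/32).
NS = Packet("icmp", "fe80::1", "ff02::1:ff00:10", icmp_type=135)
HTTPS = Packet("tcp", "2001:db8:ffff::5", "2001:db8:1::10", dport=443)
SSH = Packet("tcp", "2001:db8:ffff::5", "2001:db8:1::10", dport=22)
DNS = Packet("udp", "2001:db8:ffff::5", "2001:db8:1::53", dport=53)

if __name__ == "__main__":  # run stand-alone to see each verdict
    for pkt in (NS, HTTPS, SSH, DNS):
        print(pkt.proto, pkt.dst, evaluate(INBOUND_OK, pkt), evaluate(INBOUND_BROKEN, pkt))
```

Running it shows the neighbor solicitation permitted by INBOUND_OK but denied by INBOUND_BROKEN, while the HTTPS packet is permitted by both and SSH and DNS are denied by both. The caveat the model encodes is that IOS only protects NDP with its implicit permits when your own entries do not match first; the common explicit deny ipv6 any any log at the end of a list (often added just to get logging) is exactly what overrides them, so write your ICMPv6 permits above it. On IOS the list is then attached to the interface with ipv6 traffic-filter NAME in (or out).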
->Now, IP version 6 access lists are once again very similar to IP version 4.
You need to be careful again with protocols that you use in IP version 4,
such as broadcast and ARP.
IP version 6 doesn't use broadcasts. It uses multicast.
So, to discover neighbors, we use Neighbor Discovery Protocol and multicast
rather than using ARP and broadcast.
IP version 6 also includes new fields such as the Flow Label and extension
headers, which are different from IP version 4.
IP version 6 access lists allow you to match on:
traffic classes,
flow labels,
the IPv6 next header field,
source and destination 128-bit IPv6 addresses,
upper-layer headers, i.e. higher-layer protocols such as TCP and UDP
and their relevant port numbers, as well as flags such as SYN and ACK,
ICMP version 6 types and codes,
as well as IP version 6 extension header values and types. So be
careful: there are differences between IP version 6 access lists and
IP version 4 access lists.
->However, in IP version 6 you create IP version 6 access lists using a prefix length
number that indicates the number of contiguous prefix mask bits. That's very
different to IP version 4.
In IP version 6 access lists, the prefix length number represents the number of
contiguous bits that will be matched for that IP version 6 address prefix.
So, we use slash notation, where the number after the slash indicates the number of
bits of the prefix length.
That means, therefore, that you can only match on an IP version 6 address prefix
and cannot use a discontiguous mask with IP version 6 access lists. In addition, it's
very common to have prefix lengths that are evenly divisible by four. So, you'd use
things such as /48, /52, /56 or /64, as an example. And it's not standard practice to
have a prefix length that doesn't fall on a hex digit boundary. That's very different
again to IP version 4.
With IP version 4 addresses, you may have /22, /23 or /24, but then also /25 or /26. So, unlike
IP version 4, where you don't just use /8, /16, /24 or /32, staying on those boundaries tends to be
the practice in IP version 6.
So, as an example, when you match on a /64, you are matching on a hex digit
boundary. Remember, hex digits are 4 binary bits in length. So, we use
/48, /52, /56, /60 or /64 rather than something like /62.
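To make the prefix-length matching concrete, here is an added Python example (written for these notes, using only the standard ipaddress module, not Cisco code). It shows that an IPv6 ACL prefix is a contiguous run of leading mask bits, that a /62 entry silently covers four /64 networks because it cuts through the middle of a hex digit, and it includes a small lint helper that flags prefix lengths which are not a multiple of four. The addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress

def prefix_matches(address: str, prefix: str) -> bool:
    """True when the leading prefix-length bits of the address equal those of
    the prefix, which is the only kind of match an IPv6 ACL entry can express."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix, strict=False)

def contiguous_mask(prefix_len: int) -> str:
    """The 128-bit mask a /prefix_len entry implies: that many leading one bits,
    then zeros. There is no way to write a discontiguous mask."""
    return str(ipaddress.IPv6Network(f"::/{prefix_len}").netmask)

def on_hex_digit_boundary(prefix_len: int) -> bool:
    """A hex digit is four bits, so /48, /52, /56, /60 and /64 end on a digit."""
    return prefix_len % 4 == 0

def covered_subnets(prefix: str, new_len: int) -> list:
    """The /new_len subnets a coarser prefix absorbs; shows that a /62 entry
    matches four /64s because it fixes only two bits of the last hex digit."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_len)]

def check_acl_prefix(prefix: str) -> str:
    """Lint helper for an ACL entry: flag prefix lengths off a hex-digit boundary."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if on_hex_digit_boundary(net.prefixlen):
        return f"{net}: ok"
    lower = net.prefixlen - net.prefixlen % 4
    return (f"{net}: /{net.prefixlen} splits a hex digit; "
            f"nearest boundaries are /{lower} and /{lower + 4}")

if __name__ == "__main__":
    # Constructed examples in the 2001:db8::/32 documentation range.
    print(prefix_matches("2001:db8:1:4:abcd::1", "2001:db8:1:4::/64"))  # True
    print(contiguous_mask(64), contiguous_mask(62))
    print(covered_subnets("2001:db8:1:4::/62", 64))
    print(check_acl_prefix("2001:db8:1:4::/62"))
```

The mask for /62 comes out as ffff:ffff:ffff:fffc::, so an entry for 2001:db8:1:4::/62 also matches 2001:db8:1:5::, 2001:db8:1:6:: and 2001:db8:1:7::, which is easy to misread when you scan the list by eye. Keeping ACL prefixes on /48, /52, /56, /60 or /64 means each prefix boundary lines up with a written hex digit and the covered range can be read straight off the address.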
It's important to remember that excessive logging can negatively impact router
performance.
The router CPU is involved when a log entry is created, therefore be careful using
the logging keyword. Just like with IP version 4, IP version 6 access lists don't deny
packets originating from the router itself.
So, an outbound access list on a router interface will not block packets sent by
that router.