training:apnic-ipv6-nc:2-securing-router

training:apnic-ipv6-nc:2-securing-router [2018/03/19 18:06] philip
training:apnic-ipv6-nc:2-securing-router [2018/03/19 18:09] (current) – [Login Banner] philip
Line 54: Line 54:
   IPv6 Workshop Lab   IPv6 Workshop Lab
   ^   ^
- 
-And here is a more complex example, but typical of one used on Internet backbones: 
  
 The above banner is not very sophisticated, or helpful, or informative. It is better to have one which makes very clear that access is only for authorised personnel, something like this: The above banner is not very sophisticated, or helpful, or informative. It is better to have one which makes very clear that access is only for authorised personnel, something like this:
  
-   This system is the property of PFS Internet Development Pty Ltd +  banner login ^ 
-    +  This system is the property of PFS Internet Development Pty Ltd 
-               Access is for authorised persons only. +   
-    +              Access is for authorised persons only. 
-      Unauthorised access is forbidden and subject to criminal +   
-   and civil penalties.  By accessing this system you acknowledge +     Unauthorised access is forbidden and subject to criminal 
-               that your actions will be monitored. +  and civil penalties.  By accessing this system you acknowledge 
-    +              that your actions will be monitored. 
-           For assistance, please contact +61 1 2345 6789 +   
 +          For assistance, please contact +61 1 2345 6789 
 +  ^
  
 ==== Logging ==== ==== Logging ====
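Review bot: the new `banner login ^ ... ^` wrapper is correct only because no `^` appears in the banner body; since readers will paste in their own legal text, the paragraph should state that the chosen delimiter must not occur anywhere inside the banner or IOS will end it early. Separately, the banner names the owning organisation and a support phone number; pre-authentication banners are usually kept free of organisation and device details, so either explain that these are included for the lab or drop them from the example.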
Line 83: Line 82:
  
  
-This command set will set the log source interface to the Loopback 0 interface, trap level to debug (i.e. most detailed), create a 16K buffer on the router and store the most detailed logs there, and any logs sent to the 192.168.1.4 loghost should be sent using syslog facility local4.+This command set will set the log source interface to the Loopback 0 interface, trap level to debug (i.e. most detailed), create a 16K buffer on the router and store the most detailed logs there, and any logs sent to any loghost should be sent using syslog facility local4.
  
 It is highly desirable (if not best practice) to disable logging to the router console. If you still haven’t done this then the command to do so is no logging console. Console logging is on by default in IOS. It is highly desirable (if not best practice) to disable logging to the router console. If you still haven’t done this then the command to do so is no logging console. Console logging is on by default in IOS.
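Review bot: generalising "192.168.1.4 loghost" to "any loghost" is right, because `logging facility` is a global setting that applies to every configured syslog host, but the command set this paragraph describes is outside the hunk; confirm that its `logging host` line no longer hard-codes 192.168.1.4 or the prose and the listing will disagree. Also worth a sentence: "trap level to debug" forwards every message, including debug output, to the syslog host, which is fine for the lab but is normally lowered (for example to informational) on production routers.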
Line 102: Line 101:
 Replace //ipv6-address// with the IPv6 address of the **host** you would like to have access. Test this with routers in the same AS; which means that routers in the same AS should permit telnet access from the others. Take the IPv6 address of the physical interface of the adjacent router connecting to your router, and add that into the access-list you have configured.  Replace //ipv6-address// with the IPv6 address of the **host** you would like to have access. Test this with routers in the same AS; which means that routers in the same AS should permit telnet access from the others. Take the IPv6 address of the physical interface of the adjacent router connecting to your router, and add that into the access-list you have configured. 
  
-Now try and include the loopback addresses, as we should normally be telnetting from router to router sourced from the loopback interface. From the address plan, you can see that the loopbacks for the routers in our AS come from 2001:DB8:X0:0::/64 - the first /64 in the IPv6 address block. Update the configuration as per this example:+Now try and include the loopback addresses, as we should normally be telnetting from router to router sourced from the loopback interface. From the address plan, you can see that the loopbacks for the routers in our AS come from 2001:DB8:X:0::/64 - the first /64 in the IPv6 address block. Update the configuration as per this example:
  
   ipv6 access-list v6-vty-filter   ipv6 access-list v6-vty-filter
-   permit 2001:DB8:X0:0::/64 any+   permit 2001:DB8:X:0::/64 any
  
  
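Review bot: the placeholder changes from X0 to X, but neither version says what X stands for (the lab AS or pod number), so the relation between 2001:DB8:X:0::/64 here and the AS10 and 2001:db8:1::1 examples later on the page is left to the reader; a one-line definition of X next to the address plan reference would fix that. The access-list shown has only permit entries; since an IPv6 access-list applied to the VTY lines ends with an implicit deny, the text should say explicitly that any source outside the loopback /64 and the individually added interface addresses is refused.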
Line 111: Line 110:
 ==== Applying the filter to the VTY ports ==== ==== Applying the filter to the VTY ports ====
  
-Once the filter is set up, apply it to the vty ports on the router, as in the following example for the Core router on AS101:+Once the filter is set up, apply it to the vty ports on the router, as in the following example for the Core router on AS10:
  
  
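Review bot: the example AS changes from AS101 to AS10 in this sentence, but the configuration listing it introduces is outside the hunk; check that its hostname, loopback address and the `access-class` line on the vty ports were updated to match, otherwise the prose and the example disagree.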
Line 161: Line 160:
  
  
-  C1# ssh 2001:db8:10::1+  C1# ssh 2001:db8:1::1
   Password:   Password:
  
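Review bot: the ssh target becomes 2001:db8:1::1, which falls inside the permitted 2001:DB8:X:0::/64 only when X is 1; the earlier text says router-to-router sessions should be sourced from the loopback, yet the example shows neither how the session is sourced nor what happens after the Password: prompt, so the reader cannot tell whether the VTY filter is actually being exercised. Suggest showing the loopback-sourced session and its expected result, and a second attempt from a non-permitted source being refused, so the filter's effect is visible.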
training/apnic-ipv6-nc/2-securing-router.1521443214.txt.gz · Last modified: 2018/03/19 18:06 by philip