
IPv6 Infrastructure Lab - Traffic Filters

Configuring Outbound IPv6 Traffic Filters

We now configure a traffic filter so that only traffic sourced from your own address block leaves your network (this is the BCP38 requirement). Note that this configuration goes on the border router, where your network connects to your transit provider.

ipv6 access-list ipv6-packetfilter
 permit ipv6 2001:db8:X0::/48 any
 permit icmp any any
 deny ipv6 any any log

interface fastethernet 0/0
 ipv6 traffic-filter ipv6-packetfilter out

What happens? Look in the router’s logs. Can you explain what you see? Why do your external BGP sessions go down?

We now need to fix the outbound packet filter so that the point-to-point link address towards the upstream provider is also permitted. The revised packet filter (for Group 4) would look like this:

ipv6 access-list ipv6-packetfilter
 permit ipv6 2001:19:0:10::/127 any
 permit ipv6 2001:db8:40::/48 any
 permit icmp any any
 deny ipv6 any any log

Your BGP session with the upstream provider should now re-establish itself.
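As an added illustration (not part of the lab material), the following Python model evaluates the two Group 4 filters above with first-match semantics against a few constructed packets. It shows why the first filter breaks the eBGP session (BGP is TCP, sourced from the point-to-point link address, which neither the 2001:db8:40::/48 line nor the ICMP line covers) and why the revised filter restores it while still dropping packets with a spoofed source. The assignment of ::1 to our side of the /127 link and the sample destination addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed copies of the two access-lists from the lab as
# (action, protocol, source, destination); "::/0" stands for "any".
ACL_FIRST = [
    ("permit", "ipv6", "2001:db8:40::/48", "::/0"),
    ("permit", "icmp", "::/0", "::/0"),
    ("deny",   "ipv6", "::/0", "::/0"),
]
ACL_REVISED = [
    ("permit", "ipv6", "2001:19:0:10::/127", "::/0"),
    ("permit", "ipv6", "2001:db8:40::/48", "::/0"),
    ("permit", "icmp", "::/0", "::/0"),
    ("deny",   "ipv6", "::/0", "::/0"),
]


def evaluate(acl, proto, src, dst):
    """Return (action, entry_number) of the first entry that matches.

    Protocol "ipv6" matches any transport protocol, as in IOS.
    If nothing matches, the implicit deny at the end of the list applies.
    """
    s, d = ip_address(src), ip_address(dst)
    for n, (action, p, src_net, dst_net) in enumerate(acl, start=1):
        if p != "ipv6" and p != proto:
            continue
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action, n
    return "deny", len(acl) + 1  # implicit deny ipv6 any any


# Constructed sample traffic leaving the border router (assumption:
# our end of the point-to-point link is ::1, the upstream end is ::0).
SAMPLES = {
    "bgp_from_p2p":       ("tcp",  "2001:19:0:10::1",  "2001:19:0:10::"),
    "icmp_from_p2p":      ("icmp", "2001:19:0:10::1",  "2001:19:0:10::"),
    "web_from_our_block": ("tcp",  "2001:db8:40:1::10", "2001:db8::1"),
    "spoofed_source":     ("tcp",  "2001:db8:99::1",   "2001:db8::1"),
}


def outcome(acl):
    """Map each sample packet name to the action the filter takes on it."""
    return {name: evaluate(acl, *pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("first", ACL_FIRST), ("revised", ACL_REVISED)):
        print(label, outcome(acl))
```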

Inbound packet filtering for IPv6 testing

We will now create an access-list which can be used for initial IPv6 testing. It shows how to trap and test for the various traffic types arriving on a router’s interface.

ipv6 access-list v6starter
 permit icmp any 2001:db8:X0::/32 echo-reply log-input
 permit icmp any 2001:db8:X0::/32 echo-request log-input
 permit icmp any 2001:db8:X0::/32 time-exceeded log-input
 permit icmp any 2001:db8:X0::/32 packet-too-big log-input
 permit icmp any 2001:db8:X0::/32 parameter-problem log-input
 permit ipv6 any host <specific host> log-input
 deny ipv6 any any log-input
!
interface fastethernet 0/0
 ipv6 traffic-filter v6starter in
!

Note that ‘log-input’ has been included to check what IPv6 traffic is coming in from the outside. Send some IPv6 pings and see whether you can see the traffic with ‘show log’.

Note: ‘log’ simply displays the source and destination addresses in the log messages; ‘log-input’ includes the input interface as well.

Disabling Router Advertisement on interfaces

Interfaces on core infrastructure routers are generally manually configured, and so are the devices connected to them. We now want to disable auto-configuration of IPv6 addresses on our router’s ethernet interfaces and disable the announcement of a default route. This prevents anyone connecting a device to that ethernet from automatically getting an IPv6 configuration and thus IPv6 connectivity. The following commands show what needs to be done for a FastEthernet interface.

interface fastethernet 1/0
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress all
!

Each group should do this for all active interfaces on the routers in their AS.

training/cnnic/4-traffic-filters.txt · Last modified: 2016/10/23 16:53 by philip