training:itu-ipv6:3-traffic-filters [2016/05/22 08:58] (current)
IPv6 Security Lab - Traffic Filters
===================================

### Configuring IPv6 Traffic Filters

We now configure a traffic filter so that only packets sourced from your own address block can leave your network (this is the BCP38 requirement: a network must not emit packets carrying source addresses it does not hold). Note that this configuration goes on the **border** router, where your network connects to your transit provider.

  ipv6 access-list ipv6-packetfilter
   permit ipv6 2001:db8:X0::/48 any
   permit icmp any any
   deny ipv6 any any log
   exit
  interface fastethernet 0/0
   ipv6 traffic-filter ipv6-packetfilter out


What happens? Look in the router’s logs. Can you explain what you see? Why do your external BGP sessions go down? (Hint: the filter permits only sources inside 2001:db8:X0::/48. If your link to the transit provider is numbered from the provider’s block rather than from your /48, compare that with the source address the router’s own BGP packets carry.)

### Inbound packet filtering for IPv6 testing

We will now create an access-list which can be used for initial IPv6 testing. It shows how to trap and test for the various traffic types arriving on a router’s interface.


  ipv6 access-list v6starter
   permit icmp any 2001:db8:X0::/48 echo-reply log-input
   permit icmp any 2001:db8:X0::/48 echo-request log-input
   permit icmp any 2001:db8:X0::/48 time-exceeded log-input
   permit icmp any 2001:db8:X0::/48 packet-too-big log-input
   permit icmp any 2001:db8:X0::/48 parameter-problem log-input
   permit ipv6 any host <specific host> log-input
   deny ipv6 any any log-input
  !
  interface fastethernet 0/0
   ipv6 traffic-filter v6starter in
  !


Note that ‘log-input’ has been included so that you can check what IPv6 traffic is coming in from the outside. Send some IPv6 pings and see whether the traffic shows up in ‘show logging’ (‘show log’ for short). ACL logging is done in software and is rate-limited, so it is a testing aid, not something to leave on a busy production filter.

Note: ‘log’ simply records the source and destination addresses in the log messages. ‘log-input’ includes the input interface as well.

Note also that an explicit ‘deny ipv6 any any’ at the end of an IPv6 access-list overrides the implicit ‘permit icmp any any nd-ns’ and ‘permit icmp any any nd-na’ entries that IOS otherwise places before its implicit deny. Neighbor Discovery on the interface therefore keeps working only if those ICMPv6 messages are permitted explicitly (the outbound filter above does this with its ‘permit icmp any any’ line).
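To reason about what the two access-lists above let through, here is a small Python model, added as an example and not part of the lab material or of IOS: it parses the permit/deny lines in IOS syntax and runs constructed sample packets through first-match evaluation. It models only the fields the lab ACLs use (protocol, source and destination prefix, ICMPv6 type) and leaves out IOS details such as the implicit ND permits. It assumes group number X is 1 (so the block is 2001:db8:10::/48), that ‘<specific host>’ is the router address 2001:db8:10::1, and that the transit link is numbered from a provider prefix 2001:db8:ffff:1::/64; all three are assumptions. It also shows what a destination written with too short a prefix length would match, which is why the destination in the inbound list must be your /48 and not a /32.

```python
"""Model of how the lab's IPv6 ACLs classify packets (added example, not lab code).
Assumes group X = 1 (block 2001:db8:10::/48), '<specific host>' = 2001:db8:10::1,
and a transit link numbered from the provider's 2001:db8:ffff:1::/64."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv6 keywords used in the lab ACLs -> message type numbers (RFC 4443).
ICMP_TYPES = {"packet-too-big": 2, "time-exceeded": 3, "parameter-problem": 4,
              "echo-request": 128, "echo-reply": 129}

BCP38_OUT = """
permit ipv6 2001:db8:10::/48 any
permit icmp any any
deny ipv6 any any log
"""
V6STARTER_IN = """
permit icmp any 2001:db8:10::/48 echo-reply log-input
permit icmp any 2001:db8:10::/48 echo-request log-input
permit icmp any 2001:db8:10::/48 time-exceeded log-input
permit icmp any 2001:db8:10::/48 packet-too-big log-input
permit icmp any 2001:db8:10::/48 parameter-problem log-input
permit ipv6 any host 2001:db8:10::1 log-input
deny ipv6 any any log-input
"""

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp" (ICMPv6)
    src: str
    dst: str
    icmp_type: Optional[int] = None

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ipv6" matches every protocol
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp_type: Optional[int]        # None: any ICMPv6 type

def _take_addr(toks):
    """Consume one address term: 'any', 'host <addr>' or '<prefix>/<len>'."""
    if toks[0] == "any":
        return ipaddress.IPv6Network("::/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv6Network(toks[1] + "/128"), toks[2:]
    # strict=False masks host bits as a prefix match does: 2001:db8:10::/32 -> 2001:db8::/32
    return ipaddress.IPv6Network(toks[0], strict=False), toks[1:]

def parse_acl(text):
    """Parse IOS-style permit/deny lines; header, 'exit' and '!' lines are skipped."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        src, rest = _take_addr(toks[2:])
        dst, rest = _take_addr(rest)
        icmp_type = None
        for t in rest:
            if t in ICMP_TYPES:
                icmp_type = ICMP_TYPES[t]
            elif t not in ("log", "log-input"):   # logging keywords do not affect matching
                raise ValueError(f"unsupported keyword {t!r}: {line.strip()}")
        rules.append(Rule(toks[0], toks[1], src, dst, icmp_type))
    return rules

def evaluate(rules, pkt):
    """First match wins. Returns (action, 1-based line); (deny, None) is the implicit deny."""
    src, dst = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
    for i, r in enumerate(rules, 1):
        if r.proto != "ipv6" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.icmp_type is not None and pkt.icmp_type != r.icmp_type:
            continue
        return r.action, i
    return "deny", None

def verdicts(acl_text, pkts):
    """Run every named sample packet through the ACL -> {name: (action, line)}."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, p) for name, p in pkts.items()}

# Constructed sample packets, not captured traffic.
OUTBOUND = {
    "lan-host-to-web":        Packet("tcp", "2001:db8:10:1::5", "2001:db8:ffff::80"),
    "ebgp-from-transit-link": Packet("tcp", "2001:db8:ffff:1::2", "2001:db8:ffff:1::1"),
    "nd-solicit":             Packet("icmp", "fe80::1", "ff02::1:ff00:1", 135),
    "spoofed-other-group":    Packet("tcp", "2001:db8:20::1", "2001:db8:ffff::80"),
}
INBOUND = {
    "ping-router":       Packet("icmp", "2001:db8:ffff::5", "2001:db8:10::1", 128),
    "ssh-router":        Packet("tcp", "2001:db8:ffff::5", "2001:db8:10::1"),
    "ssh-lan-host":      Packet("tcp", "2001:db8:ffff::5", "2001:db8:10:1::5"),
    "redirect-lan-host": Packet("icmp", "2001:db8:ffff::5", "2001:db8:10:1::5", 137),
}
```

Running verdicts(BCP38_OUT, OUTBOUND) shows the LAN host’s traffic permitted by line 1 and the Neighbor Solicitation permitted by line 2, while both the spoofed packet and the BGP segment sourced from the transit-link address fall through to the logged deny on line 3. verdicts(V6STARTER_IN, INBOUND) permits the echo-request (line 2) and anything to the named host (line 6) but denies a TCP connection or an ICMPv6 redirect to an ordinary LAN host (line 7).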

### Disabling Router Advertisement on interfaces

Interfaces on core infrastructure routers are generally manually configured, and so are the devices connected to them. We therefore disable auto-configuration of IPv6 addresses on our router’s Ethernet interfaces and stop the router announcing itself as a default router. This prevents anyone connecting a device to that Ethernet segment and automatically obtaining an IPv6 address and a default route, and with them IPv6 connectivity. Both come from the Router Advertisement: ‘ipv6 nd prefix default no-advertise’ stops the router advertising its prefixes, and ‘ipv6 nd ra suppress all’ stops it sending RAs at all, including replies to Router Solicitations (without ‘all’, only the periodic RAs are suppressed and the router still answers solicitations). Note that this only stops this router from sending RAs; it does not stop other devices on the segment from sending them. The following commands show what needs to be done for a GigabitEthernet interface.


  interface gigabit 1/0
   ipv6 nd prefix default no-advertise
   ipv6 nd ra suppress all
  !


Each group should do this for all active interfaces on the routers in their AS.
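To check that no active interface has been missed, here is an added Python audit script (not part of the lab material) that splits a saved ‘show running-config’ into interface stanzas and reports which IPv6-enabled, non-shutdown, non-loopback interfaces lack either command. The configuration it runs on is constructed for the example. It deliberately treats the plain ‘ipv6 nd ra suppress’ form as not good enough, since that variant still answers Router Solicitations.

```python
"""Audit an IOS running-config for IPv6 interfaces that still send Router
Advertisements (added example, not lab material). The config below is constructed."""
from typing import Dict, List

# Both commands from the lab must be present on every active IPv6 interface.
REQUIRED = ("ipv6 nd prefix default no-advertise", "ipv6 nd ra suppress all")

# Constructed sample of 'show running-config' output, not from a real router.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0
 description to core
 ipv6 address 2001:db8:10:1::1/64
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress all
!
interface GigabitEthernet1/1
 description to distribution
 ipv6 address 2001:db8:10:2::1/64
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress
!
interface FastEthernet0/0
 description to transit provider
 ipv6 address 2001:db8:ffff:1::2/64
!
interface GigabitEthernet1/2
 shutdown
 ipv6 address 2001:db8:10:3::1/64
!
interface Loopback0
 ipv6 address 2001:db8:10::1/128
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its indented commands]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or a top-level command ends the stanza
    return stanzas


def ra_audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [missing commands]} for active, IPv6-enabled interfaces.
    Loopbacks (no link to send RAs on) and shut-down interfaces are skipped."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith("loopback") or "shutdown" in cmds:
            continue
        if not any(c.startswith("ipv6 address") or c == "ipv6 enable" for c in cmds):
            continue
        # Exact match on purpose: 'ipv6 nd ra suppress' without 'all' still
        # answers Router Solicitations, so it does not satisfy the requirement.
        missing = [cmd for cmd in REQUIRED if cmd not in cmds]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for iface, missing in ra_audit(SAMPLE_CONFIG).items():
        print(f"{iface}: missing {', '.join(missing)}")
```

On the sample config this reports GigabitEthernet1/1 (only the ‘all’ form is missing) and FastEthernet0/0 (both commands missing); GigabitEthernet1/0 is clean, GigabitEthernet1/2 is shut down and Loopback0 has no link, so they are not listed. To audit a real router, paste its running-config into a file and pass the file’s contents to ra_audit instead of SAMPLE_CONFIG.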