IPv6 Security Lab - Traffic Filters
===================================

### Configuring IPv6 Traffic Filters

We now configure a traffic filter that only allows traffic sourced from your own address block out of your network (this is the BCP38 requirement). Note that this configuration goes on the **border** router, where your network connects to your transit provider.

    ipv6 access-list ipv6-packetfilter


     deny ipv6 any any log
    exit
    interface fastethernet 0/0
     ipv6 traffic-filter ipv6-packetfilter out

What happens? Look in the router's logs. Can you explain what you see? Why do your external BGP sessions go down?
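The egress filter above, evaluated in a small first-match model that is an added example and not part of the lab material. The site prefix 2001:db8:100::/48 and the sample packets are constructed, and the model also appends the implicit neighbour-discovery entries that Cisco documents at the end of every IPv6 access list, so you can see what the explicit `deny ipv6 any any` changes.

```python
"""Simplified model of first-match IPv6 ACL evaluation (added example).

Site prefix and packets are constructed. Cisco documents that every IPv6
ACL ends with three implicit entries: permit icmp any any nd-na,
permit icmp any any nd-ns, deny ipv6 any any. An explicit
'deny ipv6 any any log' sits before them and therefore matches first.
Only transit packets are modelled, not traffic the router generates itself.
"""
from ipaddress import IPv6Network, ip_address

ANY = IPv6Network("::/0")
# ND message types are modelled as protocol tags rather than ICMPv6 type codes.
IMPLICIT_TAIL = [("permit", "nd-na", ANY, ANY),
                 ("permit", "nd-ns", ANY, ANY),
                 ("deny", "ipv6", ANY, ANY)]

def build_egress_acl(site_prefix, explicit_deny):
    """Entries are (action, proto, src_net, dst_net); proto 'ipv6' matches anything."""
    acl = [("permit", "ipv6", IPv6Network(site_prefix), ANY)]
    if explicit_deny:                      # the lab's 'deny ipv6 any any log'
        acl.append(("deny", "ipv6", ANY, ANY))
    return acl + IMPLICIT_TAIL             # implicit entries are always last

def evaluate(acl, src, dst, proto):
    """Return the action of the first entry matching the packet."""
    s, d = ip_address(src), ip_address(dst)
    for action, p, src_net, dst_net in acl:
        if p in ("ipv6", proto) and s in src_net and d in dst_net:
            return action
    raise AssertionError("implicit deny should have matched")

# Constructed sample packets: (description, src, dst, proto)
PACKETS = [
    ("legitimate egress from site prefix", "2001:db8:100:1::10", "2001:db8:200::1", "tcp"),
    ("spoofed source outside site prefix", "2001:db8:999::1", "2001:db8:200::1", "tcp"),
    ("neighbour solicitation to upstream", "fe80::1", "ff02::1:ff00:1", "nd-ns"),
]

def classify(site_prefix, explicit_deny):
    """Map each sample packet description to the ACL's decision."""
    acl = build_egress_acl(site_prefix, explicit_deny)
    return {desc: evaluate(acl, s, d, p) for desc, s, d, p in PACKETS}

if __name__ == "__main__":
    for flag in (False, True):
        print(f"explicit deny ipv6 any any: {flag}")
        for desc, verdict in classify("2001:db8:100::/48", flag).items():
            print(f"  {verdict:6} {desc}")
```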
+ | |||
+ | ### Inbound packet filtering for IPv6 testing | ||
+ | |||
+ | We will now create an access-list which can be used for initial IPv6 testing. It shows had to trap and test for various traffic types running on a router’s interface. | ||
+ | |||
+ | |||
+ | ipv6 access-list v6starter | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | deny ipv6 any any log-input | ||
+ | ! | ||
+ | interface fastethernet 0/0 | ||
+ | ipv6 traffic-filter v6starter in | ||
+ | ! | ||
+ | |||
+ | |||
+ | Note that the ‘log-input’ has been included to check what ipv6 traffic is coming in from the outside. Send some ipv6 pings and see if you can see traffic from a ‘show log’. | ||
+ | |||
+ | Note: ‘log’ simply displays the source and destination addresses in the log messages. ‘log-input’ includes the input interface as well. | ||
+ | |||
+ | ### Disabling Router Advertisement on interfaces | ||
+ | |||
+ | Interfaces on core infrastructure routers are generally manually configured. And the devices connected to these interfaces also are manually configured. We want to now disable support for auto-configuration of IPv6 addresses on our router’s ethernet interfaces and disable the announcement of a default route – this will prevent anyone connecting a device to that ethernet and it automatically getting an IPv6 configuration and this IPv6 connectivity. The following command shows what needs to be done for a FastEthernet interface. | ||
+ | |||
+ | |||
+ | interface gigabit 1/0 | ||
+ | ipv6 nd prefix default no-advertise | ||
+ | ipv6 nd ra suppress all | ||
+ | ! | ||
+ | |||
+ | |||
+ | Each group should do this for all active interfaces on the routers in their AS. | ||
+ | |||
+ | |||
training/itu-ipv6/3-traffic-filters.txt · Last modified: 2016/05/22 18:58 by 127.0.0.1