Cisco related stuff and IPv6
Cisco IPv6 routing
Attempting our ping again from R1 elicits the following output from the debug on R2:
*Mar 1 00:14:14.575: IPV6: source 2001:DB8:0:12::1 (FastEthernet0/0)
*Mar 1 00:14:14.575: dest 2001:DB8:0:23::3 (FastEthernet0/1)
*Mar 1 00:14:14.579: traffic class 0, flow 0x0, len 100+14, prot 58, hops 64, not a router?
*Mar 1 00:14:16.591: IPV6: source 2001:DB8:0:12::1 (FastEthernet0/0)
*Mar 1 00:14:16.591: dest 2001:DB8:0:23::3 (FastEthernet0/1)
*Mar 1 00:14:16.591: traffic class 0, flow 0x0, len 100+14, prot 58, hops 64, not a router?
...
“Not a router?” IPv6 routing is not enabled out of the box. The administrator must enable it, which I forgot to do.
R2(config)# ipv6 unicast-routing

The minimal IPv6 configuration on a routed interface then looks like this:

ipv6 unicast-routing
ipv6 cef
interface FastEthernet0/0
 ipv6 enable
 ipv6 address xx:xx:xx:xx:xx::x/yy
Catalyst enabling IPv6 stack
(config)# sdm prefer dual-ipv4-and-ipv6 default
# sh sdm prefer

The current template is "desktop default" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses: 6K
  number of IPv4 IGMP groups + multicast routes: 1K
  number of IPv4 unicast routes: 8K
    number of directly-connected IPv4 hosts: 6K
    number of indirect IPv4 routes: 2K
  number of IPv4 policy based routing aces: 0
  number of IPv4/MAC qos aces: 512
  number of IPv4/MAC security aces: 1K
On next reload, template will be "desktop IPv4 and IPv6 default" template.

A reload is needed for the new template to take effect.
IPv6 access lists (ACL)
by Jan Bervar from NIL
! the most basic anti-spoofing; more could be added...
deny ipv6 2001:67C:58::/48 any log-input
! ICMP for ND-NS; a whole pile of address combinations has to be taken into account
permit icmp FE80::/10 FE80::/10 nd-ns
permit icmp FE80::/10 FE80::/10 nd-na
permit icmp FE80::/10 host FF02::1:FF00:2 nd-ns
permit icmp host 2A02:800:2:2000::1 FE80::/10 nd-na
permit icmp host 2A02:800:2:2000::1 host FF02::1:FF00:2 nd-ns
! allow a minimal local RA for possible troubleshooting; it is not actually required
permit icmp FE80::/10 host FF02::1 router-advertisement
! allow PING to/from the router's local interfaces
permit icmp any host 2A02:800:2:2000::2 echo-request
permit icmp any host 2A02:800:2:2000::2 echo-reply
permit icmp any host 2001:67C:58:D00::3 echo-reply
permit icmp any host 2001:67C:58:D00::4 echo-reply
! allow BGP for our BGP neighbours
permit tcp host 2A02:800:1::10 gt 1023 host 2A02:800:2:2000::2 eq bgp
permit tcp host 2A02:800:1::10 eq bgp host 2A02:800:2:2000::2 gt 1023 established
! deny all traffic to the exposed network devices
deny ipv6 any host 2A02:800:2:2000::2 log-input
deny ipv6 any host 2001:67C:58:D00::3 log-input
deny ipv6 any host 2001:67C:58:D00::4 log-input
deny ipv6 any host 2001:67C:58:D00::5 log-input
! let all other traffic through so the smarter boxes behind the router can inspect it
permit ipv6 any 2001:67C:58::/48
! and of course nothing else may get through
deny ipv6 any any log-input

If you filter on TCP and UDP for transit traffic, nothing changes. UNIX systems AFAIK still do traceroute via UDP on high ports, and Windows still does it (just verified) via ICMP echo requests.

And let me remind you once more of that IOS trick: if you *don't* have “deny ipv6 any any” at the end of the ACL, IOS will implicitly (and invisibly) add “permit icmp any any nd-ns” and “permit icmp any any nd-na” at the beginning.
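A small checker for the implicit-ND trick in the note above, added here as an example; it is not part of the original page or of Jan Bervar's configuration. It parses Cisco-style IPv6 ACEs, appends the implicit entries, and reports whether an ICMPv6 packet is let through only by those hidden permits. It assumes the implicit entries act as the last match conditions of the list (which is why an explicit trailing deny hides them), evaluates ICMPv6 packets only, and uses a constructed excerpt of the ACL above as sample input.

```python
import ipaddress

# Hidden entries IOS evaluates after the configured ACEs (the trick in the note above);
# assumption of this example: modelled as the last three match conditions of every IPv6 ACL.
IMPLICIT_TAIL = "permit icmp any any nd-ns\npermit icmp any any nd-na\ndeny ipv6 any any"

# Constructed sample input: an excerpt of the ACL above, deliberately without its final deny.
ACL_EXCERPT = """! anti-spoofing
deny ipv6 2001:67C:58::/48 any log-input
permit icmp FE80::/10 FE80::/10 nd-ns
deny ipv6 any host 2A02:800:2:2000::2 log-input
permit ipv6 any 2001:67C:58::/48"""

def _addr(tok):
    """Consume one address spec ('any', 'host X' or 'prefix/len'); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("::/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/128"), tok[2:]
    return ipaddress.ip_network(tok[0], strict=False), tok[1:]

def parse_acl(text):
    """Parse ACE lines into (action, proto, src, dst, icmp_type); '!' comments are skipped.
    Port qualifiers of tcp/udp entries are stepped over but not modelled."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _addr(rest)
        if rest and rest[0] in ("eq", "gt", "lt"):   # source port qualifier
            rest = rest[2:]
        dst, rest = _addr(rest)
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log-input" else None
        entries.append((action, proto, src, dst, icmp_type))
    return entries

def lookup(entries, src, dst, icmp_type):
    """First-match lookup for an ICMPv6 packet: returns (action, index of the matching ACE)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, proto, esrc, edst, etype) in enumerate(entries):
        if proto in ("icmp", "ipv6") and s in esrc and d in edst and etype in (None, icmp_type):
            return action, i
    return "deny", -1   # never reached once the implicit tail is appended

def permitted_only_implicitly(acl_text, src, dst, icmp_type):
    """True when the packet passes solely because of the hidden ND permits."""
    explicit = parse_acl(acl_text)
    action, idx = lookup(explicit + parse_acl(IMPLICIT_TAIL), src, dst, icmp_type)
    return action == "permit" and idx >= len(explicit)
```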