Cisco related stuff and IPv6

Cisco IPv6 routing

Attempting our ping again from R1 elicits the following output from the debug on R2:

*Mar  1 00:14:14.575: IPV6: source 2001:DB8:0:12::1 (FastEthernet0/0)
*Mar  1 00:14:14.575:       dest 2001:DB8:0:23::3 (FastEthernet0/1)
*Mar  1 00:14:14.579:       traffic class 0, flow 0x0, len 100+14, prot 58, hops 64, not a router?
*Mar  1 00:14:16.591: IPV6: source 2001:DB8:0:12::1 (FastEthernet0/0)
*Mar  1 00:14:16.591:       dest 2001:DB8:0:23::3 (FastEthernet0/1)
*Mar  1 00:14:16.591:       traffic class 0, flow 0x0, len 100+14, prot 58, hops 64, not a router?
...
“Not a router?” IPv6 routing does not yet come enabled out of the box. The administrator must enable it, which I forgot to do.

R2(config)# ipv6 unicast-routing
 ipv6 unicast-routing
 ipv6 cef
 interface FastEthernet0/0
    ipv6 enable
    ipv6 address xx:xx:xx:xx:xx::x/yy

Catalyst enabling IPv6 stack

 (config)#sdm prefer dual-ipv4-and-ipv6 default
 # sh sdm prefer
 The current template is "desktop default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs. 

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      512
  number of IPv4/MAC security aces:                 1K
 
 On next reload, template will be "desktop IPv4 and IPv6 default" template.

reload is needed

IPv6 access lists ACL

by Jan Bervar from NIL

! najbolj osnovni anti-spoofing, lahko bi dodali še kaj... 
deny ipv6 2001:67C:58::/48 any log-input 
! ICMP za ND-NS, treba je upoštevati kup kombinacij naslovov 
permit icmp FE80::/10 FE80::/10 nd-ns 
permit icmp FE80::/10 FE80::/10 nd-na 
permit icmp FE80::/10 host FF02::1:FF00:2 nd-ns 
permit icmp host 2A02:800:2:2000::1 FE80::/10 nd-na 
permit icmp host 2A02:800:2:2000::1 host FF02::1:FF00:2 nd-ns 
! dovolimo minimalen lokalni RA za morebitni troubleshooting, ni ga pa treba 
permit icmp FE80::/10 host FF02::1 router-advertisement 
! dovolimo PING na/iz lokalnih vmesnikov usmerjevalnika 
permit icmp any host 2A02:800:2:2000::2 echo-request 
permit icmp any host 2A02:800:2:2000::2 echo-reply 
permit icmp any host 2001:67C:58:D00::3 echo-reply 
permit icmp any host 2001:67C:58:D00::4 echo-reply 
! dovolimo BGP za naše BGP-sosede 
permit tcp host 2A02:800:1::10 gt 1023 host 2A02:800:2:2000::2 eq bgp 
permit tcp host 2A02:800:1::10 eq bgp host 2A02:800:2:2000::2 gt 1023 established 
! prepovemo ves promet na izpostavljene omrežne naprave 
deny ipv6 any host 2A02:800:2:2000::2 log-input 
deny ipv6 any host 2001:67C:58:D00::3 log-input 
deny ipv6 any host 2001:67C:58:D00::4 log-input 
deny ipv6 any host 2001:67C:58:D00::5 log-input 
! pustimo ves ostali promet naprej, da ga pregledajo bolj pametne škatle za usmerjevalnikom 
permit ipv6 any 2001:67C:58::/48 
! drugega pa seveda ne sme biti 
deny ipv6 any any log-input 

Če filtriraš na TCP in UDP za tranziten promet, se nič ne spremeni. Traceroute delajo UNIXi AFAIK še vedno preko UDP na visokih portih, Windowsi pa še vedno (ravnokar preverjeno) preko ICMP echo zahtev.

Pa naj še enkrat opomnim na tisti IOS-ov trik: če *nimaš* na koncu ACLja “deny ipv6 any any”, ti bo IOS na začetku implicitno (in skrito) dodal “permit icmp any any nd-ns” ter “permit icmp any any nd-na”.

cisco/ipv6.txt · Last modified: 2010/11/11 08:49 by greebo
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready