Page cisco:ipv6, revision 2009/12/16 13:09 (a) compared with revision 2010/11/11 08:49 (current, greebo)

====== Cisco related stuff and IPv6 ======
===== Cisco IPv6 routing =====

Attempting our ping again from R1 elicits the following output from the debug on R2:
<code>
*Mar  1 00:14:14.575: IPV6: source 2001:DB8:0:12::1 (FastEthernet0/0)
*Mar  1 00:14:14.575:       dest 2001:DB8:0:23::3 (FastEthernet0/1)
*Mar  1 00:14:14.579:       traffic class 0, flow 0x0, len 100+14, prot 58, hops 64, not a router?
*Mar  1 00:14:16.591: IPV6: source 2001:DB8:0:12::1 (FastEthernet0/0)
*Mar  1 00:14:16.591:       dest 2001:DB8:0:23::3 (FastEthernet0/1)
*Mar  1 00:14:16.591:       traffic class 0, flow 0x0, len 100+14, prot 58, hops 64, not a router?
...
</code>

<note important>**"Not a router?"** IPv6 routing is not enabled out of the box: the router only forwards IPv6 packets once the administrator turns it on, which I forgot to do. \\ \\
**''R2(config)# ipv6 unicast-routing''**</note>

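A small parser for debug records of the shape shown above, added here as an example (it is not from the original page or from the source it quotes). It groups each three-line record into one dict and maps the trailing "not a router?" reason to the `ipv6 unicast-routing` fix. The sample input is copied from the output above; the field names and the `diagnose()` mapping are my own.

```python
"""Parse the three-line 'IPV6: source ... / dest ... / ...' debug records.

Added example, not from the original page.  SAMPLE is copied from the debug
output above; the field names and the REASON_FIX mapping are mine.
"""
import re

# One packet is printed as a source line, a dest line and an info line.
SRC_RE = re.compile(r"IPV6: source (?P<src>[0-9A-Fa-f:]+) \((?P<in_if>[^)]+)\)")
DST_RE = re.compile(r"dest (?P<dst>[0-9A-Fa-f:]+) \((?P<out_if>[^)]+)\)")
INFO_RE = re.compile(r"prot (?P<prot>\d+), hops (?P<hops>\d+)(?:, (?P<reason>.+?))?\s*$")

# Copied from the debug output above (prot 58 is ICMPv6, i.e. the ping).
SAMPLE = """\
*Mar  1 00:14:14.575: IPV6: source 2001:DB8:0:12::1 (FastEthernet0/0)
*Mar  1 00:14:14.575:       dest 2001:DB8:0:23::3 (FastEthernet0/1)
*Mar  1 00:14:14.579:       traffic class 0, flow 0x0, len 100+14, prot 58, hops 64, not a router?
"""

# Trailing reason as IOS prints it -> what the operator has to do about it.
REASON_FIX = {
    "not a router?": "forwarding disabled: configure 'ipv6 unicast-routing'",
}


def parse_debug(text):
    """Group consecutive source/dest/info lines into one dict per packet."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := SRC_RE.search(line):
            cur = {"src": m["src"], "in_if": m["in_if"], "reason": None}
            packets.append(cur)
        elif cur is not None and (m := DST_RE.search(line)):
            cur.update(dst=m["dst"], out_if=m["out_if"])
        elif cur is not None and (m := INFO_RE.search(line)):
            cur.update(prot=int(m["prot"]), hops=int(m["hops"]), reason=m["reason"])
    return packets


def diagnose(packets):
    """One finding per packet whose trailing reason we know how to fix."""
    return [
        f"{p['src']} ({p['in_if']}) -> {p['dst']} ({p['out_if']}): {REASON_FIX[p['reason']]}"
        for p in packets if p.get("reason") in REASON_FIX
    ]


if __name__ == "__main__":
    for finding in diagnose(parse_debug(SAMPLE)):
        print(finding)
```

Feed it the captured debug text and it prints one line per packet that the router refused to forward; a packet whose info line carries no trailing reason is parsed but produces no finding.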

  ipv6 unicast-routing

**reload is needed**

=== IPv6 access lists (ACL) ===
by Jan Bervar from [[http://www6.nil.si|NIL]]

<code>
! the most basic anti-spoofing, more could be added...
deny ipv6 2001:67C:58::/48 any log-input
! ICMP for ND-NS, a whole set of address combinations has to be covered
permit icmp FE80::/10 FE80::/10 nd-ns
permit icmp FE80::/10 FE80::/10 nd-na
permit icmp FE80::/10 host FF02::1:FF00:2 nd-ns
permit icmp host 2A02:800:2:2000::1 FE80::/10 nd-na
permit icmp host 2A02:800:2:2000::1 host FF02::1:FF00:2 nd-ns
! allow a minimal local RA for possible troubleshooting; it is not required
permit icmp FE80::/10 host FF02::1 router-advertisement
! allow PING to/from the router's local interfaces
permit icmp any host 2A02:800:2:2000::2 echo-request
permit icmp any host 2A02:800:2:2000::2 echo-reply
permit icmp any host 2001:67C:58:D00::3 echo-reply
permit icmp any host 2001:67C:58:D00::4 echo-reply
! allow BGP for our BGP neighbours
permit tcp host 2A02:800:1::10 gt 1023 host 2A02:800:2:2000::2 eq bgp
permit tcp host 2A02:800:1::10 eq bgp host 2A02:800:2:2000::2 gt 1023 established
! deny all traffic to the exposed network devices
deny ipv6 any host 2A02:800:2:2000::2 log-input
deny ipv6 any host 2001:67C:58:D00::3 log-input
deny ipv6 any host 2001:67C:58:D00::4 log-input
deny ipv6 any host 2001:67C:58:D00::5 log-input
! let all other traffic through, to be inspected by the smarter boxes behind the router
permit ipv6 any 2001:67C:58::/48
! and of course nothing else is allowed
deny ipv6 any any log-input
</code>


If you filter on TCP and UDP for transit traffic, nothing changes. UNIX systems AFAIK still do traceroute over UDP on high ports, and Windows still does it (just verified) with ICMP echo requests.

And let me remind you once more of that IOS trick: if you *don't* have "deny ipv6 any any" at the end of the ACL, IOS will initially implicitly (and invisibly) add "permit icmp any any nd-ns" and "permit icmp any any nd-na".

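To see what the remark about "deny ipv6 any any" means in practice, here is an added example (my code, not Jan Bervar's ACL or anything from the original page): a toy first-match evaluator for a trimmed copy of the ACL above, with the entries IOS evaluates after the configured lines of every IPv6 ACL (permit nd-na, permit nd-ns, deny everything) modelled as a hidden tail. The ACL prefixes are those from the listing; the 2001:DB8::/32 source address, the port numbers and the packets themselves are constructed for the demo.

```python
"""First-match evaluator for an IOS-style IPv6 ACL, including IOS's hidden tail.

Added example, not part of the original page or Jan Bervar's ACL.  ACL_TEXT is
a trimmed copy of the listing above; the packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMPV6_TYPES = {"nd-ns", "nd-na", "router-advertisement", "echo-request", "echo-reply"}
PORT_NAMES = {"bgp": 179}

# Entries IOS consults after the configured lines of every IPv6 ACL without
# showing them; an explicit "deny ipv6 any any" above them shadows the permits.
IMPLICIT_TAIL = """
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
"""

ACL_TEXT = """
! basic anti-spoofing
deny ipv6 2001:67C:58::/48 any log-input
! neighbour discovery on the local link
permit icmp FE80::/10 FE80::/10 nd-ns
permit icmp FE80::/10 FE80::/10 nd-na
permit icmp FE80::/10 host FF02::1:FF00:2 nd-ns
! ping to the router, BGP from the neighbour, then block the exposed device
permit icmp any host 2A02:800:2:2000::2 echo-request
permit tcp host 2A02:800:1::10 gt 1023 host 2A02:800:2:2000::2 eq bgp
deny ipv6 any host 2A02:800:2:2000::2 log-input
permit ipv6 any 2001:67C:58::/48
deny ipv6 any any log-input
"""
# Same ACL with the closing deny removed, which exposes the hidden tail.
ACL_NO_FINAL_DENY = ACL_TEXT.replace("deny ipv6 any any log-input", "")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", "udp", ...
    icmp_type: Optional[str] = None  # ICMPv6 type keyword as IOS spells it
    sport: int = 0
    dport: int = 0
    established: bool = False        # TCP segment with ACK or RST set


def _take_addr(tok):
    t = tok.pop(0)                   # "any", "host X" or "prefix/len"
    return "host " + tok.pop(0) if t == "host" else t


def _take_port(tok):
    if tok and tok[0] in ("eq", "gt", "lt"):
        op, val = tok.pop(0), tok.pop(0)
        return op, (PORT_NAMES[val] if val in PORT_NAMES else int(val))
    return None


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        rule = {"text": line, "action": tok.pop(0), "proto": tok.pop(0)}
        rule["src"], rule["sport"] = _take_addr(tok), _take_port(tok)
        rule["dst"], rule["dport"] = _take_addr(tok), _take_port(tok)
        rule["icmp_type"] = next((t for t in tok if t in ICMPV6_TYPES), None)
        rule["established"] = "established" in tok
        rules.append(rule)
    return rules


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec[5:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(cond, port):
    if cond is None:
        return True
    op, val = cond
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def _matches(rule, pkt):
    if rule["proto"] != "ipv6" and rule["proto"] != pkt.proto:
        return False
    if not (_addr_ok(rule["src"], pkt.src) and _addr_ok(rule["dst"], pkt.dst)):
        return False
    if rule["icmp_type"] and rule["icmp_type"] != pkt.icmp_type:
        return False
    if rule["proto"] in ("tcp", "udp"):
        if not (_port_ok(rule["sport"], pkt.sport) and _port_ok(rule["dport"], pkt.dport)):
            return False
        if rule["established"] and not pkt.established:
            return False
    return True


def evaluate(acl_text, pkt):
    """Return (action, matching line); the hidden tail is consulted last."""
    for rule in parse_acl(acl_text) + parse_acl(IMPLICIT_TAIL):
        if _matches(rule, pkt):
            return rule["action"], rule["text"]
    raise RuntimeError("unreachable: the implicit tail matches everything")


# Constructed packets; 2001:DB8::/32 is the documentation prefix.
ND_FROM_GLOBAL = Packet("2001:DB8::1", "FF02::1:FF00:2", "icmp", icmp_type="nd-ns")
SPOOFED_SRC = Packet("2001:67C:58::1", "2001:67C:58:D00::9", "tcp", sport=1234, dport=80)
BGP_SYN = Packet("2A02:800:1::10", "2A02:800:2:2000::2", "tcp", sport=40000, dport=179)

if __name__ == "__main__":
    for label, acl in (("with final deny", ACL_TEXT), ("without final deny", ACL_NO_FINAL_DENY)):
        print(f"{label}: ND-NS from global source -> {evaluate(acl, ND_FROM_GLOBAL)}")
```

With the closing line in place, a neighbour solicitation arriving from a global source is dropped by the explicit `deny ipv6 any any log-input`; delete that line and the same packet falls through to the hidden `permit icmp any any nd-ns`, which is the behaviour the remark warns about. The evaluator only models address, ICMPv6-type, port and `established` matching, which is all the listing uses; `log-input` is carried in the matched text but not acted on.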
cisco/ipv6.1260965399.txt.gz · Last modified: 2009/12/16 13:10 (external edit)
CC Attribution-Share Alike 4.0 International