IPv6 is extremely cool in all but it is not the holy grail of security and you must still use access-list to ensure infrastructure security. This lab will discuss and demonstrate the configuration and verification of IPv6 access control lists.
So if you’ve completed the previous 5 labs then you should have a knowledgeable understanding of IPv6 and IPv6 routing infrastructures. However one thing left to discuss remains of the utter most importance in any network; Security.
In the real world, the ability to prevent machines such as Student PC’s in a lab at a university from communicating to Enrollment Servers or Servers that host the database of the students grades is very important. There are some young students that have a knowledgeable understanding of SQL injection methods that could easily change their grades or even their finances. Of course the same could be applied to many companies such as a Hospital for example, you don’t want visitor PC’s to have the ability to access Servers that host protected health information about patients which could include identification information such as name, address, social security number and health information which should remain private. Regardless of the scenario there is ALWAYS a need for security in a network.
The first line of defense is Access Control List (ACL). When working with Access List keep in mind they are processed top down. So for example lets say you there is a teacher PC in a classroom that needs to access a server farm however other student PC’s are on the same network and they need to be denied access to the server farm. How can you achieve this desired policy?
Well on the first line of an ACL you can permit the teach PC that has the source address 2001:ABAD:BEEF:1001::5/64 access to nodes located in the the server farm located in the 2001::ABAD:BEEF:FADE::0/64 network however on the second line you can deny the network that the teacher PC and student PC’s are on which is 2001:ABAD:BEEF:1001::0/64 from accessing the server farm located at 2001:ABAD:BEEF:FADE::0/64. Since the ACL is processed top down this would permit the teacher PC to access the server farm network and deny student PC’s on the same source network from accessing servers located in the server farm because the teacher PC was processed first and permitted.
Configuring an IPv6 ACL is much like configuring an IPv4 ACL however you do not have numbered, standard or extended access-list. You have single type of IPv6 access list that can function like a standard or extended access-list. For example with a standard IPv4 ACL you can specified permit 10.0.0.0 any and an extended ACL can permit traffic from10.0.0.25 255.255.255.255 to access 10.20.5.81 255.255.255.25 equal to port 80.
With IPv6 ACL’s you have the same ability. You can use a standard broad statement that encompass all source traffic to any destination or you can get granular with the ACL statements and permit specific host to specific destinations based on source and destination port numbers.
To configure an IPv6 access list you’ll use the ipv6 access-list NAME command in global configuration. From there you’ll be placed into IPv6 access-list configuration mode where you have the ability to specify the ACL statements. an example is given below;
R1(config)#ipv6 access-list EXAMPLE_IPv6_ACL R1(config-ipv6-acl)#sequence 10 permit 2001:ABAD:BEEF:1221::/64 any R1(config-ipv6-acl)#sequence 20 deny tcp host 2001:ABAD:BEEF:2345::1 host 2001:ABAD:BEEF:1212::1 eq www R1(config-ipv6-acl)#
As with any ACL you have the ability to assign the ACL to a particular interface in a particular direction, ingress or egress. (incoming or outgoing). Assigning an IPv6 access list to an interface is different then its processor. When assigning an IPv4 access list to an interface you used the ip access-list ACL_NAME in|out command in interface configuration mode. To assign an IPv6 ACL to an interface you’ll use the ipv6 traffic-filter ACL_NAME in|out command in interface configuration mode.
You can view current ACL statistics by using the show ipv6 access-list command in user or privileged mode.
Familiarize yourself with the following new command(s);
|ipv6 access-list NAME||This command when executed in interface configuration mode enables OSPFv3 per specified process id and area id.|
|sequence seq#||This command is executed in IPv6 access-list configuration mode to insert a new sequence number in the list. You can delete or add ACL lines in specific spots of the ACL using sequence numbers.|
|ipv6 traffic-filter ACL_NAME in|out||This command when executed in interface configuration mode will apply an Access Control List on an interface in an ingress or egress direction of the interface.|
|show ipv6 access-list||This command can be executed in user or privileged mode to view current Access Control List entries and statistics.|
In this lab you will configure an Access-list on R2 to prevent traffic sourced from R1’s loopback interface destined to R3’s loopback0 interface be denied on port 80 and permit all other traffic.
The following logical topology will be used for this lab;
Objective 1. – Verify that you’re able to ping R3’s loopback0 interface from R1’s Loopback0 interface.
R1#ping 2001:ABAD:BEEF:3003::1 source Loopback0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:ABAD:BEEF:3003::1, timeout is 2 seconds: Packet sent with a source address of 2001:ABAD:BEEF:1001::1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/64 ms R1#
Objective 2. – Verify that you’re able to telnet from R1’s Loopback0 interface to R3’s Loopback0 interface via port 80 (WWW).
R1#telnet 2001:ABAD:BEEF:3003::1 www /source-interface loopback 0 Trying 2001:ABAD:BEEF:3003::1, 80 ... Open ^C HTTP/1.1 400 Bad Request Date: Sun, 19 Sep 2010 23:51:32 GMT Server: cisco-IOS Accept-Ranges: none 400 Bad Request [Connection to 2001:ABAD:BEEF:3003::1 closed by foreign host] R1#
Objective 3. – Configure an IPv6 ACL on R2 named TEST and deny R1’s Loopback0 interface access to R3’s Loopback interface Via port 80 then permit all other traffic.
R2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R2(config)#ipv6 access-list TEST R2(config-ipv6-acl)#sequence 10 deny tcp 2001:ABAD:BEEF:1001::1/128 host 2001:ABAD:BEEF:3003::1 eq www R2(config-ipv6-acl)#sequence 20 permit any any R2(config-ipv6-acl)#exit R2(config)#
Objective 4. – Configure the newly created IPv6 ACL on R2 as an ingress traffic-filter on R2’s Serial0/0.221 sub-interface.
R2(config)#interface Serial0/0.221 R2(config-subif)#ipv6 traffic-filter TEST in R2(config-subif)#end R2# %SYS-5-CONFIG_I: Configured from console by console R2#
Objective 5. – Verify that R1’s Loopback0 interface can still ping R3’s Loopback0 interface.
R1#ping 2001:ABAD:BEEF:3003::1 source Loopback0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:ABAD:BEEF:3003::1, timeout is 2 seconds: Packet sent with a source address of 2001:ABAD:BEEF:1001::1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/72 ms R1#
Objective 6. – Verify that traffic sourced from R1’s Loopback0 is being denied access to R3’s Loopback0 interface via port 80 using the telnet.
R1#telnet 2001:ABAD:BEEF:3003::1 www /source-interface loopback 0 Trying 2001:ABAD:BEEF:3003::1, 80 ... % Destination unreachable; gateway or host down R1#
As shown above you can see that traffic from R1’s loopback0 destined to R3’s loopback0 interface via port 80 is now being dropped at R2. You can further verify this by viewing the Access List Statistics on R2 as shown below;
R2#show access-list TEST IPv6 access list TEST deny tcp host 2001:ABAD:BEEF:1001::1 host 2001:ABAD:BEEF:3003::1 eq www (1 match) sequence 10 permit ipv6 any any (32 matches) sequence 20 R2#