IPv6 Access Control Lists (ACLs)

Lab 1

Name: ______

Rationale: The purpose of this experiment is to examine the planning and application of access control lists in an IPv6 environment. As the use of IPv6 increases, traditional IPv4 ACLs will have to be replaced with IPv6 ACLs as IPv6 environments are adopted.

Equipment:

1.  Packet Tracer ® 6.2 (Earlier versions will work)

2.  Three 2901 or equivalent routers that support IPv6

3.  One switch for connectivity

4.  One server that supports WWW and DNS to be used as the inside server

5.  One server that supports WWW to be used to simulate the Internet

6.  Two hosts, one to be used as a management console, and one to be used as a general user console

7.  Assorted cables

Construction Diagram:

Construction: (This lab will reference construction in Packet Tracer ®)

1.  Using Packet Tracer ®, deploy in the work area the following devices:

1.1.  Three Cisco 2901 routers or their equivalent

1.2.  One Cisco 2960 switch or its equivalent

1.3.  Two servers capable of WWW and DNS support

1.4.  Two desktop or laptop computers

2.  Install in each of the three Cisco 2901 (or equivalent) routers an HWIC-2T serial interface card in slot 0/0. This will make the two serial interfaces S0/0/0 and S0/0/1. (Remember to turn off the power to the router before installing the HWIC interface!)

3.  Place and wire components as shown in the “Construction Diagram”

Connect the S0/0/0 (DCE) connector of R1 to the S0/0/1 (DTE) connector of ISP

Connect the S0/0/0 (DCE) connector of ISP to the S0/0/1 (DTE) connector of R2

Use Ethernet crossover cables to attach the FastEthernet ports of the two servers directly to the GigabitEthernet ports of routers ISP and R2

4.  Name each of the components as shown in the “Construction Diagram”

5.  On each router configure the initial “Housekeeping” using the passwords of “cisco” and “class”. Change the names to the names shown on the “Construction Diagram”. (Example below uses router R1)

Router>enable

Router#config t

Router(config)#host R1

R1(config)#enable secret cisco

R1(config)#service password-encryption

R1(config)#line con 0

R1(config-line)#password class

R1(config-line)#login

R1(config-line)#logging sync

R1(config-line)#line vty 0 4

R1(config-line)#password class

R1(config-line)#login

R1(config-line)#end

R1#

6.  Program the router interfaces using the IPv6 addressing scheme shown below:

(Remember to turn on ipv6 unicast-routing!) (Example router R1)

Host   G0/0              S0/0/0            S0/0/1
R1     2001:0:0:1::1/64  2001:0:0:2::1/64  -
ISP    2001:0:0:3::1/64  2001:0:0:4::1/64  2001:0:0:2::2/64
R2     2001:0:0:5::1/64  -                 2001:0:0:4::2/64

R1#config t

R1(config)#ipv6 unicast-routing

R1(config)#int g0/0

R1(config-if)#ipv6 address 2001:0:0:1::1/64

R1(config-if)#no shut

R1(config-if)#int s0/0/0

R1(config-if)#ipv6 address 2001:0:0:2::1/64

R1(config-if)#clock rate 2000000

R1(config-if)#no shut

R1(config-if)#end

R1#

7.  Program each host or server with the appropriate IPv6 address as shown in the chart below: (Example management host)

Host        FastEthernet   Prefix Length  Default Gateway  DNS Server
Management  2001:0:0:1::2  /64            2001:0:0:1::1    2001:0:0:5::2
User        2001:0:0:1::3  /64            2001:0:0:1::1    2001:0:0:5::2
Internet    2001:0:0:3::2  /64            2001:0:0:3::1    None
WWW/DNS     2001:0:0:5::2  /64            2001:0:0:5::1    None

8.  Since no routing protocol is in use, default and static routes will be entered to establish full connectivity.

On R1:

R1#config t

R1(config)#ipv6 route ::/0 s0/0/0

R1(config)#end

R1#

On ISP:

ISP#config t

ISP(config)#ipv6 route 2001:0:0:1::/64 s0/0/1

ISP(config)#ipv6 route 2001:0:0:5::/64 s0/0/0

ISP(config)#ipv6 route ::/0 g0/0

ISP(config)#end

ISP#

On R2:

R2#config t

R2(config)#ipv6 route ::/0 s0/0/1

R2(config)#end

R2#

9.  Ping from each host and server to every other host and server to verify full connectivity.

Example: From the command prompt in the User desktop:

ping 2001:0:0:3::2

If there is not full connectivity, troubleshoot your configurations!

10.  Telnet from the “Management” computer to router R2

telnet 2001:0:0:4::2

There should be connectivity and you should be able to access the router.

11.  Since only the “Management” computer should have remote access to router R2, an ACL needs to be created and applied to the VTY lines of R2. Since IPv6 only has named extended ACLs, an ACL named VTY_ACCESS will be created. This access list will only allow the “Management” host to remotely access router R2.

ipv6 access-list VTY_ACCESS

permit tcp host 2001:0:0:1::2 any eq telnet

Remember that the ACL created must be applied to the VTY remote access lines.

On R2:

R2#config t

R2(config)#ipv6 access-list VTY_ACCESS

R2(config-ipv6-acl)#permit tcp host 2001:0:0:1::2 any eq telnet

R2(config-ipv6-acl)#exit

R2(config)#line vty 0 4

R2(config-line)#ipv6 access-class VTY_ACCESS in

R2(config-line)#end

R2#

12.  Experiment with and test your ACL by using telnet from both the “Management” and “User” host computers to access router R2. Only the “Management” host should be able to access router R2 via telnet. If it were also necessary to allow SSH, which offers a secure connection to R2, the access list would need to be modified.

13.  Using the web browser from either host (Management or User) enter the IPv6 address of the WWW/DNS web server. A web page should be shown.

14.  The company wants to allow only WWW and DNS traffic to the web server. An IPv6 ACL must be created to allow this traffic. Create an IPv6 ACL named ALLOWED_TRAFFIC to allow web traffic to the server at address 2001:0:0:5::2.

ipv6 access-list ALLOWED_TRAFFIC

permit tcp any host 2001:0:0:5::2 eq www

On R2:

R2#config t

R2(config)#ipv6 access-list ALLOWED_TRAFFIC

R2(config-ipv6-acl)#permit tcp any host 2001:0:0:5::2 eq www

R2(config-ipv6-acl)#exit

R2(config)#int g0/0

R2(config-if)#ipv6 traffic-filter ALLOWED_TRAFFIC out

R2(config-if)#end

R2#

15.  Test connectivity to the web server at address 2001:0:0:5::2 again to verify that you can still access the web server.

16.  Verify that only web traffic is allowed by pinging the web server from either host computer.

ping 2001:0:0:5::2

17.  Since the company also wants to use the WWW/DNS server for DNS functions, the server must be configured to reply to DNS queries.

Add DNS services to the server so that both cisco.com and www.cisco.com resolve to the Internet web server at address 2001:0:0:3::2

18.  Try to access the www.cisco.com server by entering the URL, instead of the IPv6 address, into the browser on either host.

Since DNS traffic to the WWW/DNS server was not allowed, the host is unable to contact the cisco.com server.

19.  An entry must be added to the ALLOWED_TRAFFIC ACL to allow DNS requests.

ipv6 access-list ALLOWED_TRAFFIC

permit udp any host 2001:0:0:5::2 eq domain

On R2:

R2#config t

R2(config)#ipv6 access-list ALLOWED_TRAFFIC

R2(config-ipv6-acl)#permit udp any host 2001:0:0:5::2 eq domain

R2(config-ipv6-acl)#end

R2#

Since the ACL ALLOWED_TRAFFIC has been previously applied, it is not necessary to apply it again.

20.  Try to access the www.cisco.com server again by entering the URL, instead of the IPv6 address, into the browser on either host.
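As an added illustration that is not part of this lab or of Cisco's software, the following Python models how an IOS IPv6 ACL is evaluated: the first matching entry wins, ICMPv6 neighbor discovery is implicitly permitted, and everything else falls to the implicit deny at the end of the list. It replays the lab's VTY_ACCESS and ALLOWED_TRAFFIC entries against constructed packets (the Management and User telnet sessions of step 12, the ping of step 16, the DNS query of step 18); the Packet and Entry types, their field names and the simplified matching are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional
PORTS = {"telnet": 23, "www": 80, "domain": 53}  # IOS port keywords used in the lab

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # e.g. "echo-request", "nd-ns", "nd-na"

@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: IPv6Network
    dst: IPv6Network
    dport: Optional[int]             # None = any destination port

def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host <addr>' or '<prefix>/<len>'."""
    tok = tokens.pop(0)
    if tok == "host":
        tok = tokens.pop(0) + "/128"
    return IPv6Network("::/0" if tok == "any" else tok, strict=False)

def parse_entry(line):
    """Parse one entry, e.g. 'permit tcp host 2001:0:0:1::2 any eq telnet'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _take_addr(rest), _take_addr(rest)
    dport = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return Entry(action, proto, src, dst, dport)

def evaluate(acl, p):
    """First match wins; unmatched ND is implicitly permitted, all else implicitly denied."""
    for e in acl:
        if (e.proto in ("ipv6", p.proto) and IPv6Address(p.src) in e.src
                and IPv6Address(p.dst) in e.dst
                and (e.dport is None or e.dport == p.dport)):
            return e.action
    if p.proto == "icmp" and p.icmp_type in ("nd-ns", "nd-na"):
        return "permit"   # IOS implicit 'permit icmp any any nd-ns' / 'nd-na'
    return "deny"         # IOS implicit 'deny ipv6 any any'
# The lists built in the lab: step 11, then step 14 plus the step 19 addition.
VTY_ACCESS = [parse_entry("permit tcp host 2001:0:0:1::2 any eq telnet")]
ALLOWED_TRAFFIC = [parse_entry("permit tcp any host 2001:0:0:5::2 eq www"),
                   parse_entry("permit udp any host 2001:0:0:5::2 eq domain")]
```

Evaluating `ALLOWED_TRAFFIC[:1]` (the list as it stood after step 14) against a UDP/53 packet reproduces the failed lookup of step 18, while the full list permits it; an echo request to the server is denied in both cases, which is why the step 16 ping fails.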

Reflection:

IPv6 access lists can be configured and applied to physical or logical interfaces to either permit or deny traffic based on source, destination, or protocol. Since IPv6 only allows named extended access lists, the most appropriate place to apply the list is at the destination. This can be modified depending on the configuration and security practices in use.

© John Mowry June 2015