Topology
Addressing Table

Device   Interface       IP Address                Default Gateway
R1       G0/0            2001:DB8:ACAD:B::1/64     N/A
         G0/1            2001:DB8:ACAD:A::1/64     N/A
         S0/0/0 (DCE)    2001:DB8:AAAA:1::1/64     N/A
R2       S0/0/0          2001:DB8:AAAA:1::2/64     N/A
         S0/0/1 (DCE)    2001:DB8:AAAA:2::2/64     N/A
R3       G0/1            2001:DB8:CAFE:C::1/64     N/A
         S0/0/1          2001:DB8:AAAA:2::1/64     N/A
S1       VLAN1           2001:DB8:ACAD:A::A/64     N/A
S2       VLAN1           2001:DB8:ACAD:B::A/64     N/A
S3       VLAN1           2001:DB8:CAFE:C::A/64     N/A
PC-A     NIC             2001:DB8:ACAD:A::3/64     FE80::1
PC-B     NIC             2001:DB8:ACAD:B::3/64     FE80::1
PC-C     NIC             2001:DB8:CAFE:C::3/64     FE80::1
Objectives
Part 1: Set Up the Topology and Initialize Devices
Part 2: Configure Devices and Verify Connectivity
Part 3: Configure and Verify IPv6 ACLs
Part 4: Edit IPv6 ACLs
Background / Scenario
You can filter IPv6 traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces, much as you create and apply IPv4 named ACLs. IPv6 ACLs are always named and always extended; standard and numbered ACLs do not exist for IPv6. To apply an IPv6 ACL to an interface, you use the ipv6 traffic-filter command, which is specific to IPv6. To apply an IPv6 ACL to the vty lines, you use the ipv6 access-class command, the IPv6 counterpart of the familiar access-class command. Like an IPv4 ACL, an IPv6 ACL is evaluated top to bottom and the first matching entry decides; the list ends with an implicit deny ipv6 any any, which is preceded by implicit permits for the ICMPv6 Neighbor Discovery messages (neighbor solicitation and advertisement) that IPv6 needs to resolve link-layer addresses.
In this lab, you apply IPv6 filtering rules and then verify that they restrict access as expected. You also edit an IPv6 ACL and clear its match counters.
Note: The routers used with CCNA hands-on labs
are Cisco 1941 Integrated Services Routers (ISRs) with Cisco IOS Release 15.2(4)M3
(universalk9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS Release
15.0(2) (lanbasek9 image). Other routers, switches and Cisco IOS versions can
be used. Depending on the model and Cisco IOS version, the commands available
and output produced might vary from what is shown in the labs. Refer to the
Router Interface Summary Table at the end of the lab for the correct interface
identifiers.
Note: Make sure that the routers and switches have been erased and have
no startup configurations. If you are unsure, contact your instructor.
Required Resources
3 Routers (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
3 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
3 PCs (Windows 7, Vista, or XP with a terminal emulation program, such as Tera Term)
Console cables to configure the Cisco IOS devices via the console ports
Ethernet and serial cables as shown in the topology
Part 1: Set Up the Topology and Initialize Devices
In Part 1, you set up the network topology and clear any configurations if necessary.
Step 1: Cable the network as shown in the topology.
Step 2: Initialize and reload the routers and switches.
Part 2: Configure Devices and Verify Connectivity
In Part 2, you configure basic settings on the routers, switches and PCs. Refer to the Topology and Addressing Table at the beginning of this lab for device names and address information.
Step 1: Configure IPv6 addresses on all PCs.
Configure IPv6 global unicast addresses according to the Addressing Table. Use the link-local address FE80::1 as the default gateway on all PCs; this is the link-local address that Steps 4 and 6 assign to the LAN interface of each PC's router.
Step 2: Configure the switches.
a. Disable DNS lookup.
b. Assign the hostname.
c. Assign a domain name of ccna-lab.com.
d. Encrypt plain-text passwords.
e. Create a MOTD banner warning users that unauthorized access is prohibited.
f. Create a local user database with a username of admin and a password of classadm.
g. Assign class as the privileged EXEC encrypted password.
h. Assign cisco as the console password and enable login.
i. Enable login on the VTY lines using the local database.
j. Generate a crypto RSA key for SSH using a modulus size of 1024 bits. (1024 bits is what this lab specifies; on production devices use a 2048-bit or larger modulus.)
k. Change the transport input on the VTY lines to allow SSH and Telnet only. (Telnet carries credentials in cleartext; the lab keeps it enabled so that Part 3 can demonstrate filtering it.)
l. Assign an IPv6 address to VLAN 1 according to the Addressing Table.
m. Administratively disable all inactive interfaces.
Step 3: Configure basic settings on all routers.
a. Disable DNS lookup.
b. Assign the hostname.
c. Assign a domain name of ccna-lab.com.
d. Encrypt plain-text passwords.
e. Create a MOTD banner warning users that unauthorized access is prohibited.
f. Create a local user database with a username of admin and a password of classadm.
g. Assign class as the privileged EXEC encrypted password.
h. Assign cisco as the console password and enable login.
i. Enable login on the VTY lines using the local database.
j. Generate a crypto RSA key for SSH using a modulus size of 1024 bits.
k. Change the transport input on the VTY lines to allow SSH and Telnet only.
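The following is an added example, not part of the original lab, that carries out Step 2 a through m on S1 as one pasteable configuration; Step 3 a through k on the routers uses the same commands without the VLAN 1 address and the port shutdown. Two things are assumptions: that R1 G0/1 is cabled to F0/5 and PC-A to F0/6 (adjust the shutdown range to your cabling), and that the switch is a Catalyst 2960 with the lanbasek9 image, on which the VLAN 1 SVI will not accept an IPv6 address until the switch database template is changed and the switch reloaded.

```cisco
! Added example (not from the original lab): S1 basic settings, Part 2 Step 2 a-m.
! Assumed cabling: R1 G0/1 on F0/5, PC-A on F0/6; every other port is shut down (step m).
!
! 2960 lanbasek9 only: the SVI rejects an IPv6 address until this template is active,
! which needs a save and a reload. Skip this block on platforms that already do IPv6 on SVIs.
configure terminal
 sdm prefer dual-ipv4-and-ipv6 default
 end
write memory
reload
!
configure terminal
 no ip domain-lookup
 hostname S1
 ip domain-name ccna-lab.com
 ! service password-encryption only applies reversible type 7 obfuscation to line
 ! passwords; use the secret form wherever a hashed password is possible.
 service password-encryption
 banner motd # Unauthorized access is prohibited. #
 username admin secret classadm
 enable secret class
 line console 0
  password cisco
  login
 line vty 0 15
  login local
  ! Telnet is cleartext; it stays enabled only because Part 3 tests filtering it.
  transport input ssh telnet
 ! hostname and ip domain-name must already be set: the key is named after them.
 ! 1024 bits is the lab value; use 2048 or larger outside the lab.
 crypto key generate rsa modulus 1024
 ip ssh version 2
 interface vlan 1
  ipv6 address 2001:DB8:ACAD:A::A/64
  no shutdown
 interface range fastethernet 0/1 - 4 , fastethernet 0/7 - 24 , gigabitethernet 0/1 - 2
  shutdown
 end
write memory
!
! Checks: VLAN1 should be up/up with the global address; SSH should report version 2.
show ipv6 interface brief
show ip ssh
```

If `show ipv6 interface brief` shows VLAN1 without an IPv6 address after the paste, the sdm template did not take effect; confirm with `show sdm prefer` and reload again.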
Step 4: Configure IPv6 settings on R1.
a. Configure the IPv6 unicast address on interfaces G0/0, G0/1, and S0/0/0.
b. Configure the IPv6 link-local address on interfaces G0/0, G0/1, and S0/0/0. Use FE80::1 for the link-local address on all three interfaces.
c. Set the clock rate on S0/0/0 to 128000.
d. Enable the interfaces.
e. Enable IPv6 unicast routing.
f. Configure an IPv6 default route that uses interface S0/0/0.
R1(config)# ipv6 route ::/0 s0/0/0
Step 5: Configure IPv6 settings on R2.
a. Configure the IPv6 unicast address on interfaces S0/0/0 and S0/0/1.
b. Configure the IPv6 link-local address on interfaces S0/0/0 and S0/0/1. Use FE80::2 for the link-local address on both interfaces.
c. Set the clock rate on S0/0/1 to 128000.
d. Enable the interfaces.
e. Enable IPv6 unicast routing.
f. Configure static IPv6 routes to reach the R1 and R3 LAN subnets. The /48 summary covers both R1 LANs (2001:db8:acad:a::/64 and 2001:db8:acad:b::/64).
R2(config)# ipv6 route 2001:db8:acad::/48 s0/0/0
R2(config)# ipv6 route 2001:db8:cafe:c::/64 s0/0/1
Step 6: Configure IPv6 settings on R3.
a. Configure the IPv6 unicast address on interfaces G0/1 and S0/0/1.
b. Configure the IPv6 link-local address on interfaces G0/1 and S0/0/1. Use FE80::1 for the link-local address on both interfaces.
c. Enable the interfaces.
d. Enable IPv6 unicast routing.
e. Configure an IPv6 default route that uses interface S0/0/1.
R3(config)# ipv6 route ::/0 s0/0/1
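The following is an added example, not part of the original lab, that carries out Step 4 on R1 and Step 5 on R2 as complete configurations, with the verification commands a practitioner runs before moving on. R3 (Step 6) mirrors R1 with G0/1 and S0/0/1, link-local FE80::1 and a default route out S0/0/1. Interface names are the 1941 names from the Addressing Table.

```cisco
! Added example (not from the original lab): Part 2 Step 4 (R1) and Step 5 (R2).
!
! --- R1 ---
configure terminal
 ipv6 unicast-routing
 interface gigabitethernet 0/0
  ipv6 address 2001:DB8:ACAD:B::1/64
  ipv6 address FE80::1 link-local
  no shutdown
 interface gigabitethernet 0/1
  ipv6 address 2001:DB8:ACAD:A::1/64
  ipv6 address FE80::1 link-local
  no shutdown
 interface serial 0/0/0
  ipv6 address 2001:DB8:AAAA:1::1/64
  ipv6 address FE80::1 link-local
  ! DCE side of the R1-R2 link provides the clock.
  clock rate 128000
  no shutdown
 ! A link-local address is valid only on its own link, so FE80::1 can be reused on
 ! every R1 interface (and on R3) without conflict; the PCs use it as their gateway.
 ! A static route that names only an exit interface is fine here because serial
 ! links are point-to-point; on an Ethernet interface a next-hop address is required.
 ipv6 route ::/0 serial 0/0/0
 end
!
! --- R2 ---
configure terminal
 ipv6 unicast-routing
 interface serial 0/0/0
  ipv6 address 2001:DB8:AAAA:1::2/64
  ipv6 address FE80::2 link-local
  no shutdown
 interface serial 0/0/1
  ipv6 address 2001:DB8:AAAA:2::2/64
  ipv6 address FE80::2 link-local
  ! DCE side of the R2-R3 link.
  clock rate 128000
  no shutdown
 ! One /48 summary covers both R1 LANs (ACAD:A and ACAD:B); the R3 LAN needs its own /64.
 ipv6 route 2001:DB8:ACAD::/48 serial 0/0/0
 ipv6 route 2001:DB8:CAFE:C::/64 serial 0/0/1
 end
!
! Verification on each router: every interface listed [up/up] with both its link-local
! and global address, and the static routes present with code S. Then ping end to end.
show ipv6 interface brief
show ipv6 route static
ping 2001:DB8:CAFE:C::3
```

If the ping from R1 to PC-C fails while `show ipv6 route static` looks right on R1, check R2 and R3 next: R1 only needs its default route, but R2 must know both LAN prefixes and R3 must have its default route for the reply to come back.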
Step 7: Verify connectivity.
a. Each PC should be able to ping the other PCs in the topology.
b. Telnet to R1 from all PCs in the topology.
c. SSH to R1 from all PCs in the topology.
d. Telnet to S1 from all PCs in the topology.
e. SSH to S1 from all PCs in the topology.
f. Troubleshoot connectivity issues now, because the ACLs that you create in Part 3 of this lab will restrict access to some areas of the network and a pre-existing fault would then be hard to tell apart from an ACL block.
Note: Tera Term requires the target IPv6 address to be enclosed in brackets, for example [2001:db8:acad:a::1] for R1. Enter the IPv6 address in that form, click OK, and then click Continue to accept the security warning and connect to the router. The warning is Tera Term reporting an SSH host key it has not seen before; accepting it trusts that key on first use.
Enter the configured user credentials (username admin and password classadm), select Use plain password to log in in the SSH Authentication dialog box, and click OK to continue.
Part 3: Configure and Verify IPv6 ACLs
Step 1: Configure and verify VTY restrictions on R1.
a. Create an ACL that allows only hosts from the 2001:db8:acad:a::/64 network to Telnet to R1, while hosts from any network can still SSH to R1.
R1(config)# ipv6 access-list RESTRICT-VTY
R1(config-ipv6-acl)# permit tcp 2001:db8:acad:a::/64 any
R1(config-ipv6-acl)# permit tcp any any eq 22
b. Apply the RESTRICT-VTY ACL to R1's VTY lines.
R1(config-ipv6-acl)# line vty 0 4
R1(config-line)# ipv6 access-class RESTRICT-VTY in
R1(config-line)# end
R1#
c. Show the new ACL.
R1# show access-lists
IPv6 access list RESTRICT-VTY
    permit tcp 2001:DB8:ACAD:A::/64 any sequence 10
    permit tcp any any eq 22 sequence 20
d. Verify that the RESTRICT-VTY ACL allows Telnet to R1 only from the 2001:db8:acad:a::/64 network: Telnet to R1 from PC-A (should succeed) and from PC-B and PC-C (should be refused), then SSH to R1 from all three PCs (should succeed).
How does the RESTRICT-VTY ACL only allow hosts from the 2001:db8:acad:a::/64 network to telnet to R1?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
What does the second permit statement in the RESTRICT-VTY ACL do?
____________________________________________________________________________________
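A tighter variant of RESTRICT-VTY, as an added example that is not part of the original lab. The lab's first entry permits every TCP port from the ACAD:A LAN, which is broader than the stated intent of Telnet; the version below permits only port 23 from that LAN and port 22 from anywhere, makes the implicit deny explicit and logged so that refused attempts appear in the router log, and binds the list to every vty line the router has rather than only lines 0 to 4. The ACL name RESTRICT-VTY-TIGHT is an assumption.

```cisco
! Added example (not from the original lab). RESTRICT-VTY-TIGHT is an assumed name.
configure terminal
 ipv6 access-list RESTRICT-VTY-TIGHT
  remark Telnet only from the ACAD:A LAN, SSH from anywhere, log everything else
  permit tcp 2001:DB8:ACAD:A::/64 any eq 23
  permit tcp any any eq 22
  ! Explicit logged deny: same result as the implicit deny, but refused attempts now
  ! show in the log. Safe on vty lines. On an interface traffic-filter an explicit
  ! deny ipv6 any any also replaces the implicit Neighbor Discovery permits, so there
  ! you must add 'permit icmp any any nd-ns' and 'permit icmp any any nd-na' before it.
  deny ipv6 any any log
 ! Bind to every vty line. A router with lines 5-15 left unbound would accept an
 ! unfiltered session on them as soon as lines 0-4 are busy.
 line vty 0 4
  ipv6 access-class RESTRICT-VTY-TIGHT in
 ! If this stanza is rejected, the device has only five vty lines and it can be omitted.
 line vty 5 15
  ipv6 access-class RESTRICT-VTY-TIGHT in
 end
!
! Check which vty lines exist and that each line section carries the access-class:
show line | include VTY
show running-config | section line vty
! After a refused Telnet attempt from PC-B, the deny entry's match counter should increase:
show ipv6 access-list RESTRICT-VTY-TIGHT
```

The `log` keyword is the reason to prefer an explicit final deny on management-plane ACLs: the implicit deny silently drops, while the logged entry tells you who is probing the vty lines.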
Step 2: Restrict Telnet access to the 2001:db8:acad:a::/64 network.
a. Create an ACL called RESTRICTED-LAN that blocks Telnet access to the 2001:db8:acad:a::/64 network.
R1(config)# ipv6 access-list RESTRICTED-LAN
R1(config-ipv6-acl)# remark Block Telnet from outside
R1(config-ipv6-acl)# deny tcp any 2001:db8:acad:a::/64 eq telnet
R1(config-ipv6-acl)# permit ipv6 any any
b. Apply the RESTRICTED-LAN ACL to interface G0/1 for all outbound traffic. An outbound traffic-filter inspects only traffic that transits the router; packets that R1 itself originates (for example, a Telnet session opened from R1 to S1) are not filtered.
R1(config-ipv6-acl)# int g0/1
R1(config-if)# ipv6 traffic-filter RESTRICTED-LAN out
R1(config-if)# end
c. Telnet to S1 from PC-B and PC-C to verify that Telnet has been blocked. SSH to S1 from PC-B to verify that it can still be reached using SSH. Troubleshoot if necessary.
d. Use the show ipv6 access-list command to view the RESTRICTED-LAN ACL.
R1# show ipv6 access-list RESTRICTED-LAN
IPv6 access list RESTRICTED-LAN
    deny tcp any 2001:DB8:ACAD:A::/64 eq telnet (6 matches) sequence 20
    permit ipv6 any any (45 matches) sequence 30
Notice that each statement shows the number of hits, or matches, that have occurred since the ACL was applied to the interface (or since its counters were last cleared). The remark took sequence number 10, which is why the first filtering entry is sequence 20.
e. Use the clear ipv6 access-list command to reset the match counters for the RESTRICTED-LAN ACL.
R1# clear ipv6 access-list RESTRICTED-LAN
f. Redisplay the ACL with the show access-lists command to confirm that the counters were cleared.
R1# show access-lists RESTRICTED-LAN
IPv6 access list RESTRICTED-LAN
    deny tcp any 2001:DB8:ACAD:A::/64 eq telnet sequence 20
    permit ipv6 any any sequence 30
Part 4: Edit IPv6 ACLs
In Part 4, you edit the RESTRICTED-LAN ACL that you created in Part 3. Edits to an applied ACL take effect as soon as each line is entered, so it is good practice to remove the ACL from the interface before editing it and to reapply it once the edits are complete.
Note: Many network administrators instead make a copy of the ACL and edit the copy. When editing is complete, the administrator applies the edited copy to the interface and then removes the old ACL. This method keeps the original ACL in place and filtering until you are ready to apply the edited copy.
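The copy-and-swap method from the Note, as an added example that is not part of the original lab, applied to the same RESTRICTED-LAN edit that Steps 3 through 8 below perform in place. The name RESTRICTED-LAN-V2 is an assumption.

```cisco
! Added example (not from the original lab). RESTRICTED-LAN-V2 is an assumed name.
configure terminal
 ! 1. Build the edited copy while the original stays applied and keeps filtering.
 ipv6 access-list RESTRICTED-LAN-V2
  remark Block Telnet from outside; allow ACAD:B hosts to manage S1
  permit tcp 2001:DB8:ACAD:B::/64 host 2001:DB8:ACAD:A::A eq telnet sequence 15
  deny tcp any 2001:DB8:ACAD:A::/64 eq telnet sequence 20
  permit ipv6 any any sequence 30
 ! 2. Review the copy before it filters anything; a typo here has no effect yet.
 do show ipv6 access-list RESTRICTED-LAN-V2
 ! 3. Swap. An interface holds one IPv6 traffic-filter per direction, so this single
 !    command replaces RESTRICTED-LAN with the copy; there is no interval without a filter.
 interface gigabitethernet 0/1
  ipv6 traffic-filter RESTRICTED-LAN-V2 out
 ! 4. Only now retire the old list. The only lines this search should still return are
 !    the V2 definition and its binding on G0/1.
 do show running-config | include RESTRICTED-LAN
 no ipv6 access-list RESTRICTED-LAN
 end
! Confirm the swap took effect and that counters start from zero on the new list.
show ipv6 interface gigabitethernet 0/1 | include access list
show ipv6 access-list RESTRICTED-LAN-V2
```

On the next edit cycle the same procedure produces a V3 from V2; the cost of the method is a name change per edit, the benefit is that the interface is never unfiltered and a half-typed ACL is never live.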
Step 1: Remove the ACL from the interface.
R1(config)# int g0/1
R1(config-if)# no ipv6 traffic-filter RESTRICTED-LAN out
R1(config-if)# end
Step 2: Use the show access-lists command to view the ACL.
R1# show access-lists
IPv6 access list RESTRICT-VTY
    permit tcp 2001:DB8:ACAD:A::/64 any (4 matches) sequence 10
    permit tcp any any eq 22 (6 matches) sequence 20
IPv6 access list RESTRICTED-LAN
    deny tcp any 2001:DB8:ACAD:A::/64 eq telnet sequence 20
    permit ipv6 any any (36 matches) sequence 30
Step 3: Insert a new ACL statement using sequence numbering.
R1(config)# ipv6 access-list RESTRICTED-LAN
R1(config-ipv6-acl)# permit tcp 2001:db8:acad:b::/64 host 2001:db8:acad:a::a eq 23 sequence 15
What does this new permit statement do?
_______________________________________________________________________________________
Step 4: Insert a new ACL statement at the end of the ACL.
R1(config-ipv6-acl)# permit tcp any host 2001:db8:acad:a::3 eq www
Note: This permit statement is used only to show how to add a statement to the end of an ACL. An entry entered without a sequence number is appended after the highest existing sequence number. This line will never be matched, because the permit ipv6 any any statement before it already matches everything.
Step 5: Use the do show access-lists command to view the ACL change.
R1(config-ipv6-acl)# do show access-list
IPv6 access list RESTRICT-VTY
    permit tcp 2001:DB8:ACAD:A::/64 any (2 matches) sequence 10
    permit tcp any any eq 22 (6 matches) sequence 20
IPv6 access list RESTRICTED-LAN
    permit tcp 2001:DB8:ACAD:B::/64 host 2001:DB8:ACAD:A::A eq telnet sequence 15
    deny tcp any 2001:DB8:ACAD:A::/64 eq telnet sequence 20
    permit ipv6 any any (124 matches) sequence 30
    permit tcp any host 2001:DB8:ACAD:A::3 eq www sequence 40
Note: The do command can be used to execute any privileged EXEC command while in global configuration mode or a submode.
Step 6: Delete an ACL statement.
Use the no form of the command to delete the permit statement that you just added.
R1(config-ipv6-acl)# no permit tcp any host 2001:DB8:ACAD:A::3 eq www
Step 7: Use the do show access-list RESTRICTED-LAN command to view the ACL.
R1(config-ipv6-acl)# do show access-list RESTRICTED-LAN
IPv6 access list RESTRICTED-LAN
    permit tcp 2001:DB8:ACAD:B::/64 host 2001:DB8:ACAD:A::A eq telnet sequence 15
    deny tcp any 2001:DB8:ACAD:A::/64 eq telnet sequence 20
    permit ipv6 any any (214 matches) sequence 30
Step 8: Re-apply the RESTRICTED-LAN ACL to interface G0/1.
R1(config-ipv6-acl)# int g0/1
R1(config-if)# ipv6 traffic-filter RESTRICTED-LAN out
R1(config-if)# end
Step 9: Test ACL changes.
Telnet to S1 from PC-B; it should now succeed, while Telnet to S1 from PC-C should still be refused, because PC-C is not in the 2001:db8:acad:b::/64 network matched by sequence 15. Troubleshoot if necessary.
Reflection
1. What is causing the match count on the RESTRICTED-LAN permit ipv6 any any statement to continue to increase?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
2. What command would you use to reset the counters for the ACL on the VTY lines?
_______________________________________________________________________________________
Router Interface Summary Table

Router Interface Summary
Router Model   Ethernet Interface #1          Ethernet Interface #2          Serial Interface #1      Serial Interface #2
1800           Fast Ethernet 0/0 (F0/0)       Fast Ethernet 0/1 (F0/1)       Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)    Gigabit Ethernet 0/1 (G0/1)    Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2801           Fast Ethernet 0/0 (F0/0)       Fast Ethernet 0/1 (F0/1)       Serial 0/1/0 (S0/1/0)    Serial 0/1/1 (S0/1/1)
2811           Fast Ethernet 0/0 (F0/0)       Fast Ethernet 0/1 (F0/1)       Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)    Gigabit Ethernet 0/1 (G0/1)    Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.