
Configuring IPv6 ACLs: Lab Topology

This document provides instructions for configuring and testing two IPv6 access control lists (ACLs) on a network topology. The first ACL blocks HTTP and HTTPS traffic to a server, while the second blocks all ICMP ping requests to the same server to prevent a DDoS attack. Key steps include creating the ACLs, applying them to interfaces, and verifying they work as intended by allowing and blocking the correct traffic.

Uploaded by

Aye Kyaw

Download PNETLab Platform

PNETLAB Store
PNETLab.com

Configuring IPv6 ACLs

Lab Topology:
Please use the following topology to complete this lab exercise:

Objectives
Part 1: Configure, Apply, and Verify an IPv6 ACL
Part 2: Configure, Apply, and Verify a Second IPv6 ACL

Addressing Table


Part 1: Configure, Apply, and Verify an IPv6 ACL

Step 1: Configure an ACL that will block HTTP and HTTPS access.
Configure an ACL named BLOCK_HTTP on R1 with the following statements.
Block HTTP and HTTPS traffic from reaching Server3 and allow all other IPv6 traffic to pass.

R1(config)#ipv6 access-list BLOCK_HTTP

R1(config-ipv6-acl)# deny tcp any host 2001:DB8:1:30::30 eq www

R1(config-ipv6-acl)# deny tcp any host 2001:DB8:1:30::30 eq 443

R1(config-ipv6-acl)# permit ipv6 any any

Step 2: Apply the ACL to the correct interface.


Apply the ACL on the interface closest to the source of the traffic to be blocked.

R1(config)# interface e0/0

R1(config-if)# ipv6 traffic-filter BLOCK_HTTP in

R1(config-if)# interface e0/2

R1(config-if)# ipv6 traffic-filter BLOCK_HTTP in

Step 3: Verify the ACL implementation.


Verify that the ACL is operating as intended by conducting the following tests:
• From PC1, test port 80 against http://2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The
website should appear.
• From PC2, test port 443 against http://2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The
website should be blocked.
• Ping from PC2 to 2001:DB8:1:30::30. The ping should be successful.

PC1#ping ipv6 2001:DB8:1:30::30

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:1:30::30, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms


Part 2: Configure, Apply, and Verify a Second IPv6 ACL

The logs now indicate that your server is receiving pings from many different IPv6 addresses in
a Distributed Denial of Service (DDoS) attack. You must filter ICMP ping requests to your server.
Step 1: Create an access list to block ICMP.
Configure an ACL named BLOCK_ICMP on R3 with the following statements:
Block all ICMP traffic from any hosts to any destination and allow all other IPv6 traffic to pass.
R3(config)#ipv6 access-list BLOCK_ICMP

R3(config-ipv6-acl)# deny icmp any any

R3(config-ipv6-acl)# permit ipv6 any any

Step 2: Apply the ACL to the correct interface.


In this case, ICMP traffic can come from any source. To ensure that ICMP traffic is blocked,
regardless of its source or any changes that occur to the network topology, apply the ACL
closest to the destination.

R3(config)# interface e0/1

R3(config-if)# ipv6 traffic-filter BLOCK_ICMP out

Step 3: Verify that the proper access list functions.


a. Ping from PC2 to 2001:DB8:1:30::30. The ping should fail.
b. Ping from PC1 to 2001:DB8:1:30::30. The ping should fail.
From PC1, test the port against http://2001:DB8:1:30::30 or https://2001:DB8:1:30::30.

PC1#ping ipv6 2001:DB8:1:30::30

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:1:30::30, timeout is 2 seconds:
!!!!!

Success rate is 0 percent (0/5)
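
The scenario in Part 2 asks only for ping requests to the server to be filtered, while deny icmp any any drops every ICMPv6 message type leaving e0/1, including Packet Too Big, which path MTU discovery depends on. The following added example (not part of the original lab; the ACL name BLOCK_PING is hypothetical) shows the lab's ACL beside a narrower one that denies only Echo Request addressed to Server3:

```cisco
! Added example, not from the original lab. BLOCK_PING is a hypothetical name.
!
! As configured in the lab: the deny line matches every ICMPv6 type,
! e.g. Echo Request (128), Echo Reply (129), Destination Unreachable (1)
! and Packet Too Big (2).
ipv6 access-list BLOCK_ICMP
 deny icmp any any
 permit ipv6 any any
!
! Narrower alternative: drop only Echo Request sent to the server.
! Other ICMPv6 messages fall through to the permit line.
ipv6 access-list BLOCK_PING
 deny icmp any host 2001:DB8:1:30::30 echo-request
 permit ipv6 any any
!
! Swap the filter on the interface closest to the destination.
interface e0/1
 no ipv6 traffic-filter BLOCK_ICMP out
 ipv6 traffic-filter BLOCK_PING out
!
! Verify from privileged EXEC mode: the match counter on the deny entry
! should increase while PC1 or PC2 pings the server.
!   show ipv6 access-list BLOCK_PING
```

With BLOCK_PING applied, the Step 3 pings from PC1 and PC2 should still fail, because Echo Request to 2001:DB8:1:30::30 is still denied.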
