IOS-FW - Block IPv6 Extension Headers
From DocWiki
Introduction
IPv6 packets can carry extension headers; these are placed between the fixed IPv6 header and the next header (for example ICMP). The following example blocks extension header 43 (dest-op). Notice that there are three commands in the access-list block4 (the only one in use in this configuration); you can tell it is the only one in use by looking at g0/1 and seeing the command ipv6 traffic-filter block4 in:
 deny 60 any any
 sequence 30 deny ipv6 any any dest-option
 permit ipv6 any any
The first command actually does nothing at this time to block this type of header (look at the version; this may change). The second command blocks the dest-option extension headers that I am sending with the Spirent TestCenter, and the third command allows all other IPv6 traffic because, just like an IPv4 access-list, there is an implicit deny after the final statement in an access-list.
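As an added illustration (not from the original page), here is a small Python model of the packet side of this: it walks an IPv6 packet's extension header chain and reports which of the two deny lines in block4 a packet would hit. The model assumes, as the page reports, that a protocol-number match such as deny 60 any any is compared against the upper-layer protocol that follows the chain, while the dest-option keyword matches a Destination Options header anywhere in the chain; the sample packets are constructed.

```python
import struct

# IPv6 Next Header values for the extension headers an IOS IPv6 ACL can key on (RFC 8200, IANA)
HOPOPT, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 51, 60, 135
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY}

def walk_ext_headers(pkt: bytes):
    """Walk the extension header chain of a raw IPv6 packet.
    Returns (list of extension header numbers in order, upper-layer protocol number)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nh)
        if nh == FRAGMENT:                  # fixed 8 bytes, no length field
            hdr_len = 8
        elif nh == AH:                      # length field in 4-byte units, minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        else:                               # length field in 8-byte units, not counting the first 8
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hdr_len
    return chain, nh

def matches_block4(pkt: bytes):
    """Model the two deny lines of ACL block4 as the page describes their effect (assumption):
    a protocol-number match ('deny 60 any any') is compared against the upper-layer protocol
    that follows the chain, whereas the dest-option keyword matches a Destination Options
    header anywhere in the chain. Returns which deny line the packet hits."""
    chain, upper = walk_ext_headers(pkt)
    return {"deny 60 any any": upper == DEST_OPTS,
            "deny ipv6 any any dest-option": DEST_OPTS in chain}

def build_sample(with_dest_opts: bool = True) -> bytes:
    """Constructed sample traffic: 3000::2 -> 3000::1 ICMPv6 echo request, optionally with a
    Destination Options header (one PadN option) in front of it, like the test traffic on the page."""
    src = bytes.fromhex("30000000000000000000000000000002")
    dst = bytes.fromhex("30000000000000000000000000000001")
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])            # type 128 echo request, checksum left 0
    dest_opts = bytes([58, 0, 1, 4, 0, 0, 0, 0])        # next=58 (ICMPv6), len=0 (8 bytes), PadN(4)
    payload = (dest_opts if with_dest_opts else b"") + icmp
    first_nh = DEST_OPTS if with_dest_opts else 58
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + src + dst
    return ip6 + payload

if __name__ == "__main__":
    for flag in (True, False):
        print("dest-option header present" if flag else "plain ICMPv6", matches_block4(build_sample(flag)))
```

Only the packet carrying the Destination Options header hits the dest-option line; the plain ICMPv6 packet falls through to permit ipv6 any any.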
Design
The switch is just used so I can test other devices besides the 3845 by switching VLANs around.
Version Information
barbrady#sh ver
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 15.1(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 11-Aug-10 15:10 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

barbrady uptime is 6 minutes
System returned to ROM by power-on
System image file is "flash:c3845-adventerprisek9-mz.151-2.T1.bin"
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

Cisco 3845 (revision 1.0) with 482304K/41984K bytes of memory.
Processor board ID FTX1405AJSE
2 Gigabit Ethernet interfaces
1 terminal line
2 Virtual Private Network (VPN) Modules
1 cisco ips sensor(s), ips monitoring on slot 1
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO3845-MB          FOC14023AUF

Configuration register is 0x2102
Related show Commands
show ipv6 int br
sh ipv6 neighbors
sh ipv6 access-list
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
Show running-config
barbrady#sh run
Building configuration...

Current configuration : 1694 bytes
!
! Last configuration change at 17:43:30 UTC Thu Aug 12 2010
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname barbrady
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO3845-MB sn FOC14023AUF
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2000::1/64
!
!
interface GigabitEthernet0/1
 no ip address
 duplex full
 speed 1000
 media-type rj45
 ipv6 address 3000::1/64
 ipv6 enable
 ipv6 traffic-filter block4 in
!
!
interface IDS-Sensor0/1
 no ip address
 shutdown
 service-module fail-open
 !
 hold-queue 60 out
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.18.153.1
!
!
!
!
!
!
!
ipv6 access-list block
 deny 0 any any log
 sequence 60 permit ipv6 any any
!
ipv6 access-list block2
 deny 43 any any
 sequence 30 deny 43 any any mobility
 sequence 50 deny ipv6 any any routing-type 2
 permit ipv6 any any
!
ipv6 access-list block3
 sequence 60 deny 59 any any
 permit ipv6 any any
!
ipv6 access-list block4
 deny 60 any any
 sequence 30 deny ipv6 any any dest-option
 permit ipv6 any any
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line 386
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 speed 115200
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

barbrady#