IOS-FW - Block IPv6 Extension Headers

From DocWiki

Revision as of 17:01, 3 November 2010 by Scavanau (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Contents

Introduction

IPv6 packets have the ability to use extension headers, these will be placed between the IPv6 portion and the next header (ex. ICMP). The following example is blocking the extension header 43 (dest-op), notice that there is three commands in the access-list block4 (the only one being used in this configuration) You can tell it is the only being used by looking at g0/1 and seeing the command ipv6 traffic-filter block4 in 

deny 60 any any
sequence 30 deny ipv6 any any dest-option
permit ipv6 any any

The first command actually does nothing at this time to block this type of header (look at version, may change), the 2nd command blocks the dest-option extension headers that I am sending with the Spirent TestCenter and the third command is allowing all other ipv6 traffic because just like IPv4 access-list there is an implicit deny after the final statement in an access-list.

Design

The switch is just used so I can test other devices besides the 3845 by switching vlans around.

3845-setup.jpg

Version Information

barbrady#sh ver
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 15.1(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 11-Aug-10 15:10 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

barbrady uptime is 6 minutes
System returned to ROM by power-on
System image file is "flash:c3845-adventerprisek9-mz.151-2.T1.bin"
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 482304K/41984K bytes of memory.
Processor board ID FTX1405AJSE
2 Gigabit Ethernet interfaces
1 terminal line
2 Virtual Private Network (VPN) Modules
1 cisco ips sensor(s), ips monitoring on slot 1
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO3845-MB          FOC14023AUF



Configuration register is 0x2102


Related show Commands

show ipv6 int br
sh ipv6 neighbors
sh ipv6 access-list

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.


Show running-config

barbrady#sh run
Building configuration...


Current configuration : 1694 bytes
!
! Last configuration change at 17:43:30 UTC Thu Aug 12 2010
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname barbrady
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO3845-MB sn FOC14023AUF
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2000::1/64
 !
!
interface GigabitEthernet0/1
 no ip address
 duplex full
 speed 1000
 media-type rj45
 ipv6 address 3000::1/64
 ipv6 enable
 ipv6 traffic-filter block4 in
 !
!
interface IDS-Sensor0/1
 no ip address
 shutdown
 service-module fail-open
 !
 hold-queue 60 out
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.18.153.1
!
!
!
!
!
!
!
ipv6 access-list block
 deny 0 any any log
 sequence 60 permit ipv6 any any
!
ipv6 access-list block2
 deny 43 any any
 sequence 30 deny 43 any any mobility
 sequence 50 deny ipv6 any any routing-type 2
 permit ipv6 any any
!
ipv6 access-list block3
 sequence 60 deny 59 any any
 permit ipv6 any any
!
ipv6 access-list block4
 deny 60 any any
 sequence 30 deny ipv6 any any dest-option
 permit ipv6 any any
!
control-plane
 !
!
!
!
!
!
!
!
!
line con 0
line aux 0
line 386
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 speed 115200
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

barbrady#

Related Information

IOS-FW - Configuration Examples - Cisco Systems

Rating: 0.0/5 (0 votes cast)

Retrieved from "http://docwiki.cisco.com/wiki/IOS-FW_-_Block_IPv6_Extension_Headers"
Personal tools