Pzimmerm: Added metadata template

2011-06-14T23:41:40Z

Added metadata template

← Older revision		Revision as of 23:41, 14 June 2011
Line 1:		Line 1:
	{{Template:Required Metadata}}		{{Template:Required Metadata}}
		+	{{Template:Metadata IPv6 Config Example}}

	==Introduction==		==Introduction==

Scavanau: adding more details

2010-11-03T17:01:10Z

adding more details

New page

{{Template:Required Metadata}}

==Introduction==

IPv6 packets have the ability to use extension headers, these will be placed between the IPv6 portion and the next header (ex. ICMP). The following example is blocking the extension header 43 (dest-op), notice that there is three commands in the access-list ''block4'' (the only one being used in this configuration) You can tell it is the only being used by looking at ''g0/1'' and seeing the command ''ipv6 traffic-filter block4 in''
<pre>deny 60 any any
sequence 30 deny ipv6 any any dest-option
permit ipv6 any any</pre>
The first command actually does nothing at this time to block this type of header (look at version, may change), the 2nd command blocks the dest-option extension headers that I am sending with the Spirent TestCenter and the third command is allowing all other ipv6 traffic because just like IPv4 access-list there is an implicit deny after the final statement in an access-list.

==Design==


The switch is just used so I can test other devices besides the 3845 by switching vlans around.

[[Image:3845-setup.jpg]]

==Version Information==


<pre>barbrady#sh ver
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 15.1(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 11-Aug-10 15:10 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

barbrady uptime is 6 minutes
System returned to ROM by power-on
System image file is "flash:c3845-adventerprisek9-mz.151-2.T1.bin"
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 482304K/41984K bytes of memory.
Processor board ID FTX1405AJSE
2 Gigabit Ethernet interfaces
1 terminal line
2 Virtual Private Network (VPN) Modules
1 cisco ips sensor(s), ips monitoring on slot 1
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO3845-MB FOC14023AUF

Configuration register is 0x2102
</pre>

==Related show Commands==
<pre>
show ipv6 int br
sh ipv6 neighbors
sh ipv6 access-list
</pre>

Certain show commands are supported by the [https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl Output Interpreter Tool (registered customers only)], which allows you to view an analysis of show command output.



==Show running-config==

<pre>barbrady#sh run
Building configuration...

Current configuration : 1694 bytes
!
! Last configuration change at 17:43:30 UTC Thu Aug 12 2010
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname barbrady
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO3845-MB sn FOC14023AUF
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type rj45
ipv6 address 2000::1/64
!
!
interface GigabitEthernet0/1
no ip address
duplex full
speed 1000
media-type rj45
ipv6 address 3000::1/64
ipv6 enable
ipv6 traffic-filter block4 in
!
!
interface IDS-Sensor0/1
no ip address
shutdown
service-module fail-open
!
hold-queue 60 out
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.18.153.1
!
!
!
!
!
!
!
ipv6 access-list block
deny 0 any any log
sequence 60 permit ipv6 any any
!
ipv6 access-list block2
deny 43 any any
sequence 30 deny 43 any any mobility
sequence 50 deny ipv6 any any routing-type 2
permit ipv6 any any
!
ipv6 access-list block3
sequence 60 deny 59 any any
permit ipv6 any any
!
ipv6 access-list block4
deny 60 any any
sequence 30 deny ipv6 any any dest-option
permit ipv6 any any
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line 386
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
speed 115200
line vty 0 4
login
!
scheduler allocate 20000 1000
end

barbrady#
</pre>

==Related Information==
[http://www.cisco.com/en/US/products/sw/secursw/ps1018/tsd_products_support_configure.html IOS-FW - Configuration Examples - Cisco Systems]




[[Category:IPv6 Configuration Examples]]

IOS-FW - Block IPv6 Extension Headers - Revision history

Pzimmerm: Added metadata template

Scavanau: adding more details