IPv6 Standard ACL 1

IPv6 ACLs, new to #CCNA with the 2016 exam revisions, include both standard and extended ACLs. However, IPv6 standard and extended ACLs have only subtle configuration differences. This lab helps you notice those differences by using requirements that can be implemented with a standard IPv6 ACL, namely, matching on the source and destination IPv6 addresses alone.
Requirements
This lab gives you a set of relatively straightforward IPv6 standard ACL requirements for matching the source and destination IPv6 address ranges. At the same time, the lab gives you enough space to think beyond the configuration. You must work through an existing configuration, get your bearings, choose where to put the ACL, and choose the direction in which to apply it.
The specific rules for this lab are:
- Create a standard IPv6 named ACL named “StdACL01” which performs the following functions:
  - Block all traffic from the 2001:0:0:10::/64 subnet, destined to both subnet 2001:0:0:30::/64 and subnet 2001:0:0:40::/64.
  - Block all traffic from the 2001:0:0:20::100 host, destined to both subnet 2001:0:0:30::/64 and 2001:0:0:40::/64.
  - Permit all other traffic
- You may use one ACL only, enabled on one of the routers only
- You choose the device on which to enable the ACL, the interface(s), and the direction(s)
- As seen in the initial configurations:
  - Assume all router interfaces shown in the lab are up, working and have correct IPv6 addresses assigned
  - Assume routing between all devices is configured and operational, that is, before adding the IPv6 ACLs, all existing IPv6 addresses are pingable
  - Assume that at least one device exists on each VLAN with an IP address ending in :100 with correct gateways configured.
Figure 1: Two Router ROAS Topology for IPv6 Standard ACLs
Initial Configuration
Examples 1, 2, 3 and 4 show the beginning configuration state of R1, R2, SW1 and SW2.
Example 1: R1 Config
hostname R1
!
ipv6 unicast-routing
!
ipv6 router eigrp 1
 eigrp router-id 1.1.1.1
!
interface GigabitEthernet0/1
 ipv6 address 2001:0:0:1::1/64
 ipv6 eigrp 1
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/2.1
 encapsulation dot1q 10
 ipv6 address 2001:0:0:10::1/64
 ipv6 eigrp 1
!
interface GigabitEthernet0/2.2
 encapsulation dot1q 20
 ipv6 address 2001:0:0:20::1/64
 ipv6 eigrp 1
Example 2: R2 Config
hostname R2
!
ipv6 unicast-routing
!
ipv6 router eigrp 1
 eigrp router-id 2.2.2.2
!
interface GigabitEthernet0/1
 ipv6 address 2001:0:0:1::2/64
 ipv6 eigrp 1
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/2.1
 encapsulation dot1q 30
 ipv6 address 2001:0:0:30::2/64
 ipv6 eigrp 1
!
interface GigabitEthernet0/2.2
 encapsulation dot1q 40
 ipv6 address 2001:0:0:40::2/64
 ipv6 eigrp 1
Example 3: SW1 Config
hostname SW1
!
vlan 10,20
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport access vlan 20
Example 4: SW2 Config
hostname SW2
!
vlan 30,40
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface GigabitEthernet0/2
 switchport access vlan 30
!
interface GigabitEthernet0/3
 switchport access vlan 40
Answer on Paper, or Maybe Test in Lab
Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.
To test your solution with VIRL or real gear, verify it with the show ipv6 access-list and show ipv6 interface commands. If possible, you could also add hosts to the topology to confirm that the access list is working as expected.
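A paper answer can also be checked the way a router evaluates it: top to bottom, first match wins. The following Python sketch is an added example, not part of the original lab; it runs a list of ACL entries against flows built from the lab's rules. The CANDIDATE entries are one possible ACL body, the ::55 and ::101 hosts are constructed, and the ACL is assumed to sit where the tested traffic crosses it, so choosing the router, interface and direction remains your exercise.

```python
import ipaddress

def parse_ace(line):
    """Parse '<permit|deny> ipv6 <src> <dst>'; src/dst is 'any', 'host X' or X/len."""
    action, proto, *rest = line.split()
    if action not in ("permit", "deny") or proto != "ipv6":
        raise ValueError(f"unsupported ACE: {line!r}")
    nets = []
    while rest:
        word = rest.pop(0)
        if word == "any":
            nets.append(ipaddress.ip_network("::/0"))
        elif word == "host":
            nets.append(ipaddress.ip_network(rest.pop(0) + "/128"))
        else:
            nets.append(ipaddress.ip_network(word))  # rejects prefixes with host bits set
    if len(nets) != 2:
        raise ValueError(f"expected a source and a destination: {line!r}")
    return action, nets[0], nets[1]

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in map(parse_ace, acl):
        if s in snet and d in dnet:
            return action
    return "deny"

# Verdicts required by the lab rules; the ::55 and ::101 hosts are constructed.
EXPECTED = [
    ("2001:0:0:10::100", "2001:0:0:30::100", "deny"),
    ("2001:0:0:10::55", "2001:0:0:40::100", "deny"),
    ("2001:0:0:20::100", "2001:0:0:30::100", "deny"),
    ("2001:0:0:20::100", "2001:0:0:40::100", "deny"),
    ("2001:0:0:20::101", "2001:0:0:30::100", "permit"),
    ("2001:0:0:10::100", "2001:0:0:20::100", "permit"),
]

def failures(acl):
    """Return the flows whose verdict differs from the lab requirement."""
    return [(s, d, want) for s, d, want in EXPECTED if evaluate(acl, s, d) != want]

CANDIDATE = [  # one possible ACL body (assumption, not the lab's published answer)
    "deny ipv6 2001:0:0:10::/64 2001:0:0:30::/64",
    "deny ipv6 2001:0:0:10::/64 2001:0:0:40::/64",
    "deny ipv6 host 2001:0:0:20::100 2001:0:0:30::/64",
    "deny ipv6 host 2001:0:0:20::100 2001:0:0:40::/64",
    "permit ipv6 any any",
]
MISORDERED = ["permit ipv6 any any"] + CANDIDATE[:-1]  # permit first: denies never match
```

Calling failures() on your own list of entries returns an empty list when every tested flow gets the verdict the lab requires; MISORDERED shows how a permit placed first hides every deny below it.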
Do this Lab with Cisco’s VIRL
You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file for this lab, when used with VIRL, loads a lab topology similar to this lab’s topology, with the initial configuration shown in the lab. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.
Download this lab’s VIRL file!
The VIRL topology matches this lab topology exactly. The host info does as well.
Host device info:
This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.
| Device | IP Address | User/password |
|---|---|---|
| Host-A | 2001:0:0:10::100 | cisco/cisco |
| Host-B | 2001:0:0:20::100 | cisco/cisco |
| Host-C | 2001:0:0:30::100 | cisco/cisco |
| Host-D | 2001:0:0:40::100 | cisco/cisco |
Handy Host Commands:
To see PC IP address: ifconfig eth1
Ping example: ping6 -c4 2001:0:0:10::100
Trace example: tracepath6 2001:0:0:10::1