10 Extension A
Baran Schöneberg edited this page 2025-06-25 18:10:03 +02:00

ACL Configuration (Access Control Lists)

SSH access only from Hamburg clients to infrastructure (e.g., router):

ipv6 access-list SSH_ONLY_FROM_HH
 permit tcp 2001:db8:1000:10::/64 any eq 22
 deny tcp any any eq 22
 permit ipv6 any any
interface GigabitEthernet0/0/0
 ipv6 traffic-filter SSH_ONLY_FROM_HH in

HTTP/HTTPS access for Hamburg clients to the web servers:

ipv6 access-list HH_WEB_ACCESS
 permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 80
 permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 443
interface GigabitEthernet0/0/0.10
 ipv6 traffic-filter HH_WEB_ACCESS in

Lübeck clients reach the web servers only via HTTPS:

ipv6 access-list HL_HTTPS_ONLY
 permit tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 443
 deny tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 80
 permit ipv6 any any
interface GigabitEthernet0/0/0.30
 ipv6 traffic-filter HL_HTTPS_ONLY in

Deny ICMPv6 to routers from all but the management VLAN (Neighbor Discovery must stay permitted explicitly, because an explicit deny icmp entry overrides the implicit nd-ns/nd-na permits at the end of every IOS IPv6 ACL):

ipv6 access-list ICMP_PROTECT
 remark ND exceptions must precede the deny, otherwise the link loses address resolution
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-solicitation
 permit icmp 2001:db8:1000:fff0::/64 any
 deny icmp any any
 permit ipv6 any any
interface Vlan1
 ipv6 traffic-filter ICMP_PROTECT in
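To check an ACL before it is applied to a production interface, the script below (an added example, not part of this wiki page or the project's configuration) evaluates the page's IPv6 ACLs with Cisco IOS first-match semantics, including the implicit nd-na/nd-ns permits and the implicit deny at the end. The host addresses and the ICMP_PROTECT variant without explicit ND permits are constructed for the demonstration; they show two effects worth knowing about: HH_WEB_ACCESS has no trailing permit, so the same Hamburg clients' DHCPv6 and DNS traffic is dropped on that subinterface, and a bare deny icmp any any shadows the implicit ND permits.

```python
"""First-match evaluator for the IPv6 ACL subset used on this page (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cisco IOS appends these implicit entries to every IPv6 ACL.
IMPLICIT_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. "nd-ns", "echo-request"

def _parse_addr(tokens):
    """Consume 'any', 'host X' or 'prefix/len'; return (network or None for any, remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>] [icmp-type]' entries plus the implicit tail."""
    rules = []
    for line in text.strip().splitlines() + IMPLICIT_TAIL:
        tokens = line.split()
        if not tokens or tokens[0] in ("ipv6", "remark"):
            continue  # 'ipv6 access-list NAME' header or a remark
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        port = icmp_type = None
        if rest[:1] == ["eq"]:
            port = int(rest[1])
        elif rest and proto == "icmp":
            icmp_type = rest[0]
        rules.append((action, proto, src, dst, port, icmp_type))
    return rules

def evaluate(rules, pkt):
    """Return the action of the first matching entry; the implicit deny guarantees a match."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, port, icmp_type in rules:
        if proto != "ipv6" and proto != pkt.proto:
            continue
        if (src is not None and s not in src) or (dst is not None and d not in dst):
            continue
        if (port is not None and port != pkt.dport) or (icmp_type is not None and icmp_type != pkt.icmp_type):
            continue
        return action
    raise RuntimeError("unreachable: the implicit deny matches everything")

SSH_ONLY_FROM_HH = """
ipv6 access-list SSH_ONLY_FROM_HH
 permit tcp 2001:db8:1000:10::/64 any eq 22
 deny tcp any any eq 22
 permit ipv6 any any
"""
HH_WEB_ACCESS = """
ipv6 access-list HH_WEB_ACCESS
 permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 80
 permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 443
"""
# Deliberately written without explicit ND permits to show that the deny shadows the implicit tail.
ICMP_PROTECT_NO_ND = """
ipv6 access-list ICMP_PROTECT
 permit icmp 2001:db8:1000:fff0::/64 any
 deny icmp any any
 permit ipv6 any any
"""

def verdicts():
    """Run constructed sample packets (hosts inside the page's prefixes) through the three ACLs."""
    ssh, web, icmp = parse_acl(SSH_ONLY_FROM_HH), parse_acl(HH_WEB_ACCESS), parse_acl(ICMP_PROTECT_NO_ND)
    hh, hl, web_srv = "2001:db8:1000:10::100", "2001:db8:2000:30::100", "2001:db8:3000:50::10"
    router, solicited = "2001:db8:1000:10::1", "ff02::1:ff00:1"
    return {
        "ssh_from_hamburg": evaluate(ssh, Packet("tcp", hh, router, 22)),
        "ssh_from_luebeck": evaluate(ssh, Packet("tcp", hl, router, 22)),
        "https_from_luebeck_passes_ssh_acl": evaluate(ssh, Packet("tcp", hl, web_srv, 443)),
        "web_https_from_hamburg": evaluate(web, Packet("tcp", hh, web_srv, 443)),
        "web_dhcpv6_solicit_from_hamburg": evaluate(web, Packet("udp", hh, "ff02::1:2", 547)),
        "web_dns_from_hamburg": evaluate(web, Packet("udp", hh, web_srv, 53)),
        "web_nd_ns_from_hamburg": evaluate(web, Packet("icmp", hh, solicited, icmp_type="nd-ns")),
        "icmp_nd_ns_from_luebeck": evaluate(icmp, Packet("icmp", hl, solicited, icmp_type="nd-ns")),
        "icmp_echo_from_mgmt": evaluate(icmp, Packet("icmp", "2001:db8:1000:fff0::5", router, icmp_type="echo-request")),
    }

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:40s} {verdict}")
```

The evaluator only understands the entry forms that appear on this page (numeric ports, prefix/host/any addresses, a single ICMP type keyword); entries with port ranges, flow labels or `established` would need extending before the result can be trusted.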

DHCPv6 Configuration

interface GigabitEthernet0/0/0.30
 ipv6 address 2001:db8:2000:30::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server VLAN30-DHCP

ipv6 dhcp pool VLAN30-DHCP
 dns-server 2001:db8:3000:50::10
 domain-name streamline.local

Hamburg is the only location using stateful DHCPv6. All other cities (Lübeck, Berlin, München) rely on SLAAC or stateless DHCPv6.

interface GigabitEthernet0/0/0.10
 ipv6 address 2001:db8:1000:10::1/64
 ipv6 dhcp server HH-STATEFUL
 ipv6 nd managed-config-flag

ipv6 dhcp pool HH-STATEFUL
 address prefix 2001:db8:1000:10::/64
 dns-server 2001:db8:3000:50::10
 domain-name hh.streamline.local
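The two interface commands above only set bits in the Router Advertisements the router sends; the clients decide from those bits whether to use SLAAC, stateless or stateful DHCPv6. The script below (an added example, not part of this wiki page or the project's configuration) builds and decodes ICMPv6 Router Advertisements carrying the page's VLAN prefixes to show how `ipv6 nd other-config-flag` (O bit) and `ipv6 nd managed-config-flag` (M bit) reach the hosts. Lifetimes and the zeroed checksum are constructed test values; no packet is sent.

```python
"""Build and decode ICMPv6 Router Advertisements (RFC 4861) to see the M/O flags a host receives."""
import ipaddress
import struct

RA_TYPE = 134
FLAG_M = 0x80          # managed-config-flag: addresses come from stateful DHCPv6
FLAG_O = 0x40          # other-config-flag: only DNS/domain come from stateless DHCPv6
OPT_PREFIX_INFO = 3
PIO_FLAG_L = 0x80      # prefix is on-link
PIO_FLAG_A = 0x40      # autonomous: host may form a SLAAC address from this prefix

def build_prefix_option(prefix: str, autonomous: bool = True) -> bytes:
    """Prefix Information option: type, length (8-byte units), prefix length, flags, lifetimes, prefix."""
    net = ipaddress.IPv6Network(prefix)
    flags = PIO_FLAG_L | (PIO_FLAG_A if autonomous else 0)
    return struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                       2592000, 604800, 0, net.network_address.packed)  # constructed lifetimes

def build_ra(managed: bool, other: bool, options=(), router_lifetime: int = 1800) -> bytes:
    """Fixed 16-byte RA header (checksum left at zero, constructed data) followed by the options."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, router_lifetime, 0, 0)
    return header + b"".join(options)

def parse_ra(packet: bytes) -> dict:
    """Decode M/O flags and collect prefixes that allow SLAAC; reject malformed options."""
    if len(packet) < 16 or packet[0] != RA_TYPE or packet[1] != 0:
        raise ValueError("not an ICMPv6 Router Advertisement")
    flags = packet[5]
    info = {
        "managed": bool(flags & FLAG_M),
        "other": bool(flags & FLAG_O),
        "router_lifetime": struct.unpack("!H", packet[6:8])[0],
        "slaac_prefixes": [],
    }
    off = 16
    while off + 2 <= len(packet):
        typ, length = packet[off], packet[off + 1]
        if length == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: packet must be discarded
        end = off + length * 8
        if end > len(packet):
            raise ValueError("truncated ND option")
        if typ == OPT_PREFIX_INFO and length == 4:
            plen, pflags = packet[off + 2], packet[off + 3]
            prefix = ipaddress.IPv6Network((packet[off + 16:off + 32], plen))
            if pflags & PIO_FLAG_A:
                info["slaac_prefixes"].append(str(prefix))
        off = end
    return info

def host_mode(info: dict) -> str:
    """Address-configuration mode a host derives from the M/O bits (M takes precedence)."""
    if info["managed"]:
        return "stateful DHCPv6"
    if info["other"]:
        return "SLAAC + stateless DHCPv6"
    return "SLAAC only"

# Constructed RAs matching the page's two interface configurations.
RA_VLAN30 = build_ra(managed=False, other=True, options=[build_prefix_option("2001:db8:2000:30::/64")])
RA_VLAN10 = build_ra(managed=True, other=False, options=[build_prefix_option("2001:db8:1000:10::/64")])

if __name__ == "__main__":
    for name, ra in (("VLAN30", RA_VLAN30), ("VLAN10", RA_VLAN10)):
        info = parse_ra(ra)
        print(name, host_mode(info), "SLAAC prefixes:", info["slaac_prefixes"])
```

Note the second decode: even with the M bit set, the prefix is still advertised with the A flag, so Hamburg hosts would form SLAAC addresses alongside their DHCPv6 leases. IOS clears that flag only with `ipv6 nd prefix 2001:db8:1000:10::/64 ... no-autoconfig` on the interface; the parser makes the difference visible before the ACLs that rely on fixed addresses are rolled out.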

Place the DHCPv6 server on the Berlin server or on the core router.

On all edge routers, configure a DHCPv6 relay on the client-facing interface (IOS has no ipv6 helper-address command; the relay is configured with ipv6 dhcp relay destination):

interface GigabitEthernet0/0
 ipv6 dhcp relay destination 2001:db8:3000:50::10

OSPFv3 Configuration (Replacing Static Routing)

ipv6 unicast-routing
ipv6 router ospf 42
 router-id 1.1.1.1
interface GigabitEthernet0/0/0
 ipv6 ospf 42 area 0
interface Serial0/1/0
 ipv6 ospf 42 area 0

Repeat on the other routers with a unique router-id each (2.2.2.2, 3.3.3.3, etc.).