Extension A added
parent
ed05b90542
commit
2de9e1e6d9
1 changed files with 95 additions and 0 deletions
95
Extension-A.md
Normal file
|
@ -0,0 +1,95 @@
|
||||||
|
ACL Configuration (Access Control Lists)
|
||||||
|
|
||||||
|
🔹 Must-Have ACL Rules
|
||||||
|
|
||||||
|
SSH access only from Hamburg clients to infrastructure (e.g., router):
|
||||||
|
|
||||||
|
ipv6 access-list SSH_ONLY_FROM_HH
|
||||||
|
permit tcp 2001:db8:1000:10::/64 any eq 22
|
||||||
|
deny tcp any any eq 22
|
||||||
|
permit ipv6 any any
|
||||||
|
interface GigabitEthernet0/0
|
||||||
|
ipv6 traffic-filter SSH_ONLY_FROM_HH in
|
||||||
|
|
||||||
|
HTTP/HTTPS access for Hamburg clients to Webservers:
|
||||||
|
|
||||||
|
ipv6 access-list HH_WEB_ACCESS
|
||||||
|
permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 80
|
||||||
|
permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 443
|
||||||
|
interface GigabitEthernet0/0/0.10
|
||||||
|
ipv6 traffic-filter HH_WEB_ACCESS in
|
||||||
|
|
||||||
|
Lübeck clients access Webservers only via HTTPS:
|
||||||
|
|
||||||
|
ipv6 access-list HL_HTTPS_ONLY
|
||||||
|
permit tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 443
|
||||||
|
deny tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 80
|
||||||
|
permit ipv6 any any
|
||||||
|
interface GigabitEthernet0/0/0.30
|
||||||
|
ipv6 traffic-filter HL_HTTPS_ONLY in
|
||||||
|
|
||||||
|
🔸 Should-Have Security Rule
|
||||||
|
|
||||||
|
Deny ICMPv6 to Routers from all but management VLANs:
|
||||||
|
|
||||||
|
ipv6 access-list ICMP_PROTECT
|
||||||
|
permit icmp 2001:db8:1000:fff0::/64 any
|
||||||
|
deny icmp any any
|
||||||
|
permit ipv6 any any
|
||||||
|
interface Vlan1
|
||||||
|
ipv6 traffic-filter ICMP_PROTECT in
|
||||||
|
|
||||||
|
DHCPv6 Configuration
|
||||||
|
|
||||||
|
🔹 Must-Have: SLAAC with DHCPv6 (Stateless) – General Setup
|
||||||
|
|
||||||
|
interface GigabitEthernet0/0/0.30
|
||||||
|
ipv6 address 2001:db8:2000:30::1/64
|
||||||
|
ipv6 nd other-config-flag
|
||||||
|
ipv6 dhcp server VLAN30-DHCP
|
||||||
|
|
||||||
|
ipv6 dhcp pool VLAN30-DHCP
|
||||||
|
dns-server 2001:4860:4860::8888
|
||||||
|
domain-name example.local
|
||||||
|
|
||||||
|
🔸 Should-Have: Stateful DHCPv6 on Hamburg Router
|
||||||
|
|
||||||
|
interface GigabitEthernet0/0/0.10
|
||||||
|
ipv6 address 2001:db8:1000:10::1/64
|
||||||
|
ipv6 dhcp server HH-STATEFUL
|
||||||
|
ipv6 nd managed-config-flag
|
||||||
|
|
||||||
|
ipv6 dhcp pool HH-STATEFUL
|
||||||
|
address prefix 2001:db8:1000:10::/64
|
||||||
|
dns-server 2001:4860:4860::8888
|
||||||
|
domain-name hh.example.local
|
||||||
|
|
||||||
|
⚙️ Could-Have: Centralized DHCPv6 Setup (Documented)
|
||||||
|
|
||||||
|
Place DHCPv6 server on Berlin server or core router.
|
||||||
|
|
||||||
|
On all edge routers, you would configure:
|
||||||
|
|
||||||
|
interface GigabitEthernet0/0
|
||||||
|
ipv6 helper-address 2001:db8:3000:50::10
|
||||||
|
|
||||||
|
(Note: Not implemented in PT, but conceptually shown for transition presentation.)
|
||||||
|
|
||||||
|
✅ OSPFv3 Configuration (Replacing Static Routing)
|
||||||
|
|
||||||
|
🔹 Must-Have: Full OSPFv3 Setup with Process 42 and Area 0
|
||||||
|
|
||||||
|
ipv6 unicast-routing
|
||||||
|
ipv6 router ospf 42
|
||||||
|
router-id 1.1.1.1
|
||||||
|
interface GigabitEthernet0/0/0
|
||||||
|
ipv6 ospf 42 area 0
|
||||||
|
interface Serial0/1/0
|
||||||
|
ipv6 ospf 42 area 0
|
||||||
|
|
||||||
|
Repeat with appropriate router-id (2.2.2.2, 3.3.3.3, etc.) on other routers.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
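Review bot: HH_WEB_ACCESS, applied inbound on GigabitEthernet0/0/0.10, ends after its two permit lines, so the implicit deny at the end of the list drops everything else arriving from the Hamburg client VLAN. That includes the DHCPv6 requests that the HH-STATEFUL section later in this file expects on the same subinterface, and the SSH from 2001:db8:1000:10::/64 that SSH_ONLY_FROM_HH is written to permit. Either add explicit permits for what the VLAN needs (at least UDP to port 547 and router solicitations) or end the list with `permit ipv6 any any` as the other three lists do, and say in the text which behaviour is intended. Separately, in ICMP_PROTECT the line `deny icmp any any` is evaluated before the implicit neighbor-discovery permits and matches any destination, not only the routers, so on Vlan1 it also blocks neighbor discovery and Packet Too Big messages from every non-management source. Restrict the deny to the router addresses or permit the required ICMPv6 types ahead of it.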