From e4ba1fd578e7eccf70867f77b32ab6f5cd7f10f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Baran=20Sch=C3=B6neberg?= Date: Thu, 19 Jun 2025 09:34:00 +0200 Subject: [PATCH] Extension A aktualisiert --- Extension-A.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Extension-A.md b/Extension-A.md index 1a7e1ab..d6396a5 100644 --- a/Extension-A.md +++ b/Extension-A.md @@ -4,6 +4,7 @@ SSH access only from Hamburg clients to infrastructure (e.g., router): +``` ipv6 access-list SSH_ONLY_FROM_HH permit tcp 2001:db8:1000:10::/64 any eq 22 deny tcp any any eq 22 @@ -11,38 +12,46 @@ ipv6 access-list SSH_ONLY_FROM_HH interface GigabitEthernet0/0 ipv6 traffic-filter SSH_ONLY_FROM_HH in +``` HTTP/HTTPS access for Hamburg clients to Webservers: +``` ipv6 access-list HH_WEB_ACCESS permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 80 permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 443 interface GigabitEthernet0/0/0.10 ipv6 traffic-filter HH_WEB_ACCESS in +``` Lübeck clients access Webservers only via HTTPS: +``` ipv6 access-list HL_HTTPS_ONLY permit tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 443 deny tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 80 permit ipv6 any any interface GigabitEthernet0/0/0.30 ipv6 traffic-filter HL_HTTPS_ONLY in +``` 🔸 Should-Have Security Rule Deny ICMPv6 to Routers from all but management VLANs: +``` ipv6 access-list ICMP_PROTECT permit icmp 2001:db8:1000:fff0::/64 any deny icmp any any permit ipv6 any any interface Vlan1 ipv6 traffic-filter ICMP_PROTECT in +``` ### DHCPv6 Configuration 🔹 Must-Have: SLAAC with DHCPv6 (Stateless) – General Setup +``` interface GigabitEthernet0/0/0.30 ipv6 address 2001:db8:2000:30::1/64 ipv6 nd other-config-flag 
@@ -52,8 +61,10 @@ ipv6 dhcp pool VLAN30-DHCP dns-server 2001:4860:4860::8888 domain-name example.local +``` 🔸 Should-Have: Stateful DHCPv6 on Hamburg Router +``` interface GigabitEthernet0/0/0.10 ipv6 address 2001:db8:1000:10::1/64 ipv6 dhcp server HH-STATEFUL @@ -64,21 +75,25 @@ ipv6 dhcp pool HH-STATEFUL dns-server 2001:4860:4860::8888 domain-name hh.example.local +``` ⚙️ Could-Have: Centralized DHCPv6 Setup (Documented) Place DHCPv6 server on Berlin server or core router. On all edge routers, you would configure: +``` interface GigabitEthernet0/0 ipv6 helper-address 2001:db8:3000:50::10 +``` (Note: Not implemented in PT, but conceptually shown for transition presentation.) ### OSPFv3 Configuration (Replacing Static Routing) 🔹 Must-Have: Full OSPFv3 Setup with Process 42 and Area 0 +``` ipv6 unicast-routing ipv6 router ospf 42 router-id 1.1.1.1 @@ -86,6 +101,7 @@ interface GigabitEthernet0/0/0 ipv6 ospf 42 area 0 interface Serial0/1/0 ipv6 ospf 42 area 0 +``` Repeat with appropriate router-id (2.2.2.2, 3.3.3.3, etc.) on other routers.
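Review bot: in hunk `@@ -4,6 +4,7 @@` the SSH restriction is enforced only with `ipv6 traffic-filter SSH_ONLY_FROM_HH in` on GigabitEthernet0/0 (applied in the next hunk), which screens packets entering that one interface, so SSH sessions that reach the router through any other interface are not covered by the "SSH access only from Hamburg clients to infrastructure" rule this hunk documents. To protect the router's own management plane regardless of ingress interface, also bind the list to the vty lines with `ipv6 access-class SSH_ONLY_FROM_HH in` under `line vty 0 4`, or state in the text that GigabitEthernet0/0 is the only management path.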
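Review bot: in hunk `@@ -11,38 +12,46 @@` the `deny icmp any any` entry of ICMP_PROTECT sits ahead of the implicit Neighbor Discovery permits that IOS appends to every IPv6 ACL, so applied inbound on Vlan1 it will drop Neighbor Solicitation/Advertisement and Router Solicitation from every host outside 2001:db8:1000:fff0::/64 and break address resolution and DAD on that VLAN. Add `permit icmp any any nd-ns` and `permit icmp any any nd-na` (plus `router-solicitation` if hosts on Vlan1 use SLAAC) before the deny, and since the heading says "Deny ICMPv6 to Routers", consider scoping the deny to the routers' addresses rather than `any any`. Separately, HH_WEB_ACCESS ends without the `permit ipv6 any any` that HL_HTTPS_ONLY and ICMP_PROTECT carry, so on GigabitEthernet0/0/0.10 the implicit deny drops every non-web flow from Hamburg clients (DNS, DHCPv6 solicits to ff02::1:2); document that this is intended or add the final permit.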
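Review bot: in hunk `@@ -52,8 +61,10 @@` the stateful pool is attached with `ipv6 dhcp server HH-STATEFUL`, but the visible interface stanza does not set `ipv6 nd managed-config-flag`; if the M flag is not set further down, Hamburg clients will keep self-assigning addresses from 2001:db8:1000:10::/64 via SLAAC and use DHCPv6 only for DNS and domain, which makes the "Stateful" heading inaccurate. Add `ipv6 nd managed-config-flag` and, if addresses must come from DHCPv6 only, `ipv6 nd prefix 2001:db8:1000:10::/64 no-autoconfig` on the interface.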
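Review bot: in hunk `@@ -64,21 +75,25 @@` the documented relay command `ipv6 helper-address 2001:db8:3000:50::10` is not an IOS command (the IPv4 `ip helper-address` has no IPv6 counterpart by that name); DHCPv6 relay is configured per client-facing interface with `ipv6 dhcp relay destination 2001:db8:3000:50::10`. Even though the note marks this as not implemented in PT, a wrong keyword in the transition document will be copied by whoever implements it. The relay target is also the same host the web ACLs earlier in the file treat as the webserver, while the prose says "Berlin server or core router"; name the intended DHCPv6 server explicitly.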
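Review bot: in hunk `@@ -86,6 +101,7 @@` the OSPFv3 adjacencies on GigabitEthernet0/0/0 and Serial0/1/0 are enabled without authentication, so any device on those links can form a neighbor relationship with process 42 and inject or withdraw routes. OSPFv3 has no built-in packet authentication and relies on IPsec; document `ipv6 ospf authentication ipsec spi 256 sha1 <key-placeholder>` on each link interface (or `area 0 authentication ipsec spi 256 sha1 <key-placeholder>` under `ipv6 router ospf 42`) with the same SPI and key on all routers, and mark client-facing subinterfaces as passive if they are also placed in area 0. The "Repeat with appropriate router-id" line should also state that the router-id must be unique on every router.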