Extension A updated

Baran Schöneberg 2025-06-19 09:34:00 +02:00
parent d9a7a402cf
commit e4ba1fd578

@ -4,6 +4,7 @@
SSH access only from Hamburg clients to infrastructure (e.g., router):
```
ipv6 access-list SSH_ONLY_FROM_HH
permit tcp 2001:db8:1000:10::/64 any eq 22
deny tcp any any eq 22
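Review bot: the permit in SSH_ONLY_FROM_HH uses destination `any`, so Hamburg clients can reach port 22 on every host behind this filter, not only the infrastructure the heading names. If the intent is router management only, narrow the destination to the infrastructure addresses, or restrict the vty lines with `ipv6 access-class` instead of filtering transit traffic. The heading should also say whether blocking transit SSH with `deny tcp any any eq 22` is intended.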
@ -11,38 +12,46 @@ ipv6 access-list SSH_ONLY_FROM_HH
interface GigabitEthernet0/0
ipv6 traffic-filter SSH_ONLY_FROM_HH in
```
HTTP/HTTPS access for Hamburg clients to Webservers:
```
ipv6 access-list HH_WEB_ACCESS
permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 80
permit tcp 2001:db8:1000:10::/64 host 2001:db8:3000:50::10 eq 443
interface GigabitEthernet0/0/0.10
ipv6 traffic-filter HH_WEB_ACCESS in
```
Lübeck clients access Webservers only via HTTPS:
```
ipv6 access-list HL_HTTPS_ONLY
permit tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 443
deny tcp 2001:db8:2000:30::/64 host 2001:db8:3000:50::10 eq 80
permit ipv6 any any
interface GigabitEthernet0/0/0.30
ipv6 traffic-filter HL_HTTPS_ONLY in
```
🔸 Should-Have Security Rule
Deny ICMPv6 to Routers from all but management VLANs:
```
ipv6 access-list ICMP_PROTECT
permit icmp 2001:db8:1000:fff0::/64 any
deny icmp any any
permit ipv6 any any
interface Vlan1
ipv6 traffic-filter ICMP_PROTECT in
```
### DHCPv6 Configuration
🔹 Must-Have: SLAAC with DHCPv6 (Stateless) General Setup
```
interface GigabitEthernet0/0/0.30
ipv6 address 2001:db8:2000:30::1/64
ipv6 nd other-config-flag
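Review bot: `deny icmp any any` in ICMP_PROTECT, applied inbound on Vlan1, also drops neighbor solicitation/advertisement, router solicitation and Packet Too Big from every non-management source, because an explicit deny is matched before the implicit neighbor-discovery permits at the end of an IPv6 ACL. Hosts on that segment would lose address resolution toward the router and path MTU discovery. Suggest permitting the required ICMPv6 types ahead of the deny (for example `permit icmp any any nd-ns` and `permit icmp any any nd-na`) or denying only echo-request toward the router addresses. Separately, HH_WEB_ACCESS has no closing statement, unlike HL_HTTPS_ONLY with its `permit ipv6 any any`, so everything except web traffic to 2001:db8:3000:50::10 is dropped on GigabitEthernet0/0/0.10; the text should say whether that is intended.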
@ -52,8 +61,10 @@ ipv6 dhcp pool VLAN30-DHCP
dns-server 2001:4860:4860::8888
domain-name example.local
```
🔸 Should-Have: Stateful DHCPv6 on Hamburg Router
```
interface GigabitEthernet0/0/0.10
ipv6 address 2001:db8:1000:10::1/64
ipv6 dhcp server HH-STATEFUL
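Review bot: the stateful DHCPv6 server is bound to GigabitEthernet0/0/0.10, the same subinterface that carries HH_WEB_ACCESS inbound, and that list permits only TCP 80 and 443 to the web server. Client DHCPv6 messages (UDP 547) arriving on this subinterface would match the implicit deny, so requests would not reach HH-STATEFUL. Add a permit for UDP 546/547 to HH_WEB_ACCESS or note the dependency next to this block.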
@ -64,21 +75,25 @@ ipv6 dhcp pool HH-STATEFUL
dns-server 2001:4860:4860::8888
domain-name hh.example.local
```
⚙️ Could-Have: Centralized DHCPv6 Setup (Documented)
Place DHCPv6 server on Berlin server or core router.
On all edge routers, you would configure:
```
interface GigabitEthernet0/0
ipv6 helper-address 2001:db8:3000:50::10
```
(Note: Not implemented in PT, but conceptually shown for transition presentation.)
### OSPFv3 Configuration (Replacing Static Routing)
🔹 Must-Have: Full OSPFv3 Setup with Process 42 and Area 0
```
ipv6 unicast-routing
ipv6 router ospf 42
router-id 1.1.1.1
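Review bot: `ipv6 helper-address` in the centralized setup block is the IPv4 helper syntax carried over; IOS configures a DHCPv6 relay on the interface with `ipv6 dhcp relay destination 2001:db8:3000:50::10`. Even as documentation only, the block should show a command a reader could actually enter. The relay target is also the address the ACLs use for the web server, so state that the Berlin server hosts both roles if that is intended.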
@ -86,6 +101,7 @@ interface GigabitEthernet0/0/0
ipv6 ospf 42 area 0
interface Serial0/1/0
ipv6 ospf 42 area 0
```
Repeat with appropriate router-id (2.2.2.2, 3.3.3.3, etc.) on other routers.
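Review bot: OSPFv3 is enabled on GigabitEthernet0/0/0 with no authentication or passive setting in the visible lines. If that interface faces client VLANs, any host there can see hellos and attempt an adjacency; consider `passive-interface` under `ipv6 router ospf 42` for LAN-facing interfaces and keep the process active only on router-to-router links such as Serial0/1/0.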