
IPv6 ISP with Cisco 1841 router


StaplesMan

Technical User
Mar 8, 2006
123
US
I use a Cisco 1841 router as my firewall. Mediacom my ISP just enabled IPv6 support. I have it working now, but trying to track down a good ACL for inbound traffic. I want to block pings but at the same time must allow for DHCP and PD to work correctly. Currently this is my working access list:

ipv6 access-list IPv6_In
permit udp FE80::/64 any eq 546
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any router-advertisement
permit icmp any any nd-ns
permit icmp any any nd-na
deny ipv6 any any log

Should all of my entries be sourced by FE80::/64 and not "any"?

CCNA, A+, HP Certified Professional
 
To lock down the router more I have made the following changes and decided on the following configuration. But now I am having problems with fragmented packets. Adding ipv6 virtual-reassembly in on both FA0/0 and FA0/1 fixes the problem, but my speed tests drop in half. But by doing this I pass both tests at and (using Ubuntu). But when I test with the config below and add permit icmp any any unreachable, permit icmp any any packet-too-big to my access-list, I then pass on my Ubuntu box but still fail the netalyzr test. Now if I strictly use the config below, I then fail both tests on Ubuntu with fragmented packets. Yet I pass test-ipv6.com on Windows but fail netalyzr on Windows.

How does someone get fragmentation working, yet lock down the router at the same time, without affecting performance?

===========================
no ipv6 source-route
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name IPv6 icmp timeout 60
ipv6 inspect name IPv6 ftp timeout 60
ipv6 inspect name IPv6 tcp timeout 60
ipv6 inspect name IPv6 udp timeout 60
interface FastEthernet0/0
ipv6 address dhcp
ipv6 address autoconfig default
ipv6 enable
no ipv6 redirects
no ipv6 unreachables
ipv6 verify unicast reverse-path
ipv6 dhcp client pd mediacom
ipv6 inspect IPv6 out
ipv6 traffic-filter IPv6_In in

interface FastEthernet0/1
ipv6 address mediacom ::1/64
ipv6 enable
ipv6 access-list IPv6_In
permit udp FE80::/64 any eq 546
permit icmp FE80::/64 any router-advertisement
permit icmp FE80::/64 any nd-ns
permit icmp FE80::/64 any nd-na
permit icmp FE80::/64 any mld-report
deny ipv6 any any log
CCNA, A+, HP Certified Professional
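Both questions in this thread (whether every entry should be sourced from FE80::/64, and why fragmented packets stop working once the ACL is tightened) come down to which ICMPv6 messages the filter still lets through. The Python audit below is an added example, not code from the poster or from Cisco: it parses an IOS ipv6 access-list, maps the ICMPv6 keywords to their RFC 4443 type numbers, reports which of the RFC 4890 "must not drop" messages are absent, and flags error-message entries (types 1 to 4) that are restricted to a link-local source, because those messages are generated by whichever router on the path hit the problem and normally carry a global source address, whereas Neighbor Discovery messages really are link-local sourced. The two input ACLs are copied from the posts above as constructed strings; the keywords not on the page (echo, router-solicitation, redirect, MLD) are assumed from standard IOS ACL syntax.

```python
"""Audit an IOS 'ipv6 access-list' for the ICMPv6 messages RFC 4890 says a
firewall must not drop, and for error-message entries whose link-local
source can never match a transit router. Added example for this thread."""
import ipaddress

# IOS ICMPv6 keyword -> (type, code); None = any code. Keywords not on the
# page (echo, RS, redirect, MLD) are assumed from standard IOS syntax; type
# numbers come from RFC 4443, RFC 4861 and RFC 2710.
ICMP_KEYWORDS = {
    "unreachable": (1, None), "packet-too-big": (2, None),
    "time-exceeded": (3, None), "hop-limit": (3, 0), "reassembly-timeout": (3, 1),
    "parameter-problem": (4, None), "header": (4, 0), "next-header": (4, 1),
    "parameter-option": (4, 2), "echo-request": (128, None), "echo-reply": (129, None),
    "mld-query": (130, None), "mld-report": (131, None), "mld-reduction": (132, None),
    "router-solicitation": (133, None), "router-advertisement": (134, None),
    "nd-ns": (135, None), "nd-na": (136, None), "redirect": (137, None),
}

# What the audit insists on: the four error types (RFC 4890 section 4.3.1) and
# the ND messages an autoconfiguring WAN interface needs (section 4.4.1).
# Echo is left out on purpose because the poster wants pings blocked.
REQUIRED = {
    1: "destination-unreachable", 2: "packet-too-big (Path MTU Discovery fails without it)",
    3: "time-exceeded", 4: "parameter-problem", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement",
}
PATH_ERRORS = {1, 2, 3, 4}                      # generated by any router on the path
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def _take_addr(words, i):
    """Parse 'any', 'host ADDR' or 'PREFIX/LEN' at words[i]; None means any."""
    if words[i] == "any":
        return None, i + 1
    if words[i] == "host":
        return ipaddress.IPv6Network(words[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(words[i], strict=False), i + 1


def parse_acl(text):
    """Return the entries of one IOS 'ipv6 access-list' as dicts."""
    entries = []
    for line in text.strip().splitlines():
        words = line.split()
        if not words or words[0] in ("ipv6", "remark", "!"):   # header / comments
            continue
        action, proto, i = words[0], words[1], 2
        src, i = _take_addr(words, i)
        if words[i] in ("eq", "neq", "lt", "gt"):             # optional source port
            i += 2
        dst, i = _take_addr(words, i)
        rest = words[i:]
        icmp = ICMP_KEYWORDS.get(rest[0]) if proto == "icmp" and rest else None
        entries.append({"action": action, "proto": proto, "src": src,
                        "dst": dst, "icmp": icmp, "options": rest})
    return entries


def audit(text):
    """Return {'missing': [...], 'warnings': [...]} for one ACL."""
    permitted, warnings = set(), []
    for e in parse_acl(text):
        if e["action"] != "permit" or e["icmp"] is None:
            continue
        itype = e["icmp"][0]
        permitted.add(itype)
        # Error messages come from whichever router on the path hit the
        # problem, normally from a global address, so a link-local-only source
        # silently drops them. ND messages, by contrast, are link-local sourced.
        if itype in PATH_ERRORS and e["src"] is not None and e["src"].subnet_of(LINK_LOCAL):
            warnings.append(f"{e['options'][0]} is permitted only from {e['src']}; "
                            "transit routers send it from global addresses")
    missing = [f"{t} {REQUIRED[t]}" for t in sorted(REQUIRED) if t not in permitted]
    return {"missing": missing, "warnings": warnings}


# Constructed inputs: the two access lists posted in this thread.
ACL_FIRST = """
ipv6 access-list IPv6_In
permit udp FE80::/64 any eq 546
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any router-advertisement
permit icmp any any nd-ns
permit icmp any any nd-na
deny ipv6 any any log
"""
ACL_SECOND = """
ipv6 access-list IPv6_In
permit udp FE80::/64 any eq 546
permit icmp FE80::/64 any router-advertisement
permit icmp FE80::/64 any nd-ns
permit icmp FE80::/64 any nd-na
permit icmp FE80::/64 any mld-report
deny ipv6 any any log
"""

if __name__ == "__main__":
    for name, acl in (("first ACL", ACL_FIRST), ("second ACL", ACL_SECOND)):
        print(name, audit(acl))
```

Run against the first ACL it reports nothing missing. Against the second it reports types 1 to 4 absent: with packet-too-big dropped, Path MTU Discovery cannot work through this filter, which matches the observation that re-adding unreachable and packet-too-big made the Ubuntu fragmentation tests pass. The warning path answers the FE80::/64 question: keeping router-advertisement, nd-ns and nd-na sourced from link-local is consistent with how those messages are sent, but applying the same restriction to the error types would discard them.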
 