[Originally posted Oct 21, 2012 10:53 AM by Antti Uitto]
So you got an IPv6 network up and running? Good!
If you have not done so yet, it is about time to make sure only desired traffic from the Internet can get to your machines.
This example shows you how to set up a rather basic ACL (Access Control List) that is automated:
1) Allows all traffic from your network to the Internet
2) Keeps track of the connections opened from your network
3) Creates permit rules to allow returning traffic
4) Removes those rules as they expire
5) Rejects all other traffic originating from the Internet
The technology used here is called Reflexive access-list, or IP Session Filtering.
We are going to monitor and evaluate the IPv6 traffic on the LAN interface, which in this case is Vlan1.
First create a list that checks inbound traffic on your interface and allows your own IPv6 net:
ipv6 access-list interior-in6
 sequence 10 permit ipv6 2001:19:13:42::/64 any reflect my-net
When traffic originating from your IPv6 network passes through, it is recorded in a reflexive list called “my-net”.
I also have this on the interior-in6 list because I sometimes want to connect to my router by using the link-local address:
sequence 20 permit ipv6 FE80::/10 any
Then create another list that checks the outbound traffic on your LAN interface:
ipv6 access-list interior-out6
 evaluate my-net sequence 1
 deny ipv6 any any sequence 1000
This list applies to returning packets and to new connections opened from the Internet. In this example it just checks whether the connection is found in the reflexive list “my-net”. If it is, the packet passes; if not, it is dropped. If you want to allow connections originating from the Internet to your own IPv6 net, you can add those rules to this list.
Last but not least, assign these ACLs to the LAN interface:
interface Vlan1
 ipv6 traffic-filter interior-in6 in
 ipv6 traffic-filter interior-out6 out
Open some IPv6 sites and see what the output of show ipv6 access-list looks like.
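To see why return traffic passes while unsolicited traffic is dropped, here is a small Python model of the two lists and the reflexive list "my-net". It is an added example, not part of the original post and not Cisco's implementation. The class name, the 180-second idle timeout, the refresh-on-traffic behaviour and the sample addresses are assumptions, and only TCP/UDP-style flows are modelled.

```python
import ipaddress

MY_NET = ipaddress.ip_network("2001:19:13:42::/64")  # LAN prefix from the post
LINK_LOCAL = ipaddress.ip_network("FE80::/10")
IDLE_TIMEOUT = 180  # seconds; assumed value for this model, not read from a router


class ReflexiveFilter:
    """Simplified model of interior-in6 / interior-out6 on Vlan1."""

    def __init__(self):
        self.my_net = {}  # mirrored flow -> time at which the entry expires

    def _purge(self, now):
        # Step 4 of the post: temporary permit entries disappear once idle too long.
        self.my_net = {flow: t for flow, t in self.my_net.items() if t > now}

    def lan_in(self, proto, src, sport, dst, dport, now):
        """interior-in6: a packet entering Vlan1 from a LAN host."""
        self._purge(now)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in MY_NET:
            # 'reflect my-net': store the flow with source and destination swapped,
            # which is exactly what the reply packet will look like.
            self.my_net[(proto, d, dport, s, sport)] = now + IDLE_TIMEOUT
            return "permit"
        if s in LINK_LOCAL:
            return "permit"  # sequence 20: permitted, but nothing is reflected
        return "deny"        # no entry matched; falls through to the implicit deny

    def lan_out(self, proto, src, sport, dst, dport, now):
        """interior-out6: a packet leaving Vlan1 towards a LAN host."""
        self._purge(now)
        flow = (proto, ipaddress.ip_address(src), sport,
                ipaddress.ip_address(dst), dport)
        if flow in self.my_net:  # 'evaluate my-net'
            self.my_net[flow] = now + IDLE_TIMEOUT  # assumed: traffic resets the timer
            return "permit"
        return "deny"            # 'deny ipv6 any any sequence 1000'


if __name__ == "__main__":
    fw = ReflexiveFilter()
    host, site = "2001:19:13:42::10", "2001:db8::80"  # constructed sample addresses
    print(fw.lan_out("tcp", site, 443, host, 50000, now=0))   # unsolicited
    print(fw.lan_in("tcp", host, 50000, site, 443, now=0))    # LAN host opens session
    print(fw.lan_out("tcp", site, 443, host, 50000, now=5))   # matching reply
```

The reply is permitted only when protocol, both addresses and both ports match the mirrored entry, so a different source port or a different remote host is still denied.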