IPv6 ISP with Cisco 1841 router

(OP)
I use a Cisco 1841 router as my firewall. Mediacom, my ISP, just enabled IPv6 support. I have it working now, but am trying to track down a good ACL for inbound traffic. I want to block pings but at the same time must allow DHCP and PD to work correctly. Currently this is my working access list:

ipv6 access-list IPv6_In
permit udp FE80::/64 any eq 546
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any router-advertisement
permit icmp any any nd-ns
permit icmp any any nd-na
deny ipv6 any any log

Should all of my entries be sourced by FE80::/64 and not "any"?

CCNA, A+, HP Certified Professional

RE: IPv6 ISP with Cisco 1841 router

(OP)
To lock down the router more I have made the following changes and decided on the following configuration. But now I am having problems with fragmented packets. Adding ipv6 virtual-reassembly in on both FA0/0 and FA0/1 fixes the problem, but my speed tests drop in half. By doing this I pass both tests at http://netalyzr.icsi.berkeley.edu/index.html and http://test-ipv6.com/ (using Ubuntu). When I test with the config below and add permit icmp any any unreachable and permit icmp any any packet-too-big to my access-list, I then pass http://test-ipv6.com/ on my Ubuntu box, but still fail the netalyzr test. Now if I strictly use the config below, I fail both tests on Ubuntu with fragmented packets. Yet I pass test-ipv6.com on Windows but fail netalyzr on Windows.

How does someone get fragmentation working, yet lock down the router at the same time, without affecting performance?

===========================
no ipv6 source-route
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name IPv6 icmp timeout 60
ipv6 inspect name IPv6 ftp timeout 60
ipv6 inspect name IPv6 tcp timeout 60
ipv6 inspect name IPv6 udp timeout 60



interface FastEthernet0/0
ipv6 address dhcp
ipv6 address autoconfig default
ipv6 enable
no ipv6 redirects
no ipv6 unreachables
ipv6 verify unicast reverse-path
ipv6 dhcp client pd mediacom
ipv6 inspect IPv6 out
ipv6 traffic-filter IPv6_In in

interface FastEthernet0/1
ipv6 address mediacom ::1/64
ipv6 enable


ipv6 access-list IPv6_In
permit udp FE80::/64 any eq 546
permit icmp FE80::/64 any router-advertisement
permit icmp FE80::/64 any nd-ns
permit icmp FE80::/64 any nd-na
permit icmp FE80::/64 any mld-report
deny ipv6 any any log

CCNA, A+, HP Certified Professional
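Added example for both posts in this thread (it is not Cisco code and not the poster's own tooling): a small Python evaluator for the subset of IOS ipv6 access-list syntax the two posted lists use. It runs both lists, copied verbatim from the posts, against constructed packets and checks which ICMPv6 error messages from RFC 4890's "must not drop" set each list would reject. The ICMPv6 keyword-to-type mapping, the sample addresses (2001:db8::/32 is the documentation prefix) and the packet dictionaries are assumptions of this example, not values from the thread or from any IOS release.

```python
"""Evaluate the thread's IOS-style IPv6 ACLs against constructed packets.

Added example; the grammar handled is only the subset the posted lists use
(permit/deny, udp|icmp|ipv6, source prefix or any, dst always any, 'eq PORT',
an ICMPv6 message keyword, optional trailing 'log').
"""
import ipaddress

# IOS ICMPv6 keyword -> (type, code or None). Assumed from RFC 4443 / RFC 4861
# numbering; check against the IOS release in use before relying on it.
ICMPV6_NAMES = {
    "unreachable": (1, None), "packet-too-big": (2, None),
    "hop-limit": (3, 0), "reassembly-timeout": (3, 1),
    "header": (4, 0), "next-header": (4, 1), "parameter-option": (4, 2),
    "echo-request": (128, None), "echo-reply": (129, None),
    "mld-report": (131, None), "router-solicitation": (133, None),
    "router-advertisement": (134, None), "nd-ns": (135, None), "nd-na": (136, None),
}

# Both access lists exactly as posted in the thread.
ACL_ORIGINAL = """\
ipv6 access-list IPv6_In
permit udp FE80::/64 any eq 546
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any router-advertisement
permit icmp any any nd-ns
permit icmp any any nd-na
deny ipv6 any any log
"""
ACL_LOCKED = """\
ipv6 access-list IPv6_In
permit udp FE80::/64 any eq 546
permit icmp FE80::/64 any router-advertisement
permit icmp FE80::/64 any nd-ns
permit icmp FE80::/64 any nd-na
permit icmp FE80::/64 any mld-report
deny ipv6 any any log
"""

# Constructed sample packets; addresses are assumptions, not the poster's.
PACKETS = {
    "dhcpv6_reply":   {"src": "fe80::1", "proto": "udp", "dport": 546},
    "ra_from_fe80":   {"src": "fe80::1", "proto": "icmp", "type": 134, "code": 0},
    "dad_ns":         {"src": "::", "proto": "icmp", "type": 135, "code": 0},  # RFC 4862 DAD probe
    "packet_too_big": {"src": "2001:db8::1", "proto": "icmp", "type": 2, "code": 0},
    "ping":           {"src": "2001:db8::2", "proto": "icmp", "type": 128, "code": 0},
}

# RFC 4890 section 4.3.1, "Traffic That Must Not Be Dropped" (type, code).
RFC4890_MUST_NOT_DROP = [
    ("destination unreachable (1)", (1, 0)),
    ("packet too big (2)", (2, 0)),
    ("time exceeded, hop limit (3/0)", (3, 0)),
    ("parameter problem, next header (4/1)", (4, 1)),
    ("parameter problem, option (4/2)", (4, 2)),
]


def parse_acl(text):
    """Parse ACL text into ordered entry dicts; the header line is skipped."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "ipv6":
            continue
        action, proto, src, rest = tok[0], tok[1], tok[2], tok[4:]
        entry = {"action": action, "proto": proto, "port": None, "icmp": None,
                 "src": None if src == "any" else ipaddress.ip_network(src)}
        if proto == "udp" and rest[:1] == ["eq"]:
            entry["port"] = int(rest[1])
        elif proto == "icmp" and rest and rest[0] in ICMPV6_NAMES:
            entry["icmp"] = ICMPV6_NAMES[rest[0]]
        entries.append(entry)
    return entries


def evaluate(entries, pkt):
    """Return the action of the first matching entry (IOS first-match order).

    IOS also appends implicit ND permits and an implicit deny, but both posted
    lists end in an explicit 'deny ipv6 any any', so only that fallback matters.
    """
    addr = ipaddress.ip_address(pkt["src"])
    for e in entries:
        if e["proto"] not in ("ipv6", pkt["proto"]):
            continue
        if e["src"] is not None and addr not in e["src"]:
            continue
        if e["port"] is not None and pkt.get("dport") != e["port"]:
            continue
        if e["icmp"] is not None:
            t, c = e["icmp"]
            if pkt.get("type") != t or (c is not None and pkt.get("code") != c):
                continue
        return e["action"]
    return "deny"


def blocked_rfc4890(entries, src="2001:db8::1"):
    """RFC 4890 must-not-drop errors the ACL denies when sent by a router on
    the path (such errors normally carry a global, not link-local, source)."""
    return [name for name, (t, c) in RFC4890_MUST_NOT_DROP
            if evaluate(entries, {"src": src, "proto": "icmp", "type": t, "code": c}) != "permit"]


def report(name, text):
    entries = parse_acl(text)
    print(f"== {name}")
    for label, pkt in PACKETS.items():
        print(f"  {evaluate(entries, pkt):6s} {label}")
    print("  RFC 4890 errors blocked:", blocked_rfc4890(entries) or "none")


if __name__ == "__main__":
    report("original ACL", ACL_ORIGINAL)
    report("locked-down ACL", ACL_LOCKED)
```

Running it shows where the two lists differ: both pass the DHCPv6 reply and the link-local router advertisement and both drop the ping, but the locked-down list also drops every RFC 4890 must-not-drop error, packet-too-big included, because those errors are generated by whichever router on the path had to discard the packet and so arrive from global addresses that FE80::/64 cannot match. Losing packet-too-big disables path MTU discovery, which is consistent with the fragmentation test failures described in the second post. The evaluator also includes a duplicate-address-detection neighbor solicitation, which RFC 4862 sends from the unspecified source ::, to show that sourcing nd-ns and nd-na from FE80::/64 can reject legitimate neighbor discovery as well.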
