- Start Here Cisco IOS Software Release Specifics for IPv6 Features
- Implementing IPv6 Addressing and Basic Connectivity
- Implementing DHCP for IPv6
- Implementing EIGRP for IPv6
- Configuring First Hop Redundancy Protocols in IPv6
- Implementing First Hop Security in IPv6
- Implementing IS-IS for IPv6
- Implementing IPv6 for Network Management
- Implementing Mobile IPv6
- Implementing IPv6 Multicast
- Implementing Multiprotocol BGP for IPv6
- Implementing NetFlow for IPv6
- Implementing OSPFv3
- Implementing IPv6 over MPLS
- Implementing IPv6 VPN over MPLS
- Implementing Policy-Based Routing for IPv6
- Implementing QoS for IPv6
- Implementing RIP for IPv6
- Implementing Static Routes for IPv6
- Implementing Traffic Filters and Firewalls for IPv6 Security
- Implementing Tunneling for IPv6
- Finding Feature Information
- Restrictions for Implementing Traffic Filters and Firewalls for IPv6 Security
- Information About Implementing Traffic Filters and Firewalls for IPv6 Security
- How to Implement Traffic Filters and Firewalls for IPv6 Security
- Configuring Zone-Based Firewall in IPv6
- Configuring ACL Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
- Verifying IPv6 Security Configuration and Operation
- Troubleshooting IPv6 Security Configuration and Operation
Implementing Traffic Filters and Firewalls for IPv6 Security
This module describes how to configure Cisco IOS IPv6 traffic filter and firewall features for your Cisco networking devices. These security features can protect your network from degradation or failure and also from data loss or compromised security resulting from intentional attacks and from unintended but damaging mistakes by well-meaning network users.
- Finding Feature Information
- Restrictions for Implementing Traffic Filters and Firewalls for IPv6 Security
- Information About Implementing Traffic Filters and Firewalls for IPv6 Security
- How to Implement Traffic Filters and Firewalls for IPv6 Security
- Configuration Examples for Implementing Traffic Filters and Firewalls for IPv6 Security
- Additional References
- Feature Information for Implementing Traffic Filters and Firewalls for IPv6 Security
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Implementing Traffic Filters and Firewalls for IPv6 Security
Cisco IOS Release 12.2(2)T through Cisco IOS Release 12.2(13)T and Cisco IOS Release 12.0(22)S and later releases support only standard IPv6 access control list (ACL) functionality. In Cisco IOS Release 12.0(23)S and 12.2(13)T or later releases, the standard IPv6 ACL functionality is extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).
Information About Implementing Traffic Filters and Firewalls for IPv6 Security
- Access Control Lists for IPv6 Traffic Filtering
- Cisco IOS Firewall for IPv6
- Cisco IOS Zone-Based Firewall for IPv6
- ACL--Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
Access Control Lists for IPv6 Traffic Filtering
The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit conditions are set using the ipv6 access-listcommand with the deny and permit keywords in global configuration mode.
In Cisco IOS Release 12.0(23)S and 12.2(13)T or later releases, the standard IPv6 ACL functionality is extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).
- IPv6 ACL Extensions for IPsec Authentication Header
- Access Class Filtering in IPv6
- Tunneling Support
- Virtual Fragment Reassembly
IPv6 ACL Extensions for IPsec Authentication Header
This feature provides the ability to match on the upper layer protocol (ULP) (for example, TCP, User Datagram Protocol [UDP], ICMP, SCTP) regardless of whether an authentication header (AH) is present or absent.
TCP or UDP traffic can be matched to the upper-layer protocol (ULP) (for example, TCP, UDP, ICMP, SCTP) if an AH is present or absent. Before this feature was introduced, this function was only available if an AH was absent.
This feature introduces the keyword auth to the permitand denycommands. The auth keyword allows matching traffic against the presence of the authentication header in combination with the specified protocol; that is, TCP or UDP.
IPv6 traffic can be matched to a ULP when an AH header is present. To perform this function, enter the ahp option for the protocol argument when using the permit or deny command.
Access Class Filtering in IPv6
Filtering incoming and outgoing connections to and from the router based on an IPv6 ACL is performed using the ipv6 access-class command in line configuration mode. The ipv6 access-class command is similar to the access-class command, except the IPv6 ACLs are defined by a name. If the IPv6 ACL is applied to inbound traffic, the source address in the ACL is matched against the incoming connection source address and the destination address in the ACL is matched against the local router address on the interface. If the IPv6 ACL is applied to outbound traffic, the source address in the ACL is matched against the local router address on the interface and the destination address in the ACL is matched against the outgoing connection source address. We recommend that identical restrictions are set on all the virtual terminal lines because a user can attempt to connect to any of them.
Tunneling Support
IPv6 packets tunneled in IPv4 are not inspected. If a tunnel terminates on a router, and IPv6 traffic exiting the tunnel is nonterminating, then the traffic is inspected.
Virtual Fragment Reassembly
When VFR is enabled, VFR processing begins after ACL input lists are checked against incoming packets. The incoming packets are tagged with the appropriate VFR information.
Cisco IOS Firewall for IPv6
The Cisco IOS Firewall feature provides advanced traffic filtering functionality as an integral part of a network's firewall. Cisco IOS Firewall for IPv6 enables you to implement Cisco IOS Firewall in IPv6 networks. Cisco IOS Firewall coexists with Cisco IOS Firewall for IPv4 networks and is supported on all dual-stack routers.
Cisco IOS Firewall for IPv6 features are as follows:
- Fragmented packet inspection--The fragment header is used to trigger fragment processing. Cisco IOS Firewall virtual fragment reassembly (VFR) examines out-of-sequence fragments and switches the packets into correct order, examines the number of fragments from a single IP given a unique identifier (Denial of Service [DoS] attack), and performs virtual reassembly to move packets to upper-layer protocols.
- IPv6 DoS attack mitigation--Mitigation mechanisms have been implemented in the same fashion as for IPv4 implementation, including SYN half-open connections.
- Tunneled packet inspection--Tunneled IPv6 packets terminated at a Cisco IOS firewall router can be inspected by the Cisco IOS Firewall for IPv6.
- Stateful packet inspection--The feature provides stateful packet inspection of TCP, UDP, Internet Control Message Protocol version 6 (ICMPv6), and FTP sessions.
- Stateful inspection of packets originating from the IPv4 network and terminating in an IPv6 environment--This feature uses IPv4-to-IPv6 translation services.
- Interpretation or recognition of most IPv6 extension header information--The feature provides IPv6 extension header information including routing header, hop-by-hop options header, and fragment header is interpreted or recognized.
- Port-to-application mapping (PAM)--Cisco IOS Firewall for IPv6 includes PAM.
- PAM in Cisco IOS Firewall for IPv6
- Cisco IOS Firewall Alerts Audit Trails and System Logging
- IPv6 Packet Inspection
- Cisco IOS Firewall Restrictions
PAM in Cisco IOS Firewall for IPv6
PAM allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application.
Using the port information, PAM establishes a table of default port-to-application mapping information at the firewall. The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on nonstandard ports. CBAC is limited to inspecting traffic using only the well-known or registered ports associated with an application, whereas PAM allows network administrators to customize network access control for specific applications and services.
PAM also supports host- or subnet-specific port mapping, which allows you to apply PAM to a single host or subnet using standard ACLs. Host- or subnet-specific port mapping is done using standard ACLs.
Cisco IOS Firewall Alerts Audit Trails and System Logging
Cisco IOS Firewall generates real-time alerts and audit trails based on events tracked by the firewall. Enhanced audit trail features use system logging to track all network transactions; to record time stamps, source host, destination host, and ports used; and to record the total number of transmitted bytes for advanced, session-based reporting. Real-time alerts send system logging error messages to central management consoles when the system detects suspicious activity. Using Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis. For example, if you want to generate audit trail information for TCP traffic, you can specify the generation of this information in the Cisco IOS Firewall rule that defines TCP inspection.
The Cisco IOS Firewall provides audit trail messages to record details about inspected sessions. Audit trail information is configurable on a per-application basis using the CBAC inspection rules. To determine which protocol was inspected, use the port number associated with the responder. The port number appears immediately after the address.
IPv6 Packet Inspection
The following header fields are all used for IPv6 inspection--traffic class, flow label, payload length, next header, hop limit, and source or destination address. For further information on and descriptions of the IPv6 header fields, see RFC 2474.
Cisco IOS Firewall Restrictions
Cisco IOS Intrusion Detection System (IDS) is not supported for IPv6.
Cisco IOS Zone-Based Firewall for IPv6
Cisco IOS Zone-Based Firewall for IPv6 coexists with Cisco IOS Zone-Based Firewall for IPv4 in order to support IPv6 traffic. The feature provides MIB support for TCP, UDP, ICMPv6, and FTP sessions.
For further information about Zone-Based Firewall, see " Zone-Based Policy Firewall " in Cisco IOS Security Configuration Guide: Securing the Data Plane .
ACL--Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
Each IPv6 and IPv4 ACL entry maintains a global counter per entry for the number of matches applied to the ACL entry. The counters reflect all matches applied to the ACL, regardless of where the match was applied (such as on the platform or in the software feature path). This feature allows both IPv4 and IPv6 ACLs on the Cisco Catalyst 6500 platform to update the ACL entry statistics with a platform entry count.
How to Implement Traffic Filters and Firewalls for IPv6 Security
- Configuring IPv6 Traffic Filtering
- Controlling Access to a vty
- Configuring TCP or UDP Matching
- Creating an IPv6 ACL for Traffic Filtering in Cisco IOS Release 12.2(11)T 12.0(22)S or Earlier Releases
- Configuring the Cisco IOS Firewall for IPv6
- Configuring Zone-Based Firewall in IPv6
- Configuring ACL Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
- Verifying IPv6 Security Configuration and Operation
- Troubleshooting IPv6 Security Configuration and Operation
Configuring IPv6 Traffic Filtering
If you are running Cisco IOS Release 12.2(13)T, 12.0(23)S, or later releases, proceed to the Creating and Configuring an IPv6 ACL for Traffic Filtering section. If you are running Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases, proceed to the Creating an IPv6 ACL for Traffic Filtering in Cisco IOS Release 12.2(11)T 12.0(22)S or Earlier Releases section.
Creating and Configuring an IPv6 ACL for Traffic Filtering
This section describes how to configure your networking devices to filter traffic, function as a firewall, or detect potential viruses. Perform this task to create an IPv6 ACL and configure the IPv6 ACL to filter traffic in Cisco IOS Release 12.2(13)T and 12.0(23)S or later releases.
In Cisco IOS Release 12.2(13)T and 12.0(23)S or later releases, for backward compatibility, the ipv6 access-listcommand with the deny and permit keywords in global configuration mode is still supported; however, an IPv6 ACL defined with deny and permit conditions in global configuration mode is translated to IPv6 access list configuration mode. See the Examples Creating and Applying IPv6 ACLs section for an example of a translated IPv6 ACL configuration.
- permit protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix / prefix-length| any | host destination-ipv6-address| auth} [operator [port-number]] [dest-option-type [doh-number| doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
- deny protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
DETAILED STEPS
Applying the IPv6 ACL to an Interface
Perform this task to apply the IPv6 ACL to an interface in Cisco IOS Release 12.2(13)T and 12.0(23)S or later releases.
DETAILED STEPS
Controlling Access to a vty
- Creating an IPv6 ACL to Provide Access Class Filtering
- Applying an IPv6 ACL to the Virtual Terminal Line
Creating an IPv6 ACL to Provide Access Class Filtering
Perform this task to control access to a vty on a router by creating an IPv6 ACL to provide access class filtering.
- permit protocol {source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix / prefix-length| any | host destination-ipv6-address| auth} [operator [port-number]] [dest-option-type [doh-number| doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
- deny protocol {source-ipv6-prefix / prefix-length | any| host source-ipv6-address | auth} [operator[port-number]] {destination-ipv6-prefix/prefix-length | any| host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
DETAILED STEPS
Applying an IPv6 ACL to the Virtual Terminal Line
DETAILED STEPS
Configuring TCP or UDP Matching
TCP or UDP traffic can be matched to the ULP (for example, TCP, UDP, ICMP, SCTP) if an AH is present or absent. Before this feature was introduced, this function was only available if an AH was absent.
Use of the keyword auth with the permit icmp and deny icmp commands allows TCP or UDP traffic to be matched to the ULP if an AH is present. TCP or UDP traffic without an AH will not be matched.
IPv6 traffic can be matched to a ULP when an AH header is present. To perform this function, enter the ahp option for the protocol argument when using the permit or deny command.
Perform this task to allow TCP or UDP traffic to be matched to the ULP if an AH is present.
DETAILED STEPS
Creating an IPv6 ACL for Traffic Filtering in Cisco IOS Release 12.2(11)T 12.0(22)S or Earlier Releases
Perform the following tasks to create and apply ACLs in Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases.
- Creating an IPv6 ACL in Cisco IOS Release 12.2(11)T 12.0(22)S or Earlier Releases
- Applying the IPv6 ACL to an Interface in Cisco IOS Release 12.2(11)T 12.0(22)S or Earlier Releases
Creating an IPv6 ACL in Cisco IOS Release 12.2(11)T 12.0(22)S or Earlier Releases
Perform this task to create an IPv6 ACL and configure the IPv6 ACL to pass or block traffic in Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases.
DETAILED STEPS
Applying the IPv6 ACL to an Interface in Cisco IOS Release 12.2(11)T 12.0(22)S or Earlier Releases
Perform this task to apply the IPv6 ACL to an interface in Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases.
DETAILED STEPS
Configuring the Cisco IOS Firewall for IPv6
This configuration scenario uses both packet inspection and ACLs.
- permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix / prefix-length| any | host destination-ipv6-address| auth} [operator [port-number]] [dest-option-type [doh-number| doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
- deny protocol {source-ipv6-prefix / prefix-length | any| host source-ipv6-address | auth} [operator[port-number]] {destination-ipv6-prefix/prefix-length | any host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name ] [undetermined-transport]
DETAILED STEPS
Configuring PAM for IPv6
Creating an IPv6 Access Class Filter for PAM
- permit protocol {source-ipv6-prefix/prefix-length | any | hostsource-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix /prefix-length | any | hostdestination-ipv6-address | auth} [operator [port-number ]] [dest-option-type [doh-number | doh-type ]] [dscpvalue ] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
- deny protocol source-ipv6-prefix / prefix-length | any | host source-ipv6-address | auth} [operator port-number]] destination-ipv6-prefix/prefix-length any host destination-ipv6-address | auth} [operator port-number]] dest-option-type [doh-number | doh-type]] [dscp value flow-label value fragments log log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name undetermined-transport
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config)# ipv6 access-list outbound |
Defines an IPv6 ACL and enters IPv6 access list configuration mode. |
|
|
Example: Router(config-ipv6-acl)# permit tcp 2001:DB8:0300:0201::/32 any reflect reflectout Example:
Example: Router(config-ipv6-acl)# deny tcp fec0:0:0:0201::/64 any |
Specifies permit or deny conditions for an IPv6 ACL. |
Applying the IPv6 Access Class Filter to PAM
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config)# ipv6 port-map ftp port 8090 list PAMACL |
Establishes PAM for the system. |
Configuring Zone-Based Firewall in IPv6
- Configuring an Inspect-Type Parameter Map
- Creating and Using an Inspect-Type Class Map
- Creating and Using an Inspect-Type Policy Map
- Creating Security Zones and Zone Pairs
Configuring an Inspect-Type Parameter Map
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config)# parameter-map type inspect v6-param-map |
Configures an inspect type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action, and places the router in parameter map configuration mode. |
|
|
Example: Router(config-profile)# sessions maximum 10000 |
Sets the maximum number of allowed sessions that can exist on a zone pair. |
|
|
Example: Router(config-profile)# ipv6 routing-enforcement-header loose |
Provides backward compatibility with legacy IPv6 inspection. |
Creating and Using an Inspect-Type Class Map
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config-profile)# class-map type inspect match-any v6-class |
Create an inspect type class map, and places the router in lass-map configuration mode. |
|
|
Example: Router(config-cmap)# match protocol tcp |
Configures the match criterion for a class map based on TCP. |
|
|
Example: Router(config-cmap)# match protocol udp |
Configures the match criterion for a class map based on UDP. |
|
|
Example: Router(config-cmap)# match protocol icmp |
Configures the match criterion for a class map based on ICMP. |
|
|
Example: Router(config-cmap)# match protocol ftp |
Configures the match criterion for a class map based on FTP. |
Creating and Using an Inspect-Type Policy Map
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config)# policy-map type inspect v6-policy |
Creates an inspect-type policy map, and places the router in policy-map configuration mode. |
|
|
Example: Router(config-pmap)# class type inspect v6-class |
Specifies the traffic (class) on which an action is to be performed. |
|
|
Example: Router(config-pmap)# inspect |
Enables Cisco IOS stateful packet inspection. |
Creating Security Zones and Zone Pairs
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config)# zone security 1 |
Creates a security zone.
|
|
|
Example: Router(config)# zone security 2 |
Creates a security zone.
|
|
|
Example: Router(config)# zone-pair security zp source z1 destination z2 |
Creates a zone pair, and places the router in zone-pair configuration mode. |
|
|
Example: Router(config-sec-zone-pair)# service-policy type inspect v6-policy |
Attaches a firewall policy map to a zone pair. |
Configuring ACL Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config)# ipv6 access-list outbound |
Defines an IPv6 ACL and enters IPv6 access list configuration mode. |
|
|
Example: Router(config-ipv6-acl)# hardware statistics |
Enables the collection of hardware statistics. |
Verifying IPv6 Security Configuration and Operation
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router# show crypto ipsec sa ipv6 |
Displays the settings used by current SAs. |
|
|
Example: Router# show crypto isakmp peer |
Displays peer descriptions. |
|
|
Example: Router# show crypto isakmp profile |
Lists all the ISAKMP profiles that are defined on a router. |
|
|
Example: Router# show crypto isakmp sa |
Displays current IKE SAs. |
|
|
Example: Router# show ipv6 access-list |
Displays the contents of all current IPv6 access lists. |
|
|
Example: Router# show ipv6 inspect interfaces |
Displays CBAC configuration and session information. |
|
|
Example: Router# show ipv6 port-map ftp |
Displays PAM configuration. |
|
|
Example: Router# show ipv6 prefix-list |
Displays information about an IPv6 prefix list or IPv6 prefix list entries. |
|
|
Example: Router# show ipv6 virtual-reassembly interface e1/1 |
Displays configuration and statistical information of VFR. |
|
|
Example: Router# show logging |
Displays the state of system logging (syslog) and the contents of the standard system logging buffer.
|
Troubleshooting IPv6 Security Configuration and Operation
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
|
Example: Router# enable |
Enables privileged EXEC mode.
|
||
|
|
Example: Router# clear ipv6 access-list tin |
Resets the IPv6 access list match counters. |
||
|
|
Example: Router# clear ipv6 inspect all |
Removes a specific IPv6 session or all IPv6 inspection sessions. |
||
|
|
Example: Router# clear ipv6 prefix-list |
Resets the hit count of the IPv6 prefix list entries. |
||
|
|
Example: Router# debug crypto ipsec |
Displays IPsec network events. |
||
|
|
Example: Router# debug crypto engine packet |
Displays the contents of IPv6 packets.
|
||
|
|
Example: Router# debug ipv6 inspect timers |
Displays messages about Cisco IOS Firewall events. |
||
|
|
Example: Router# debug ipv6 packet access-list PAK-ACL |
Displays debugging messages for IPv6 packets. |
Examples
Sample Output from the show crypto ipsec sa ipv6 Command
The following is sample output from the show crypto ipsec sa ipv6 command:
Router# show crypto ipsec sa ipv6
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 3FFE:2002::A8BB:CCFF:FE01:9002
protected vrf: (none)
local ident (addr/mask/prot/port): (::/0/0/0)
remote ident (addr/mask/prot/port): (::/0/0/0)
current_peer 3FFE:2002::A8BB:CCFF:FE01:2C02 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 133, #pkts encrypt: 133, #pkts digest: 133
#pkts decaps: 133, #pkts decrypt: 133, #pkts verify: 133
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 60, #recv errors 0
local crypto endpt.: 3FFE:2002::A8BB:CCFF:FE01:9002,
remote crypto endpt.: 3FFE:2002::A8BB:CCFF:FE01:2C02
path mtu 1514, ip mtu 1514
current outbound spi: 0x28551D9A(676666778)
inbound esp sas:
spi: 0x2104850C(553944332)
transform: esp-des ,
in use settings ={Tunnel, }
conn id: 93, flow_id: SW:93, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4397507/148)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0x967698CB(2524354763)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 93, flow_id: SW:93, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4397507/147)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
outbound esp sas:
spi: 0x28551D9A(676666778)
transform: esp-des ,
in use settings ={Tunnel, }
conn id: 94, flow_id: SW:94, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4397508/147)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0xA83E05B5(2822636981)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 94, flow_id: SW:94, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4397508/147)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
Sample Output from the show crypto isakmp peer Command
The following sample output shows peer descriptions on an IPv6 router:
Router# show crypto isakmp peer detail
Peer: 2001:DB8:0:1::1 Port: 500 Local: 2001:DB8:0:2::1
Phase1 id: 2001:DB8:0:1::1
flags:
NAS Port: 0 (Normal)
IKE SAs: 1 IPsec SA bundles: 1
last_locker: 0x141A188, last_last_locker: 0x0
last_unlocker: 0x0, last_last_unlocker: 0x0
Sample Output from the show crypto isakmp profile Command
The following sample output shows the ISAKMP profiles that are defined on an IPv6 router:
Router# show crypto isakmp profile
ISAKMP PROFILE tom
Identities matched are:
ipv6-address 2001:DB8:0:1::1/32
Certificate maps matched are:
Identity presented is: ipv6-address fqdn
keyring(s): <none>
trustpoint(s): <all>
Sample Output from the show crypto isakmp sa Command
The following sample output shows the SAs of an active IPv6 device. The IPv4 device is inactive:
Router# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH
Lifetime Cap.
IPv6 Crypto ISAKMP SA
dst: 3FFE:2002::A8BB:CCFF:FE01:2C02
src: 3FFE:2002::A8BB:CCFF:FE01:9002
conn-id: 1001 I-VRF: Status: ACTIVE Encr: des Hash: sha Auth:
psk
DH: 1 Lifetime: 23:45:00 Cap: D Engine-id:Conn-id = SW:1
dst: 3FFE:2002::A8BB:CCFF:FE01:2C02
src: 3FFE:2002::A8BB:CCFF:FE01:9002
conn-id: 1002 I-VRF: Status: ACTIVE Encr: des Hash: sha Auth:
psk
DH: 1 Lifetime: 23:45:01 Cap: D Engine-id:Conn-id = SW:2
Sample Output from the show ipv6 access-list Command
In the following example, the show ipv6 access-listcommand is used to verify that IPv6 ACLs are configured correctly:
Router> show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp reflect tcptraffic (8 matches) sequence 10
permit tcp any any eq telnet reflect tcptraffic (15 matches) sequence 20
permit udp any any reflect udptraffic sequence 30
IPv6 access list tcptraffic (reflexive) (per-user)
permit tcp host 2001:DB8:1::32 eq bgp host 2001:DB8:2::32 eq 11000 timeout 300 (time left 243) sequence 1
permit tcp host 2001:DB8:1::32 eq telnet host 2001:DB8:2::32 eq 11001 timeout 300 (time left 296) sequence 2
IPv6 access list outbound
evaluate udptraffic
evaluate tcptraffic
Sample Output from the show ipv6 prefix-list Command
The following example shows the output of the show ipv6 prefix-list command with the detail keyword:
Router# show ipv6 prefix-list detail
Prefix-list with the last deletion/insertion: bgp-in
ipv6 prefix-list 6to4:
count: 1, range entries: 0, sequences: 5 - 5, refcount: 2
seq 5 permit 2001:DB8::/32 (hit count: 313, refcount: 1)
ipv6 prefix-list aggregate:
count: 2, range entries: 2, sequences: 5 - 10, refcount: 30
seq 5 deny 3FFE:C00::/24 ge 25 (hit count: 568, refcount: 1)
seq 10 permit ::/0 le 48 (hit count: 31310, refcount: 1)
ipv6 prefix-list bgp-in:
count: 6, range entries: 3, sequences: 5 - 30, refcount: 31
seq 5 deny 5F00::/8 le 128 (hit count: 0, refcount: 1)
seq 10 deny ::/0 (hit count: 0, refcount: 1)
seq 15 deny ::/1 (hit count: 0, refcount: 1)
seq 20 deny ::/2 (hit count: 0, refcount: 1)
seq 25 deny ::/3 ge 4 (hit count: 0, refcount: 1)
seq 30 permit ::/0 le 128 (hit count: 240664, refcount: 0)
Sample Output from the show ipv6 virtual-reassembly Command
The following example shows the output of the show ipv6 virtual-reassemblycommand with the interfacekeyword:
Router# show ipv6 virtual-reassembly interface e1/1
Configuration Information:
---------------------------------
Virtual Fragment Reassembly (VFR) is ENABLED...
Maximum number of datagram that can be reassembled at a time: 64
Maximum number of fragments per datagram: 8
Timeout value of a datagram: 3 seconds
Statistical Information:
----------------------------
Number of datagram being reassembled:12
Number of fragments being processed:48
Total number of datagram reassembled:6950
Total number of datagram failed: 9
Sample Output from the show logging Command
In the following example, the show loggingcommand is used to display logging entries that match the first line (sequence 10) of the access list named list1:
Router> show logging
00:00:36: %IPV6-6-ACCESSLOGP: list list1/10 permitted tcp 2001:DB8:1::1(11001) (Ethernet0/0) -> 2001:DB8:1::2(179), 1 packet
Sample Output from the clear ipv6 access-list Command
In the following example, the show ipv6 access-listcommand is used to display some match counters for the access list named list1. The clear ipv6 access-listcommand is issued to reset the match counters for the access list named list1. The show ipv6 access-listcommand is used again to show that the match counters have been reset.
Router> show ipv6 access-list list1 IPv6 access list list1 permit tcp any any log-input (6 matches) sequence 10 permit icmp any any echo-request log-input sequence 20 permit icmp any any echo-reply log-input sequence 30 Router# clear ipv6 access-list list1 Router# show ipv6 access-list list1 IPv6 access list list1 permit tcp any any log-input sequence 10 permit icmp any any echo-request log-input sequence 20 permit icmp any any echo-reply log-input sequence 30
Configuration Examples for Implementing Traffic Filters and Firewalls for IPv6 Security
- Examples Creating and Applying IPv6 ACLs
- Example Controlling Access to a vty
- Example Configuring TCP or UDP Matching
- Example Configuring Cisco IOS Firewall for IPv6
- Example Configuring Cisco IOS Zone-Based Firewall for IPv6
Examples Creating and Applying IPv6 ACLs
- Example Creating and Applying an IPv6 ACL for Release 12.2(13)T or 12.0(23)S
- Example Creating and Applying an IPv6 ACL for 12.2(11)T 12.0(22)S or Earlier Releases
Example Creating and Applying an IPv6 ACL for Release 12.2(13)T or 12.0(23)S
The following example is from a router running Cisco IOS Release 12.2(13)T.
The example configures two IPv6 ACLs named OUTBOUND and INBOUND and applies both ACLs to outbound and inbound traffic on Ethernet interface 0. The first and second permit entries in the OUTBOUND list permit all TCP and User Datagram Protocol (UDP) packets from network 2001:DB8:0300:0201::/32 to exit out of Ethernet interface 0. The entries also configure the temporary IPv6 reflexive ACL named REFLECTOUT to filter returning (incoming) TCP and UDP packets on Ethernet interface 0. The first deny entry in the OUTBOUND list keeps all packets from the network fec0:0:0:0201::/64 (packets that have the site-local prefix fec0:0:0:0201 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0.
The evaluate command in the INBOUND list applies the temporary IPv6 reflexive ACL named REFLECTOUT to inbound TCP and UDP packets on Ethernet interface 0. When outgoing TCP or UDP packets are permitted on Ethernet interface 0 by the OUTBOUND list, the INBOUND list uses the REFLECTOUT list to match (evaluate) the returning (incoming) TCP and UDP packets.
ipv6 access-list OUTBOUND permit tcp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT permit udp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT deny fec0:0:0:0201::/64 any ipv6 access-list INBOUND evaluate REFLECTOUT interface ethernet 0 ipv6 traffic-filter OUTBOUND out ipv6 traffic-filter INBOUND in
 Note |
Given that a permit any any statement is not included as the last entry in the OUTBOUND or INBOUND ACL, only TCP and UDP packets matching the configured permit entries in the ACL and ICMP packets matching the implicit permit conditions in the ACL are permitted out of and in to Ethernet interface 0 (the implicit deny all condition at the end of the ACL denies all other packet types on the interface). |
The following example can be run on a router running Cisco IOS Release 12.2(13)T or 12.0(23)S.
The example configures HTTP access to be restricted to certain hours during the day, and to log any activity outside of the permitted hours:
time-range lunchtime periodic weekdays 12:00 to 13:00 ipv6 access-list OUTBOUND permit tcp any any eq www time-range lunchtime deny tcp any any eq www log-input permit tcp 2001:DB8::/32 any permit udp 2001:DB8::/32 any
Example Creating and Applying an IPv6 ACL for 12.2(11)T 12.0(22)S or Earlier Releases
The following example is from a router running Cisco IOS Release 12.2(11)T, 12.0(22)S, or earlier releases.
The example configures the IPv6 ACL named list2 and applies the ACL to outbound traffic on Ethernet interface 0. Specifically, the first ACL entry keeps all packets from the network fec0:0:0:2::/64 (packets that have the site-local prefix fec0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The second entry in the ACL permits all other traffic to exit out of Ethernet interface 0. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.
ipv6 access-list list2 deny fec0:0:0:2::/64 any ipv6 access-list list2 permit any any interface ethernet 0 ipv6 traffic-filter list2 out
If the same configuration was used on a router running Cisco IOS Release 12.2(13)T, 12.0(23)S, or later releases, the configuration would be translated into IPv6 access list configuration mode as follows:
ipv6 access-list list2 deny ipv6 fec0:0:0:2::/64 any permit ipv6 any any interface ethernet 0 ipv6 traffic-filter list2 out
Note |
IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode. |
Example Controlling Access to a vty
In the following example, incoming connections to the virtual terminal lines 0 to 4 are filtered based on the IPv6 access list named acl1:
ipv6 access-list acl1 permit ipv6 host 2001:DB8:0:4::2/32 any ! line vty 0 4 ipv6 access-class acl1 in
Example Configuring TCP or UDP Matching
The following example allows any TCP traffic regardless of whether or not an AH is present:
IPv6 access list example1
permit tcp any any
The following example allows TCP or UDP parsing only when an AH header is present. TCP or UDP traffic without an AH will not be matched:
IPv6 access list example2
deny tcp host 2001::1 any log sequence 5
permit tcp any any auth sequence 10
permit udp any any auth sequence 20
The following example allows any IPv6 traffic containing an authentication header:
IPv6 access list example3
permit ahp any any
Example Configuring Cisco IOS Firewall for IPv6
This Cisco IOS Firewall configuration example uses inbound and outbound filters for inspection and makes use of access lists to manage the traffic. The inspect mechanism is the method of permitting return traffic based upon a packet being valid for an existing session for which the state is being maintained:
enable configure terminal ipv6 unicast-routing ipv6 inspect name ipv6_test icmp timeout 60 ipv6 inspect name ipv6_test tcp timeout 60 ipv6 inspect name ipv6_test udp timeout 60 interface FastEthernet0/0 ipv6 address 3FFE:C000:0:7::/64 eui-64 ipv6 enable ipv6 traffic-filter INBOUND out ipv6 inspect ipv6_test in interface FastEthernet0/1 ipv6 address 3FFE:C000:1:7::/64 eui-64 ipv6 enable ipv6 traffic-filter OUTBOUND in ! This is used for 3745b connection to tftpboot server interface FastEthernet4/0 ip address 192.168.17.33 255.255.255.0 duplex auto speed 100 ip default-gateway 192.168.17.8 ! end of tftpboot server config ! Access-lists to deny everything except for Neighbor Discovery ICMP messages ipv6 access-list INBOUND permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any log ipv6 access-list OUTBOUND permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any log
Example Configuring Cisco IOS Zone-Based Firewall for IPv6
The following example shows how to enable the zone-based firewall, enabling inspection of IPv6 traffic flowing through the router.
parameter-map type inspect v6-param-map sessions maximum 10000 ipv6 routing-header-enforcement loose ! ! class-map type inspect match-any v6-class match protocol tcp match protocol udp match protocol icmp match protocol ftp ! ! policy-map type inspect v6-policy class type inspect v6-class inspect ! zone security z1 zone security z2 ! zone-pair security zp source z1 destination z2 service-policy type inspect v6-policy
Additional References
Related Documents
| Related Topic |
Document Title |
|---|---|
| IPv6 IPsec |
" Implementing IPsec in IPv6 Security ," Cisco IOS IPv6 Configuration Guide |
| Basic IPv6 configuration |
" Implementing IPv6 Addressing and Basic Connectivity ," Cisco IOS IPv6 Configuration Guide |
| Zone-based firewalls |
" Zone-Based Policy Firewall ," Cisco IOS Security Configuration Guide: Securing the Data Plane |
| IPv6 supported feature list |
"Start Here: Cisco IOS Software Release Specifics for IPv6 Features ," Cisco IOS IPv6 Configuration Guide |
| IPv6 commands: complete command syntax, command mode, defaults, usage guidelines, and examples |
Cisco IOS IPv6 Command Reference |
Standards
| Standards |
Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
-- |
MIBs
| MIBs |
MIBs Link |
|---|---|
| To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
| RFCs |
Title |
|---|---|
| RFC 2401 |
Security Architecture for the Internet Protocol |
| RFC 2402 |
IP Authentication Header |
| RFC 2428 |
FTP Extensions for IPv6 and NATs |
| RFC 2460 |
Internet Protocol, Version 6 (IPv6) Specification |
| RFC 2474 |
Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers |
| RFC 3576 |
Change of Authorization |
Technical Assistance
| Description |
Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Implementing Traffic Filters and Firewalls for IPv6 Security
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Table 1 | Feature Information for Implementing Traffic Filters and Firewalls for IPv6 Security |
| Feature Name |
Releases |
Feature Information |
|---|---|---|
| ACL--Hardware and Software Counters Granularity for IPv4 and IPv6 ACL Statistics |
12.2(50)SY |
This feature allows both IPv4 and IPv6 ACLs on the Cisco Catalyst 6500 platform to update the ACL entry statistics with a platform entry count. |
| IOS Zone-Based Firewall |
15.1(2)T |
Cisco IOS Zone-Based Firewall for IPv6 coexists with Cisco IOS Zone-Based Firewall for IPv4 in order to support IPv6 traffic. |
| IPv6 ACL Extensions for IPsec Authentication Header |
12.4(20)T |
The IPv6 ACL extensions for IPsec authentication headers feature allows TCP or UDP parsing when an IPv6 IPsec authentication header is present. |
| IPv6 Services--Extended Access Control Lists1 |
12.0(23)S 12.2(14)S 12.2(28)SB 12.2(25)SG 12.2(33)SRA 12.2(17a)SX112.2(13)T 12.3 12.3(2)T 12.4 12.4(2)T 15.0(1)S |
Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control. |
| IPv6 Services--IPv6 IOS Firewall |
12.3(7)T 12.4 12.4(2)T |
This feature provides advanced traffic filtering functionality as an integral part of a network's firewall. |
| IPv6 Services--IPv6 IOS Firewall FTP Application Support |
12.3(11)T 12.4 12.4(2)T |
IPv6 supports this feature. |
| IPv6 Services--Standard Access Control Lists |
12.0(22)S 12.2(14)S 12.2(28)SB 12.2(25)SG 12.2(33)SRA 12.2(17a)SX1 12.2(2)T 12.3 12.3(2)T 12.4 12.4(2)T 15.0(1)S |
Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Feedback