TSHOOT – IPv6 ACL configs, quirks, and must know IPv6 subnetting for exam day!


There was some lack of depth in my review of ACL’s in general, so I wanted to jump on my lab to demonstrate some output and concepts for on the job and the exam room.

If you read absolutely nothing else in this post, jump down to the bottom where a chaotic looking IPv6 ACL line is broken down into Binary to determine its subnet!

I hear some instructors say it is not necessary to subnet IPv6 yet with a LOL in the comment, but yes, the time has come that we MUST know how to subnet IPv6!!!

I’ll start in with some basic reviews of IPv6 ACLs, and IPv6 gotchas in general with ND, as it has its own unique place in IPv6 ACL’s!

Basics of IPv6 ACL’s

IPv6 ACL’s can only be named; there is no option of numeric IPv6 ACL’s, or of standard / extended ACL’s, with IPv6, as seen here:

R1>en
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ipv6 unicast-routing
R1(config)#ipv6 access-list ?
WORD User selected string identifying this access list
log-update Control access list log updates  <————— What???
R1(config)#ipv6 access-list TSHOOT ?

<cr>

R1(config)#ipv6 access-list TSHOOT

As seen there is only “WORD” when configuring an IPv6 ACL, however there is also the “log-update” option marked above, which Cisco describes on its website as:

“IPv6 ACL updates are logged at five minute intervals, following the first logged update. Configuring a lower number of updates (a number lower than the default) is useful when more frequent update logging is desired.”

This governs the “log” / “log-input” keywords tagged onto the end of an ACL line: it sets how often the matches counted against a logged entry are reported to syslog (by default, every five minutes after the first message). I won’t go into it much more than just knowing it is there, and what it does.

With IPv6 ACL’s, there are three implicit statements at the end, in this order:

“permit icmp any any nd-na” – This is for Neighbor Discovery (Neighbor Advertisements)
“permit icmp any any nd-ns” – This is for Neighbor Discovery (Neighbor Solicitations)
“deny ipv6 any any” – Implicit deny all

The ND permits are only implicit. Type an explicit “deny ipv6 any any” (for example to get a “log” keyword on the final deny) and it sits ABOVE the implicit ND permits, so NA / NS are dropped and hosts on that link stop resolving each other. If you need an explicit deny at the end, put explicit “permit icmp any any nd-na” and “permit icmp any any nd-ns” lines before it.

Neighbor Discovery can be blocked on an IPv6 ACL as seen here:

R1(config-ipv6-acl)#deny icmp any any nd?
nd-na nd-ns

So if you see “nd-xx” in a deny ACL, you probably have a communication issue of some sort on your hands, be it in the exam room or the real world – But it does not stop there!
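As an added example (my code, not from the original post), here is a small Python check that walks an IPv6 ACL top to bottom the way the router does and reports the two ways Neighbor Discovery gets broken: an explicit deny of icmp nd-na / nd-ns, or an explicit “deny ipv6 any any” (or “deny icmp any any”) that sits above the implicit ND permits with no earlier permit covering them. The three ACLs in SAMPLE_CONFIG are constructed for the demo; the ACL names and the 2001:db8:10::/64 prefix are not from the post, and the protocol keyword list is taken from the “permit ?” output further down the page.

```python
import re

# Constructed sample (not from the original post): three IPv6 ACLs as they would
# appear in "show running-config". Names and the 2001:db8:10::/64 prefix are made up.
SAMPLE_CONFIG = """\
ipv6 access-list MGMT_OK
 permit tcp 2001:db8:10::/64 any eq 22
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any log
ipv6 access-list MGMT_BROKEN
 permit tcp 2001:db8:10::/64 any eq 22
 deny ipv6 any any log
ipv6 access-list ND_DENY
 deny icmp any any nd-ns sequence 5
 permit ipv6 any any
"""

# Protocol keywords IOS offers at the start of an entry (from the "permit ?" output).
PROTOCOLS = {"ipv6", "icmp", "tcp", "udp", "ahp", "esp", "pcp", "sctp"}
ND_TYPES = ("nd-na", "nd-ns")


def parse_ipv6_acls(config_text):
    """Return {acl_name: [entry, ...]} with entries in configured order."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"ipv6 access-list (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif current is not None and line.startswith(("permit ", "deny ")):
            current.append(line)
    return acls


def _tokens(entry):
    """Split an entry, inserting the implied 'ipv6' protocol if it was omitted."""
    tokens = entry.split()
    if tokens[1] not in PROTOCOLS and not tokens[1].isdigit():
        tokens.insert(1, "ipv6")
    return tokens


def _match_options(tokens):
    """Everything after src/dst except log keywords and a trailing 'sequence N'."""
    rest = [t for t in tokens[4:] if t not in ("log", "log-input")]
    return rest[:rest.index("sequence")] if "sequence" in rest else rest


def nd_findings(entries):
    """Walk one ACL top to bottom as the router does; return the entries that break ND."""
    findings, permitted = [], {t: False for t in ND_TYPES}
    for entry in entries:
        tokens = _tokens(entry)
        action, proto = tokens[0], tokens[1]
        nd_hits = [t for t in tokens if t in ND_TYPES]
        # "any any" with no further match options on ipv6 or icmp covers all of ND
        covers_all_nd = (proto in ("ipv6", "icmp") and tokens[2:4] == ["any", "any"]
                         and not _match_options(tokens))
        if action == "permit" and (nd_hits or covers_all_nd):
            for t in nd_hits or ND_TYPES:
                permitted[t] = True          # src/dst scope not checked: any permit counts
        elif action == "deny" and nd_hits:
            findings.append(f"'{entry}' explicitly denies {'/'.join(nd_hits)}")
        elif action == "deny" and covers_all_nd:
            missing = [t for t, ok in permitted.items() if not ok]
            if missing:
                findings.append(f"'{entry}' shadows the implicit permit for {', '.join(missing)}")
            if proto == "ipv6":
                break                        # nothing below a deny ipv6 any any is reachable
    return findings


if __name__ == "__main__":
    for name, entries in parse_ipv6_acls(SAMPLE_CONFIG).items():
        problems = nd_findings(entries)
        print(f"{name}: {'ND OK' if not problems else '; '.join(problems)}")
```

Run it against a saved “show running-config” and MGMT_BROKEN is the case the post warns about: nothing in the ACL mentions ND, yet the explicit final deny is what kills it.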

ND is on by default when IPv6 is enabled on an interface as seen here:

R1(config)#int fa0/1
R1(config-if)#ipv6 enable
R1(config-if)#do sh ipv6 int fa0/1
FastEthernet0/1 is administratively down, line protocol is down
IPv6 is tentative, link-local address is FE80::21E:F7FF:FE97:F14B [TEN]
No Virtual link-local address(es):
No global unicast address is configured
Joined group address(es):
FF02::1
FF02::2
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.

However these can all be turned off (negated) on the interface as well:

R1(config-if)#no ipv6 nd ?
advertisement-interval Send an advertisement interval option in RA’s
autoconfig Automatic Configuration
dad Duplicate Address Detection
managed-config-flag Hosts should use DHCP for address config
ns-interval Set advertised NS retransmission interval
nud Neighbor Unreachability Detection
other-config-flag Hosts should use DHCP for non-address config
prefix Configure IPv6 Routing Prefix Advertisement
ra Router Advertisement control
reachable-time Set advertised reachability time
router-preference Set default router preference value

R1(config-if)#no ipv6 nd

So both “sh ipv6 access-list (name)” and “sh ipv6 int (int)” can reveal Neighbor Discovery being blocked or disabled (as can reviewing the running config).

A quick snapshot of the IPv6 ACL configuration options:

R1(config)#ipv6 access-list TSHOOT
R1(config-ipv6-acl)#?
IPv6 Access List configuration commands:
default Set a command to its defaults
deny Specify packets to reject
evaluate Evaluate an access list
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
sequence Sequence number for this entry
<cr>

R1(config-ipv6-acl)#

Basically the same as an IPv4 extended ACL, however the “evaluate” statement I thought was interesting here: it is the other half of the “reflect” keyword (reflexive ACLs, where “reflect” creates the temporary entries and “evaluate” nests them), and I am not sure I have ever tested that before.

Demo of how IPv6 ACL’s can have TRICKY input / output:

R1(config-ipv6-acl)#permit ?
<0-255> An IPv6 protocol number
X:X:X:X::X/<0-128> IPv6 source prefix x:x::y/<z>
ahp Authentication Header Protocol
any Any source prefix
esp Encapsulation Security Payload
host A single source host
icmp Internet Control Message Protocol
ipv6 Any IPv6
pcp Payload Compression Protocol
sctp Streams Control Transmission Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol

R1(config-ipv6-acl)#permit any ?
X:X:X:X::X/<0-128> IPv6 destination prefix x:x::y/<z>
any Any destination prefix
host A single destination host

R1(config-ipv6-acl)#permit any any ?
auth Match on authentication header
dest-option Destination Option header (all types)
dest-option-type Destination Option header with type
dscp Match packets with given dscp value
flow-label Flow label
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input
mobility Mobility header (all types)
mobility-type Mobility header with type
reflect Create reflexive access list entry
routing Routing header (all types)
routing-type Routing header with type
sequence Sequence number for this entry
time-range Specify a time-range
<cr>

R1(config-ipv6-acl)#permit any any

There are actually two things to point out here: again the named IPv6 ACL acts like an extended ACL in that it requires a Source AND Destination, however the configuration does NOT require a protocol to be specified; when it is left out, IOS stores the entry as “ipv6” (any IPv6 protocol):

R1(config)#do sh ipv6 access-list
IPv6 access list TSHOOT
permit ipv6 any any sequence 10
R1(config)#

Then to apply it to an interface with “ipv6 traffic-filter” command:

R1(config)#int fa0/1

R1(config-if)#ipv6 traffic-filter ?
WORD Access-list name

R1(config-if)#ipv6 traffic-filter TSHOOT ?
in inbound packets
out outbound packets

R1(config-if)#ipv6 traffic-filter TSHOOT in ?
<cr>

R1(config-if)#ipv6 traffic-filter TSHOOT in
R1(config-if)#

Remember that it is “traffic-filter” and not “access-group” with IPv6; however when applying it to a line to filter the Management Plane, it is still “access-class”:

R1(config)#line vty 0 4
R1(config-line)#ipv6 access-class ?
WORD Access-list name

R1(config-line)#ipv6 access-class TSHOOT ?
in
out

R1(config-line)#ipv6 access-class TSHOOT in ?
<cr>

R1(config-line)#ipv6 access-class TSHOOT in

IPv6 ACL’s can mix Prefix notation and “Host / Any” in the same ACL line:

R1(config-ipv6-acl)#permit ipv6 ?
X:X:X:X::X/<0-128> IPv6 source prefix x:x::y/<z>
any Any source prefix
host A single source host

R1(config-ipv6-acl)#permit ipv6 2010::1/128 ?
X:X:X:X::X/<0-128> IPv6 destination prefix x:x::y/<z>
any Any destination prefix
host A single destination host

R1(config-ipv6-acl)#permit ipv6 2010::1/128 host 2010::2 ?
auth Match on authentication header
dest-option Destination Option header (all types)
dest-option-type Destination Option header with type
dscp Match packets with given dscp value
flow-label Flow label
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input
mobility Mobility header (all types)
mobility-type Mobility header with type
reflect Create reflexive access list entry
routing Routing header (all types)
routing-type Routing header with type
sequence Sequence number for this entry
time-range Specify a time-range
<cr>

R1(config-ipv6-acl)#permit ipv6 2010::1/128 host 2010::2

The “log” and “log-input” keywords are the logging options governed by the “ipv6 access-list log-update …” command mentioned above, while the others are good-to-know modifiers, especially that a sequence # can be defined at the END of the ACL line!!!

Watch that on exam day, as a “deny ipv6 any any sequence 5” on an IPv6 ACL lands above every default-numbered entry (default numbering starts at 10) and can drop all traffic!

Otherwise the ACL reads the same as an IPv4 extended ACL in most every other way: if TCP or UDP is specified then a port can be matched on the source, the destination, or both, and the port operator applies to whichever prefix it follows. However they can be tricky to read with Prefix notation in there.

Consider the following ACL line:

R1(config-ipv6-acl)#permit udp 2010::0/0 eq snmp 2020::10/128 sequence 5
R1(config-ipv6-acl)#

What traffic is this command allowing?

It’s permitting SNMP (port 161):

snmp Simple Network Management Protocol (161)
snmptrap SNMP Traps (162)

From ANY source (2010::0/0 is a /0, so the 2010:: in front of it is irrelevant), with a SOURCE port of 161 because the “eq snmp” sits right after the source prefix, to the Host Address 2020::10 (2020::10/128). So this line matches SNMP replies coming back to a manager at 2020::10, not polls going out to an agent; the port operator binds to whichever side it follows.

It is also putting it above the default beginning sequence # of 10.

However when we look at the ACL line we have configured in IOS:

R1(config-ipv6-acl)#do sh ipv6 access-list TSHOOT
IPv6 access list TSHOOT
permit udp any eq snmp host 2020::10 sequence 5
permit ipv6 any any sequence 10

/0 = Any, no matter what is in front of it!

This is an important concept to Prefix-Lists and prefixes overall, /0 means “Any” and /128 means “Host” for IPv6.

Now a more challenging one, where do I even begin with this ACL entry:

R1(config-ipv6-acl)#deny 2378:5836:de87:2600:0:0:ff10::2/52 2010::28/124
R1(config-ipv6-acl)#

This line is tricky in a few ways: the IPv6 address is chaos, and what looks like a host address (it ends in ::2) carries a /52 prefix mask. IOS keeps only the bits covered by the mask, so this is a subnetwork being denied and not a host; notice the destination also changed from 2010::28/124 to 2010::20/124 for the same reason:

R1(config-ipv6-acl)#do sh ipv6 access-list TSHOOT
IPv6 access list TSHOOT
permit udp any eq snmp host 2020::10 sequence 5
permit ipv6 any any sequence 10
deny ipv6 2378:5836:DE87:2000::/52 2010::20/124 sequence 20
R1(config-ipv6-acl)#

Of course never expect a “show” command to be available to work this out for you!

Breaking down IPv6 ACL’s in a calm rational way!

The Prefix mask is a count of the 128 BITS of the eight-Hextet IPv6 Address. In an ACL the address must be a complete IPv6 address: either all eight hextets written out, or a “::” standing in for the missing run of zero hextets. Six hextets with no “::” is not an address at all, so IOS rejects it:

NOT VALID:

R1(config-ipv6-acl)#permit 2222:2222:2222:2222:2222:2222/64 ?
% Unrecognized command

VALID:

R1(config-ipv6-acl)#permit 2222:2222:2222:2222:2222::0/64 ?
X:X:X:X::X/<0-128> IPv6 destination prefix x:x::y/<z>
any Any destination prefix
host A single destination host

VALID:

R1(config-ipv6-acl)#permit 2222:2222:2222:2222:2222::/64 ?
X:X:X:X::X/<0-128> IPv6 destination prefix x:x::y/<z>
any Any destination prefix
host A single destination host

A thorough understanding of these quirks is critical both for ROUTE, TSHOOT, and probably any CCIE exam (along with real world application)!

So how do you break down this mess / find the IPv6 subnet?

Easy!


Each of the 8 Hextets is a 16 BIT field, broken down in Binary!

So with our ACL line example of 2378:5836:de87:2600:0:0:ff10::2/52:

0010.0011.0111.1000 = 2378/16 – It is just that easy!

Each Hex value = 4 bits; going left to right they are worth 8 / 4 / 2 / 1, which makes up the largest Hex value possible, F or 15 (1111).

That is so easy yet critical to understand when looking at a chaotic IPv6 ACL Address with a weird mask, to prevent panic when you’re not sure how to break it down.

But you will be sure, because you read this, and completely understood this! 🙂

The Hex letters to be absolutely clear on breaking them down into binary:

A = 10 (1010)
B = 11 (1011)
C = 12 (1100)
D = 13 (1101)
E = 14 (1110)
F = 15 (1111)

To continue with our ACL example of 2378:5836:de87:2600:0:0:ff10::2/52, we need to write out the IPv6 address in binary 52 bits out; I advise using dots per Hex character:

0010.0011.0111.1000 = 2378/16
0101.1000.0011.0110 = 5836/32
1101.1110.1000.0111 = de87/48

Now we only need 4 more bits, from the fourth hextet 2600, and the Prefix Mask is matched: 0010.0110.0000.0000 = 2600, of which only the first nibble, 0010 = 2, falls inside /52. Everything after bit 52 is zeroed, so the resulting subnet is:

2378:5836:de87:2000::/52

Confirmed once more by “sh ipv6 access-list TSHOOT” :

R1(config-ipv6-acl)#do sh ipv6 access-list TSHOOT
IPv6 access list TSHOOT
permit udp any eq snmp host 2020::10 sequence 5
permit ipv6 any any sequence 10
deny ipv6 2378:5836:DE87:2000::/52 2010::20/124 sequence 20
R1(config-ipv6-acl)#

Be careful not to get mixed up by the huge address and think the fourth hextet stops at the “2” Hex value, leaving ::/64 for the rest: zero suppression only removes LEADING zeros in a Hextet (0026 may be written as 26, but 2600 stays 2600), so the /52 boundary falls after the first hex digit of 2600 and only that nibble survives. Also count the hextets: 2378, 5836, de87, 2600, 0, 0, ff10 and 2 already make eight, so the “::” in this entry stands for nothing at all. IOS accepted it, but a stricter parser may not, and everything after bit 52 is zeroed regardless.
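Pulling the /0 = any and /128 = host rules, the host-bit zeroing IOS does on an entry like 2378:5836:de87:2600:0:0:ff10::2/52, the sequence numbering and the hextet-by-hextet binary breakdown together, here is an added Python example (my code, not the post’s or Cisco’s) that turns the three TSHOOT entries exactly as typed above into the “show ipv6 access-list” output shown above. Two things in it are my assumptions: the default sequence numbering rule (next multiple of 10 above the highest existing number, which reproduces the 5 / 10 / 20 seen here), and the protocol keyword list, taken from the “permit ?” output earlier on the page. Python’s own ipaddress module refuses the post’s address because its “::” stands for zero hextets, so the hextet expansion is done by hand.

```python
from ipaddress import IPv6Address

# Protocol keywords IOS accepts at the start of an IPv6 ACL entry (from the "permit ?" output).
PROTOCOLS = {"ipv6", "icmp", "tcp", "udp", "ahp", "esp", "pcp", "sctp"}

# Constructed input: the three entries from the post, in the order they were typed.
TSHOOT_ENTRIES = [
    "permit any any",
    "permit udp 2010::0/0 eq snmp 2020::10/128 sequence 5",
    "deny 2378:5836:de87:2600:0:0:ff10::2/52 2010::28/124",
]


def expand_hextets(addr):
    """Return the eight 16-bit groups of an IPv6 address string.

    Accepts a '::' standing for zero groups (IOS tolerated that in the post's
    2378:5836:de87:2600:0:0:ff10::2); Python's ipaddress module rejects it.
    """
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' in {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        hi = [int(h, 16) for h in head.split(":") if h]
        lo = [int(h, 16) for h in tail.split(":") if h]
        if len(hi) + len(lo) > 8:
            raise ValueError(f"too many hextets in {addr}")
        groups = hi + [0] * (8 - len(hi) - len(lo)) + lo
    else:
        groups = [int(h, 16) for h in addr.split(":")]
        if len(groups) != 8:   # e.g. 2222:2222:2222:2222:2222:2222 -> IOS: % Unrecognized command
            raise ValueError(f"{addr} needs eight hextets or a '::'")
    if any(g > 0xFFFF for g in groups):
        raise ValueError(f"hextet wider than 16 bits in {addr}")
    return groups


def network_of(addr, prefixlen):
    """The 128-bit value with the host bits cleared, which is what IOS stores."""
    value = 0
    for g in expand_hextets(addr):
        value = (value << 16) | g
    mask = ((1 << prefixlen) - 1) << (128 - prefixlen)
    return value & mask


def ios_prefix(token):
    """Render 'X:X::X/n' the way 'show ipv6 access-list' prints it."""
    addr, plen = token.split("/")
    plen = int(plen)
    if plen == 0:
        return ["any"]                                   # /0 = any, whatever is in front of it
    text = str(IPv6Address(network_of(addr, plen))).upper()  # IOS prints hex in upper case
    if plen == 128:
        return ["host", text]                            # /128 = host
    return [f"{text}/{plen}"]


def normalize_entry(entry):
    """Rewrite one typed entry into its stored form (implied 'ipv6', prefixes normalized)."""
    tokens = entry.split()
    if tokens[1] not in PROTOCOLS and not tokens[1].isdigit():
        tokens.insert(1, "ipv6")                         # "permit any any" -> "permit ipv6 any any"
    out = []
    for t in tokens:
        out.extend(ios_prefix(t) if ":" in t and "/" in t else [t.upper() if ":" in t else t])
    return " ".join(out)


def show_access_list(name, entries):
    """Number and order entries like IOS. An explicit 'sequence N' wins; otherwise the entry
    gets the next multiple of 10 above the highest number so far (my assumption, which
    reproduces the 5 / 10 / 20 numbering seen in the post)."""
    numbered = []
    for entry in entries:
        tokens = normalize_entry(entry).split()
        if "sequence" in tokens:
            i = tokens.index("sequence")
            seq, tokens = int(tokens[i + 1]), tokens[:i] + tokens[i + 2:]
        else:
            seq = (max((s for s, _ in numbered), default=0) // 10 + 1) * 10
        numbered.append((seq, " ".join(tokens)))
    lines = [f"IPv6 access list {name}"]
    lines += [f"    {text} sequence {seq}" for seq, text in sorted(numbered)]
    return "\n".join(lines)


def binary_breakdown(addr, prefixlen):
    """The hand method from the post: each hextet as dotted nibbles, up to the prefix
    length. Returns (dotted bits, hextet, how many of its bits fall inside the prefix)."""
    rows = []
    for i, g in enumerate(expand_hextets(addr)):
        if i * 16 >= prefixlen:
            break
        bits = f"{g:016b}"
        rows.append((".".join(bits[j:j + 4] for j in range(0, 16, 4)),
                     f"{g:04x}", min(16, prefixlen - i * 16)))
    return rows


if __name__ == "__main__":
    print(show_access_list("TSHOOT", TSHOOT_ENTRIES))
    for dotted, hextet, kept in binary_breakdown("2378:5836:de87:2600:0:0:ff10::2", 52):
        print(f"{dotted} = {hextet}  (first {kept} bits inside /52)")
```

The same functions work the other way round on exam day: feed binary_breakdown any entry you are unsure about and the last row shows exactly which nibble the mask cuts through, which is where the “show” output got 2378:5836:DE87:2000:: from.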

I will leave it here, as no matter what the ACL line, we can determine what it does!

Along with the knowledge of some of the quirks with IPv6 ACL’s, the single most important thing is knowing how to properly break it down into binary, and knowing your TCP / UDP port numbers, so you can identify incorrect ACL lines on the spot!

Hope this helps, to infinity, and beyond! 🙂

 
