[CCNAv6 S4] 4.3.2.6 Packet Tracer - Configuring IPv6 ACLs



Packet Tracer - Configuring IPv6 ACLs
Addressing Table

Objectives

Part 1: Configure, Apply, and Verify an IPv6 ACL

Part 2: Configure, Apply, and Verify a Second IPv6 ACL

Part 1:     Configure, Apply, and Verify an IPv6 ACL
Logs indicate that a computer on the 2001:DB8:1:11::0/64 network is repeatedly refreshing their web page causing a Denial-of-Service (DoS) attack against Server3. Until the client can be identified and cleaned, you must block HTTP and HTTPS access to that network with an access list.

Step 1:     Configure an ACL that will block HTTP and HTTPS access.

Configure an ACL named BLOCK_HTTP on R1 with the following statements.

a.     Block HTTP and HTTPS traffic from reaching Server3.

R1(config)# deny tcp any host 2001:DB8:1:30::30 eq www
R1(config)# deny tcp any host 2001:DB8:1:30::30 eq 443
b.    Allow all other IPv6 traffic to pass.

Step 2:     Apply the ACL to the correct interface.

Apply the ACL on the interface closest the source of the traffic to be blocked.

R1(config-if)# ipv6 traffic-filter BLOCK_HTTP in
Step 3:     Verify the ACL implementation.

Verify the ACL is operating as intended by conducting the following tests:

·         Open the web browser of PC1 to http:// 2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The website should appear.
·         Open the web browser of PC2 to http:// 2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The website should be blocked
·         Ping from PC2 to 2001:DB8:1:30::30. The ping should be successful.
Part 2:     Configure, Apply, and Verify a Second IPv6 ACL
The logs now indicate that your server is receiving pings from many different IPv6 addresses in a Distributed Denial of Service (DDoS) attack. You must filter ICMP ping requests to your server.

Step 1:     Create an access list to block ICMP.

Configure an ACL named BLOCK_ICMP on R3 with the following statements:

a.     Block all ICMP traffic from any hosts to any destination.

b.    Allow all other IPv6 traffic to pass.

Step 2:     Apply the ACL to the correct interface.

In this case, ICMP traffic can come from any source. To ensure that ICMP traffic is blocked regardless of its source or changes that occur to the network topology, apply the ACL closest to the destination.

Step 3:     Verify that the proper access list functions.

a.     Ping from PC2 to 2001:DB8:1:30::30. The ping should fail.

b.    Ping from PC1 to 2001:DB8:1:30::30. The ping should fail.

Open the web browser of PC1 to http:// 2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The website should display.



Configuration R1:

enable
configure terminal
ipv6 access-list BLOCK_HTTP
 deny tcp any host 2001:DB8:1:30::30 eq www
 deny tcp any host 2001:DB8:1:30::30 eq 443
 permit ipv6 any any
interface g0/0
 ip access-group BLOCK_HTTP in
 end
write memory
!

Configuration R3:

enable
configure terminal
ipv6 access-list BLOCK_ICMP
 deny icmp any any
 permit ipv6 any any
interface g0/0
 ip access-group BLOCK_ICMP out
 end
write memory
!

END !~!


Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

[CCNAv6 S4] 8.2.4.14 Packet Tracer - Troubleshooting Enterprise Networks 3

Hình ảnh
Packet Tracer – Troubleshooting Enterprise Networks 3 Addressing Table Background This activity uses a variety of technologies you have encountered during your CCNA studies, including routing, port security, EtherChannel, DHCP, NAT, PPP, and Frame Relay. Your task is to review the requirements, isolate and resolve any issues, and then document the steps you took to verify the requirements. Note: This activity begins with a partial score. Requirements DHCP ·         R1 is the DHCP server for the R1 LAN. Switching Technologies ·         Port security is configured to only allow PC1 to access S1's F0/3 interface. All violations should disable the interface. ·         Link aggregation using EtherChannel is configured on S2, S3, and S4. Routing ·         All routers are configured with OSPF process ID 1 and no routing updates should be sent across interfaces that do n...
Đọc thêm

[CCNAv6 S2] 2.2.2.4 Packet Tracer - Configuring IPv4 Static and Default Routes

Hình ảnh
Packet Tracer - Configuring IPv4 Static and Default Routes Addressing Table Objectives Part 1: Examine the Network and Evaluate the Need for Static Routing Part 2: Configure Static and Default Routes Part 3: Verify Connectivity Background In this activity, you will configure static and default routes. A static route is a route that is entered manually by the network administrator to create a reliable and safe route. There are four different static routes that are used in this activity: a recursive static route, a directly attached static route, a fully specified static route, and a default route. Part 1:     Examine the Network and Evaluate the Need for Static Routing a.     Looking at the topology diagram, how many networks are there in total? b.    How many networks are directly connected to R1, R2, and R3? c.     How many static routes are required by each router to reach networks that are not directly ...
Đọc thêm

[CCNAv6 S2] 7.3.2.4 Packet Tracer - Troubleshooting Standard IPv4 ACLs

Hình ảnh
Packet Tracer – Troubleshooting Standard IPv4 ACLs Addressing Table Objectives Part 1: Troubleshoot ACL Issue 1 Part 2: Troubleshoot ACL Issue 2 Part 3: Troubleshoot ACL Issue 3 Scenario This network is meant to have the following three policies implemented: ·         Hosts from the 192.168.0.0/24 network are unable to access network 10.0.0.0/8. ·         L3 can’t access any devices in network 192.168.0.0/24. ·         L3 can’t access Server1 or Server2. L3 should only access Server3. ·         Hosts from the 172.16.0.0/16 network have full access to Server1, Server2 and Server3. Note: All FTP usernames and passwords are “cisco”. No other restrictions should be in place. Unfortunately, the rules that have been implemented are not working correctly. Your task is to find and fix the errors related to the access lists on R1. Part 1:     Troublesh...
Đọc thêm