Preparó: Andrés Enríquez

4.4.2.10 PT Troubleshooting IPv6 ACLs

Topology

Addressing Table
Device Interface IPv6 Address / Prefix Default Gateway

G0/0 2001:DB8:CAFE::1/64 N/A

R1 G0/1 2001:DB8:CAFE:1::1/64 N/A

G0/2 2001:DB8:CAFE:2::1/64 N/A

PC0 NIC 2001:DB8:CAFE::2/64 FE80::1

Server1 NIC 2001:DB8:CAFE:1::2/64 FE80::1

Server2 NIC 2001:DB8:CAFE:2::2/64 FE80::1

L0 NIC 2001:DB8:CAFE::3/64 FE80::1

L1 NIC 2001:DB8:CAFE:1::3/64 FE80::1

L2 NIC 2001:DB8:CAFE:2::3/64 FE80::1

Objectives
Part 1: Troubleshoot HTTP Access
Part 2: Troubleshoot FTP Access
Part 3: Troubleshoot SSH Access

Scenario
The following three polices have been implemented on the network:
         Hosts from the 2001:DB8:CAFÉ::/64 network do not have HTTP access to the other networks.
Preparó: Andrés Enríquez

         Hosts from the 2001:DB8:CAFÉ:1::/64 network are prevented from access to the FTP service on Server2.

         Hosts from the 2001:DB8:CAFE:1::/64 and 2001:DB8:CAFE:2::/64 networks are prevented from
accessing R1 via SSH.
Preparó: Andrés Enríquez

No other restrictions should be in place. Unfortunately, the rules that have been implemented are not working
correctly. Your task is to find and fix the errors related to the access lists on R1.
Note: To access R1 and the FTP servers, use the username user01 and password user01pass.

Part 1:     Troubleshoot HTTP Access

Hosts from the 2001:DB8:CAFE::/64 network are intentionally unable to access the HTTP service, but
should not be otherwise restricted.

Step 1:     Determine the ACL problem.

As you perform the following tasks, compare the results to what you would expect from the ACL.
a. Using L0, L1, and L2, attempt to access HTTP services of Server1 and Server2.

Server 1 Server 2
Preparó: Andrés Enríquez

b. Using L0, ping Server1 and Server2.

c. Using PC0, access the HTTPS services of Server1 and Server2.

Preparó: Andrés Enríquez

d. View the running configuration on R1. Examine access list G0-ACCESS and its placement on the
interfaces. Is the access list placed on the correct interface and in the correct direction? Is there any
statement in the list that permits or denies traffic to other networks? Are the statements in the correct
order?
La access-list está incompleta.

Listas actuales:
!
ipv6 access-list G0-ACCESS
deny tcp 2001:DB8:CAFE::/64 any eq www
!
!
e.     Run other tests as necessary.

Step 2:     Implement a solution.

Make adjustments to access lists to fix the problem.

R1(config)# ipv6 access-list G0-ACCESS

R1(config-ipv6-acl)# permit ipv6 any any

Step 3:     Verify the problem is resolved and document the solution.

If the problem is resolved, document the solution; otherwise return to Step 1.

No babía tráfico, debido a la regla implícita: deny any.

Se adicionó a la lista de control de acceso G0-ACCESS:
permit ipv6 any any.
Preparó: Andrés Enríquez
Preparó: Andrés Enríquez

Part 2:     Troubleshoot FTP Access

Hosts from the 2001:DB8:CAFE:1::/64 network are prevented from accessing the FTP service of Server2,
but no other restriction should be in place.

Step 1:     Determine the ACL problem.

As you perform the following tasks, compare the results to the expectations of the ACL.
a. Using L0, L1, and L2, attempt to access FTP service of Server2.
username user01 and password user01pass
PC> ftp 2001:db8:cafe:2::2
Preparó: Andrés Enríquez

b.    View the running configuration on R1. Examine access list G1-ACCESS and its placement on the
interfaces. Is the access list placed on the correct port in the correct direction? Is there any statement
in the list that permits or denies traffic to other networks? Are the statements in the correct order?

ipv6 access-list G1-ACCESS

deny tcp 2001:DB8:CAFE:1::/64 any eq 22
deny tcp 2001:DB8:CAFE:1::/64 host 2001:DB8:CAFE:2::2 eq ftp
permit ipv6 any any
!
e. Run other tests as necessary.

Step 2:     Implement a solution.

Make adjustments to access lists to fix the problem.
R1(config)#
interface GigabitEthernet0/1
no ipv6 traffic-filter G1-ACCESS out
ipv6 traffic-filter G1-ACCESS in

Step 3:     Verify the problem is resolved and document the solution.

If the problem is resolved, document the solution; otherwise return to Step 1.

La lista de control de acceso G1-ACCESS fue aplicada como salida (out). Se remueve este parámetro y se aplica a la
interfaz Gi0/1 como entrada (in)
Preparó: Andrés Enríquez

Part 3:     Troubleshoot SSH Access

Only the hosts from 2001:DB8:CAFE::/64 network are permitted remote access to R1 via SSH.

Step 1:     Determine the ACL problem.

As you perform the following tasks, compare the results to what you would expect from the ACL.
a. From L0 or PC0, verify SSH access to R1.

b. Using L1 and L2, attempt to access R1 via SSH.

Preparó: Andrés Enríquez

c. View the running configuration on R1. Examine access lists and their placements on the interfaces. Is
the access list placed on the correct interface and in the correct direction? Is there any statement in
the list that permits or denies traffic to other networks? Are the statements in the correct order?

ipv6 access-list G2-ACCESS

permit ipv6 any any
deny tcp 2001:DB8:CAFE:2::/64 any eq 22
!

d.    Perform other tests, as necessary.

Step 2:     Implement a solution.

Make adjustments to access lists to fix the problem.

R1(config)# no ipv6 access-list G2-ACCESS

R1(config)# ipv6 access-list G2-ACCESS
R1(config-ipv6-acl)# deny tcp 2001:DB8:CAFE:2::/64 any eq 22
Preparó: Andrés Enríquez

R1(config-ipv6-acl)# permit ipv6 any any

Step 3:     Verify that the problem is resolved and document the solution.
If the problem is resolved, document the solution: otherwise return to Step 1.

La lista de control de acceso G2-ACCESS inicialmente permite todo el tráfico IPv6.

Se debe eliminar la lista y crear una de nuevo con el orden correcto.
Preparó: Andrés Enríquez