Ipv6 - Lab4


Packet Tracer Advanced IPv6 (DHCPv6 & Access Control)

Topology

Scenario
NetVise Corporation has hired a new security manager who would like to implement several new control policies for the IPv6 network. You have been placed in charge of implementing the required access control lists according to the given specifications alongside a new DHCPv6 server. The security manager has also requested that the IPv6 security implementation is fully documented and verified. Prior to starting this lab, your manager provided you with some supporting training material. You are expected to review the provided material thoroughly before starting this lab.

2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.


Packet Tracer IPv6 Access Control Lists

Addressing Table
| Device | Interface | Type | IP Address | Prefix | Default Gateway |
|--------|-----------|------|------------|--------|-----------------|
| S1-RTR | S0/0/0 | Global Unicast | 2001:c1c0:34:12::1 | /64 | N/A |
| S1-RTR | S0/0/1 | Global Unicast | 2001:c1c0:34:13::1 | /64 | N/A |
| S1-RTR | G0/0 | Global Unicast | 2001:c1c0:34:1::1 | /64 | N/A |
| S1-PC | NIC | Static | 2001:c1c0:34:1::100 | /64 | 2001:c1c0:34:1::1 |
| S2-RTR | S0/0/0 | Global Unicast | 2001:c1c0:34:12::2 | /64 | N/A |
| S2-RTR | S0/0/1 | Global Unicast | 2001:c1c0:34:23::2 | /64 | N/A |
| S2-RTR | G0/0 | Global Unicast | 2001:c1c0:34:2::1 | /64 | N/A |
| S2-PC | NIC | Static | 2001:c1c0:34:2::100 | /64 | 2001:c1c0:34:2::1 |
| S3-RTR | S0/0/0 | Global Unicast | 2001:c1c0:34:13::3 | /64 | N/A |
| S3-RTR | S0/0/1 | Global Unicast | 2001:c1c0:34:23::3 | /64 | N/A |
| S3-RTR | G0/0 | Global Unicast | 2001:c1c0:34:3::1 | /64 | N/A |
| S3-PC | NIC | DHCPv6 | | | |

Objectives
- Configure DHCPv6 server and verify address allocation.
- Verify routing and connectivity (preconfigured).
- Configure standard and extended access lists (ACLs).
- Securing VTY lines using access lists.

Task 1: Configure DHCPv6 server and verify address allocation.

Step 1: Configure S3-RTR with the following parameters to allocate an IPv6 address to S3-PC.
- IPv6 Address Pool: 2001:c1c0:34:3::/64 (assigned with a prefix length of 64).
- Domain Name: netspace.com
- DNS Server: 2001:4860:4860::8888

Task 2: Verify routing and connectivity

Step 1: All interfaces have been preconfigured according to the addressing table, and routing has been enabled using EIGRPv6. After DHCPv6 is configured to allocate an address to S3-PC, you should be able to ping both S1-PC and S2-PC from S3-PC.

Task 3: Configure standard and extended access lists (ACLs)


Step 1: Configure a standard access control list (ACL) to block all traffic sourced from the S3-PC DHCP pool and destined for S1-PC. Permit all other traffic. Remember, you should place standard access control lists as close as possible to the destination.

Step 2: Configure an extended access control list (ACL) to block HTTP and FTP (TCP) traffic sourced from S3-PC's specific IPv6 address when destined for S2-RTR's G0/0 LAN subnet. Permit all other traffic. Remember, you should place extended access control lists as close as possible to the source. Using a traffic generator on S3-PC, you can send traffic with destination ports 80 and 21 respectively. If you notice the access list matches increment, you have configured the task correctly and the appropriate traffic is being blocked.

Task 4: Securing VTY lines using access lists

Step 1: Telnet is preconfigured on S1-RTR. Restrict access so that management access is allowed only from S2-PC, and deny all other sources.
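One way to express the Task 3 and Task 4 filters in Cisco IOS syntax, added here as an example and not part of the original lab handout. The ACL names and the VTY range 0 4 are assumptions, and `<S3-PC-ADDRESS>` is a placeholder for the address S3-PC leases from the DHCPv6 pool.

```cisco
! Added example. ACL names are hypothetical; the VTY range 0 4 is assumed.
! <S3-PC-ADDRESS> is a placeholder: read the lease from
! "show ipv6 dhcp binding" on S3-RTR before entering these lines.

! --- S1-RTR: Task 3 Step 1, filter applied next to the destination LAN ---
ipv6 access-list BLOCK-S3-POOL
 deny ipv6 2001:c1c0:34:3::/64 host 2001:c1c0:34:1::100
 permit ipv6 any any
interface GigabitEthernet0/0
 ipv6 traffic-filter BLOCK-S3-POOL out

! --- S3-RTR: Task 3 Step 2, filter applied next to the source LAN ---
ipv6 access-list BLOCK-WEB-FTP
 deny tcp host <S3-PC-ADDRESS> 2001:c1c0:34:2::/64 eq 80
 deny tcp host <S3-PC-ADDRESS> 2001:c1c0:34:2::/64 eq 21
 permit ipv6 any any
interface GigabitEthernet0/0
 ipv6 traffic-filter BLOCK-WEB-FTP in

! --- S1-RTR: Task 4 Step 1, only S2-PC may open a VTY session ---
ipv6 access-list VTY-MGMT
 permit ipv6 host 2001:c1c0:34:2::100 any
 deny ipv6 any any
line vty 0 4
 ipv6 access-class VTY-MGMT in

! --- Verification, run on each router after generating test traffic ---
! The match counters on the deny entries should increment.
! show ipv6 access-list
```

Entries are evaluated top-down and the first match wins, so each deny must appear before the closing `permit ipv6 any any`. On the S3-RTR inbound filter that final permit also lets S3-PC's DHCPv6 requests reach the router.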
