IPv6 and IPv4 ACLs

As we begin deploying IPv6 we are going to be in a mixed IPv4/IPv6 environment. We have the required access lists implemented for IPv4 and must apply the same ACL definitions for IPv6. Is it possible to apply IPv4 and IPv6 access lists concurrently on an interface, or is a single access list containing both IPv4 and IPv6 addresses called for?

You will need to have concurrent ACLs applied to the interface.
The access lists are address-family specific in their syntax and features, so they cannot be mixed. An indicative example is shown below.
ip access-list extended test-v4
 permit ip any host 1.1.1.1
 deny   ip any any
!
ipv6 access-list test-v6
 permit ipv6 any host 2001:DB8::1
 deny ipv6 any any
!
interface Ethernet1/1
 ip access-group test-v4 in
 ipv6 traffic-filter test-v6 in
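The answer's snippet shows the two address families applied side by side. The gap that bites in practice is the interface that receives the IPv4 ACL and not the IPv6 one (every dual-stack interface needs both), or a traffic-filter that names an ACL nobody defined, which on IOS leaves the interface passing all traffic rather than denying it. The script below is an added example, not part of the original answer: it parses an IOS-style configuration and reports exactly those gaps. It assumes the IOS command names used in the answer (ip access-group, ipv6 traffic-filter), the one-space block indentation IOS prints, and a constructed sample configuration that extends the answer's snippet with two deliberately broken interfaces; the function names are my own.

```python
"""Audit an IOS-style configuration for dual-stack ACL coverage gaps.

Added example; not part of the original answer.  Assumptions: the IOS command
names used in the answer (ip access-group / ipv6 traffic-filter), one-space
indentation for block members as IOS prints it, and a constructed sample config.
"""
import re
from typing import Dict, List, Tuple

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
IPV4_ACL_DEF = re.compile(r"^ip access-list (?:standard|extended)\s+(\S+)")
IPV6_ACL_DEF = re.compile(r"^ipv6 access-list\s+(\S+)")
IPV4_APPLY = re.compile(r"^ip access-group\s+(\S+)\s+(in|out)\b")
IPV6_APPLY = re.compile(r"^ipv6 traffic-filter\s+(\S+)\s+(in|out)\b")


def parse(config: str) -> Tuple[Dict[str, dict], Dict[Tuple[str, str], List[str]]]:
    """Return (interfaces, acls).

    interfaces: name -> {"v4": bool, "v6": bool, "v4_acl": {dir: name}, "v6_acl": {dir: name}}
    acls: ("ipv4"|"ipv6", name) -> list of ACE strings
    """
    interfaces: Dict[str, dict] = {}
    acls: Dict[Tuple[str, str], List[str]] = {}
    current_if = current_acl = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank or comment line; the block stays open
        if not raw.startswith(" "):
            # Any unindented command ends the previous interface/ACL block.
            current_if = current_acl = None
            if m := INTERFACE_RE.match(raw):
                current_if = m.group(1)
                interfaces[current_if] = {"v4": False, "v6": False, "v4_acl": {}, "v6_acl": {}}
            elif m := IPV4_ACL_DEF.match(raw):
                current_acl = ("ipv4", m.group(1))
                acls[current_acl] = []
            elif m := IPV6_ACL_DEF.match(raw):
                current_acl = ("ipv6", m.group(1))
                acls[current_acl] = []
            continue
        line = raw.strip()
        if current_if is not None:
            f = interfaces[current_if]
            if line.startswith("ip address "):
                f["v4"] = True
            elif line.startswith("ipv6 address ") or line == "ipv6 enable":
                f["v6"] = True            # 'ipv6 enable' alone still brings up link-local
            elif m := IPV4_APPLY.match(line):
                f["v4_acl"][m.group(2)] = m.group(1)
            elif m := IPV6_APPLY.match(line):
                f["v6_acl"][m.group(2)] = m.group(1)
        elif current_acl is not None:
            acls[current_acl].append(line)
    return interfaces, acls


def audit(config: str) -> List[str]:
    """Report interfaces where one address family is filtered and the other is
    not, and ACL references with no definition (on IOS an undefined ACL applied
    to an interface permits all traffic, so that is a hole, not a deny-all)."""
    interfaces, acls = parse(config)
    findings: List[str] = []
    for name, f in sorted(interfaces.items()):
        for direction in ("in", "out"):
            v4 = f["v4_acl"].get(direction)
            v6 = f["v6_acl"].get(direction)
            if f["v4"] and f["v6"]:
                if v4 and not v6:
                    findings.append(f"{name}: IPv4 filtered {direction}bound by {v4} but IPv6 is unfiltered")
                if v6 and not v4:
                    findings.append(f"{name}: IPv6 filtered {direction}bound by {v6} but IPv4 is unfiltered")
            if v4 and ("ipv4", v4) not in acls:
                findings.append(f"{name}: ip access-group {v4} references an undefined ACL")
            if v6 and ("ipv6", v6) not in acls:
                findings.append(f"{name}: ipv6 traffic-filter {v6} references an undefined ACL")
    return findings


# Constructed sample: the answer's snippet plus two interfaces with real gaps.
SAMPLE_CONFIG = """\
ip access-list extended test-v4
 permit ip any host 192.0.2.1
 deny   ip any any
!
ipv6 access-list test-v6
 permit ipv6 any host 2001:DB8::1
 deny ipv6 any any
!
interface Ethernet1/1
 ip address 192.0.2.254 255.255.255.0
 ipv6 address 2001:DB8::FE/64
 ip access-group test-v4 in
 ipv6 traffic-filter test-v6 in
!
interface Ethernet1/2
 ip address 198.51.100.254 255.255.255.0
 ipv6 address 2001:DB8:1::FE/64
 ip access-group test-v4 in
!
interface Ethernet1/3
 ip address 203.0.113.254 255.255.255.0
 ipv6 enable
 ip access-group test-v4 in
 ipv6 traffic-filter dmz-v6 in
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it flags Ethernet1/2 (IPv6 reachable but only the IPv4 ACL applied) and Ethernet1/3 (traffic-filter pointing at an ACL that does not exist). Feed it the output of show running-config from a real device to check a whole estate; the parser only needs the interface and access-list blocks, so the rest of the config is ignored.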

Similar Messages

  • GRC Controls Suite Support for IPV6 and IPV4

    Dear all
    Please can you help confirm whether the latest version of the GRC Controls Suite supports the co-existence of IPv4 and IPv6, or is capable of transporting IPv6 and IPv4 traffic within it?
    Any help much appreciated.
    best regards
    Vineet

    Please see MOS Note ID: 741001.1 - GRC Suite Certification Matrix
    If the information you need is not there, I strongly recommend opening an SR to find out, and let us all know!

  • IPv6 plus IPv4 on Solaris 8/9

    Can IPv6 and IPv4 be enabled together on Solaris 8 or Solaris 9? If so, can they be used interchangeably in any fashion?
    Does introduction of IPv6 change any network cards?
    If a machine is enabled with IPv6 alone, then how will it interact with machines supporting IPv4?
    Thanks a lot in anticipation of your answers.

    Yes you can run the protocols together. They run on the same net card at the same time.
    They are not "interchangeable" as you put it. IPv6 is not compatible with IPv4 in the sense that a pure IPv6 host cannot communicate with a pure IPv4 host, which answers another of your questions I think.
    If you have a pure IPv4 box A and a pure IPv6 box B you need a gateway C that runs both protocols and can route between them.
    And yes, your network card is "changed", in that it now passes IPv4 and IPv6 packets up to the kernel.

  • Filtering/Dropping IPv6 on IPv4-only Devices?

    Hi All -
    Got an interesting requirement that (for something seemingly simple) has been remarkably challenging to locate a solution for...
    Having a problem with random IPv6 traffic showing up on the enterprise LAN from time to time and freaking out certain network-connected devices that don't know how to process it (CPU 100%, etc.). So I'm looking for a way to filter/drop that IPv6 traffic at the network edge. I can certainly set the core 6500s to not route (or even ignore) IPv6, but that still doesn't stop it from running around WITHIN a VLAN.
    Is there a way that an IPv4-only device can identify IPv6 traffic (by a protocol type code or something along that line) so that it can be filtered/dropped before it even makes it onto the backbone?
    Thanks in advance!
    Mike

    Mike-
    Good question! The first thing I thought of was VACLs, but VACLs with IPv6 are not supported on the 6000 series switch.
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml#vacl
    Are the 6500s your access layer? Are they your L3 gateway? Is it possible for you to find the device(s) running IPv6 and correct them?

  • Convert from IPv6 to IPv4

    Hi,
    When using request.getRemoteAddr() I get the IP in IPv6 format.
    But I am using MaxMind to get geo information, which needs the IP in IPv4 format.
    How can I convert from IPv6 to IPv4?
    Thanks.

    I'm not too familiar with IPv6, but I think it is controlled by the OS and hardware. Windows Vista, for example, uses IPv6 by default, so you would need to switch to IPv4 in order to get request.getRemoteAddr() to display as IPv4 (such as it does running on my MacBook Pro).
    If you are trying to get IPv4 for all clients that connect and you don't know their OS, you can try some third-party freeware programs out there like IPConvert.
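    The only IPv6 addresses that can be turned back into IPv4 are IPv4-mapped ones (::ffff:a.b.c.d), which is what a dual-stack listening socket reports for a client that connected over IPv4; a native IPv6 client address has no IPv4 form, and for those the lookup has to go against an IPv6-capable GeoIP database rather than a converted address. The code below is an added example, not from the original thread, and is written in Python rather than the Java servlet API the question uses; the function names are my own, and the addresses in the usage are constructed from documentation ranges.

```python
"""Normalise a client address for an IPv4-only GeoIP lookup.

Added example; not part of the original thread, and in Python rather than the
Java servlet API the question uses.  The function names are my own.

Only IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, what a dual-stack listening
socket reports for an IPv4 client) can be turned back into IPv4.  A native
IPv6 address has no IPv4 form; for those the caller needs an IPv6-capable
GeoIP database rather than a conversion.
"""
import ipaddress
from typing import Optional, Union


def _parse(addr: str) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address, None]:
    """Accept '[addr]:port', zone ids (fe80::1%eth0) and plain addresses.
    Returns None for anything that is not a valid IP address."""
    s = addr.strip()
    if s.startswith("[") and "]" in s:        # bracketed form with a port suffix
        s = s[1:s.index("]")]
    s = s.split("%", 1)[0]                    # drop a link-local zone id
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def remote_ipv4(addr: str) -> Optional[str]:
    """Dotted-quad string if addr is IPv4 or IPv4-mapped IPv6, otherwise None."""
    ip = _parse(addr)
    if ip is None:
        return None
    if ip.version == 4:
        return str(ip)
    mapped = ip.ipv4_mapped                   # IPv4Address for ::ffff:a.b.c.d, else None
    return str(mapped) if mapped is not None else None


def embedded_ipv4(addr: str) -> Optional[str]:
    """Best-effort IPv4 hint from a 6to4 (2002::/16) or Teredo (2001::/32)
    address.  That address is the tunnel endpoint, not necessarily the client
    itself, so use it only as a geolocation hint, never for identity or ACLs."""
    ip = _parse(addr)
    if ip is None or ip.version != 6:
        return None
    if ip.sixtofour is not None:
        return str(ip.sixtofour)
    if ip.teredo is not None:
        _server, client = ip.teredo            # (Teredo server, client external IPv4)
        return str(client)
    return None


if __name__ == "__main__":
    # Constructed sample inputs: mapped, native IPv6, bracketed, 6to4.
    for sample in ("::ffff:192.0.2.1", "2001:db8::1", "[::ffff:192.0.2.1]:443", "2002:c000:204::1"):
        print(f"{sample:28} -> {remote_ipv4(sample)!s:12} embedded={embedded_ipv4(sample)}")
```

    In the servlet, call the equivalent of remote_ipv4() on the value of request.getRemoteAddr() and only fall back to the IPv6 database (or to embedded_ipv4() as a hint) when it returns None; do not "switch off" IPv6 on the server to make the problem disappear, because the same client would then simply be unreachable over IPv6.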

  • IPv6 in IPv4 Tunneling

    Any support for IPv6-in-IPv4 tunneling, e.g. HE, for those of us whose ISP does not do native IPv6 or 6rd?

    Gabby wrote:
    http://www6.nohold.net/Cisco2/ukp.aspx?pid=93&vw=1&articleid=23904
    All of the Linksys devices currently support only Internet Protocol version 4 (IPv4) addressing.  However, WRT610N and E4200 nominally support the latest Internet Protocol version 6 (IPv6) but these products are NOT yet IPv6 compliant.
    NOTE:  Future firmware releases of Linksys devices will be available to support IPv6.
    This information is OUTDATED.

  • OpenVPN IPv6 client, IPv4 server, Port forwarding?

    I'd like to use an anonymous VPN with OpenVPN, but my new ISP only gives out IPv6 addresses, and IPv4 only via Dual-Stack Lite (4in6).
    As a consequence, my machine is only reachable with IPv6 port forwarding.
    The VPN provider only supports IPv4.
    Now the question:
    Can I reach my machine through IPv6 port forwarding with OpenVPN and get a static IPv4 address and port forwarding (v4) from him?
    As I see it:
    I should be able to establish a connection with the VPN. I get a static address and the provider is forwarding the ports. Because I made the connection TO him, it doesn't matter which ports are open on my side. Right?
    Or is it the other way around, that both need ports that can be forwarded?

    I guess you mean forwarding from WAN (server) to LAN (client), both with static IPs?
    (The server must be your Internet gateway/router.)
    NAT requires the ipfw firewall to be running, so you need to add these ports (TCP and/or UDP?) to the "allowed in" list for the server's public/WAN IP. Turn on logging of denied packets to see what happens.

  • Difference between address-family ipv6 and address-family ipv6 labeled unicast

    Hello Experts,
    Can someone explain to me the difference between address-family ipv6 and address-family ipv6 labelled unicast? Per my understanding, I think both of them are used to send labelled IPv6 prefix advertisements through BGP. If so, are the following configs the same?
    address-family ipv6
     neighbor 192.168.0.1 activate
     neighbor 192.168.0.1 send-label
    router bgp 10
     neighbor 192.168.0.1
      address-family ipv6 labeled-unicast
    Please let me know if my understanding is correct
    Thanks
    Mukundh

    Thanks for the reply Nagendra...
    I have another related query regarding this. We have a BGP neighborship flapping between 2 routers. One is a Cisco 7204 and the other is a Juniper M120, I think. The Juniper logs show that BGP flapped because family inet6 is not configured on the Juniper end, and Juniper is receiving BGP advertisements with a native IPv6 next hop from Cisco when it shouldn't be receiving that. The following are the commands on Cisco and Juniper...
    ##### CISCO####
    router bgp 5603
     neighbor 95.176.254.10 inherit peer-session LAR
     neighbor 95.176.254.10 description --- M320-LAB-LJ-CIGALETOVA
     address-family ipv4
      neighbor 95.176.254.10 activate
      neighbor 95.176.254.10 inherit peer-policy LAR-ipv4
     address-family ipv6
      neighbor 95.176.254.10 activate
      neighbor 95.176.254.10 send-community both
      neighbor 95.176.254.10 route-reflector-client
      neighbor 95.176.254.10 send-label
     template peer-session LAR
      remote-as 5603
      update-source Loopback0
      timers 30 90
     exit-peer-session
     template peer-policy LAR-ipv4
      route-map LAR-ipv4-out out
      route-reflector-client
      soft-reconfiguration inbound
      send-community both
     exit-peer-policy
    ####JUNIPER####
    protocols {
        bgp {
            group I-BGP-IPV4 {
                type internal;
                family inet {
                    unicast;
                }
                family inet6 {
                    labeled-unicast {
                        explicit-null;
                    }
                }
                export RR-Export-All;
                neighbor 95.176.255.254 {
                    description C7201-RR-IP-CIGALETOVA;
                    local-address 95.176.254.10;
                }
                neighbor 95.176.255.252 {
                    description C7201-RR-IP-CIGALETOVA;
                    local-address 95.176.254.10;
                }
            }
        }
    }
    By the Cisco config above, shouldn't Cisco be sending only labelled IPv6 prefixes, or am I wrong in this? And if Cisco sends both unlabelled and labelled prefixes, is there a way to make it send only IPv6 prefixes?
    Thanks
    Mukundh

  • Is it possible to get an IPv6 and 802.11n capable router?

    I would like to upgrade my current wireless router to one that supports IPv6 and 802.11n. I want to do 6in4 tunnels for IPv6 to Hurricane Electric for my tunnel service, and I have computers that have 802.11n. Currently I have the Actiontec (Verizon) MI424-WR wireless router with 10/100 ports. Can I get this through Verizon? I know I can go buy a wireless router that can provide this on the outside, but I want to ensure that this doesn't mess up my TV service. I have the three services currently on FiOS: TV, Internet and phone. So the router controls the TV set-top boxes also.

    Well, Verizon themselves have no plans to switch customers over to IPv6-capable routers right away, and it's hard to get a Wireless N router from them as well unless you are on a business plan. Now, if you turn off the wireless on the Verizon side and hook up a router/switch to an open port on the Verizon router/modem there should be no problem, as that's how I do mine. Also, there are only certain routers that support Wireless N and IPv6 access, and I will post some info here about that as well.
    http://www.dlink.com/products/?pid=767  <<<  Here's the D-Link one I'm using, as D-Link and Cisco (Linksys) are the only companies that support IPv6 fully on certain models.
    Here's another IPv6 router >> http://www.dlink.com/products/?pid=737
    Those are the only two I know of, but I was told there are two more D-Link models that support it; I contacted D-Link and they told me that the two I have linked here are the only fully compatible IPv6 routers available.
    Here's one of Cisco's routers >> http://homestore.cisco.com/en-us/Routers/Linksys-E4200-MaximumPerformance-Wirelessn-router_stcVVprod...

  • IPv6 and ASA OS

    We're preparing for a migration to IPv6 and I am trying to find if there is a recommended ASA OS by Cisco to support IPv6.  My firewall currently is running version 7.2(3).  I know this version has IPv6 commands, but I want to make sure it supports everything I need.
    Thanks!
    Dan

    Here is what is supported in version 7.2.x for IPv6:
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ipv6.html
    The later versions of ASA have more support for IPv6.
    Here is the configuration guide for ASA 8.3, and the IPv6 configuration can be found on a number of sections:
    http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/config.html
    (Under configuring interfaces section, Adding an IPv6 access-list section, Configuring IPv6 Neighbour Discovery section, etc.)
    Hope that helps.

  • Router ACL and Port ACL

    How can I tell, by looking at an ACL, whether it is a router ACL or a port ACL?
    Is there any syntax difference between these two ACLs, or do they look the same?

    How can I tell, by looking at an ACL, whether it is a router ACL or a port ACL?
    It depends on where the ACL is applied:
    Layer-3 interface (SVI, routed port): Router ACL
    Layer-2 interface (physical switch interfaces): Port ACL
    Is there any syntax difference between these two ACLs?
    Both support standard and extended ACLs; port ACLs support MAC extended ACLs in addition.
    Link: c3560 Configuring Network Security with ACLs

  • How will the Time Capsule support IPv6 and cope with the new security threats that will emerge due to the new technical possibilities that IPv6 provides?

    How will the Time Capsule support IPv6 and cope with the new security threats that will emerge due to the new technical possibilities that IPv6 provides?

    Cross your fingers and hope.
    Obviously if there is any big or known threat Apple will send out a firmware fix.
    But the TC is designed to be end user simple device. It has no firewall that is visible at any rate. I don't know that it truly doesn't have a firewall but it is not part of the end user controls.
    IMO, if you have major security concerns that go beyond the end-device firewall (which is where Apple put most of the security, since a firewall in the router is plainly no stop to anybody deliberately downloading an infected file or visiting an infected website, and most end users do not want a firewall that prevents them using the web like a business does, where only certain ports are allowed and everything else is tough luck, you are not allowed to use it), then the TC is unsuitable for you anyway: buy a proper firewall appliance.

  • ACL Applied in Inbound direction and another ACL exist for in outbound direction - will return traffic allow

    interface gix/y
     ip address A.B.C.D 255.255.255.192
     ip access-group ACL-Inbound in
     ip access-group ACL-Outbound out
    exit
    In ACL-Inbound I have allowed SMTP traffic from 6 source addresses to 4 destination servers. One sample entry among the 24 ACEs is given below.
    permit tcp host E.F.G.H host I.J.K.L eq 25
    I haven't applied any specific rule for SMTP traffic in the outbound direction. My understanding is that the destinations will be able to reply to the request. Does that need to be specified in the ACL?

    As Fahad has already noted, if you're going to use both an in and an out ACL, you'll need to account for the traffic allowed in both directions. Normally, the in and out ACEs are just mirror entries, so for your example of:
    in
    permit tcp host E.F.G.H host I.J.K.L eq 25
    out would be:
    permit tcp host I.J.K.L eq 25 host E.F.G.H
    Fahad also mentioned using a Reflexive ACL. These generate a stateful mirror ACE for the reverse traffic. The reverse ACE stays active for a short duration after seeing the traffic that created it, and then it times out and removes itself. Normally you would only use one on the trusted side of the device, for locally generated flows. When used with a trusted side, the ACEs are often made more generic; for example, any inside-to-outside HTTP flow will allow an ACE for the return traffic.
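    The stateless mirror the answer describes is mechanical enough to generate rather than hand-type for 24 entries, and generating it is also the place to tighten it: a plain mirror of a TCP entry permits anything from port 25 of the server to any port of the client, so a host behind the server side can open new connections sourced from port 25. Adding the IOS established keyword to the mirrored TCP entry restricts it to segments with ACK or RST set, i.e. replies to a session the inbound entry permitted. The script below is an added example, not from the original thread: it parses IOS extended ACEs (host, any, network/wildcard, eq/gt/lt/neq/range on either side), swaps source and destination, and adds established to TCP mirrors. The sample inbound ACL is constructed with documentation addresses and the function names are mine.

```python
"""Generate the stateless 'mirror' ACE for the return direction of an IOS
extended ACE, as the answer above describes.  Added example, not from the
original post; the sample ACL is constructed and the function names are mine.
"""
from typing import List, Tuple

# Port operators allowed after a tcp/udp address and how many operands each takes.
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}


def _parse_endpoint(tokens: List[str], i: int, proto: str) -> Tuple[List[str], int]:
    """Consume one address spec (any | host A | A WILDCARD) and, for tcp/udp, an
    optional port qualifier.  Returns the endpoint tokens and the next index."""
    if tokens[i] == "any":
        ep, i = ["any"], i + 1
    else:                                   # "host A" or "A WILDCARD": two tokens
        ep, i = tokens[i:i + 2], i + 2
    if proto in ("tcp", "udp") and i < len(tokens) and tokens[i] in PORT_OPS:
        n = 1 + PORT_OPS[tokens[i]]
        ep, i = ep + tokens[i:i + n], i + n
    return ep, i


def mirror_ace(ace: str) -> str:
    """Swap source and destination (addresses and ports) of one extended ACE.

    For TCP the mirror gets the 'established' keyword, so the outbound entry only
    matches segments with ACK or RST set: replies to a session the inbound entry
    permitted, not new connections sourced from port 25.  Mirroring an ACE that
    already carries 'established' removes it again, so the function is its own
    inverse.  Other trailing keywords ('log', ICMP type names) are kept as-is,
    which means an ICMP 'echo' mirror is not rewritten to 'echo-reply'.
    """
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {ace!r}")
    action, proto = tokens[0], tokens[1].lower()
    src, i = _parse_endpoint(tokens, 2, proto)
    dst, i = _parse_endpoint(tokens, i, proto)
    trailing = tokens[i:]
    had_established = "established" in trailing
    trailing = [t for t in trailing if t != "established"]
    out = [action, proto, *dst, *src]
    if proto == "tcp" and not had_established:
        out.append("established")
    return " ".join(out + trailing)


def mirror_acl(lines: List[str]) -> List[str]:
    """Mirror a whole ACL body in order; 'remark' lines pass through unchanged."""
    out: List[str] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        out.append(line if line.startswith("remark") else mirror_ace(line))
    return out


# Constructed sample inbound ACL: the question's SMTP entry shape plus a few others.
ACL_INBOUND = [
    "remark SMTP from relay to mail server",
    "permit tcp host 192.0.2.10 host 198.51.100.25 eq 25",
    "permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq 53",
    "permit tcp any host 198.51.100.80 range 80 443 log",
    "permit icmp 192.0.2.0 0.0.0.255 any",
    "deny ip any any",
]

if __name__ == "__main__":
    print("ip access-list extended ACL-Outbound")
    for ace in mirror_acl(ACL_INBOUND):
        print(" " + ace)
```

    For the question's own entry, mirror_ace("permit tcp host E.F.G.H host I.J.K.L eq 25") yields permit tcp host I.J.K.L eq 25 host E.F.G.H established, the answer's outbound line plus the established qualifier. UDP and ICMP have no handshake to key on, so their mirrors stay as wide as the forward entry; that is the point at which a reflexive ACL, as the answer also mentions, is the better tool.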

  • IPv6 and Application Networking

    We've got a CSS11500 (and just invested in SSL modules for it) and are getting a mandate to move to IPv6 by June 2008. Does anybody know if future WebNS releases will support IPv6? If not, what is Cisco's path for supporting IPv6 in the application networking space - the ACE?

    Hi,
    Both CSM and CSS do not support IPv6, and probably will not in future.
    ACE's hardware is IPv6 capable, but the functionality will be added in future; not sure when.
    Hope it helps!!

  • Why can't Safari 5.1 prefer ipv6 vs ipv4?

    So prior to the installation of Lion, I had configured my network for IPv6 connectivity to the internet via the Hurricane Electric tunnel broker. Simply put, it was amazing. Now after the installation I've realized that my IPv6 support has slowed dramatically. When I tested to see exactly why this took place, I received the following:
    It preferred IPv6 pre-Lion, now it's hot for IPv4, what gives? So I tested dual-stack connectivity and I got this:
    When I chose the IPv6-only test, I got this:
    There's a note below the results that states: "If your browser is able to connect to the IPv6-only Test, yet using the Dual-Stack Test returns a page with a red box stating that you are using IPv4, then your browser and/or IP stack in your machine are preferring IPv4 over IPv6, which is undesired/broken behavior."
    Since it's obviously a Safari issue, any idea how to correct this?

    http://docs.info.apple.com/article.html?path=AirPortUtility/5.1/en/ap2127.html
    This may be a bit premature, as IPv6 has not been fully implemented yet:
    What is IPv6?
    http://support.apple.com/kb/HT4669?viewlocale=en_US
    These articles may also be of interest:
    http://en.wikipedia.org/wiki/Ipv6
    The last five blocks of the IP Version 4 addresses have been handed over to the regional bodies that distribute them.
    Those five blocks, called /8s and which contain 16 million addresses each, are expected to be completely depleted by September 2011.
    The move to the new addressing scheme, IP version 6, is under way but could take years to complete.
    "This is one of the most important days in the internet's history," said Rod Beckstrom, head of net overseer Icann at a press conference called to mark the handing over of the final five blocks.
    "It is a point that the founders of the internet thought would occur far in the future," he said. "It gives us an opportunity to shift to an internet protocol that offers a pool so large that it is difficult even to imagine."
    IPv6 has a pool of addresses a billion, trillion times larger than the 4.3 billion that IPv4 can support.
    While that pool of 4.3 billion addresses was seen as plenty when the net was getting going, its recent growth has seen it get used up very quickly.
    The shift to IPv6 was needed, he said, to support the continuing growth of the net and its greater use by all kinds of connected devices.
    "The future of the internet and the innovation it fosters lies with IPv6," said Mr Beckstrom.
    Despite the imminent exhaustion of the IPv4 pool, few ISPs, companies, academic organisations and others have made the switch. A World IPv6 Day is being planned for 8 June that will give governments, companies and others the chance to test out the technology.
    Cisco, Verizon, Yahoo, Google, Facebook and many others have committed to testing IPv6 on 8 June.
    In the UK, the switch to the new addressing scheme might take years, said Philip Sheldrake, head of 6UK, an organisation set up to advise companies how to make the move.
    Most firms would upgrade equipment, routers, hubs and modems, as part of their "normal replenishment cycle", he said.
    Equipment that is going to be in use for years before being replaced could be fitted with "dual stack" systems that can handle both IPv4 and IPv6 addresses
    Some ISPs and others may take a more aggressive approach to the switch, said Mr Sheldrake.
    "There are automated approaches that involve some remote updating of firmware in equipment," he said.
    "The internet does not break when IPv4 is exhausted," said Mr Sheldrake explaining why this long term shift was feasible.
    "What we are looking at here is that some parts of the world that have less IPv4 will be more on the front foot of adopting v6 than the UK because we have some good v4 space," he said.
    http://www.bbc.co.uk/news/technology-12367484
