The BIG lab - Part 10 - IPv6 filtering


I did plan to finish the BIG lab off with a couple of network services, some IPv6 filtering and some policy routing. However, Cisco IOU seems to have an issue with setting up NTP, there are no DHCP client PCs to play with, and policy routing is more tuned to QoS than for "general" usage. So we'll focus on IPv6 filtering instead, and save the other topics for separate posts.

IPv6 Filtering.

Recall from part 8 that we nominated the loopback interface on R1 as our "secure network" and then blocked R10 from accessing this network. We start by assigning the IPv6 address FEC0:0:0:111::1/128 to the loopback interface, and confirm we can see it:
R1(config)#int lo0
R1(config-if)#ipv6 address fec0:0:0:111::1/128
R1(config-if)#ipv6 eigrp 100
R1(config-if)#exit
R1(config)#exit
R1#sh ipv6 int bri
Serial0/0                  [up/up]
    unassigned
Serial0/1                  [up/up]
    unassigned
Serial0/2                  [administratively down/down]
    unassigned
Serial0/3                  [administratively down/down]
    unassigned
Multilink1                 [up/up]
    FE80::FF:FE00:1
    FEC0:0:0:110::1
Loopback0                  [up/up]
    FE80::FF:FE00:1
    FEC0:0:0:111::1
R1#
And we confirm that R10 has it in its routing table:
R10#sh ipv6 route
IPv6 Routing Table - default - 28 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   FEC0::/64 [0/0]
     via Serial1/0, directly connected
L   FEC0::A8BB:CCFF:FE00:A00/128 [0/0]
     via Serial1/0, receive
O   FEC0:0:0:100::1/128 [110/64]
     via FE80::FF:FE00:8, Serial1/0
O   FEC0:0:0:100::2/128 [110/128]
     via FE80::FF:FE00:8, Serial1/0
OE2 FEC0:0:0:110::1/128 [110/100]
     via FE80::FF:FE00:8, Serial1/0
OE2 FEC0:0:0:110::2/128 [110/100]
     via FE80::FF:FE00:8, Serial1/0
OE2 FEC0:0:0:111::1/128 [110/100]
     via FE80::FF:FE00:8, Serial1/0
OE2 FEC0:0:0:120::1/128 [110/100]
     via FE80::FF:FE00:8, Serial1/0

R10#ping  FEC0:0:0:111::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:111::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/37/40 ms
R10#
Now that we have the visibility we need, it's time to implement our filtering. We will use a distribute list as before (see part 8). This time it won't go under the EIGRP process, because when we set up IPv6 in part 9 we went in the other direction. The process is the same, but we will set it up on R10 this time:

We start with a prefix-list:
R10#sh run | i prefix
 distribute-list prefix-list deny-111-1 in
ipv6 prefix-list deny-111-1 seq 5 deny FEC0:0:0:111::1/128
ipv6 prefix-list deny-111-1 seq 10 permit ::/0 ge 64
Because we are learning the route as an OSPF external (type 2) route, we need to apply the prefix-list under our OSPF IPv6 process:
ipv6 router ospf 1
 router-id 10.10.10.10
 log-adjacency-changes
 distribute-list prefix-list deny-111-1 in
And now our IPv6 routing table on R10 looks like this:
R10#sh ipv6 route
IPv6 Routing Table - default - 27 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   FEC0::/64 [0/0]
     via Serial1/0, directly connected
L   FEC0::A8BB:CCFF:FE00:A00/128 [0/0]
     via Serial1/0, receive
O   FEC0:0:0:100::1/128 [110/64]
     via FE80::FF:FE00:8, Serial1/0
O   FEC0:0:0:100::2/128 [110/128]
     via FE80::FF:FE00:8, Serial1/0
OE2 FEC0:0:0:110::1/128 [110/100]
     via FE80::FF:FE00:8, Serial1/0
OE2 FEC0:0:0:110::2/128 [110/100]
     via FE80::FF:FE00:8, Serial1/0
OE2 FEC0:0:0:120::1/128 [110/100]
     via FE80::FF:FE00:8, Serial1/0
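The syntax for the permit any statement (seq 10) in our prefix-list is pretty important: without the "ge 64" we won't get any other routes into our routing table. A prefix-list entry with no ge or le matches only the exact prefix length, so a bare ::/0 would match nothing but the default route.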
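
The matching rules behind that statement, as an added example (not part of the original post or of IOS): a small Python model of prefix-list evaluation run over the OSPF routes from R10's table. It models only prefix-list matching (first match wins, implicit deny at the end); the /56 and ::/0 routes and the variant list without "ge 64" are constructed for illustration.

```python
import ipaddress

# Prefix-list from the page (R10), plus a constructed variant without "ge 64".
PAGE_LIST = [
    "ipv6 prefix-list deny-111-1 seq 5 deny FEC0:0:0:111::1/128",
    "ipv6 prefix-list deny-111-1 seq 10 permit ::/0 ge 64",
]
NO_GE_LIST = [PAGE_LIST[0], "ipv6 prefix-list deny-111-1 seq 10 permit ::/0"]

# OSPF routes from R10's table on the page, then two constructed routes.
ROUTES = [
    "FEC0:0:0:100::1/128", "FEC0:0:0:100::2/128", "FEC0:0:0:110::1/128",
    "FEC0:0:0:110::2/128", "FEC0:0:0:111::1/128", "FEC0:0:0:120::1/128",
    "FEC0:0:0:200::/56",  # constructed: shorter than /64
    "::/0",               # constructed: default route
]

def parse_entry(line):
    """Return (seq, action, network, min_len, max_len) for one config line."""
    tok = line.split()
    net = ipaddress.IPv6Network(tok[6], strict=False)
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))
    if not opts:                       # no ge/le: exact prefix length only
        lo = hi = net.prefixlen
    else:                              # ge alone runs up to /128
        lo, hi = opts.get("ge", net.prefixlen), opts.get("le", 128)
    return int(tok[4]), tok[5], net, lo, hi

def evaluate(lines, route):
    """First matching entry in sequence order wins; no match is an implicit deny."""
    r = ipaddress.IPv6Network(route, strict=False)
    for seq, action, net, lo, hi in sorted(map(parse_entry, lines), key=lambda e: e[0]):
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action, seq
    return "deny", None

def accepted(lines, routes=ROUTES):
    """Routes the prefix-list would permit."""
    return [r for r in routes if evaluate(lines, r)[0] == "permit"]

if __name__ == "__main__":
    for name, lines in (("page list", PAGE_LIST), ("without ge 64", NO_GE_LIST)):
        print(name)
        for r in ROUTES:
            print("  %-22s %s" % (r, evaluate(lines, r)))
```

Note that "ge 64" also leaves any prefix shorter than /64, including a default route, to the implicit deny; that makes no difference in this lab, where every OSPF route is a /128.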

And there we have a quick way to implement route filtering in IPv6, and with that the end of our big lab series. I hope you have enjoyed it.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.
