One of the first things you have to do before adding IPv6 addresses to a router is to protect its management plane. A simple way to implement part of that is to define an ACL (access list) and apply it under the relevant terminal lines (VTYs), so that only permitted source addresses can open a management session at all.
In IOS it's quite simple:
one ACL for IPv4 and one ACL for IPv6, which cannot share the same name.
! IOS
!----
ip access-list extended IPV4-VTY-ACL
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any log
!
ipv6 access-list IPV6-VTY-ACL
 permit ipv6 2001:DB8::/32 any
 deny ipv6 any any log
!
line vty 0 10
 access-class IPV4-VTY-ACL in
 ipv6 access-class IPV6-VTY-ACL in
!
In IOS-XR it gets a little bit tricky:
one ACL for IPv4 and one ACL for IPv6, which must share the same name, because "access-class ingress" under "line default" takes a single name and applies it to both address families.
! IOS-XR
!-------
ipv4 access-list VTY-ACL
 10 permit ipv4 10.0.0.0 0.0.0.255 any
 20 deny ipv4 any any log
!
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny ipv6 any any log
!
vty-pool default 0 10
line default
 access-class ingress VTY-ACL
!
OK, so you think this is good because it saves you typing.
You then expect the same behaviour when viewing the ACLs. Bad luck: "show access-lists VTY-ACL" without an address-family keyword shows only the IPv4 ACL, so you still have to use the "ipv6" keyword in order to view the IPv6 ACL.
RP/0/RSP0/CPU0:ASR#sh access-lists VTY-ACL
ipv4 access-list VTY-ACL
 10 permit ipv4 10.0.0.0 0.0.0.255 any
 20 deny ipv4 any any log

RP/0/RSP0/CPU0:ASR#sh access-lists ipv4 VTY-ACL
ipv4 access-list VTY-ACL
 10 permit ipv4 10.0.0.0 0.0.0.255 any
 20 deny ipv4 any any log

RP/0/RSP0/CPU0:ASR#sh access-lists ipv6 VTY-ACL
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny ipv6 any any log
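The IOS and IOS-XR configurations above, and the "show access-lists" quirk, both come down to the same question: for a given ACL name, which address families actually have an ACL defined, and which management sources does each one let through? The script below is an added example, not code from the original post or from Cisco. It parses the access-list blocks of both dialects (with or without sequence numbers, IPv4 address-plus-wildcard or prefix notation, IPv6 prefixes), keys them by (family, name) because IOS-XR lets an IPv4 and an IPv6 ACL share a name, and evaluates sample source addresses with first-match semantics and the implicit deny. The sample texts, the source addresses and the function names (wildcard_to_network, parse_access_lists, evaluate, audit_vty_acl) are all constructed for this example; for access-class only the source is checked, since the destination is the router itself.

```python
"""Audit VTY access-lists from IOS / IOS-XR configs or 'show access-lists' output.

Added example (not from the original post): parses both dialects, reports which
address families carry a given ACL name, and evaluates sample source addresses.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# 'ip access-list extended NAME' (IOS), 'ipv4 access-list NAME' (IOS-XR), 'ipv6 access-list NAME' (both)
_HEADER = re.compile(r"^(ipv4|ip|ipv6) access-list (?:extended |standard )?(\S+)$")


@dataclass
class Entry:
    seq: Optional[int]      # IOS-XR prints sequence numbers, plain IOS config does not
    action: str             # 'permit' or 'deny'
    src: Network
    dst: Network
    log: bool


@dataclass
class Acl:
    family: int             # 4 or 6
    name: str
    entries: List[Entry] = field(default_factory=list)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IPv4 'address wildcard' pair (inverse mask) into a network.

    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) map to one prefix;
    a discontiguous wildcard is rejected instead of being silently mis-parsed.
    """
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_network(tokens: List[str], family: int) -> Network:
    """Consume one source/destination specifier from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    if family == 6 or "/" in tok:          # prefix notation (IPv6, or IOS-XR IPv4)
        return ipaddress.ip_network(tok, strict=False)
    return wildcard_to_network(tok, tokens.pop(0))   # classic IPv4 address + wildcard


def parse_access_lists(text: str) -> Dict[Tuple[int, str], Acl]:
    """Parse every access-list block in config or 'show access-lists' text, keyed by (family, name)."""
    acls: Dict[Tuple[int, str], Acl] = {}
    current: Optional[Acl] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = _HEADER.match(line)
        if header:
            family = 6 if header.group(1) == "ipv6" else 4
            current = Acl(family, header.group(2))
            acls[(family, current.name)] = current
            continue
        tokens = line.split()
        is_entry = tokens[0] in ("permit", "deny") or tokens[0].isdigit()
        if current is None or not is_entry:
            current = None          # a prompt, 'line vty', etc. ends the ACL block
            continue
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
        action = tokens.pop(0)
        tokens.pop(0)               # protocol keyword: ip / ipv4 / ipv6
        src = _take_network(tokens, current.family)
        dst = _take_network(tokens, current.family)
        current.entries.append(Entry(seq, action, src, dst, "log" in tokens))
    return acls


def evaluate(acl: Acl, source: str) -> str:
    """First-match verdict for a source address; anything unmatched hits the implicit deny."""
    addr = ipaddress.ip_address(source)
    if addr.version != acl.family:
        raise ValueError(f"{source} is not IPv{acl.family}")
    for entry in acl.entries:
        if addr in entry.src:
            return entry.action
    return "deny"


def audit_vty_acl(text: str, name: str, sources: List[str]) -> Tuple[List[int], Dict[str, str]]:
    """Families that define ACL `name`, plus a verdict per source ('no-acl' = that family is unfiltered)."""
    acls = parse_access_lists(text)
    families = sorted(family for (family, acl_name) in acls if acl_name == name)
    verdicts: Dict[str, str] = {}
    for source in sources:
        acl = acls.get((ipaddress.ip_address(source).version, name))
        verdicts[source] = "no-acl" if acl is None else evaluate(acl, source)
    return families, verdicts


# Constructed sample in IOS-XR 'show' form (prompts included, as a capture would have them).
IOSXR_SHOW = """\
RP/0/RSP0/CPU0:ASR#sh access-lists ipv4 VTY-ACL
ipv4 access-list VTY-ACL
 10 permit ipv4 10.0.0.0 0.0.0.255 any
 20 deny ipv4 any any log
RP/0/RSP0/CPU0:ASR#sh access-lists ipv6 VTY-ACL
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny ipv6 any any log
"""

# Constructed sample in IOS form: one name per family, no sequence numbers.
IOS_CONFIG = """\
ip access-list extended IPV4-VTY-ACL
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any log
!
ipv6 access-list IPV6-VTY-ACL
 permit ipv6 2001:DB8::/32 any
 deny ipv6 any any log
!
line vty 0 10
 access-class IPV4-VTY-ACL in
 ipv6 access-class IPV6-VTY-ACL in
"""

if __name__ == "__main__":
    probes = ["10.0.0.7", "10.0.1.7", "2001:db8:1::1", "2001:db9::1"]
    print("IOS-XR VTY-ACL:", audit_vty_acl(IOSXR_SHOW, "VTY-ACL", probes))
    print("IOS IPV4-VTY-ACL:", audit_vty_acl(IOS_CONFIG, "IPV4-VTY-ACL", probes))
```

Run against the IOS-XR capture, the audit reports families [4, 6] for VTY-ACL and permits only the 10.0.0.0/24 and 2001:DB8::/32 sources; run against the IOS config with the IPv4 name, it reports only family 4 and flags the IPv6 probes as "no-acl", which is exactly the case the separate "ipv6 access-class" line exists to cover.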