[c-nsp] Handling the inbound ACL's with dynamic pd ipv6 prefix from the ISP

Per Carlson pelle at hemmop.com
Thu Dec 9 15:43:23 EST 2010


Hi George.

>> My suggestion is to put all those hosts with public accessible
>> services on one subnet, and all clients on another subnet. You can
>> then have different ACL's protecting the different subnets (allow any
>> -> tcp/80 on the www-server subnet, deny any on the client subnet). If
>> you would like to (and have enough subnets) you can put the www-server
>> on one subnet and a ftp-server on another as well.
>
> The problem is that the pd assigned from the ISP is not static!
> So how can you set ACL rules with a dynamic prefix?
>
> The assignment you say may be used but still you cannot define the
> www-server subnet on the ACL because you cannot know what the subnet
> will be!

No, you don't know the subnet, but that's not a problem. Here's a
partial config assuming a /56 PD:

int fa0
  ! WAN: learn the delegated prefix via DHCPv6-PD and store it under
  ! the general-prefix name PREFIX
  ipv6 dhcp client pd PREFIX

int fa1
  ! www-server subnet: the router fills in the high 56 bits from PREFIX,
  ! the ::1 subnet number comes from this line
  ipv6 address PREFIX 0:0:0:1::/64 eui-64
  ! "out" on a LAN interface filters what the router forwards toward the
  ! hosts, i.e. traffic that arrived from the Internet
  ipv6 traffic-filter WWW-SERVER out

int fa2
  ! clients subnet
  ipv6 address PREFIX 0:0:0:2::/64 eui-64
  ipv6 traffic-filter CLIENTS out

ipv6 access-list WWW-SERVER
  permit tcp any any eq 80
  ! an explicit "deny ipv6 any any" replaces the implicit neighbor
  ! discovery permits, so allow ND explicitly before it
  permit icmp any any nd-ns
  permit icmp any any nd-na
  deny ipv6 any any

ipv6 access-list CLIENTS
  permit icmp any any nd-ns
  permit icmp any any nd-na
  deny ipv6 any any


Yes, the subnets need to live on separate interfaces, physical or
logical, for easy filtering.

Note: This config is PARTIAL and parts of it won't work at all! For
example, the client subnet will have little connectivity :-)

>> > Is there a way to allow some services to internal hosts without
>> > exposing everything to the internet?
>>
>> Yes, use ULAs (RFC4193).
>
> I actually meant how to set the ACL in order to allow access to only one
> host and not the whole range. Why would you use ULAs?

ULAs are a great way to run internal services without worries. As
long as you ingress filter fc00::/7 on the WAN link you are safe.
Having multiple IPv6 addresses on an interface opens up a lot of new
possibilities!

-- 
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.
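The following is an added example, not part of the original post and not Cisco code. It reproduces in Python what the "general prefix" lines in the config above do (OR the dynamically delegated prefix with a locally chosen subnet number), so you can see why the www-server subnet stays filterable even though the ISP may renumber you, and it rejects subnet numbers that would not fit a shorter delegation. It also implements the RFC 4193 ULA prefix generation and the fc00::/7 WAN ingress check from the last paragraph. The delegated prefix (documentation space 2001:db8::/32), the MAC address and the NTP timestamp are constructed sample values.

```python
# Added example (not from the original post or from Cisco): general-prefix
# arithmetic for a DHCPv6-PD prefix, RFC 4193 ULA generation, and a
# fc00::/7 WAN ingress check. All sample values are constructed.
import hashlib
import ipaddress
import struct

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 ULA block


def general_prefix_subnet(delegated: str, subnet_id: str,
                          plen: int = 64) -> ipaddress.IPv6Network:
    """Emulate 'ipv6 address PREFIX 0:0:0:1::/64': OR the learned delegated
    prefix with the locally chosen subnet bits and return the /plen subnet.

    Raises ValueError when subnet_id sets bits the ISP owns (above the PD
    length) or bits below the /plen boundary, which is the case where a
    shorter or renumbered delegation would silently break the plan."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    sub = int(ipaddress.IPv6Address(subnet_id))
    pd_host_bits = (1 << (128 - pd.prefixlen)) - 1  # bits we may choose
    if sub & ~pd_host_bits:
        raise ValueError(f"{subnet_id} overlaps the delegated /{pd.prefixlen}")
    if sub & ((1 << (128 - plen)) - 1):
        raise ValueError(f"{subnet_id} sets bits below the /{plen} boundary")
    return ipaddress.IPv6Network((int(pd.network_address) | sub, plen))


def subnet_fits(delegated: str, subnet_id: str) -> bool:
    """True if subnet_id can be combined with the given delegation."""
    try:
        general_prefix_subnet(delegated, subnet_id)
    except ValueError:
        return False
    return True


def rfc4193_ula_prefix(mac: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = least significant 40 bits of
    SHA-1(64-bit NTP time || EUI-64); the /48 prefix is fd00::/8 with the
    Global ID in bits 8..47. The EUI-64 is built from the MAC as in
    RFC 4291 (u/l bit flipped, ff:fe inserted)."""
    if len(mac) != 6:
        raise ValueError("need a 48-bit MAC address")
    eui64 = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # low 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def wan_ingress_allowed(src: str, dst: str) -> bool:
    """The WAN ingress filter the post recommends: a packet arriving on the
    Internet-facing link with a ULA source or destination is dropped."""
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    return s not in ULA_RANGE and d not in ULA_RANGE


if __name__ == "__main__":
    # Constructed sample values: documentation prefix, made-up MAC and time.
    pd = "2001:db8:abcd:1200::/56"
    for sid in ("0:0:0:1::", "0:0:0:2::", "0:0:0:ff::"):
        print(sid, "->", general_prefix_subnet(pd, sid))
    # Under a /60 delegation only subnet numbers 0..f are available
    print("0:0:0:ff:: fits a /60?",
          subnet_fits("2001:db8:abcd:1230::/60", "0:0:0:ff::"))
    ula = rfc4193_ula_prefix(b"\x00\x1b\x21\xaa\xbb\xcc", 0xC2A9D3B600000000)
    print("ULA /48:", ula)
    print("WAN ingress to a ULA host allowed?",
          wan_ingress_allowed("2001:db8::1", str(ula.network_address) + "1"))
```

Run it with the delegation your ISP actually hands out; the ValueError path is what tells you whether the subnet numbers you hard-coded under PREFIX survive a move from a /56 to a /60.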
