
Lab ID: 10.1116A326.DHI2.

Configuring IPv6 ACLs


Objective
Learn how to configure an IP version 6 (IPv6) access control list (ACL) and verify operation using Ping and
Telnet.

Lab Topology
The topology diagram below represents the NetMap in the Simulator.

Command Summary
Command
    Description
configure terminal
    enters global configuration mode from privileged EXEC mode
deny tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [eq {port | protocol}]
    is used to set deny conditions for an IPv6 access list
enable
    enters privileged EXEC mode
end
    ends and exits configuration mode
exit
    exits one level in the menu structure
interface type number
    changes from global configuration mode to interface configuration mode

1 Boson NetSim Lab Manual


ipconfig /ipv6 ipv6-address
    is used in NetSim to assign an IPv6 address and subnet mask to a workstation interface
ipv6 access-list access-list-name
    defines an IPv6 access list and places the device in IPv6 access list configuration mode
ipv6 traffic-filter access-list-name {in | out}
    is used to filter incoming or outgoing IPv6 traffic on an interface
permit ipv6 any any
    sets permit conditions for an IPv6 access list
ping ip-address
    sends an Internet Control Message Protocol (ICMP) echo request to the specified address
show ipv6 access-list
    displays the contents of all current IPv6 access lists
show running-config
    displays the active configuration file
telnet ip-address
    starts the terminal emulation program from a PC, router, or switch; permits you to access devices remotely over the network

The IPv6 addresses and subnet masks used in this lab are shown in the table below:

IP Addresses
Device     IPv6 Address
Router1    2001:DB8:1:1::1/64
PC1        2001:DB8:1:1::2/64
PC2        2001:DB8:1:1::3/64

Lab Tasks
Task 1: Configure an IPv6 ACL that Controls Telnet Traffic
This task involves configuring an IPv6 access list that allows Telnet traffic from PC1 and that blocks Telnet
traffic from PC2.
1. On PC1, configure the appropriate IPv6 address; refer to the IP Addresses table.

2. On PC2, configure the appropriate IPv6 address.

3. On PC1 and PC2, ping Router1’s IPv6 address (2001:DB8:1:1::1) to verify connectivity between the
PCs and Router1. The pings should be successful.

4. From PC1 and PC2, attempt to telnet to Router1 (2001:DB8:1:1::1). The Telnet sessions should
succeed. Exit the Telnet sessions.

5. On Router1, display the IPv6 access lists. How many ACLs are currently configured on Router1? _



6. On Router1, configure an IPv6 ACL named block_telnet to block access from PC2
(2001:DB8:1:1::3) via Telnet and to permit all other IPv6 traffic.

7. On Router1, apply the block_telnet ACL to the FastEthernet 1/0 interface inbound.

8. On Router1, verify your configuration.

9. On PC1 and PC2, ping Router1 (2001:DB8:1:1::1) to verify connectivity between the PCs and
Router1. The pings should be successful.

10. On PC1, verify Telnet connectivity from PC1 to Router1 (2001:DB8:1:1::1). Exit the Telnet session.

11. From PC2, attempt to telnet to Router1 (2001:DB8:1:1::1). The Telnet session should fail.

12. On Router1, display the IPv6 access lists; observe the matches logged in the ACL statements.

Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.



Lab Solutions
Task 1: Configure an IPv6 ACL that Controls Telnet Traffic
1. On PC1, issue the following command to configure the appropriate IPv6 address:

C:>ipconfig /ipv6 2001:DB8:1:1::2/64

2. On PC2, issue the following command to configure the appropriate IPv6 address:

C:>ipconfig /ipv6 2001:DB8:1:1::3/64

3. From PC1 and PC2, pings to Router1 (2001:DB8:1:1::1) should be successful.

C:>ping 2001:DB8:1:1::1

4. From PC1 and PC2, issue the following commands to attempt to telnet to Router1 (2001:DB8:1:1::1)
and to then exit the Telnet sessions. The Telnet sessions should succeed. The following is sample
output from PC1:

C:>telnet 2001:DB8:1:1::1
Password: boson
Router1>exit
[Connection to 2001:DB8:1:1::1 closed by foreign host]

5. On Router1, issue the following command to display the IPv6 access lists:

Router1#show ipv6 access-list

There are no ACLs currently configured on Router1.

6. On Router1, you should issue the following commands to configure the block_telnet IPv6 ACL that
blocks PC2 IPv6 Telnet traffic and permits all other IPv6 traffic:

Router1#configure terminal
Router1(config)#ipv6 access-list block_telnet
Router1(config-ipv6-acl)#deny tcp host 2001:DB8:1:1::3 any eq telnet
Router1(config-ipv6-acl)#permit ipv6 any any

7. On Router1, you should issue the following commands to apply the block_telnet ACL inbound
on the FastEthernet 1/0 interface:

Router1(config-ipv6-acl)#interface fastethernet 1/0
Router1(config-if)#ipv6 traffic-filter block_telnet in



8. On Router1, you should issue the following command to verify your configuration on the
FastEthernet 1/0 interface.

Router1#show running-config interface fastethernet 1/0
Building configuration...
Current configuration : 165 bytes
!
interface FastEthernet1/0
 ip address 10.1.0.1 255.255.255.0
 no ip directed-broadcast
 ipv6 address 2001:DB8:1:1::1/64
 ipv6 traffic-filter block_telnet in
end

9. From PC1 and PC2, pings to Router1 (2001:DB8:1:1::1) should be successful.

C:>ping 2001:DB8:1:1::1

10. On PC1, you should issue the following commands to verify Telnet connectivity from PC1 to Router1
and exit the Telnet session:

C:>telnet 2001:DB8:1:1::1
Password: boson
Router1>exit
[Connection to 2001:DB8:1:1::1 closed by foreign host]

11. On PC2, you should issue the following command to attempt a Telnet session to Router1. The Telnet
session should fail.

C:>telnet 2001:DB8:1:1::1
Trying 10.10.0.1 ...
% Destination unreachable; gateway or host down

12. On Router1, you should issue the following command to display the IPv6 access lists and to observe
matches to the ACL statements. Sample output is shown below:

Router1#show ipv6 access-list
IPv6 access list block_telnet
    deny tcp host 2001:DB8:1:1::3 any eq telnet (1 matches) sequence 10
    permit ipv6 any any (3 matches) sequence 20
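
The first-match evaluation behind the counters in step 12, as an added example that is not part of the original lab manual: a Python model (not IOS code) that replays steps 9 through 11 against block_telnet and against the same entries in the wrong order. The names evaluate, run_lab and MISORDERED, and the one-packet-per-action replay, are assumptions made for illustration.

```python
import ipaddress

TELNET = 23  # the IOS keyword "telnet" is TCP port 23
PC1, PC2 = "2001:DB8:1:1::2", "2001:DB8:1:1::3"

# The lab's ACL as (sequence, action, protocol, source prefix, destination port).
# The destination is "any" in both entries, so it is not modelled.
BLOCK_TELNET = [
    (10, "deny", "tcp", "2001:DB8:1:1::3/128", TELNET),
    (20, "permit", "ipv6", "::/0", None),
]
# Hypothetical misordering: the broad permit comes first and shadows the deny.
MISORDERED = [
    (10, "permit", "ipv6", "::/0", None),
    (20, "deny", "tcp", "2001:DB8:1:1::3/128", TELNET),
]

def evaluate(acl, counters, src, proto, dport=None):
    """Return the action of the first matching entry and count the hit."""
    src = ipaddress.IPv6Address(src)
    for seq, action, acl_proto, prefix, acl_port in sorted(acl, key=lambda e: e[0]):
        if acl_proto not in ("ipv6", proto):       # "ipv6" matches every protocol
            continue
        if src not in ipaddress.IPv6Network(prefix):
            continue
        if acl_port is not None and acl_port != dport:
            continue
        counters[seq] = counters.get(seq, 0) + 1
        return action
    # Implicit deny at the end of every ACL. IOS also implicitly permits
    # neighbor discovery (nd-na, nd-ns) before it; that is not modelled here.
    return "deny"

def run_lab(acl):
    """Replay steps 9-11 with one constructed packet per action."""
    counters = {}
    results = {
        "pc1_ping": evaluate(acl, counters, PC1, "icmp"),
        "pc2_ping": evaluate(acl, counters, PC2, "icmp"),
        "pc1_telnet": evaluate(acl, counters, PC1, "tcp", TELNET),
        "pc2_telnet": evaluate(acl, counters, PC2, "tcp", TELNET),
    }
    return results, counters

if __name__ == "__main__":
    for name, acl in (("block_telnet", BLOCK_TELNET), ("misordered", MISORDERED)):
        print(name, *run_lab(acl))
```

With the entries in the lab's order, only PC2's Telnet attempt hits sequence 10; with the order swapped, sequence 20 never matches and PC2's Telnet session is permitted.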



Sample Configuration Script
Router1
Router1#show running-config
Building configuration...
Current configuration : 737 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router1
!
ip subnet-zero
!
ip cef
no ip domain-lookup
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface FastEthernet1/0
 no ip address
 no ip directed-broadcast
 ipv6 address 2001:DB8:1:1::1/64
 ipv6 traffic-filter block_telnet in
!
ip classless
no ip http server
!
ipv6 access-list block_telnet
 deny tcp host 2001:DB8:1:1::3 any eq telnet
 permit ipv6 any any
!
line con 0
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end

Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.
