

What you need to know about configuring Cisco IOS firewall services in IPv6

Brandon Carroll explains the adjustments to configuration of firewall services in the Cisco IOS if you're moving from IPv4 to IPv6. It's not as bad as you might think.

As free IPv4 address space runs out, many are turning their attention to IPv6. I find that many are hesitant about the migration because it feels like new ground, but it's not as bad as you may think. Take firewall services as an example. Cisco IOS with IPv4 supports a few alternative ways of configuring a firewall. First, the garden-variety static access list, a numbered extended list applied to an interface with ip access-group:

access-list 101 permit tcp any host 10.1.1.1 eq www

access-list 101 permit tcp any host 10.1.1.1 eq ftp

access-list 101 permit tcp any host 10.1.1.1 eq 22

IPv6 access lists exist on the router as well, but they are always named (there are no numbered IPv6 lists), so they look more like an IPv4 extended named access list, with an optional sequence number on each entry.

IPv6 access list sample (the entries are typed under the ipv6 access-list <name> line that opens the list):

 permit tcp any host 2001:DB9:2:3::3 eq www sequence 10
 permit tcp any host 2001:DB9:2:3::3 eq telnet sequence 20
 permit tcp any host 2001:DB9:2:3::3 eq 22 sequence 30
 permit tcp any host 2001:DB9:2:3::3 eq ftp sequence 40

Applying it is actually a bit more intuitive, since you bind the list to an interface with the ipv6 traffic-filter command rather than the ip access-group command you're likely familiar with. One caveat with no IPv4 counterpart: every IPv6 access list ends with implicit permits for Neighbor Discovery (nd-ns and nd-na) ahead of the implicit deny, and an explicit deny ipv6 any any at the end of your list is matched before those implicit entries, so write the ND permits out yourself if you add a catch-all deny.
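As an added example (not from the original article), here is a complete named IPv6 access list applied with ipv6 traffic-filter, doing for one server what the numbered IPv4 list above does with ip access-group. The list name, interface, and addresses are chosen for illustration, and the 2001:db8::/32 prefix is used because it is reserved for documentation. Because an explicit deny ipv6 any any overrides the implicit Neighbor Discovery permits at the end of every IPv6 list, the ND entries are written out above the logging deny, and packet-too-big is allowed so Path MTU Discovery to the server keeps working.

```cisco
! Added example, not from the original article. Names, interface and
! addresses are illustrative; 2001:db8::/32 is the documentation prefix.
ipv6 access-list SERVER-IN
 remark Inbound from the WAN toward the server 2001:DB8:2:3::3
 permit tcp any host 2001:DB8:2:3::3 eq www sequence 10
 permit tcp any host 2001:DB8:2:3::3 eq 443 sequence 20
 permit tcp host 2001:DB8:FFFF::10 host 2001:DB8:2:3::3 eq 22 sequence 30
 remark IPv6 routers never fragment, so PMTUD needs packet-too-big
 permit icmp any host 2001:DB8:2:3::3 packet-too-big sequence 40
 remark Neighbor Discovery with the WAN neighbor. The implicit nd-ns/nd-na
 remark permits come AFTER the explicit deny below, so they are spelled out
 remark here; leave them out and ND on this link breaks.
 permit icmp any any nd-ns sequence 50
 permit icmp any any nd-na sequence 60
 deny ipv6 any any log sequence 100
!
interface GigabitEthernet0/1
 description WAN
 ipv6 address 2001:DB8:FFFF::1/64
 ipv6 traffic-filter SERVER-IN in
!
! Verification (exec mode):
!   show ipv6 access-list SERVER-IN         per-entry match counters
!   show ipv6 interface GigabitEthernet0/1  confirms the filter is bound
```

After generating some traffic, the match counters from show ipv6 access-list tell you which entries are actually being hit; a rising count on the final deny with log enabled is the quickest way to spot something you forgot to permit.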

IOS also has reflexive access lists. For IPv4, outbound TCP from 10.1.1.0/24 creates a temporary entry in the tcptraffic list, and the evaluate line in the inbound list admits only the matching return traffic:

ip access-list extended inboundfilter
 permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 evaluate tcptraffic
!
ip access-list extended outboundfilter
 permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
!
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group inboundfilter in
 ip access-group outboundfilter out

Reflexive access lists are available in IPv6 as well, and once again there is not much difference:

ipv6 access-list inboundfilter
 permit icmp host 2001:db8:1::F host 2001:db9:2::2
 evaluate tcptraffic
!
ipv6 access-list outboundfilter
 permit tcp any any reflect tcptraffic
 permit icmp any any
!
interface Ethernet0/1
 ipv6 address 2001:db9:1::1/64
 ipv6 traffic-filter inboundfilter in
 ipv6 traffic-filter outboundfilter out

There's also good old Context-Based Access Control (CBAC), also known as the classic IOS Firewall.

For IPv4 it looks something like the following (access lists 101 and 102 are not shown):

ip inspect name FW tcp
!
interface Ethernet0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 101 in
 ip inspect FW in
!
interface Serial0.1 point-to-point
 ip address 10.10.11.2 255.255.255.252
 ip access-group 102 in
 frame-relay interface-dlci 200 IETF
!

For IPv6 it's essentially the same, except that the inspection rule and its interface binding use the ipv6 inspect form; ip inspect only ever sees IPv4 packets, so applying it to an interface does nothing for the IPv6 traffic there:

ipv6 inspect name FW tcp
!
interface Ethernet0
 ipv6 address 2001:db9:1::1/64
 ipv6 traffic-filter inboundfilter in
 ipv6 inspect FW in
!
interface Serial0.1 point-to-point
 ipv6 address 2001:db9:2::A/64
 ipv6 traffic-filter outboundfilter in
 frame-relay interface-dlci 200 IETF
!

And finally there are zone-based firewalls. For IPv4 and IPv6 these look alike as well; note that the interfaces must join the zones the policy actually defines, inside and outside here:

class-map type inspect match-any MYPROTOS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect OUTBOUND
 class type inspect MYPROTOS
  inspect
!
zone security inside
zone security outside
!
zone-pair security IN>OUT source inside destination outside
 service-policy type inspect OUTBOUND
!
interface fastethernet0/0
 zone-member security inside
!
interface fastethernet0/1
 zone-member security outside
!

For the above policy, you can put IPv4 addresses, IPv6 addresses, or both on the two interfaces. TCP and UDP are unchanged on top of either IP version, so the same inspect policy covers both stacks on an IOS release that supports IPv6 in the zone-based firewall (15.1(2)T and later). ICMPv6 is a separate protocol from ICMPv4 (IP protocol 58) and carries Neighbor Discovery, so after enabling IPv6 confirm with show policy-map type inspect zone-pair sessions that IPv6 flows are actually being inspected. Traffic to and from the router's own addresses belongs to the self zone and is not subject to this zone-pair, so ND and router advertisements on each link are unaffected.
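The policy above on a dual-stack router, as an added example that is not from the original article. Zone-pair name, interface names and addresses are chosen for illustration (192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges), and it assumes a release with IPv6 support in the zone-based firewall. It adds an explicit drop for the class-default so anything not matched by MYPROTOS is logged, and it deliberately defines no outside-to-inside zone-pair, so only return traffic for inspected sessions gets back in.

```cisco
! Added example, not from the original article. Names and addresses are
! illustrative; requires IPv6 support in the zone-based firewall.
class-map type inspect match-any MYPROTOS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect OUTBOUND
 class type inspect MYPROTOS
  inspect
 class class-default
  drop log
!
zone security inside
zone security outside
!
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect OUTBOUND
!
! No outside->inside zone-pair: unsolicited traffic from the WAN is dropped
! for both address families; replies to inspected sessions are let back in.
!
interface GigabitEthernet0/0
 description LAN, dual stack
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:DB8:1::1/64
 zone-member security inside
!
interface GigabitEthernet0/1
 description WAN, dual stack
 ip address 198.51.100.2 255.255.255.252
 ipv6 address 2001:DB8:FFFF::2/64
 zone-member security outside
!
! Verification (exec mode), after generating IPv4 and IPv6 traffic from the LAN:
!   show zone-pair security
!   show policy-map type inspect zone-pair IN-OUT sessions
```

The sessions output lists each inspected flow with its addresses, so an IPv6 session appearing next to the IPv4 ones is the proof that the policy is really covering both stacks rather than just the one you tested first.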

All in all, these are quick, basic examples that illustrate one thing: the configuration of firewall services on a Cisco IOS device doesn't differ much between IPv4 and IPv6. Keep in mind, though, that ip access-group and ip inspect never touch IPv6 packets, so the moment an interface gets an ipv6 address it needs its own ipv6 traffic-filter or inspection policy, or that half of the dual stack is unfiltered. So lab it up, get comfortable with the addressing, begin your migration with a dual-stack deployment, and add the firewall services once you're comfortable.

About

Brandon Carroll, CCIE #23837, is an IT Director, Blogger, Podcaster, and Mac Enthusiast. Brandon has nearly 15 years in the networking industry consulting for large and small enterprise and service provider networks.
