Assignment 4: Router Security

Now that you have successfully configured IPv6 on your router, management access is also possible via IPv6.  This means that anyone on the IPv6 Internet could potentially telnet or SSH to your router.

As a knowledgeable network administrator you understand that this is a huge security problem that needs to be fixed immediately.

For this exercise, we will configure a basic filter that allows only your own addresses to access the router.

  1. Configure a new IPv6 access-list that only allows access to your router for snmp (udp 161), telnet (tcp 23) and ssh (tcp 22) from the /60 that is assigned to you. All other attempts to access your router over IPv6 should be blocked.

In the real world, Telnet is an insecure plain-text protocol.  Avoid enabling Telnet in your networks.  We leave it in only for the sake of the access-list configuration exercise.  Also, rather than the entire /60, you may want to allow access only from the small set of IPv6 addresses your network administrators use.

Configuration

First we'll create the IPv6 access-list. Make sure to use your own correct IPv6 /60 prefix, or you will lock yourself out of the router.

Configuration Template:

! -- Declare IPv6 management access-list
! -- Entries are matched top to bottom; anything not permitted here is
! -- dropped by the implicit "deny ipv6 any any" at the end of the list
!
ipv6 access-list v6-management
permit udp <Assigned IPv6 Prefix/60> any eq snmp
permit tcp <Assigned IPv6 Prefix/60> any eq telnet
permit tcp <Assigned IPv6 Prefix/60> any eq 22

Configuration Example (Group 1):

! -- Declare IPv6 management access-list
!
ipv6 access-list v6-management
permit udp 2607:F8F0:690:10::/60 any eq snmp
permit tcp 2607:F8F0:690:10::/60 any eq telnet
permit tcp 2607:F8F0:690:10::/60 any eq 22

Then apply the access-list to the router's virtual terminal (VTY) lines as shown below, so that the filter protects the router's management sessions.

Configuration Template:

!-- Apply IPv6 access-list to virtual terminal lines
!-- access-class filters VTY sessions (telnet/ssh) only; SNMP is not a
!-- VTY service, so the udp/161 entry only takes effect if the same list
!-- is also referenced in the snmp-server community configuration
!
line vty 0 15
ipv6 access-class v6-management in

Verify with:

  • You should be able to IPv6 telnet and ssh to your router from your VM client machine.
  • Ask your neighbours to check that they are no longer able to access your router over IPv6.
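As an added offline check for the steps above (example code written for this page, not part of the assignment or of Cisco IOS), the following Python models how IOS evaluates the v6-management list top to bottom with its implicit final deny, using the Group 1 prefix as a constructed value, so you can see which sources will keep SSH access before the list is applied to the VTY lines:

```python
import ipaddress

# Constructed values matching the Group 1 example: the assigned /60 and the
# three management services the assignment permits (IOS port keywords).
ASSIGNED_PREFIX = ipaddress.IPv6Network("2607:F8F0:690:10::/60")
PORT_KEYWORDS = {"snmp": 161, "telnet": 23}

# One tuple per ACL entry, in the order the lines appear in the access-list.
V6_MANAGEMENT_ACL = [
    ("udp", ASSIGNED_PREFIX, PORT_KEYWORDS["snmp"]),    # permit udp <prefix> any eq snmp
    ("tcp", ASSIGNED_PREFIX, PORT_KEYWORDS["telnet"]),  # permit tcp <prefix> any eq telnet
    ("tcp", ASSIGNED_PREFIX, 22),                       # permit tcp <prefix> any eq 22
]


def acl_permits(src, proto, dport, acl=V6_MANAGEMENT_ACL):
    """True if an entry matches (protocol, source prefix, destination port).

    Entries are evaluated top to bottom and the first match wins; a packet
    that matches nothing falls through to the implicit 'deny ipv6 any any'.
    """
    src_addr = ipaddress.IPv6Address(src)
    for entry_proto, entry_prefix, entry_port in acl:
        if proto == entry_proto and src_addr in entry_prefix and dport == entry_port:
            return True
    return False  # implicit deny at the end of every IOS IPv6 ACL


def locked_out(admin_hosts, acl=V6_MANAGEMENT_ACL):
    """Admin hosts that would lose SSH access once the list is applied.

    Run this with the addresses you manage from before 'ipv6 access-class'
    is configured: a wrong prefix shows up here instead of on a dead VTY.
    """
    return [h for h in admin_hosts if not acl_permits(h, "tcp", 22, acl)]


if __name__ == "__main__":
    # Inside the /60 (the last hex digit of the 4th hextet selects one of
    # the sixteen /64s within it): permitted.
    print(acl_permits("2607:F8F0:690:1F::10", "tcp", 22))   # True
    # Adjacent /60 of the same /48: denied, even though it looks similar.
    print(acl_permits("2607:F8F0:690:20::10", "tcp", 22))   # False
    # Right source, wrong service: caught by the implicit deny.
    print(acl_permits("2607:F8F0:690:10::10", "tcp", 80))   # False
    print(locked_out(["2607:F8F0:690:10::1", "2001:db8::1"]))  # ['2001:db8::1']
```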