How to deny web access from a host to a server in an IPv6 network
The most popular, and one of the most important, simulations in the CCNA exam is the access-list question, where candidates are asked to deny web access from a PC to a certain server while making sure that all other forms of access are still allowed for that PC and for other connected users. In this demonstration, I will show how to use an IPv6 access-list to solve this Cisco exam question. Let's jump in!
Our network topology has a single Cisco 2811 router, a 2960 LAN switch, two PCs and a server. See below:
>>PC0 should have web access to server0.
>>No other PC on the LAN should have web access to server0.
>>Because there are other services available on the network, all other forms of access from hosts on the LAN to server0 should be permitted.
>>Setup to be accomplished using IPv6.
To implement an IPv6 access-list on our network, first we have to enable IPv6 unicast-routing on the router and configure the interfaces with IPv6 addresses. The server sits on the 2000::/64 subnet and the PCs on 2001::/64; the interface names below are placeholders, since the original only shows the address commands. See below:
TimiGate(config)#ipv6 unicast-routing
TimiGate(config)#interface <server-facing interface>
TimiGate(config-if)#ipv6 address 2000::1/64
TimiGate(config-if)#interface <LAN-facing interface>
TimiGate(config-if)#ipv6 address 2001::1/64
Now, we configure the IPv6 access-list. Note that in an IPv6 access-list the "match everything" keyword is ipv6, not ip:
TimiGate(config)#ipv6 access-list cisco
TimiGate(config-ipv6-acl)#permit tcp host 2001::2 host 2000::2 eq www (this line permits PC0 web access to server0)
TimiGate(config-ipv6-acl)#deny tcp any host 2000::2 eq www (this line denies web access from any other host to server0)
TimiGate(config-ipv6-acl)#permit ipv6 any any (this line permits all other forms of traffic from any PC to any PC, including server0)
Next, we apply the access-list to the interface connecting to the server, in the outbound direction (again, the interface name is a placeholder):
TimiGate(config)#interface <server-facing interface>
TimiGate(config-if)#ipv6 traffic-filter cisco out
To verify, open the web browser on PC0 and type in the IPv6 address of server0. It should be successful. Next, go to PC1 and repeat the same: PC1 should not be able to reach server0 via the web browser. Finally, while still on PC1, send an ICMP echo request (ping) to server0. It should be successful.
To see packets being matched by the access-list, use the command show ipv6 access-list. See below:
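As an added illustration (not part of the original lab, and not Cisco's code), the following Python script models how IOS evaluates the access-list above: top-down, first match wins, and after the configured entries come the implicit entries that every IPv6 access-list carries (permit for neighbour-discovery NS/NA messages, then deny ipv6 any any). The PC1 address 2001::3 and the extra SSH flow are constructed for the test; the script also shows why the permit for PC0 must come before the deny, and why the final permit ipv6 any any cannot be left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known port names accepted by IOS after "eq" (subset).
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # e.g. "echo-request", "nd-ns", "nd-na"

@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp" or "ipv6" (any protocol)
    src: str                          # "any", "host <addr>" or "<prefix>/<len>"
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

def parse_entry(line: str) -> Entry:
    """Parse one IOS-style IPv6 ACL entry, e.g. 'permit tcp host 2001::2 host 2000::2 eq www'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    pos = 2

    def take_addr() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return "host " + tok[pos - 1]
        pos += 1
        return tok[pos - 1]           # prefix form such as 2001::/64

    src, dst = take_addr(), take_addr()
    dport = icmp_type = None
    if pos < len(tok) and tok[pos] == "eq":
        name = tok[pos + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    elif pos < len(tok) and proto == "icmp":
        icmp_type = tok[pos]          # ICMPv6 message name, e.g. nd-ns
    return Entry(action, proto, src, dst, dport, icmp_type)

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.IPv6Address(addr) == ipaddress.IPv6Address(spec[5:])
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec, strict=False)

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ipv6" and e.proto != p.proto:
        return False
    if not (addr_match(e.src, p.src) and addr_match(e.dst, p.dst)):
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True

# Entries IOS appends to every IPv6 ACL without the operator typing them:
# neighbour discovery stays permitted, then everything else is dropped.
IMPLICIT = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]

# The three entries configured on the page (access-list "cisco").
PAGE_ACL = [
    "permit tcp host 2001::2 host 2000::2 eq www",
    "deny tcp any host 2000::2 eq www",
    "permit ipv6 any any",
]

def evaluate(acl_lines, pkt: Packet):
    """First-match evaluation; returns (action, 'seq N') or (action, 'implicit')."""
    for n, line in enumerate(acl_lines + IMPLICIT):
        entry = parse_entry(line)
        if matches(entry, pkt):
            return entry.action, (f"seq {n + 1}" if n < len(acl_lines) else "implicit")
    raise RuntimeError("unreachable: the implicit deny matches everything")

# Constructed flows mirroring the verification steps; PC1's address 2001::3 is assumed.
TRAFFIC = {
    "pc0_web":  Packet("2001::2", "2000::2", "tcp", dport=80),
    "pc1_web":  Packet("2001::3", "2000::2", "tcp", dport=80),
    "pc1_ping": Packet("2001::3", "2000::2", "icmp", icmp_type="echo-request"),
    "pc1_ssh":  Packet("2001::3", "2000::2", "tcp", dport=22),
}

def verdicts(acl_lines=PAGE_ACL):
    return {name: evaluate(acl_lines, p) for name, p in TRAFFIC.items()}

if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:9s} -> {v[0]:6s} ({v[1]})")
    # Misordered: the broad deny placed above the specific permit also blocks PC0.
    print("misordered:", verdicts([PAGE_ACL[1], PAGE_ACL[0], PAGE_ACL[2]])["pc0_web"])
    # Without the final permit, the implicit deny silently drops PC1's ping.
    print("no final permit:", verdicts(PAGE_ACL[:2])["pc1_ping"])
```

Running it reproduces the three verification results (PC0 web permitted by the first entry, PC1 web denied by the second, PC1 ping permitted by the third) and two common mistakes: swapping the first two entries denies PC0 as well, and omitting permit ipv6 any any lets the implicit deny drop every non-ND flow, which is the usual reason a lab "breaks ping" after the ACL is applied.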
To get the Packet Tracer file of this LAB, kindly drop your email in the comment box below. Thank you.