Hi George.

>> My suggestion is to put all those hosts with publicly accessible
>> services on one subnet, and all clients on another subnet. You can
>> then have different ACLs protecting the different subnets (allow any
>> -> tcp/80 on the www-server subnet, deny any on the client subnet). If
>> you would like to (and have enough subnets) you can put the www-server
>> on one subnet and an ftp-server on another as well.
>
> The problem is that the PD assigned from the ISP is not static!
> So how can you set ACL rules with a dynamic prefix?
>
> The assignment you mention may be used, but you still cannot define the
> www-server subnet in the ACL because you cannot know what the subnet
> will be!
No, you don't know the subnet, but that's not a problem. Here's a partial
config assuming a /56 PD:

int fa0
 ! WAN
 ipv6 dhcp client pd PREFIX

int fa1
 ! www-server subnet
 ipv6 address PREFIX 0:0:0:1::/64 eui-64
 ipv6 traffic-filter WWW-SERVER out

int fa2
 ! clients subnet
 ipv6 address PREFIX 0:0:0:2::/64 eui-64
 ipv6 traffic-filter CLIENTS out

ipv6 access-list WWW-SERVER
 permit tcp any any eq 80
 deny ipv6 any any

ipv6 access-list CLIENTS
 deny ipv6 any any

Yes, the subnets need to live on separate interfaces, physical or
logical, for easy filtering.

Note: This config is PARTIAL and parts of it won't work at all! For
example, the client subnet will have little connectivity :-)

>>> Is there a way to allow some services to internal hosts without
>>> exposing everything to the internet?
>>
>> Yes, use ULAs (RFC4193).
>
> I actually meant how to set the ACL in order to allow access to only one
> host and not the whole range. Why would you use ULAs?

ULAs are a great way to run internal services without worries. As long
as you ingress filter fc00::/7 on the WAN-link you are safe.

Having multiple IPv6 addresses on an interface opens up a lot of new
possibilities!

-- 
Pelle

RFC1925, truth 11: Every old idea will be proposed again with a
different name and a different presentation, regardless of whether it
works.

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
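The mechanism Pelle's config relies on is easy to miss: the ACLs are bound to the direction of traffic on each LAN interface and never name the prefix, while the router derives each /64 from the delegated prefix at runtime. The Python script below is an added example (not code from the post or from Cisco) that models exactly that: it ORs a delegated /56 with the per-interface subnet-ids, applies the WWW-SERVER and CLIENTS ACLs as written, puts the fc00::/7 ingress filter on the WAN side, and shows that the verdicts do not change when the ISP hands out a different prefix. The prefixes (2001:db8::/32 documentation space), the host addresses and the packets are constructed; the check that drops WAN packets sourced from our own delegated space is an anti-spoofing addition that the post does not spell out.

```python
"""Model of the thread's design: a /56 that arrives dynamically via DHCPv6
prefix delegation, per-interface /64s derived from it the way IOS derives
them from a general prefix, outbound ACLs bound to interfaces rather than
to addresses, and an fc00::/7 ingress filter on the WAN link.

Added example, not code from the post. Standard library only; every
prefix, host and packet below is constructed for illustration.
"""
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses

# Subnet-id per LAN interface, the '0:0:0:1::' part of
# 'ipv6 address PREFIX 0:0:0:1::/64' in the post.
LAN_SUBNET_IDS = {
    "fa1": "0:0:0:1::",  # www-server subnet
    "fa2": "0:0:0:2::",  # clients subnet
}


def derive_subnets(pd):
    """OR the delegated prefix with each interface's subnet-id and return
    {interface: /64}. Raises if a subnet-id would overwrite PD bits, which
    happens when the ISP hands out a prefix longer than the ids assume."""
    pd = ipaddress.IPv6Network(pd)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    pd_bits, pd_mask = int(pd.network_address), int(pd.netmask)
    subnets = {}
    for ifname, sid in LAN_SUBNET_IDS.items():
        sid_bits = int(ipaddress.IPv6Address(sid))
        if sid_bits & pd_mask:
            raise ValueError(f"{ifname}: subnet-id {sid} overlaps the /{pd.prefixlen} PD")
        subnets[ifname] = ipaddress.IPv6Network((pd_bits | sid_bits, 64))
    return subnets


# 'ipv6 traffic-filter ... out' on each LAN interface: these see traffic
# leaving the router towards the hosts, so they never need the prefix.
def acl_www_server(pkt):
    """ipv6 access-list WWW-SERVER: permit tcp any any eq 80 / deny ipv6 any any"""
    return pkt["proto"] == "tcp" and pkt["dport"] == 80


def acl_clients(pkt):
    """ipv6 access-list CLIENTS: deny ipv6 any any"""
    return False


OUTBOUND_ACL = {"fa1": acl_www_server, "fa2": acl_clients}


def wan_ingress_permits(pkt, subnets):
    """Inbound filter on fa0. Drops ULA sources (fc00::/7), which the post
    relies on, and also sources inside our own delegated /64s, an
    anti-spoofing check added here that the post does not spell out."""
    src = ipaddress.IPv6Address(pkt["src"])
    if src in ULA:
        return False
    return not any(src in net for net in subnets.values())


def forward(pkt, subnets):
    """Decide 'permit' or 'deny' for a packet entering on the WAN: ingress
    filter first, then route on destination to a LAN interface, then that
    interface's outbound ACL. A destination with no route is denied."""
    if not wan_ingress_permits(pkt, subnets):
        return "deny"
    dst = ipaddress.IPv6Address(pkt["dst"])
    for ifname, net in subnets.items():
        if dst in net:
            return "permit" if OUTBOUND_ACL[ifname](pkt) else "deny"
    return "deny"


def renumber_check(old_pd, new_pd):
    """Show that the same ACLs keep working when the ISP changes the PD:
    send a web request to a constructed host in the www subnet under each
    prefix and return both verdicts."""
    verdicts = []
    for pd in (old_pd, new_pd):
        nets = derive_subnets(pd)
        www_host = str(nets["fa1"][0x80])  # constructed host in subnet 1
        pkt = {"src": "2001:db8:ffff::1", "dst": www_host, "proto": "tcp", "dport": 80}
        verdicts.append(forward(pkt, nets))
    return verdicts


if __name__ == "__main__":
    for ifname, net in derive_subnets("2001:db8:1234:ab00::/56").items():
        print(ifname, net)
    print(renumber_check("2001:db8:1234:ab00::/56", "2001:db8:5678:cd00::/56"))
```

Two practical caveats when turning this into a real IOS config. First, an explicit `deny ipv6 any any` at the end of an IOS IPv6 ACL also switches off the implicit permits for neighbor discovery (nd-ns/nd-na) that an ACL otherwise gets, so the post's WWW-SERVER and CLIENTS lists as written need explicit `permit icmp any any nd-ns` and `permit icmp any any nd-na` entries (and, for working path MTU discovery, packet-too-big) before the deny; this is part of why Pelle warns the client subnet will have little connectivity. Second, `derive_subnets` refuses a PD longer than the subnet-ids allow; on a router that silently truncates instead, a /60 from the ISP can quietly merge two subnets you meant to keep apart.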
