Technical networking
This is a blog about network design and configurations

IPv6 in 5 minutes

24. September, 2009 by eirik

Posted in Networking | No Comments »

Cisco IPv6 Traffic-filter (default access-list)

22. September, 2009 by eirik

Thanks to good help from Lasse, here is a starting point for a simple IPv6 traffic-filter. Please send me any additions :)


no ipv6 access-list blix-in6
ipv6 access-list blix-in6
! link-local
permit icmp fe80::/10 any nd-na
permit icmp fe80::/10 any nd-ns
! close down windows ports
deny tcp any any range 137 139
deny tcp any any eq 135
deny tcp any any eq 445
deny udp any any range netbios-ns netbios-ss
deny udp any any eq 135
deny udp any any eq 445
! close sql server
deny tcp any any eq 1433
deny tcp any any eq 1434
deny udp any any eq 1433
deny udp any any eq 1434
! only allow ipv6 from 2001::/3 as this is our only outgoing ipv6 route
! (2001::/3 covers the same addresses as 2000::/3)
permit ipv6 2001::/3 any
deny ipv6 any any

no ipv6 access-list blix-out6
ipv6 access-list blix-out6
! permit established sessions
permit tcp any any established
! only send our own network
permit ipv6 2001:1ad8:ab::/48 any
deny ipv6 any any

To apply the configuration, issue the following commands:

int gi0/24
ipv6 traffic-filter blix-in6 in
ipv6 traffic-filter blix-out6 out
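
To check which entry a given packet hits, the inbound list can be replayed offline. The following Python sketch is an added example, not part of the original post and not Cisco's implementation: it parses the blix-in6 entries (with the 2001::/3 entry written using the IOS keyword permit) and applies first-match evaluation to constructed sample packets. It assumes a simplified model that looks only at protocol, source and destination prefix, and destination port or ICMPv6 type; the function names are hypothetical.

```python
import ipaddress

# Inbound entries from the post, comments dropped ("permit" used for the 2001::/3 entry).
ACL = """\
permit icmp fe80::/10 any nd-na
permit icmp fe80::/10 any nd-ns
deny tcp any any range 137 139
deny tcp any any eq 135
deny tcp any any eq 445
deny udp any any range netbios-ns netbios-ss
deny udp any any eq 135
deny udp any any eq 445
deny tcp any any eq 1433
deny tcp any any eq 1434
deny udp any any eq 1433
deny udp any any eq 1434
permit ipv6 2001::/3 any
deny ipv6 any any
"""
NAMES = {"netbios-ns": 137, "netbios-ss": 139, "nd-ns": 135, "nd-na": 136}  # ports / ICMPv6 types

def num(tok):
    return NAMES[tok] if tok in NAMES else int(tok)

def net(tok):  # strict=False masks host bits: 2001::/3 -> 2000::/3
    return ipaddress.ip_network("::/0" if tok == "any" else tok, strict=False)

def parse(line):
    action, proto, src, dst, *q = line.split()
    sel = None  # no port or ICMPv6 type qualifier
    if q:       # "range A B" (inclusive), "eq N", or an ICMPv6 type keyword
        sel = range(num(q[1]), num(q[2]) + 1) if q[0] == "range" else [num(q[-1])]
    return action, proto, net(src), net(dst), sel, line

RULES = [parse(l) for l in ACL.splitlines()]

def evaluate(proto, src, dst, sel=None):
    """First matching entry wins; sel is the destination port or ICMPv6 type."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rsel, line in RULES:
        hit = s in rsrc and d in rdst and (rsel is None or sel in rsel)
        if rproto in ("ipv6", proto) and hit:
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":  # constructed sample packets
    for pkt in [("icmp", "fe80::1", "ff02::1:ff00:1", 135), ("icmp", "fe80::1", "ff02::2", 133),
                ("tcp", "2001:db8::10", "2001:1ad8:ab::1", 445), ("udp", "fc00::5", "2001:1ad8:ab::1", 53)]:
        print(pkt, "->", evaluate(*pkt))
```

Running it shows, for example, that a router solicitation (ICMPv6 type 133) from a link-local source falls through to the final deny, since only nd-na and nd-ns are permitted from fe80::/10.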


Introduction to IPv6 addressing

21. September, 2009 by eirik

Motivation for IPv6: IPv4 is running out of address space, so why not give IPv6 a try?

  • In March 2009, Tony Hain of networking equipment manufacturer Cisco Systems predicts the exhaustion date of the unallocated IANA pool to be around July 2011.[5]

IPv4 uses 32-bit addresses, written in dotted decimal form x.y.z.w, where x, y, z and w can each take a value from 0 to 255 (1 byte). 32 bits = 4 bytes.

IPv6 uses 128-bit addresses, written in hexadecimal form aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:xyzw, where aaaa, bbbb, xyzw, etc. can each take a value from 0000 to ffff (hexadecimal). Each pair of characters (xy, zw) corresponds to 8 bits, 00-ff, i.e. 1 byte represented in hexadecimal.

An IPv6 address looks like 2001:1ad8:ab::1/128
Leading zeroes can be omitted, and :: may be used to omit multiple consecutive all-zero double-byte groups (xyzw), but only once per address.
2001:1ad8:ab::1/128 is actually 2001:1ad8:00ab:0000:0000:0000:0000:0001/128
Like IPv4, IPv6 can be written with prefix lengths:
2001:1ad8:ab::/128 - 1 address
2001:1ad8:ab::/127 - 2 addresses
2001:1ad8:ab::/126 - 4 addresses
2001:1ad8:ab::/125 - 8 addresses
2001:1ad8:ab::/124 - 16 addresses
..
2001:1ad8:ab::/120 - 256 addresses
..
2001:1ad8:ab::/115 - 8192 addresses
..
2001:1ad8:ab::/64 - about 1.84*10^19 addresses
..
2001:1ad8:ab::/48 - about 1.21*10^24 addresses
The valid 0000-ffff (xyzw) values in this /48 are 2001:1ad8:00ab:xyzw::, so each such /48 consists of 65536 /64 prefixes.
The valid 0000-ffff (stuv) values in these /64s are 2001:1ad8:00ab:xyzw:stuv::/64, so each such /64 consists of 65536 /80 prefixes.
Each /80 consists of 65536 /96 prefixes.
Each /96 consists of 65536 /112 prefixes.
Each /112 consists of 65536 host addresses (/128).

The current policy allocates a /32 IPv6 network to a LIR or ISP, a /40 or /48 to a service provider, and a /56 or /64 to the end user and/or customer.


IPv6

17. September, 2009 by eirik

I have spent the last day deploying IPv6 in our network with ssh, nameservers and webhosting now IPv6-capable. Not all our websites have Quad-A in DNS yet, but it is on its way. Whoho!

Today this server has

  • received or sent 113 mails over IPv6 and 2683 over IPv4
  • served 167 http requests over IPv6 and 49739 over IPv4
  • logged in 1 user via ssh on IPv6 and 5 over IPv4
  • accepted 0 ftp logins on IPv6 and 20 over IPv4

I have been researching the Internets and I can’t find a definite guide for how I can most efficiently subnet my /48. I am wondering if there is a recommended way of subnetting a /48 into /64 subnets for linknets, internal services, internet- and colocation customers?
