4.4.2.10 Packet Tracer - Troubleshooting IPv6 ACLs

Video Statistics and Information

Captions
Hi friends, welcome to all. In this video we are going to see the Packet Tracer activity Troubleshooting IPv6 ACLs. Before that, if you would like to get info on my future video uploads, consider subscribing.

Well, coming to our activity, here we can see our addressing table. Also we will go through the objectives of this Packet Tracer activity: in Part 1, troubleshoot HTTP access; in Part 2, troubleshoot FTP access; and in Part 3, troubleshoot SSH access.

Coming to our scenario, the following three policies have been implemented on the network. Hosts from the 2001:DB8:CAFE::/64 network do not have HTTP access to the other networks. Here we can see this network in our topology, the devices L0 and PC0. Next, hosts from the 2001:DB8:CAFE:1::/64 network are prevented from access to the FTP service on Server2. Here we can see this network, which is connected to this S1; here we can see those devices, L1 and Server1. It is prevented from access to the FTP service on Server2; here we can see that server. Next, hosts from the 2001:DB8:CAFE:1::/64 and 2001:DB8:CAFE:2::/64 networks are prevented from accessing R1 via SSH. Here we can see those networks: here is one network and here is another network. These two networks are prevented from accessing this device R1 via SSH. No other restrictions should be in place. Unfortunately, the rules that have been implemented are not working correctly. Your task is to find and fix the errors related to the access lists on R1. Note: to access R1 and the FTP servers, use the username user01 and the password user01pass.

Now we will come to Part 1, troubleshoot HTTP access. Hosts from the 2001:DB8:CAFE::/64 network are intentionally unable to access the HTTP service, but should not be otherwise restricted. Coming to our topology, here we can see the specified network, so this network is not allowed to access the HTTP service from other networks, that is, from this Server1 and Server2.

Now we will come to Step 1, determine the ACL problem. As you perform the following tasks, compare the results to what you would expect from the ACL. Coming to (a): using L0, L1 and L2, attempt to access HTTP services of Server1 and Server2. First of all we will get the IP address of Server1. Here we can see that; I will copy this address. Now we will try to access the web page from this device L0 to Server1. As per our policy we should not be able to access this HTTP service from Server1. We will try that from this L0. Here is the IPv6 address. Now we are waiting for the web page. No, we are not getting the web page; here we can see "Request timed out". Now we will try to access from other devices. We will try from L1, the browser. We will try to access our Server1. Here we can see we are getting the web page from Server1. And coming to L2, the IPv6 address of Server1: here we can see we are getting the web page from Server1.

Now we will get the IP address of Server2. Here we can see that; we will copy this address and we will try to get the web page from these devices L0, L1 and L2. First of all, coming to L0, we will try to get the HTTP service. We are waiting for the web page from Server2. No, we are not getting the web page; request timed out. Now we will try from L1, the browser. Here is the address. We are getting the web page from Server2. Coming to L2, we are getting the web page from Server2. Coming to the topology, here we have seen we are able to access the web page, I mean the HTTP service, from this device L1 and L2, but not from this device L0, to this Server1 and Server2.

Coming to (b): using L0, ping Server1 and Server2. So we will get the IP address of Server1 first, and we will come to the L0 command prompt. Ping to Server1; we will try this first. Here we can see we are getting the message "Destination host unreachable".
We are unable to ping Server1, and we will try Server2 also. We will get the IP address here. Ping to Server2: destination host unreachable. Here we have seen this device L0 is unable to ping this Server1 and Server2 also. We have seen the policy, where they told that this network is not allowed to access only the HTTP service, but we have seen that this network is unable to access even the ICMP service also.

Now we will come to (c): using PC0, access the HTTP services of Server1 and Server2. Well, we will get the IP address of Server1. Here is that, and coming to PC0, the desktop, web browser. Here we are going to access HTTP services and here we are going to give the address. We are waiting for the web page. No, we are not getting the web page; request timed out. Now we will try to access Server2. Here is the IPv6 address. Coming to the browser, HTTP service. Now we will try that. No, it's not coming. We are unable to access the web page from Server2 also. Hence here we can see we are unable to access any service from this network to other networks. Here itself we can identify the problem: it may be the implicit deny of any services.

Now we will come to (d): view the running configuration on R1. Examine access list G0-ACCESS and its placement on the interfaces. Is the access list placed on the correct interface and in the correct direction? Is there any statement in the list that permits or denies traffic to other networks? Are the statements in the correct order? Run other tests as necessary. Right, so we will check with the show command on this router R1. Coming to the router R1: show running-config. Here we can see the details. Here we can see ipv6 access-list G0-ACCESS, and here we can see the details: a deny tcp, so it is denying access to www, that is the HTTP service, from this network to any network. And here we can see they did not give the command permit ipv6 any any, and as I told, here we can see an implicit deny of any other services. Here we have to permit all other IPv6 services except this HTTP service.

Now we will check the placement and the direction of this access list. Coming to the topology, here we can see this is the source network. We have to implement this access list on this interface, that is GigabitEthernet 0/0, in the in direction. Here is our show running-config output. We have to go to the interface GigabitEthernet 0/0. Here we can see the details: ipv6 traffic-filter G0-ACCESS in. Yes, everything is correct.

Coming to Step 2, implement a solution. Make adjustments to access lists to fix the problem. Right, we will do that on this router R1. Coming to the router R1: configure terminal. Here we are going to give ipv6 access-list, then we have to give the access list name, that is G0-ACCESS, and here we are going to permit ipv6 any any. Now we will verify that: show running-config. Here we can see that it's added.

Coming to Step 3, verify the problem is resolved and document the solution. If the problem is resolved, document the solution; otherwise return to Step 1. Right, also we will verify now. First of all we will try to access the web page from L0. We will get the IP address of Server1. Here is that. L0, web browser. No, we are not getting the web page, so the policy is implemented. And now we will get the IP address of Server2. No, we are not getting the web page; request timed out. Now we will try to access the HTTPS service from this PC0. Here we will give HTTPS, and here is the Server2 address. Here we can see we are getting the web page; here the service is HTTP. Now we will get the IP address of Server1. HTTP, and here is the IPv6 address of Server1. Here we can see we are getting the web page from Server1. Now we will try to ping from this L0 to this Server1 and Server2. Coming to L0, we will try Server2. Here we can see we are getting the reply from Server2. Now we will ping Server1. Here is the address. We are getting the reply from Server1 also.
Hence here we can see the implemented policy is working, that is, this network is not allowed to access the HTTP service from other networks and all other services are permitted.

Now we will come to Part 2, troubleshoot FTP access. Hosts from the 2001:DB8:CAFE:1::/64 network are prevented from accessing the FTP service of Server2, but no other restriction should be in place. Coming to the topology, here we can see that specified network. This network is prevented from accessing the FTP service of this server, that is Server2; here we can see that.

Now we will come to Step 1, determine the ACL problem. As you perform the following tasks, compare the results to the expectations of the ACL. Coming to (a): using L0, L1 and L2, attempt to access the FTP service of Server2. Here we can see the command we have to give. We will do this now. We will start from the device L0: desktop, command prompt. Here we are going to give the command ftp, then the Server2 IPv6 address. It's prompted for the username, that is user01, and the password user01pass. Here we can see we are able to access FTP from this L0 device. Now we will come to L1: desktop, command prompt. Here is the command. Yes, it's prompted for the username, user01; the password is user01pass. Here also we can see we are able to access the FTP service from Server2. And coming to L2: desktop, command prompt, ftp to Server2. Username is user01, password is user01pass. Here we can see we are able to access the FTP service. Hence here we have seen all the devices, that is L0, L1 and L2, are able to access the FTP service from this Server2. But our second policy says this network should not be able to access the FTP service from this Server2, and we have seen that this device L1 is able to access the FTP service from this Server2. Hence this is the problem we identified here.

Coming to (b): view the running configuration on R1. Examine access list G1-ACCESS and its placement on the interfaces. Is the access list placed on the correct port in the correct direction? Is there any statement in the list that permits or denies traffic to other networks? Are the statements in the correct order? So all these things we will check; along with that, run other tests as necessary. Coming to the router R1, here we are going to give the show command, show running-config, and here we can see the access list G1-ACCESS. Here we can see three lines. The first line is the third policy, for SSH, and here we can see the policy for FTP: deny tcp, here we can see the network, that is the host network, then we are going to deny only this host. We will check the IPv6 address of this Server2. Here we can see that it's correct. eq, the service FTP, and also permitting all other services, permit ipv6 any any. So here everything is correct. Now coming to the placement and the direction of the access list, here we can see this is the source network. We have to implement this access list on this interface, that is GigabitEthernet 0/1, in the direction in. We have to check that. Coming to the interface GigabitEthernet 0/1, here we can see that. Yes, it's correct, but here we can see they have given out, so it's incorrect. So we have to change the direction to in.

Coming to Step 2, implement a solution. Make adjustments to access lists to fix the problem. Right, we will do that. Coming to the configuration on R1: configure terminal. We have to go to that interface GigabitEthernet 0/1, and we have to remove that. We will copy this line; here we will give no, then that command, so that we can reconfigure. Instead of out we have to give in. We are going to remove this out and we are going to give in. Now we will verify the configuration: show running-config. Coming to the interface G0/1, here we can see that now it's correct.

Coming to Step 3, verify the problem is resolved and document the solution. If the problem is resolved, document the solution; otherwise return to Step 1. So now we will verify that. Now we will try to access the FTP service from these devices L0, L1 and L2 to this Server2. First of all we will start from L0; we should be able to access. Once more we will try that. Here we can see it's prompted for a username, user01, and the password, user01pass. We are able to access the FTP service on this L0 device. Now we will come to L2. Here also we should be able to access. Here we can see it's prompted for a username, user01, password user01pass. We are able to access the FTP service on this device L2. Now we will try from L1 to access this FTP service. As per our policy we should not be able to access this FTP service. We will try that. Previously we got it. Now we will try the FTP service. Trying to connect. Now it's not connecting. Our policy is implemented.

Now we will come to Part 3, troubleshoot SSH access. Only the hosts from the 2001:DB8:CAFE::/64 network are permitted remote access to R1 via SSH. Here we can see only this network is allowed to access this router R1 via SSH. The other two networks, here we can see this network and this network, are not allowed to access this R1 via SSH. So better I will mark the second two networks also. Here is that. So these two networks are not allowed to access this R1 via SSH.

Coming to Step 1, determine the ACL problem. As you perform the following tasks, compare the results to what you would expect from the ACL. Coming to (a): from L0 or PC0, verify SSH access to R1. First of all we will get the IPv6 address of R1. We will copy this address. Coming to L0, we will try to access this R1 with the help of SSH. So here we have to give ssh, space, -l, then the username user01 and the target; here is the IPv6 address of R1. It's prompted for a password. Here is the password, user01pass. Here we can see we are able to access the device, I mean the router R1, via SSH.

Coming to (b): using L1 and L2, attempt to access R1 via SSH. So as per our policy these two networks are not allowed to access this router R1 via SSH. So we will try to access this R1 via SSH and we will check that. Coming to L1, command prompt. It's trying to connect. Here we can see "Connection timed out, remote host not responding". Right, so we will try from L2, command prompt, and here we are going to give the command. It's prompted for the password, user01pass. Here we can see we are able to access this router R1 via SSH from this device L2. So we identified the problem: as per our policy this network also is not allowed to access this router R1 via SSH, but here this device is able to access this R1.

Coming to (c): view the running configuration on R1. Examine access lists and their placements on the interfaces. Is the access list placed on the correct interface and in the correct direction? Is there any statement in the list that permits or denies traffic to other networks? Are the statements in the correct order? So all these we will check; also we will perform other tests as necessary. Coming to the router R1: enable, show running-config. Here we can see the policies. Two networks are not allowed to access this R1 via SSH. Here we can see access list G1-ACCESS: deny tcp, the network, then the network, and here is the service SSH; the port number is 22. Coming to the other access list, here we can see access list G2-ACCESS. Here we can see the details. Here they have given permit ipv6 any any first, so that's why this device L2 is able to access this R1 via SSH. Here we have to keep this line, that is deny tcp, first, then this permit ipv6 any any second. So here the order of the commands is incorrect. Coming to the direction and the placement of the access list, here we can see the interface GigabitEthernet 0/2. We have to check that interface. Here we can see that interface G0/2: ipv6 traffic-filter G2-ACCESS in. It's correct. So here the problem is the statements are not in the correct order, so we have to put those statements in the correct order.

Coming to Step 2, implement a solution. Make adjustments to access lists to fix the problem. OK, coming to R1, here we will give show ipv6 access-list, and here we can see the access list details. We are going to remove this access list: configure terminal, and we are going to give no ipv6 access-list G1... we will check that; here it's G2-ACCESS. G2-ACCESS. And now we are going to create that; we will remove this no. Now we are going to give the statements in the correct order, so first we are going to give this deny and then we are going to permit ipv6 any any. Now we will verify that: show running-config. Here we can see G2-ACCESS: first we are denying this SSH, then we permit ipv6 any any. Now it's in the correct order.

Coming to Step 3, verify that the problem is resolved and document the solution. If the problem is resolved, document the solution; otherwise return to Step 1. Now we will try to access this router R1 via SSH from this device L2. Here we have that command. It's trying to connect. No, it's not connecting now. Now our third policy is also implemented successfully. These two networks are not allowed to access this router R1 via SSH.

Well, that's all in this Packet Tracer activity, that is Troubleshooting IPv6 ACLs. Here we can see the completion status, 90 out of 90. Friends, if you have any doubt in this Packet Tracer activity, please comment below. Also, if you like my video, give it a thumbs up and share it with your friends, and don't forget to subscribe to this channel so that you will get the latest video upload info directly in your Gmail. Thank you.
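
The two rule-logic faults found in this activity, the missing permit ipv6 any any in G0-ACCESS and the wrong statement order in G2-ACCESS, modelled as a first-match evaluator. This is an added example, not part of the video or the Packet Tracer activity; the host, server and R1 addresses are constructed, the destination any on the SSH deny is an assumption, and the neighbor-discovery permits that IOS applies before the implicit deny are not modelled.

```python
import ipaddress

ANY = "::/0"

def rule(action, proto, src, dst=ANY, dport=None):
    """One ACL entry. proto 'ipv6' matches any protocol; dport None matches any port."""
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; a packet matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_dport in acl:
        if r_proto not in ("ipv6", proto):
            continue
        if s not in r_src or d not in r_dst:
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return action
    return "deny"  # implicit 'deny ipv6 any any' (ND permits not modelled)

# Networks from the activity; host, server and router addresses are constructed.
LAN0, LAN2 = "2001:DB8:CAFE::/64", "2001:DB8:CAFE:2::/64"
L0, L2 = "2001:db8:cafe::10", "2001:db8:cafe:2::10"
SERVER1, R1 = "2001:db8:cafe:1::100", "2001:db8:cafe::1"

# Part 1: only the deny is present, so everything else falls to the implicit deny.
G0_BROKEN = [rule("deny", "tcp", LAN0, dport=80)]
G0_FIXED = G0_BROKEN + [rule("permit", "ipv6", ANY)]

# Part 3: the permit comes first, so the SSH deny is never reached.
# Destination 'any' on the deny is an assumption.
G2_BROKEN = [rule("permit", "ipv6", ANY), rule("deny", "tcp", LAN2, dport=22)]
G2_FIXED = [G2_BROKEN[1], G2_BROKEN[0]]

def report():
    """Return (ACL name, traffic, verdict) for the checks made in the video."""
    checks = [
        ("G0 broken", G0_BROKEN, "icmp", L0, SERVER1, None),
        ("G0 broken", G0_BROKEN, "tcp", L0, SERVER1, 80),
        ("G0 fixed", G0_FIXED, "icmp", L0, SERVER1, None),
        ("G0 fixed", G0_FIXED, "tcp", L0, SERVER1, 80),
        ("G2 broken", G2_BROKEN, "tcp", L2, R1, 22),
        ("G2 fixed", G2_FIXED, "tcp", L2, R1, 22),
    ]
    return [(n, f"{p}/{port}", evaluate(a, p, s, d, port)) for n, a, p, s, d, port in checks]

if __name__ == "__main__":
    for row in report():
        print(*row)
```

The Part 2 fault (traffic filter applied out instead of in on G0/1) is a placement error rather than a rule-logic error, so it does not appear in this model.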
Info
Channel: Tech Acad
Views: 5,095
Keywords: IPv6 Access Control List
Id: VFtqilyYLcM
Length: 28min 10sec (1690 seconds)
Published: Sun Apr 15 2018