02-13-2022 02:01 PM
I have a 2901 dual-stack router. I need to limit SSH and HTTP access to IPv4 and IPv6 ranges. At the moment, access is limited to a list of IPv4 addresses, but IPv6 is wide open and I can't find anything in the docs.
Any help would be appreciated!
access-list 10 permit 123.12.23.12
access-list 10 permit 192.168.1.0 0.0.0.255
!
ipv6 access-list ipv6_trusted_subnets
 permit ipv6 2001:123:321::/48 any
!
line vty 0 4
 access-class 10 in
 exec-timeout 60 0
 login local
 transport input ssh
02-13-2022 02:16 PM
Hello @ciscoKuzia,
Under line vty add
ipv6 access-class ipv6_trusted_subnets in
----------------------
Don't forget to rate helpful posts!
02-13-2022 03:41 PM
That worked! Thank you @Amine ZAKARIA !
Any idea on how to do the same thing but for http (https)?
(config)#ipv6 htt?
% Unrecognized command
02-13-2022 05:47 PM
I don't believe there is a specific command to turn off http(s) services only for IPv6. I think the command "ip http" and "ip http secure-server" apply for both IPv4 and 6.
02-13-2022 06:35 PM - edited 02-13-2022 06:35 PM
Unfortunately, I can still access HTTPS via the IPv6 address, while the IPv4 address is accessible only from the trusted range. Also, I'm not able to add IPv6 to a standard access-list.
(config)#access-list 10 permit 2001:XXXX:D:FFFF::1470
                                ^
% Invalid input detected at '^' marker.
-----------------------------------------------------
(config)#ip http access-class ?
  <1-99>  Access list number
-----------------------------------------------------
(config)#ipv6 http?
% Unrecognized command
02-14-2022 12:23 AM
Hello @ciscoKuzia ,
So far I'm not sure if it's possible to filter IPv6 with access-class for HTTP/S, but instead you can apply the IPv6 ACL on the interface directly.
ipv6 access-list ACLv6
 deny tcp host 2001:123:321::2 host 2001:123:321::1 eq 80
 deny tcp host 2001:123:321::2 host 2001:123:321::1 eq 443
 permit ipv6 any any
And under the interface apply the ACLv6:
ipv6 traffic-filter ACLv6 in
Regards!
--------------------------------------------
Don't forget to mark as resolved if it solves your issue
02-14-2022 03:25 AM
Hi @Amine ZAKARIA and @ciscoKuzia ,
"With IPv6 support added in Cisco IOS Release 12.2(2)T, the ip http server command simultaneously enables and disables both IP and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command will only be applied to IPv4 traffic. IPv6 traffic filtering is not supported."
More info at: Cisco IOS HTTP Services Command Reference.
Hope this helps !!!
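Putting the two answers together, as an added example that is not from any post in this thread: the vty lines get the IPv6 access-class, and because ip http access-class only filters IPv4, the IPv6 web UI is protected with an allow-list traffic-filter on the interface instead of the per-host deny shown above. It assumes the trusted prefix 2001:123:321::/48 from the original post, 2001:123:321::1 as the router's own IPv6 address (as in the ACLv6 example), and GigabitEthernet0/0 as the interface untrusted traffic arrives on.

```cisco
! SSH: restrict the vty lines for both address families
ipv6 access-list ipv6_trusted_subnets
 permit ipv6 2001:123:321::/48 any
!
line vty 0 4
 access-class 10 in
 ipv6 access-class ipv6_trusted_subnets in
 transport input ssh
!
! HTTP/HTTPS: ip http access-class is IPv4-only, so filter IPv6 on the interface.
! Allow the trusted /48 to the router's own address on 80/443, drop everyone
! else to those ports, and leave all other (including transit) traffic alone.
ipv6 access-list MGMT_HTTP_V6
 remark trusted prefix may reach the web UI
 permit tcp 2001:123:321::/48 host 2001:123:321::1 eq 80
 permit tcp 2001:123:321::/48 host 2001:123:321::1 eq 443
 remark anyone else is blocked from the web UI only
 deny tcp any host 2001:123:321::1 eq 80
 deny tcp any host 2001:123:321::1 eq 443
 remark everything else passes as before
 permit ipv6 any any
!
! Assumed interface name: apply on every interface untrusted IPv6 can enter from
interface GigabitEthernet0/0
 ipv6 traffic-filter MGMT_HTTP_V6 in
```

The traffic-filter only inspects packets entering that interface, so repeat it on each interface (and for each router address) from which the web UI is reachable, and confirm the deny entries are counting hits with show ipv6 access-list.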