1
00:00:00,210 --> 00:00:08,070
IP version six access lists, in a similar way to IP version four access lists, are applied to interfaces

2
00:00:08,070 --> 00:00:11,250
either in an inbound or outbound direction.

3
00:00:11,400 --> 00:00:19,410
You could apply an IP version six access list to a router interface such as Gigabit 0/0 or Serial

4
00:00:19,410 --> 00:00:20,820
1/0.

5
00:00:21,030 --> 00:00:29,070
But they can also be applied to switched virtual interfaces on a switch, such as interface VLAN 2.

6
00:00:29,100 --> 00:00:36,120
Also remember that, because of ships in the night, IP version four and IP version six are independent

7
00:00:36,120 --> 00:00:37,050
of each other.

8
00:00:37,410 --> 00:00:45,540
So you could have both an IP version four inbound and outbound access list as well as an IP version six

9
00:00:45,540 --> 00:00:49,560
inbound and outbound access list on the same interface.

10
00:00:49,890 --> 00:00:56,850
The IP version four access lists have no effect on IP version six packets, and IP version six access lists

11
00:00:56,850 --> 00:01:02,250
have no effect on IP version four packets. In the same way as IP version four,

12
00:01:02,580 --> 00:01:10,320
in IP version six it makes sense to apply access lists on ingress rather than egress interfaces to

13
00:01:10,320 --> 00:01:12,000
provide more security.

14
00:01:12,000 --> 00:01:20,310
So on an internet-facing router, you want an inbound access list denying traffic to the network and

15
00:01:20,310 --> 00:01:27,330
to the router, rather than an egress interface, where the router is exposed to the internet.

16
00:01:27,510 --> 00:01:31,900
So rather deny before processing, if required,

17
00:01:31,920 --> 00:01:37,920
instead of processing packets and then dropping them. It's less secure to use an outbound access list

18
00:01:38,130 --> 00:01:44,670
on a perimeter router's internal interface; rather, put it on the external interface and block traffic

19
00:01:44,670 --> 00:01:48,090
before it's processed by the router's routing table.

20
00:01:48,900 --> 00:01:56,100
When traffic is leaving the internal or trusted network to go into the internet, apply it on the outbound

21
00:01:56,100 --> 00:01:56,970
interface.

22
00:01:57,450 --> 00:02:04,190
So on the internet-facing interface on a router, traffic that arrives from the Internet is processed

23
00:02:04,200 --> 00:02:06,930
as ingress, or inbound, traffic.

24
00:02:06,960 --> 00:02:14,760
Traffic leaving the internal network to go to the internet is processed outbound on that internet-facing interface.

25
00:02:15,700 --> 00:02:20,950
As always with access lists, the hard part is determining how to filter traffic.

26
00:02:21,640 --> 00:02:24,690
The same applies to IP version four and IP version six.

27
00:02:24,700 --> 00:02:28,060
What are you going to permit and what are you going to deny?

28
00:02:28,860 --> 00:02:36,240
Generally, you want to permit only certain protocols or certain applications and block everything else.

29
00:02:36,570 --> 00:02:40,470
So, in other words, anything that is not permitted will be blocked.

30
00:02:40,470 --> 00:02:48,000
And that's why, by default on Cisco devices, there's a deny any any at the end of an access list.

31
00:02:48,680 --> 00:02:55,280
So for both IP version four and IP version six, there's an implied deny any any.

32
00:02:55,640 --> 00:03:02,660
So for IP version six, we have deny IPv6 any any as the last rule in an access list.

33
00:03:03,050 --> 00:03:07,460
So unless you explicitly permit something, it's going to be denied.

34
00:03:08,260 --> 00:03:15,430
Now, you can't simply copy your IP version four access lists and apply them to IP version six because

35
00:03:15,430 --> 00:03:21,490
you have different protocols and you perhaps have different requirements for IP version six versus IP

36
00:03:21,490 --> 00:03:22,450
version four.

37
00:03:22,870 --> 00:03:30,940
It makes more sense to start with a brand new IP version six policy and only permit specific IP version

38
00:03:30,940 --> 00:03:36,730
six protocols rather than trying to copy your IP version four access list.

39
00:03:37,120 --> 00:03:44,290
So you'll need to decide which IP version six packets and protocols are permitted into your network

40
00:03:44,290 --> 00:03:48,040
and which protocols and packets are permitted out of your network.