1
00:00:00,390 --> 00:00:08,040
IP version 6 access lists, in the same way as IP version 4 access lists, are applied to interfaces

2
00:00:08,250 --> 00:00:11,600
either in an inbound or outbound direction.

3
00:00:11,670 --> 00:00:20,140
You could apply an IP version 6 access list to a router interface such as GigabitEthernet 0/0 or Serial 1/

4
00:00:20,190 --> 00:00:21,500
0.

5
00:00:21,540 --> 00:00:29,640
They could also be applied to switched virtual interfaces on a switch, such as interface VLAN 2. Also

6
00:00:29,640 --> 00:00:37,540
remember that because of ships in the night, IP version 4 and IP version 6 are independent of each other.

7
00:00:37,620 --> 00:00:45,570
So you could have both an IP version 4 inbound and outbound access list, as well as an IP version 6

8
00:00:45,630 --> 00:00:49,800
inbound and outbound access list on the same interface.

9
00:00:50,100 --> 00:00:57,180
The IP version 4 access lists have no effect on IP version 6 packets, and IP version 6 access lists have

10
00:00:57,180 --> 00:01:04,040
no effect on IP version 4 packets. In the same way as with IP version 4, with IP version 6

11
00:01:04,050 --> 00:01:12,250
it makes sense to apply access lists on ingress rather than egress interfaces to provide more security.

12
00:01:12,270 --> 00:01:17,180
So on an internet facing router you want an inbound access list.

13
00:01:17,220 --> 00:01:25,140
denying traffic to the network and to the router, rather than on an egress interface where the router is

14
00:01:25,140 --> 00:01:27,740
exposed to the Internet.

15
00:01:27,780 --> 00:01:35,100
So rather deny before processing if required, instead of processing packets and then dropping them.

16
00:01:35,310 --> 00:01:41,970
It's less secure to use an outbound access list on the perimeter router's internal interface; rather, put

17
00:01:41,970 --> 00:01:48,880
it on the external interface and block traffic before it's processed by the router's routing table.

18
00:01:49,120 --> 00:01:56,170
When traffic is leaving the internal or trusted network to go into the Internet, apply it on the outbound

19
00:01:56,170 --> 00:01:57,470
interface.

20
00:01:57,590 --> 00:02:04,960
So on the Internet-facing interface on a router, traffic that arrives from the Internet is processed ingress

21
00:02:04,990 --> 00:02:13,000
or inbound; traffic leaving the internal network to go to the Internet is processed outbound on that

22
00:02:13,030 --> 00:02:17,340
Internet-facing interface. As always with access lists,

23
00:02:17,340 --> 00:02:21,820
the hard part is determining how to filter traffic.

24
00:02:21,830 --> 00:02:24,760
The same applies to IP version 4 and IP version 6.

25
00:02:24,800 --> 00:02:28,170
What are you going to permit and what are you going to deny?

26
00:02:28,960 --> 00:02:36,780
Generally you want to permit only certain protocols or certain applications and block everything else.

27
00:02:36,790 --> 00:02:40,750
So in other words, anything that is not permitted will be blocked.

28
00:02:40,750 --> 00:02:48,210
And that's why, by default on Cisco devices, there's a deny any any at the end of an access list.

29
00:02:48,900 --> 00:02:55,840
So for both IP version 4 and IP version 6 there's an implied deny any any.

30
00:02:55,860 --> 00:03:03,240
So for IP version 6 we have deny ipv6 any any as the last rule in an access list.

31
00:03:03,240 --> 00:03:07,510
So unless you explicitly permit something, it's going to be denied.

32
00:03:08,420 --> 00:03:15,650
Now you can't simply copy your IP version 4 access lists and apply them to IP version 6, because you

33
00:03:15,650 --> 00:03:21,890
have different protocols and you perhaps have different requirements for IP version 6 versus IP version

34
00:03:21,890 --> 00:03:22,670
4.

35
00:03:23,090 --> 00:03:30,980
It makes more sense to start with a brand new IP version 6 policy and only permit specific IP version

36
00:03:30,980 --> 00:03:37,370
6 protocols rather than trying to copy your IP version 4 access list.

37
00:03:37,370 --> 00:03:44,990
So you need to decide which IP version 6 packets and protocols are permitted into your network and which

38
00:03:44,990 --> 00:03:48,080
protocols and packets are permitted out of your network.
