1
00:00:00,210 --> 00:00:05,670
One protocol that you want to be especially careful with is ICMPv6.

2
00:00:05,790 --> 00:00:10,890
Remember, in IP version four, we use ARP to determine the MAC address of a neighbor.

3
00:00:10,920 --> 00:00:20,220
ARP is no longer used in IP version six. Neighbor Discovery Protocol, or NDP, is part of ICMP version six.

4
00:00:20,220 --> 00:00:29,130
So if you have a blanket deny of ICMP version six inadvertently, it could affect the communication of

5
00:00:29,130 --> 00:00:31,710
devices in your IP version six network.

6
00:00:32,009 --> 00:00:38,910
ICMP is also used for path MTU discovery, so don't just block ICMP version six.

7
00:00:39,360 --> 00:00:43,230
Be careful blocking that protocol in IP version four.

8
00:00:43,500 --> 00:00:50,400
In some cases you don't want to block ICMP, but you can be a little bit more blasé blocking ICMP in

9
00:00:50,400 --> 00:00:53,970
IP version four versus IP version six.

10
00:00:54,450 --> 00:01:03,810
Be careful again that some protocols required for neighbor discovery and basic IP version six functionality

11
00:01:03,810 --> 00:01:06,780
require ICMP version six.

12
00:01:07,260 --> 00:01:11,640
Now IP version six access lists once again are very similar to IP version four.

13
00:01:11,940 --> 00:01:18,450
You need to be careful again with protocols that you used in IP version four such as broadcasts and

14
00:01:18,450 --> 00:01:20,280
ARP. IP version six

15
00:01:20,280 --> 00:01:23,430
doesn't use broadcasts, it uses multicasts.

16
00:01:23,430 --> 00:01:30,330
So to discover neighbors, we use the Neighbor Discovery Protocol and multicast rather than using ARP

17
00:01:30,330 --> 00:01:31,680
and broadcasts.

18
00:01:32,070 --> 00:01:39,210
IP version six also includes new fields such as a flow label and extension headers, which are different

19
00:01:39,210 --> 00:01:40,680
to IP version four.
20
00:01:41,220 --> 00:01:48,180
IP version six access lists therefore allow you to match on traffic classes, flow labels, the IPv6

21
00:01:48,180 --> 00:01:51,840
next header field, source and destination 128-bit

22
00:01:51,840 --> 00:01:59,850
IPv6 addresses, upper layer headers, higher layer protocols such as TCP and UDP and their relevant

23
00:01:59,850 --> 00:02:03,300
port numbers, as well as flags such as SYN and ACK.

24
00:02:03,300 --> 00:02:10,979
We also have ICMP version six types and codes that you could match on, as well as IP version six extension

25
00:02:10,979 --> 00:02:12,720
header values and types.

26
00:02:12,990 --> 00:02:14,220
So be careful.

27
00:02:14,220 --> 00:02:20,730
There are differences between IP version six access lists and IP version four access lists.

28
00:02:20,850 --> 00:02:24,960
There are also limitations with IP version six access lists.

29
00:02:25,290 --> 00:02:29,310
IP version six tends to have more tunnels than IP version four.

30
00:02:29,340 --> 00:02:36,240
So as an example, you may have IP version six packets transported over an IP version four network using

31
00:02:36,240 --> 00:02:38,040
GRE tunnels.

32
00:02:38,340 --> 00:02:45,270
So be careful if you're trying to block IP version six packets using an IP version six access list and

33
00:02:45,270 --> 00:02:49,620
that's tunnelled within an IP version four GRE tunnel.

34
00:02:49,650 --> 00:02:54,060
Your access list won't work. In IP version four access lists,

35
00:02:54,060 --> 00:02:57,300
wildcard masks don't have to be contiguous.

36
00:02:57,810 --> 00:03:00,450
In other words, it doesn't have to look like this.

37
00:03:00,450 --> 00:03:09,030
You could match all odd IP addresses or all even IP addresses by manipulating the inverse mask of an

38
00:03:09,030 --> 00:03:10,620
IP version four access list.
39
00:03:11,220 --> 00:03:18,870
However, in IP version six, you create IP version six access lists using a prefix length number that

40
00:03:18,870 --> 00:03:23,250
indicates the number of contiguous prefix mask bits.

41
00:03:23,310 --> 00:03:26,280
That's very different to IP version four.

42
00:03:26,640 --> 00:03:33,570
In IP version six access lists, the prefix length number represents the number of contiguous bits that

43
00:03:33,570 --> 00:03:37,950
will be matched for that IP version six address prefix.

44
00:03:38,370 --> 00:03:45,330
So we use a slash notation where the number after the slash indicates the number of bits of the prefix

45
00:03:45,330 --> 00:03:46,080
length.

46
00:03:46,410 --> 00:03:53,600
That means therefore that you can only match on an IP version six address prefix and cannot use

47
00:03:53,640 --> 00:03:57,210
non-contiguous masks with IP version six access lists.

48
00:03:57,540 --> 00:04:03,900
In addition, it's very common to have prefix lengths that are evenly divisible by four.

49
00:04:04,260 --> 00:04:11,550
So you'd use things such as slash 48, slash 52, slash 56, slash 64 as an example.

50
00:04:12,090 --> 00:04:19,860
And it's not a standard practice to have a prefix length that doesn't fall on a hex digit boundary.

51
00:04:19,980 --> 00:04:22,380
That's very different again to IP version four.

52
00:04:22,380 --> 00:04:30,810
For IP version four addresses, you may have a slash 22, slash 23, slash 24, but then a slash 25 or

53
00:04:30,810 --> 00:04:32,010
slash 26.

54
00:04:32,610 --> 00:04:40,380
So unlike IP version four, where you don't just use slash eight or slash 16 or slash 24 or slash 32,

55
00:04:40,410 --> 00:04:43,650
that tends to be the practice in IP version six.

56
00:04:43,950 --> 00:04:49,830
So as an example, you'll match slash 64; you're matching on a hex digit boundary.

57
00:04:50,130 --> 00:04:53,640
Remember, hex digits are four binary bits in length.
58
00:04:54,000 --> 00:04:57,510
So we use slash 48, slash 52, slash 56,

59
00:04:57,510 --> 00:04:59,460
slash 60, slash 64.

60
00:04:59,830 --> 00:05:02,590
Rather than something like slash 62.

61
00:05:02,860 --> 00:05:08,590
It's important to remember that excessive logging can negatively impact router performance.

62
00:05:08,830 --> 00:05:12,790
The router CPU is involved when a log entry is created.

63
00:05:13,150 --> 00:05:16,060
Therefore, be careful using the logging keyword.

64
00:05:17,090 --> 00:05:20,800
Just like with IP version four, IP version six access lists

65
00:05:20,810 --> 00:05:24,890
don't deny packets originating from a router.

66
00:05:25,250 --> 00:05:31,820
So an outbound access list on a router interface will not block router packets sent by that router.