ZBF in a mixed ipv4 and ipv6 environment, don't touch ipv4
I have a dual stacked router for both ipv4 and ipv6. Ipv4 traffic should pass the zbf untouched due to the fact that there is another rock solid ipv4 firewall egress of the inside interface. Is there a way that a class map like this could function on ipv6 traffic only?:
class-map type inspect match-any fullproto
 description Permitted Traffic to internet
 match protocol http
 match protocol https
 match protocol dns
 match protocol imaps
 match protocol icmp
 match protocol ftp
 match protocol ntp
 match protocol rtsp
 match protocol realmedia
 match protocol netshow
 match protocol appleqtc
 match protocol streamworks
 match protocol vdolive
 match protocol ssh
 match protocol user-rdp
So far there is only a CBAC solution in place for ipv6.
I'm showing my interfaces:
interface FastEthernet0/0
 description *** Inside IPV6 ***
 no ip address
 speed auto
 full-duplex
 ipv6 address FE80::1 link-local
 ipv6 address ????:????:????:10::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination ?:?:?:10::12
 ipv6 traffic-filter inne6-inn in
 no cdp enable
 no mop enabled

interface FastEthernet0/0.4
 description *** Inside IPV4 ***
 encapsulation dot1Q 4
 ip address 82.?.?.129 255.255.255.248
 no cdp enable

interface FastEthernet0/1
 description *** Outside ***
 ip address 82.?.?.42 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed auto
 full-duplex
 ipv6 address FE80::2 link-local
 ipv6 address ?:599::2/126
 ipv6 enable
 ipv6 nd prefix default no-advertise
 ipv6 nd prefix ?:599::/126 no-advertise
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 ipv6 inspect ipv6-cbac out
 ipv6 traffic-filter ut-inn6 in
 no cdp enable
 no mop enabled
That should also work, but be aware that the way intra-zone traffic gets inspected changed on some IOS versions.
Perhaps another way:
If you can use sub interfaces for inside *and* outside, you could configure one interface for ipv4 and one for ipv6. The ipv4-(sub)-interfaces are not assigned to any zone and so will just route the traffic.
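Worked configuration for the sub-interface approach in the reply above. This is an added example, not configuration posted in the thread: it reuses the question's fullproto class-map, puts only the IPv6 sub-interfaces into zones, and leaves the IPv4 sub-interfaces out of any zone so that ZBF never sees IPv4 traffic. VLAN IDs 4 and 6, the sub-interface numbers, the policy and zone names, and the 2001:DB8::/32 and 192.0.2.0/24 documentation prefixes are all placeholders chosen for the example.

```ios
! --- Added example (not from the thread). Names, VLAN IDs and prefixes are placeholders. ---
!
zone security inside
zone security outside
!
! Class-map as posted in the question, unchanged
class-map type inspect match-any fullproto
 description Permitted Traffic to internet
 match protocol http
 match protocol https
 match protocol dns
 match protocol imaps
 match protocol icmp
 match protocol ftp
 match protocol ntp
 match protocol rtsp
 match protocol realmedia
 match protocol netshow
 match protocol appleqtc
 match protocol streamworks
 match protocol vdolive
 match protocol ssh
 match protocol user-rdp
!
! Inspect the permitted protocols, drop and log everything else
policy-map type inspect inside-to-outside
 class type inspect fullproto
  inspect
 class class-default
  drop log
!
zone-pair security in-out source inside destination outside
 service-policy type inspect inside-to-outside
!
! IPv6 sub-interfaces: these are the only zone members, so only IPv6 is inspected
interface FastEthernet0/0.6
 description *** Inside IPv6 *** (placeholder VLAN 6)
 encapsulation dot1Q 6
 ipv6 address 2001:DB8:10::1/64
 zone-member security inside
!
interface FastEthernet0/1.6
 description *** Outside IPv6 *** (placeholder VLAN 6)
 encapsulation dot1Q 6
 ipv6 address 2001:DB8:599::2/126
 zone-member security outside
!
! IPv4 sub-interfaces: deliberately NOT assigned to any zone.
! ZBF only acts on traffic between zone members, so IPv4 is simply routed
! between these two sub-interfaces and left to the existing IPv4 firewall.
interface FastEthernet0/0.4
 description *** Inside IPv4 *** (placeholder VLAN 4)
 encapsulation dot1Q 4
 ip address 192.0.2.129 255.255.255.248
!
interface FastEthernet0/1.4
 description *** Outside IPv4 *** (placeholder VLAN 4)
 encapsulation dot1Q 4
 ip address 192.0.2.42 255.255.255.252
```

Two things to check before relying on this. First, ZBF drops traffic between a zone member and an interface that is in no zone, so the IPv4 sub-interfaces must both stay unzoned: the IPv4 path is inside.4 to outside.4 only, and that is exactly why it bypasses inspection. Second, the outside sub-interface only works if the upstream device accepts dot1Q tags on that link, which is the "if you can use sub interfaces for inside and outside" condition in the reply; `show zone-pair security` and `show policy-map type inspect zone-pair` will confirm that only IPv6 sessions appear in the inspection table.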