Posting this in case someone finds it useful, as I found little help on the stateless IPv6 configuration to get the range from the ISP:
Features of this config:
- IPv4 and IPv6 DHCP from ISP to end user.
- Zone firewall for ICMP, VPN and DHCP plus custom for LAN, WAN and self zones (needed for DHCPv6).
- Zone firewall uses IP ACL, L4, L7 and category based rules.
- Netflow to local collector.
- NAT for IPv4 (not a thing for IPv6).
- Should be fairly hardened (I tested mine and everything unsolicited from the WAN is blocked; stealth, so no unreachables are sent), so hopefully secure.
- SNMP and NTP config.
Hopefully this stands as a good boilerplate for those needing similar. Just needs FlexVPN or similar adding so you can VPN to home or work. And add any dynamic routing you may need.
Would be nice if someone could critique this and tell me if there are any glaring gotchas, or if this is a good secure config. Only thing I know could be done better is match-any for the zone filters to reduce the number of class maps.
Tested on C1161-8P and IOS-XE 17.6.3a
=====
! Global services and logging
service nagle
service telnet-zeroidle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname router
!
logging buffered 512000 informational
logging source-interface Vlan1
logging facility local3
no logging rate-limit
no logging console
no logging trap
!
! AAA: local authentication/authorisation plus a password-complexity policy
aaa new-model
aaa authentication login default local line enable
aaa authorization network default local if-authenticated
aaa authorization exec default local if-authenticated
aaa authorization config-commands
aaa authorization console
aaa session-id common
aaa common-criteria policy iiot_policy
 min-length 10
 max-length 127
 numeric-count 1
 upper-case 1
 lower-case 1
 char-changes 4
!
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
login on-success log
ip nbar http-services
ip name-server 8.8.8.8 8.8.4.4
!
! IPv4 DHCP server for the LAN
ip dhcp excluded-address 192.168.10.0 192.168.10.99
ip dhcp excluded-address 192.168.10.200 192.168.10.255
ip domain name personal
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 domain-name personal
 dns-server 8.8.8.8 8.8.4.4
 netbios-node-type h-node
 import all
 update arp
 lease 8
!
! IPv6: stateless DHCPv6 pool (DNS and domain only; addresses come from SLAAC)
ipv6 unicast-routing
ipv6 dhcp pool PREFIX_2
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844
 domain-name personal
no ipv6 source-route
!
! NetFlow record, exporter and monitor (collector on the LAN)
flow record netflow
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect counter packets long
 collect counter bytes long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
flow exporter netflow
 destination 192.168.10.200
 transport udp 2055
 source Vlan1
flow monitor netflow
 exporter netflow
 record netflow
!
spanning-tree extend system-id
spanning-tree vlan 1 priority 8192
username admin privilege 15 secret setme
!
vlan internal allocation policy ascending
lldp run
!
! Zone-based firewall: class-maps (ACL match plus protocol match)
class-map type inspect match-all ICMP
 match access-group name ICMP
class-map type inspect match-all DHCP
 match access-group name DHCP
class-map type inspect match-all VPN
 match access-group name VPN
class-map type inspect match-all ICMPv6
 match access-group name ICMPv6
class-map type inspect match-all DHCPv6
 match access-group name DHCPv6
class-map type inspect match-all VPNv6
 match access-group name VPNv6
class-map type inspect match-any BY_PROTOCOL
 match protocol telnet
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol tftp
 match protocol https
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map match-any BY_CATEGORY
 match protocol attribute category browsing
 match protocol attribute category social-networking
 match protocol attribute category software-updates
 match protocol attribute category file-sharing
 match protocol attribute category trojan
class-map type inspect match-all LAN_TO_WAN
 match access-group name LAN_TO_WAN
 match class-map BY_PROTOCOL
class-map type inspect match-all LAN_TO_WANv6
 match access-group name LAN_TO_WANv6
 match class-map BY_PROTOCOL
class-map type inspect match-all WAN_TO_LAN
 match access-group name WAN_TO_LAN
 match class-map BY_PROTOCOL
class-map type inspect match-all WAN_TO_LANv6
 match access-group name WAN_TO_LANv6
 match class-map BY_PROTOCOL
class-map type inspect match-all WAN_TO_SELF
 match access-group name WAN_TO_SELF
 match class-map BY_PROTOCOL
class-map type inspect match-all WAN_TO_SELFv6
 match access-group name WAN_TO_SELFv6
 match class-map BY_PROTOCOL
class-map type inspect match-all SELF_TO_WAN
 match access-group name SELF_TO_WAN
 match class-map BY_PROTOCOL
class-map type inspect match-all SELF_TO_WANv6
 match access-group name SELF_TO_WANv6
 match class-map BY_PROTOCOL
!
! AVC (category) policy nested under the LAN<->WAN inspect classes
policy-map type inspect avc BY_CATEGORY
 class BY_CATEGORY
  allow
 class class-default
  allow
!
! Inspect policies, one per zone-pair; unmatched traffic is dropped
policy-map type inspect SELF_TO_WAN
 class type inspect ICMP
  inspect
 class type inspect ICMPv6
  inspect
 class type inspect DHCP
  inspect
 class type inspect DHCPv6
  inspect
 class type inspect VPN
  inspect
 class type inspect VPNv6
  inspect
 class type inspect SELF_TO_WAN
  inspect
 class type inspect SELF_TO_WANv6
  inspect
 class class-default
  drop
policy-map type inspect WAN_TO_SELF
 class type inspect ICMP
  inspect
 class type inspect ICMPv6
  inspect
 class type inspect DHCP
  inspect
 class type inspect DHCPv6
  inspect
 class type inspect VPN
  inspect
 class type inspect VPNv6
  inspect
 class type inspect WAN_TO_SELF
  inspect
 class type inspect WAN_TO_SELFv6
  inspect
 class class-default
  drop
policy-map type inspect LAN_TO_WAN
 class type inspect ICMP
  inspect
 class type inspect ICMPv6
  inspect
 class type inspect LAN_TO_WAN
  inspect
  service-policy avc BY_CATEGORY
 class type inspect LAN_TO_WANv6
  inspect
  service-policy avc BY_CATEGORY
 class class-default
  drop
policy-map type inspect WAN_TO_LAN
 class type inspect ICMP
  inspect
 class type inspect ICMPv6
  inspect
 class type inspect WAN_TO_LAN
  inspect
  service-policy avc BY_CATEGORY
 class type inspect WAN_TO_LANv6
  inspect
  service-policy avc BY_CATEGORY
 class class-default
  drop
!
! Zones and zone-pairs (self zone pairs are needed for DHCPv6 to the router itself)
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_LAN source WAN destination LAN
 service-policy type inspect WAN_TO_LAN
zone-pair security SELF_TO_WAN source self destination WAN
 service-policy type inspect SELF_TO_WAN
zone-pair security WAN_TO_SELF source WAN destination self
 service-policy type inspect WAN_TO_SELF
!
! Interfaces: WAN gets IPv4 via DHCP and an IPv6 prefix via DHCPv6-PD (PREFIX_1)
interface Null0
 no ip unreachables
interface GigabitEthernet0/0/0
 description FIBRE WAN / INTERNET
 ip flow monitor netflow input
 ip flow monitor netflow output
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 zone-member security WAN
 negotiation auto
 ipv6 dhcp client pd PREFIX_1 rapid-commit
 ipv6 address autoconfig default
 ipv6 enable
 no ipv6 redirects
interface GigabitEthernet0/0/1
 description FIBRE WAN / BACKUP
 no ip address
 zone-member security WAN
 negotiation auto
interface GigabitEthernet0/1/0
 description INTERNAL LAN / SPARE
interface GigabitEthernet0/1/1
 description INTERNAL LAN / SPARE
interface GigabitEthernet0/1/2
 description INTERNAL LAN / SPARE
interface GigabitEthernet0/1/3
 description INTERNAL LAN / SPARE
interface GigabitEthernet0/1/4
 description INTERNAL LAN / SPARE
interface GigabitEthernet0/1/5
 description INTERNAL LAN / SPARE
interface GigabitEthernet0/1/6
 description INTERNAL LAN / SPARE
interface GigabitEthernet0/1/7
 description INTERNAL LAN / SPARE
! LAN SVI: carves a subnet out of the delegated prefix and serves stateless DHCPv6
interface Vlan1
 description INTERNAL LAN / VLAN
 ip flow monitor netflow input
 ip flow monitor netflow output
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 ip nat inside
 zone-member security LAN
 ipv6 address PREFIX_1 ::1/62
 ipv6 dhcp server PREFIX_2
 ipv6 nd other-config-flag
 ipv6 enable
 no ipv6 redirects
!
ip tcp synwait-time 10
ip tcp path-mtu-discovery age-timer 20
ip forward-protocol nd
ip tftp source-interface Vlan1
ip ftp source-interface Vlan1
ip http authentication local
ip http server
no ip http secure-server
!
! IPv4 PAT for the LAN behind the WAN interface address
ip nat inside source route-map LAN_TO_WAN_MAP interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Vlan1
ip ssh version 2
ip scp server enable
!
! ACLs referenced by the inspect class-maps (IPv4)
ip access-list extended LAN_TO_WAN
 10 permit ip any any
ip access-list extended WAN_TO_LAN
 10 deny ip any any
ip access-list extended SELF_TO_WAN
 10 permit ip any any
ip access-list extended WAN_TO_SELF
 10 deny ip any any
ip access-list extended ICMP
 10 permit icmp any any
ip access-list extended DHCP
 10 permit udp any eq bootps any
 20 permit udp any eq bootpc any
 30 permit udp any any eq bootps
 40 permit udp any any eq bootpc
ip access-list extended VPN
 10 permit udp any any eq isakmp
 20 permit udp any any eq non500-isakmp
 30 permit ahp any any
 40 permit esp any any
ip access-list extended LAN_TO_WAN_NAT
 10 permit ip 192.168.10.0 0.0.0.255 any
ip access-list standard VTY
 10 permit 192.168.10.0 0.0.0.255
!
! ACLs referenced by the inspect class-maps (IPv6)
ipv6 access-list LAN_TO_WANv6
 sequence 10 permit ipv6 any any
ipv6 access-list WAN_TO_LANv6
 sequence 10 permit ipv6 any any
ipv6 access-list SELF_TO_WANv6
 sequence 10 deny ipv6 any any
ipv6 access-list WAN_TO_SELFv6
 sequence 10 deny ipv6 any any
ipv6 access-list ICMPv6
 sequence 10 permit icmp any any
ipv6 access-list DHCPv6
 sequence 10 permit udp any eq 546 any
 sequence 20 permit udp any eq 547 any
 sequence 30 permit udp any any eq 546
 sequence 40 permit udp any any eq 547
ipv6 access-list VPNv6
 sequence 10 permit udp any any eq isakmp
 sequence 20 permit udp any any eq non500-isakmp
 sequence 30 permit ahp any any
 sequence 40 permit esp any any
!
route-map LAN_TO_WAN_MAP permit 10
 match ip address LAN_TO_WAN_NAT
!
snmp-server packetsize 2048
snmp-server contact Personal User
snmp-server chassis-id Home
snmp-server system-shutdown
snmp-server manager
!
banner motd '
/----------------------------------------------------------------------------\
| System Property Of: Personal User |
|----------------------------------------------------------------------------|
| This Is A Private System -- Authorised Access Only |
| Disconnect Immediately If You Are Not Authorised To Access This System |
| Unauthorised Access Will Be Logged And Could Constitute A Criminal Offence |
| Such Logs May Be Used As Evidence In Legal Proceedings |
\----------------------------------------------------------------------------/
'
!
line con 0
 session-timeout 600
 exec-timeout 0 0
 logging synchronous
 history size 256
 transport preferred ssh
 transport output all
 stopbits 1
line vty 0 15
 session-timeout 600
 access-class VTY in
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 history size 256
 transport preferred ssh
 transport input ssh
 transport output all
!
ntp source Vlan1
ntp server 85.199.214.100 prefer
ntp server 178.79.155.116 minpoll 10
ntp server 139.59.199.215 minpoll 10
ntp logging
end
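The zone firewall above layers three things per direction: an ACL, a match-all inspect class-map that references it (and the BY_PROTOCOL class), and an inspect policy-map bound to a zone-pair. Whether unsolicited WAN traffic really reaches the LAN is therefore decided by the ACL behind each inspected class, and the IPv4 and IPv6 ACLs have to be checked separately. The script below is an added example for this post, not part of the original config and not a Cisco tool; it parses only the constructs the post uses (named IPv4/IPv6 ACLs, inspect class-maps keyed on an access-group, inspect policy-maps, zone-pairs) and lists every class on a zone-pair sourced from the untrusted zone whose action is inspect or pass and whose ACL permits traffic from any source. The embedded config is a constructed excerpt of the posted WAN-to-LAN path in `show running-config` layout.

```python
"""Audit a Cisco IOS zone-based-firewall config for inbound classes whose ACL
permits any source.  Added example, not part of the original post; the parser
covers only the constructs that config uses."""
import re

# Constructed excerpt of the posted WAN-to-LAN path (one-space IOS indentation).
SAMPLE_CONFIG = """\
class-map type inspect match-all ICMP
 match access-group name ICMP
class-map type inspect match-all WAN_TO_LAN
 match access-group name WAN_TO_LAN
 match class-map BY_PROTOCOL
class-map type inspect match-all WAN_TO_LANv6
 match access-group name WAN_TO_LANv6
 match class-map BY_PROTOCOL
policy-map type inspect WAN_TO_LAN
 class type inspect ICMP
  inspect
 class type inspect WAN_TO_LAN
  inspect
 class type inspect WAN_TO_LANv6
  inspect
 class class-default
  drop
zone-pair security WAN_TO_LAN source WAN destination LAN
 service-policy type inspect WAN_TO_LAN
ip access-list extended WAN_TO_LAN
 10 deny ip any any
ip access-list extended ICMP
 10 permit icmp any any
ipv6 access-list WAN_TO_LANv6
 sequence 10 permit ipv6 any any
"""


def parse_blocks(text):
    """Group an IOS config into (header, sub-lines) pairs by indentation.
    Blank lines and '!' comment lines are skipped; sub-lines are stripped."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def parse_acl_entry(line):
    """'10 deny ip any any' or 'sequence 10 permit ipv6 any any' -> (action, rest)."""
    tokens = line.split()
    if tokens and tokens[0] == "sequence":
        tokens = tokens[1:]
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        return None
    return tokens[0], " ".join(tokens[1:])


def parse_config(text):
    """Extract ACLs, inspect class-maps (their ACL names), inspect policy-maps
    (class -> action pairs) and zone-pairs (source, destination, policy)."""
    cfg = {"acls": {}, "classes": {}, "policies": {}, "zone_pairs": {}}
    for header, body in parse_blocks(text):
        if m := re.match(r"(?:ip|ipv6) access-list (?:extended |standard )?(\S+)$", header):
            cfg["acls"][m[1]] = [e for e in map(parse_acl_entry, body) if e]
        elif m := re.match(r"class-map type inspect match-(?:all|any) (\S+)$", header):
            cfg["classes"][m[1]] = [l.split()[-1] for l in body
                                    if l.startswith("match access-group name ")]
        elif m := re.match(r"policy-map type inspect (\S+)$", header):
            rules, current = [], None
            for l in body:
                if l.startswith("class "):
                    current = l.split()[-1]
                elif current is not None:
                    rules.append((current, l.split()[0]))
            cfg["policies"][m[1]] = rules
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", header):
            policy = next((l.split()[-1] for l in body if l.startswith("service-policy")), None)
            cfg["zone_pairs"][m[1]] = (m[2], m[3], policy)
    return cfg


def source_is_any(rest):
    """True when the entry's source field is 'any' (e.g. 'ipv6 any any')."""
    tokens = rest.split()
    return len(tokens) >= 2 and tokens[1] == "any"


def audit_inbound(text, untrusted_zone="WAN"):
    """Return (zone-pair, class, acl, entry) tuples where traffic from the
    untrusted zone is inspected or passed and the class's ACL permits any source."""
    cfg = parse_config(text)
    findings = []
    for zp, (src, _dst, policy) in cfg["zone_pairs"].items():
        if src != untrusted_zone:
            continue
        for cls, action in cfg["policies"].get(policy, []):
            if action not in ("inspect", "pass"):
                continue
            for acl in cfg["classes"].get(cls, []):
                for act, rest in cfg["acls"].get(acl, []):
                    if act == "permit" and source_is_any(rest):
                        findings.append((zp, cls, acl, f"permit {rest}"))
    return findings


if __name__ == "__main__":
    for zp, cls, acl, entry in audit_inbound(SAMPLE_CONFIG):
        print(f"{zp}: class {cls} inspects ACL {acl}, entry '{entry}' (any source)")
```

On the excerpt it reports the ICMP class (`permit icmp any any`) and WAN_TO_LANv6 (`permit ipv6 any any`), while the IPv4 WAN_TO_LAN class, whose ACL denies, is not listed. Whether each reported class is intended is for the operator to decide; the script only makes the asymmetry between the v4 and v6 ACLs visible instead of relying on a probe from the outside that may have exercised one address family only.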