Citrix ADC / NetScaler IPv6 Black and Whitelist

Published by Jeroen Tielen on

In this blog post from begining 2020 I created a black and white list for IPv4.
Here is an update to achieve the same but then for IPv6.
If you dont have IPv6 running already read this post 😉 

Note 1: The defaults are just for example and you need to fill in the public ip’s which you want to block/whitelist.
Note 2: Hackers use other ip’s or use VPN’s. So this is no 100% safe solution but just an extra step.
Note 3: I’m not responsible for any damage 😉

This black and white list is a bit different then the IPv4 version. As we cant match the ipv6 subnet directly into the pattern set. To bad. 🙁

There are some examples in the pattern sets already and here is the explenation:

  • 2a02:a446::
    • The complete subnet is 2a02:a446:0000:0000:0000:0000:0000:0000
    • This equals to a /32 subnet
  • 2a02:a446:3::
    • The complete subnet is 2a02:a446:0003:0000:0000:0000:0000:0000
    • This equals to a /48 subnet
  • 2a02:a446:10::
    • The complete subnet is 2a02:a446:0010:0000:0000:0000:0000:0000
    • This equals to an /44 subnet

So when adding a subnet to the pattern set make sure you end with the double colons. And alway strip leading zeros, or else there will be no hit 😉

The expression in the responder policies will only filter /16, /20, /24, /28, /32, /36, /40, /44 and /48 subnets. Do you need others, change them and dont forget to add a policy expression as well.

Bind the required responder policy to the virtual server and you are good to go.

If someone has done it different please let me know in the comments. 😉


Jeroen Tielen

Experienced Consultant/Architect with a demonstrated history of working in the information technology and services industry. Skilled in Citrix, Microsoft, VMware, Ivanti, etc.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: