
Catalyst 3850, 4500x, 9300 completely disable ipv6

jsblach
Level 1

hi together,

how does one completely disable all ipv6 functionality of a switch? we do not use ipv6, we do not want to use ipv6 at the moment. the switches flood the network with neighbor solicitation messages for 10% of the total traffic. i really need to suppress this.

thanks in advance


balaji.bandi
Hall of Fame

Depends on the code running on each device - here is the global command:

use the no ipv6 unicast-routing 

check the below guide :

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/ipv6/b_166_ipv6_9300_cg/b_165_ipv6_3850_cg_chapter_01.html#con_1059790

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

thank you for your reply. ipv6 unicast routing is already disabled on all devices, but still they insist on using ns

then i would check what SDM configured dual stack ?

show run | in ipv6 give you any configuration done per interface level ? or any routing process ?

 

BB


there is nothing configured, and the only sdm templates i can choose are access and nat. system runs on access

 but still they insist on using ns

if nothing found, then what you seeing, can you show us also  ?

BB


jsblach
Level 1

[Attached screenshots: tschorle_0-1661428854927.png, tschorle_1-1661428989605.png, tschorle_2-1661428999879.png]

and these are originated by the switch. the white snap was a 10s recording

i would be more interested to find out that ipv6 MAC address. since we do not know your environment, we suggest to look below document :

https://blog.apnic.net/2019/10/18/how-to-ipv6-neighbor-discovery/

and find out where this ipv6 multicast for fe80XXXXXXXXXXXXXXXXXXXX673c

 

BB


the mac is the mac of the switch, like i already stated.

again, i do have multiple types of switches, which do send a lot of ns messages. in one network three switches amount for 10% of the total traffic in ns (look at my snips). i am sure that i used all the commands to disable ipv6, and i am sure that the switches are doing this without the interaction of any connected devices. i do have 3850s 9300s and 4500xs that show this behavior, but i also do have a lot of these who don't. i couldn't make out any significant differences when comparing sh run all outputs. i do have all kinds of software versions, this doesn't seem to make any difference.

These are neighbor solicitation messages. They are sent when a host joins the network to perform Duplicate Address Detection (DAD) for its link-local address. Try configuring a suppression policy; you can apply the policy at device level or interface level.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-s/ip6-nd-mcast-supp.html#GUID-5AA59D6D-7CAC-400B-8D1E-BA7FD4ACBF64

 

-hope this helps-

i tried this before and it didn't change anything. i tried it again with the same result.

JimWicks
Level 1

When you say that "the switches flood the network with these messages", do you mean that the source-mac address of these frames is from the switches, or just that the switches are forwarding these frames which are sourced from other devices connected to the switchports? The commands above will only disable the generation of IPv6 packets by the switches themselves; it will not stop them forwarding these frames within the same layer2 VLAN, because IPv6 ND are regular Ethernet multicast frames as far as the L2 switch is concerned.

If you see that many pps of what appears to be very similar frames, that would usually suggest you try to look and see if you have any topology-loop or misbehaving connected devices by tracing that stream of frames back to their source ("show mac-address dynamic").

no i mean the switch itself. to make sure that it is not a reaction to some external requests i put an access-list with icmp any any deny on all ports as in policy. sure i could block it with the same policy as out policy on the uplink, but i'd rather have the switch not doing this at all.

heleros
Level 1

Here too. I have exactly the same issue. Switches send all the time NS Messages with Source Address ::
How to deactivate ipv6 completely??? There is so much ipv6 traffic, and we don't use ipv6.
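
Added example (not part of the thread, and not Cisco code): the posts above turn on two questions, whether the NS frames carry the switch's own source MAC or are merely forwarded, and whether their IPv6 source is the unspecified address `::`. This Python script answers both for raw untagged Ethernet frames exported from a capture; the MAC addresses, IPv6 addresses and sample frames are constructed, and `build_ns` exists only to produce that sample input.

```python
import ipaddress
import struct
from collections import Counter

NS_TYPE = 135  # ICMPv6 Neighbor Solicitation (RFC 4861)

def parse_ns(frame: bytes):
    """Return (src_mac, src_ip, target) for an untagged Ethernet NS frame, else None."""
    if len(frame) < 78 or frame[12:14] != b"\x86\xdd":   # too short or not IPv6
        return None
    if frame[20] != 58 or frame[54] != NS_TYPE:          # next header ICMPv6, type NS
        return None                                      # (extension headers not walked)
    return (frame[6:12].hex(":"),
            ipaddress.IPv6Address(frame[22:38]),
            ipaddress.IPv6Address(frame[62:78]))

def summarize(frames, switch_mac):
    """Count NS frames by who sourced them and whether the IPv6 source is '::'."""
    counts = Counter()
    for frame in frames:
        ns = parse_ns(frame)
        if ns is None:
            continue
        src_mac, src_ip, _target = ns
        origin = "switch" if src_mac == switch_mac.lower() else "forwarded"
        kind = "unspecified-source" if src_ip.is_unspecified else "specified-source"
        counts[(origin, kind)] += 1
    return counts

def build_ns(src_mac, src_ip, target):
    """Build a constructed sample NS frame (checksum left at zero, not validated)."""
    tgt = ipaddress.IPv6Address(target).packed
    # Solicited-node multicast: ff02::1:ff + low 24 bits of the target
    dst_ip = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13] + tgt[13:]
    icmp = bytes([NS_TYPE, 0, 0, 0, 0, 0, 0, 0]) + tgt
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + dst_ip
    eth = b"\x33\x33" + dst_ip[12:] + bytes.fromhex(src_mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip6 + icmp

SWITCH_MAC = "00:00:5e:00:53:01"   # constructed (documentation MAC range)
SAMPLE = [                         # constructed frames, not from the thread's capture
    build_ns(SWITCH_MAC, "::", "fe80::200:5eff:fe00:5301"),
    build_ns(SWITCH_MAC, "::", "fe80::200:5eff:fe00:5301"),
    build_ns("00:00:5e:00:53:aa", "fe80::aa", "fe80::1"),
    b"\xff" * 6 + bytes.fromhex("00005e0053aa") + b"\x08\x06" + b"\x00" * 64,  # non-IPv6 filler
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE, SWITCH_MAC).items()):
        print(key, n)
```

Frames carrying an 802.1Q tag shift every offset by four bytes and are skipped by this parser, so export from an access port or strip the tag first.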

Defututus
Level 1

it could be device-tracking. If you need it try these policies

Policy for trunks:

device-tracking policy DISABLE-IP-TRACKING
 tracking disable
 trusted-port
 device-role switch

Policy for access ports:

device-tracking policy IP-TRACKING
 limit address-count 2
 security-level glean
 no protocol ndp
 no protocol dhcp6
 tracking enable reachable-lifetime 30

 
