Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10350
Views
10
Helpful
3
Replies

Disabling IPV6 effects?

Go to solution
NInja Black
Level 1
Level 1

‎03-19-2014 01:27 PM - edited ‎03-01-2019 05:44 PM

Hi,

 As we are not using IPV6 at all I want to disable it on our 4500 switch.

 

Will this cause any impact to the existing connections?

 

Can I make the changes during working hours or wait and execute the 'no ipv6 unicast-routing' command after office hours?

 

Thanks.

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Phillip Remaker
Cisco Employee
Cisco Employee

‎03-19-2014 05:00 PM

It should be perfectly fine to use the command during office hours, but it is a best practice to make changes after office hours.

 

View solution in original post

0 Helpful

Go to solution
James Leinweber
Level 4
Level 4
In response to Phillip Remaker

‎03-20-2014 09:53 AM

Note that it isn't best practice to disable IPv6 on the switch unless the network contains 100% v4-only clients.  If you have any modern clients (Linux, OS-X > 10.4, Windows > XP, tablets, smartphones, ...) at all they are dual-stack by default, and even if you are only routing v4, miscreants with on-link zombies could conduct a dual-stack man-in-the-middle attack where they broadcast RA's, get the clients to autoconfigure SLAAC v6 addresses, and have the zombie be the default gateway and DNS server.   Since the clients will prefer v6 addresses to v4, they will preferentially send all off-site traffic to the zombie over v6, where it can be proxied through NAT-PT into modified v4 traffic out.

Also, dual-stack clients may try to tunnel 6to4 or Teredo or ISATAP traffic off-link, and in general your IPS and firewall do a bad job of inspecting inside tunnels. 

So, even on v4-only subnets, you want your layer-2 switch defenses to prevent client port DHCPv6 service and ICMPv6 RA's and ICMPv6 redirects, just like you want filters against v4 DHCP service and ICMPv4 redirects.   And you want your network monitoring to be dual-stack, and you want your firewall to block IPv6 tunnel technologies, particularly the protocol 41 encapsulation and the 3544/UDP Teredo server port.

Plus, with backbone v6 traffic levels already in the 3-70% range (depending on where you look), it's time to be getting live v6 experience.

That said, if you really want v6 off, check your sdm prefer stance.  You can reload the switch to not dedicate any TCAM to v6.  But you'll lose the ability to filter against rogue v6 clients in the process.

-- Jim Leinweber, WI State Lab of Hygiene

View solution in original post

3 Replies 3

Go to solution
Phillip Remaker
Cisco Employee
Cisco Employee

‎03-19-2014 05:00 PM

It should be perfectly fine to use the command during office hours, but it is a best practice to make changes after office hours.

 

0 Helpful

Go to solution
James Leinweber
Level 4
Level 4
In response to Phillip Remaker

‎03-20-2014 09:53 AM

Note that it isn't best practice to disable IPv6 on the switch unless the network contains 100% v4-only clients.  If you have any modern clients (Linux, OS-X > 10.4, Windows > XP, tablets, smartphones, ...) at all they are dual-stack by default, and even if you are only routing v4, miscreants with on-link zombies could conduct a dual-stack man-in-the-middle attack where they broadcast RA's, get the clients to autoconfigure SLAAC v6 addresses, and have the zombie be the default gateway and DNS server.   Since the clients will prefer v6 addresses to v4, they will preferentially send all off-site traffic to the zombie over v6, where it can be proxied through NAT-PT into modified v4 traffic out.

Also, dual-stack clients may try to tunnel 6to4 or Teredo or ISATAP traffic off-link, and in general your IPS and firewall do a bad job of inspecting inside tunnels. 

So, even on v4-only subnets, you want your layer-2 switch defenses to prevent client port DHCPv6 service and ICMPv6 RA's and ICMPv6 redirects, just like you want filters against v4 DHCP service and ICMPv4 redirects.   And you want your network monitoring to be dual-stack, and you want your firewall to block IPv6 tunnel technologies, particularly the protocol 41 encapsulation and the 3544/UDP Teredo server port.

Plus, with backbone v6 traffic levels already in the 3-70% range (depending on where you look), it's time to be getting live v6 experience.

That said, if you really want v6 off, check your sdm prefer stance.  You can reload the switch to not dedicate any TCAM to v6.  But you'll lose the ability to filter against rogue v6 clients in the process.

-- Jim Leinweber, WI State Lab of Hygiene

Go to solution
NInja Black
Level 1
Level 1
In response to James Leinweber

‎03-24-2014 06:11 AM

Thanks for the detailed explanation Jim.

Very informative.

0 Helpful
Customers Also Viewed These Support Documents