Disabling IPV6 effects?

NInja Black
Level 1

Hi,

As we are not using IPv6 at all I want to disable it on our 4500 switch.

Will this cause any impact to the existing connections?

Can I make the changes during working hours or wait and execute the 'no ipv6 unicast-routing' command after office hours?

Thanks.

2 Accepted Solutions

Phillip Remaker
Cisco Employee

It should be perfectly fine to use the command during office hours, but it is a best practice to make changes after office hours.


Note that it isn't best practice to disable IPv6 on the switch unless the network contains 100% v4-only clients. If you have any modern clients (Linux, OS-X > 10.4, Windows > XP, tablets, smartphones, ...) at all they are dual-stack by default, and even if you are only routing v4, miscreants with on-link zombies could conduct a dual-stack man-in-the-middle attack where they broadcast RAs, get the clients to autoconfigure SLAAC v6 addresses, and have the zombie be the default gateway and DNS server. Since the clients will prefer v6 addresses to v4, they will preferentially send all off-site traffic to the zombie over v6, where it can be proxied through NAT-PT into modified v4 traffic out.

Also, dual-stack clients may try to tunnel 6to4 or Teredo or ISATAP traffic off-link, and in general your IPS and firewall do a bad job of inspecting inside tunnels.

So, even on v4-only subnets, you want your layer-2 switch defenses to prevent client port DHCPv6 service and ICMPv6 RAs and ICMPv6 redirects, just like you want filters against v4 DHCP service and ICMPv4 redirects. And you want your network monitoring to be dual-stack, and you want your firewall to block IPv6 tunnel technologies, particularly the protocol 41 encapsulation and the 3544/UDP Teredo server port.

Plus, with backbone v6 traffic levels already in the 3-70% range (depending on where you look), it's time to be getting live v6 experience.

That said, if you really want v6 off, check your sdm prefer stance. You can reload the switch to not dedicate any TCAM to v6. But you'll lose the ability to filter against rogue v6 clients in the process.

-- Jim Leinweber, WI State Lab of Hygiene
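A Catalyst IOS configuration that puts the layer-2 and filtering defenses Jim describes into practice (RA guard, DHCPv6 guard, a port ACL against RAs and ICMPv6 redirects, and an IPv4 filter for protocol 41 and Teredo's UDP 3544), written here as an added example and not taken from this thread or from Cisco documentation. The policy names, ACL names and the interface range are assumptions, as is an IOS release and sdm template that support IPv6 first-hop security and IPv6 port ACLs, which is exactly the TCAM trade-off Jim mentions in his last paragraph.

```cisco
! RA guard: ports with this policy face hosts, so any Router
! Advertisement arriving on them is dropped (assumed name HOST-PORTS).
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! DHCPv6 guard: hosts may send client messages, but DHCPv6 server
! replies (Advertise/Reply) arriving on these ports are dropped.
ipv6 dhcp guard policy HOST-PORTS
 device-role client
!
! Port ACL backstop for ports where the guards are not available:
! drop RAs and ICMPv6 redirects sent by hosts, allow all other v6.
! Needs IPv6 TCAM, i.e. an sdm prefer template with v6 resources.
ipv6 access-list NO-ROGUE-ROUTER
 deny icmp any any router-advertisement
 deny icmp any any redirect
 permit ipv6 any any
!
! IPv4 filter for v6-in-v4 tunnels: protocol 41 (6to4, ISATAP, 6in4)
! and the Teredo server port UDP/3544. Jim places this on the
! firewall; this is the same filter as an IOS extended ACL.
ip access-list extended NO-V6-TUNNELS
 deny 41 any any
 deny udp any any eq 3544
 permit ip any any
!
! Apply everything inbound on the client-facing access ports
! (assumed range). Uplinks to the real router are left untouched,
! so legitimate RAs from it still reach the clients.
interface range GigabitEthernet1/1 - 48
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy HOST-PORTS
 ipv6 traffic-filter NO-ROGUE-ROUTER in
 ip access-group NO-V6-TUNNELS in
!
! Verification: confirm the policies and the TCAM stance Jim refers to.
show ipv6 nd raguard policy HOST-PORTS
show ipv6 dhcp guard policy HOST-PORTS
show sdm prefer
```

If `show sdm prefer` reports a template without IPv6 resources, the IPv6 port ACL will not install; the RA guard and DHCPv6 guard policies are then the only lines doing the filtering.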


3 Replies

Thanks for the detailed explanation Jim.

Very informative.