03-19-2014 01:27 PM - edited 03-01-2019 05:44 PM
Hi,
As we are not using IPV6 at all I want to disable it on our 4500 switch.
Will this cause any impact to the existing connections?
Can I make the changes during working hours or wait and execute the 'no ipv6 unicast-routing' command after office hours?
Thanks.
03-19-2014 05:00 PM
It should be perfectly fine to use the command during office hours, but it is a best practice to make changes after office hours.
03-20-2014 09:53 AM
Note that it isn't best practice to disable IPv6 on the switch unless the network contains 100% v4-only clients. If you have any modern clients (Linux, OS X > 10.4, Windows > XP, tablets, smartphones, ...) at all they are dual-stack by default, and even if you are only routing v4, miscreants with on-link zombies could conduct a dual-stack man-in-the-middle attack where they broadcast RAs, get the clients to autoconfigure SLAAC v6 addresses, and have the zombie be the default gateway and DNS server. Since the clients will prefer v6 addresses to v4, they will preferentially send all off-site traffic to the zombie over v6, where it can be proxied through NAT-PT into modified v4 traffic out.
Also, dual-stack clients may try to tunnel 6to4 or Teredo or ISATAP traffic off-link, and in general your IPS and firewall do a bad job of inspecting inside tunnels.
So, even on v4-only subnets, you want your layer-2 switch defenses to prevent client-port DHCPv6 service, ICMPv6 RAs and ICMPv6 redirects, just like you want filters against v4 DHCP service and ICMPv4 redirects. And you want your network monitoring to be dual-stack, and you want your firewall to block IPv6 tunnel technologies, particularly the protocol 41 encapsulation and the 3544/UDP Teredo server port.
Plus, with backbone v6 traffic levels already in the 3-70% range (depending on where you look), it's time to be getting live v6 experience.
That said, if you really want v6 off, check your sdm prefer stance. You can reload the switch to not dedicate any TCAM to v6. But you'll lose the ability to filter against rogue v6 clients in the process.
-- Jim Leinweber, WI State Lab of Hygiene
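The layer-2 and border defenses Jim describes, written out as one IOS configuration fragment. This is an added example, not configuration from the thread, from Cisco documentation, or from any poster: the policy names, the ACL name, the interface ranges (client access ports and an uplink) and the assumption that the 4500 runs a release with the IPv6 First Hop Security policy syntax (`ipv6 nd raguard policy`, `ipv6 dhcp guard policy`) are all assumptions to be adapted to the actual switch.

```cisco
! --- IPv6 First Hop Security on client-facing ports (assumed syntax) ---
! RA guard: ports in the "host" role drop any Router Advertisement a client
! sends, so a rogue on-link device cannot become the v6 default gateway.
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! DHCPv6 guard: ports in the "client" role drop DHCPv6 server replies and
! advertisements, so a rogue device cannot hand out v6 addresses or DNS.
ipv6 dhcp guard policy CLIENT-PORTS
 device-role client
!
! Assumed client access port range; attach both policies there.
interface range GigabitEthernet1/1 - 48
 switchport mode access
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy CLIENT-PORTS
!
! --- Matching IPv4 protection: DHCP snooping (assumed client VLAN 10) ---
! Access ports are untrusted by default, so rogue v4 DHCP servers are dropped;
! only the uplink toward the real DHCP server is marked trusted.
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet1/49
 ip dhcp snooping trust
!
! --- Border filter against IPv6 tunnelling (assumed uplink interface) ---
! Protocol 41 carries 6to4 and ISATAP; UDP/3544 is the Teredo server port.
! Dropping both keeps dual-stack clients from tunnelling v6 out past the
! IPS and firewall that only inspect native v4.
ip access-list extended BLOCK-V6-TUNNELS
 deny 41 any any
 deny udp any any eq 3544
 deny udp any eq 3544 any
 permit ip any any
!
interface GigabitEthernet1/49
 ip access-group BLOCK-V6-TUNNELS in
 ip access-group BLOCK-V6-TUNNELS out
!
! Verification after applying (IOS show commands):
!   show ipv6 nd raguard policy HOST-PORTS
!   show ipv6 dhcp guard policy CLIENT-PORTS
!   show ip dhcp snooping
!   show ip access-lists BLOCK-V6-TUNNELS   (deny counters rise if tunnels are attempted)
```

The ACL counters on `BLOCK-V6-TUNNELS` double as the "dual-stack monitoring" Jim asks for: a rising hit count on the protocol 41 or UDP 3544 lines is direct evidence that a client on the supposedly v4-only network is trying to tunnel v6, and is worth feeding to syslog or the monitoring system. Note that RA guard and DHCPv6 guard handle RAs and DHCPv6 but not ICMPv6 redirects; filtering those needs an IPv6 ACL on the client ports, which is left out here because its applicability to layer-2 ports varies by platform and release.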
03-24-2014 06:11 AM
Thanks for the detailed explanation Jim.
Very informative.