Disable IPv6 on router IOS

john.cottingim
Level 1

I've found this question has been asked many times on the web and in the Cisco forums. But I've never found an answer. I'm hoping that someone out there has the answer hidden in their back pocket.

The question:

How do you disable IPv6 listening ports in a Cisco IOS router?

With absolutely no IPv6 configuration on a router, the listening ports are created when SNMP communities or NTP are configured. This symptom exists across several Cisco platforms (6500, 3700, 2800 to name a few) and IOS versions.

Example:

(The following is the complete output from a test device.)

router#show ip sockets | include ^P|v6 !Notice no ports listening from this command!
Proto       Remote      Port      Local       Port  In Out  Stat TTY OutputIF
router#
router#config t

Enter configuration commands, one per line. End with CNTL/Z.
router(config)#snmp-server community test
router(config)#end
router#show ip sockets | include ^P|v6
Proto       Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17(v6)  --listen--          --any--           161   0   0 20001   0
 17(v6)  --listen--          --any--           162   0   0 20011   0
 17(v6)  --listen--          --any--         59017   0   0 20001   0
router#
router#
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ntp server 1.1.1.1
router(config)#end
router#
router#show ip sockets | include ^P|v6

Proto       Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17(v6)  --listen--          --any--           161   0   0 20001   0
 17(v6)  --listen--          --any--           162   0   0 20011   0
 17(v6)  --listen--          --any--         59017   0   0 20001   0
 17(v6)  --listen--          --any--           123   0   0 20001   0

What is not the answer:

  • Disable SNMP/NTP.
    • We must be able to manage the router with SNMP and set the clock accurately.

  • Secure SNMP/NTP with an IPv6 ACL.
    • Securing the ports with an ACL is not the same as disabling them and doesn't answer the question.

  • Questions such as: Why would you want to disable them anyway if no other IPv6 configuration exists?
    • The reason we have for disabling is complex, compliance-related, and is outside of the scope of this discussion.

Possible answers:

  • The IPv6 listening ports are required for the processes to run and can't be disabled.
    • If the IPv6 listening ports truly cannot be disabled, then this statement must come from Cisco.

  • Some command(s) (even if they are hidden) that will disable IPv6 listening ports and eliminate them from the "show ip sockets" command output.
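
Added example, not part of the original post: a small Python audit that parses captured `show ip sockets` output in the row layout shown above and lists every IPv6 listening socket, so the symptom can be checked across many devices. The function names, the port-to-service map and the `allowed` exception set are assumptions made for this illustration.

```python
import re

# Constructed sample: the final "show ip sockets | include ^P|v6" capture from the post above.
SAMPLE = """\
Proto       Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17(v6)  --listen--          --any--           161   0   0 20001   0
 17(v6)  --listen--          --any--           162   0   0 20011   0
 17(v6)  --listen--          --any--         59017   0   0 20001   0
 17(v6)  --listen--          --any--           123   0   0 20001   0
"""

# IP protocol numbers as printed in the Proto column.
PROTO_NAMES = {6: "tcp", 17: "udp"}
# Well-known ports for the two features the post configures (assumed mapping for labelling).
KNOWN_PORTS = {123: "ntp", 161: "snmp", 162: "snmp-trap"}

# Row layout as it appears in the post: proto(v6) --listen-- --any-- <local port> ...
ROW = re.compile(r"^\s*(\d+)\(v6\)\s+--listen--\s+--any--\s+(\d+)\b")


def ipv6_listeners(output):
    """Return [(proto, port, service)] for each IPv6 listening socket in the capture."""
    found = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header row, prompts, IPv4 rows, blank lines
        proto, port = int(m.group(1)), int(m.group(2))
        found.append((PROTO_NAMES.get(proto, str(proto)), port,
                      KNOWN_PORTS.get(port, "unidentified")))
    return found


def audit(output, allowed=frozenset()):
    """Return listeners whose (proto, port) is not in the documented exception set."""
    return [entry for entry in ipv6_listeners(output)
            if (entry[0], entry[1]) not in allowed]


if __name__ == "__main__":
    for proto, port, service in audit(SAMPLE):
        print(f"IPv6 listener: {proto}/{port} ({service})")
```
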
