Re: Disable IPv6 on 2960-X

zkorossy · ‎02-26-2022

We use 2960-X switches and want to configure them so no IPv6 traffic can be sent. We don't use IPv6 and want to drop all traffic to help mitigate security vulnerabilities associated with it. How would I go about doing that?

balaji.bandi · ‎02-26-2022

Check is the IPv6 enable first :

#show sdm prefer

#show ipv6 interface
#show ipv6 protocols

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul driver · ‎02-28-2022

@zkorossy wrote:

We don't use IPv6 and want to drop all traffic to help mitigate security vulnerabilities associated with it. How would I go about doing that?

You would want to apply some ipv6 security just as you would do for ipv4, Even if you dont have Ipv6 enabled on your network most windows hosts are dual stack now as such you would want to negate any unwarranted neighbor discovery or router solicitation from those clients, The below should provide such protection with dhcp snooping/guard applied also for ipv6 (defaults should be applicable)

Layer2
ipv6 nd inspection policy ND
ipv6 nd raguard policy RA
ipv6 snooping policy Snoop
ipv6 dhcp guard policy Dhcp_Guard

vlan configuration X <vlan>
ipv6 nd inspection attach-policy ND
ipv6 nd raguard attach-policy RA
ipv6 snooping attach-policy Snoop
ipv6 dhcp guard attach-policy Dhcp_Guard

Layer3
ipv6 access-list no_dhcpv6
deny ipv6 any any

interface Vlan X
ipv6 nd prefix default no-advertise
ipv6 nd managed-config-flag
ipv6 nd ra suppress all
ipv6 nd ra lifetime 0
ipv6 traffic-filter no_dhcpv6 in

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

zkorossy · ‎02-28-2022

But if the switch isn't passing any IPv6 traffic, then there shouldn't be any discovery or router solicitation, correct?

paul driver · ‎02-28-2022

Hello
This is not the case even if you network isn’t enable for IPV6 but you have client hosts that are dual stack enabled then through the use IPV6 using SLACC for instance, address allocation can be obtained and ipv6 hosts could further query for information such has DNS, MIM attacking hosts can forge such activity and then gain access to your network traffic via ipv6.

Large scale flooding is another possibility through neighbor solicitation which could increase cpu/memory utilization of you network devices

You should consider L2 ipv6 security (snooping, RA/Ns, source guard etc..) just as much as you would for IPV4 L2 security

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

zkorossy · ‎02-28-2022

I guess I don't understand why. Even if clients connected to the switch are dual stack, if the switch doesn't pass IPv6 traffic beyond their port, then what can they do?

paul driver · ‎02-28-2022

Hello
Lets say you have windows clients, then by default they are dual stacked and if you haven’t negated this default feature then you do have ipv6 active.
This means that clients within your network would already actively have IPv6 locally and would be able to reach each other, and then what’s to stop anyone inadvertently initiating IPv6 globally?

So now if you have no ipv6 layer 2 security then nothing is to stop you being susceptible to the same attacks that are applicable within ipv4 layer 2., - be it at ipv6 level (arp spoofing, dhcp rouges, unwarranted host RA's/neighbour discovery’s etc..)

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul