01-21-2009 07:34 PM - edited 03-09-2019 09:58 PM
Hi All -
Got an interesting requirement that (for something seemingly simple) has been remarkably challenging to locate a solution for...
Having a problem with random IPv6 traffic showing up on the enterprise LAN from time to time and freaking out certain network-connected devices that don't know how to process it (CPU 100%, etc.). So I'm looking for a way to filter/drop that IPv6 traffic at the network edge. I can certainly set the core 6500s to not route (or even ignore) IPv6, but that still doesn't stop it from running around WITHIN a VLAN.
Is there a way that an IPv4-only device can identify IPv6 traffic (by a protocol type code or something along that line) so that it can be filtered/dropped before it even makes it onto the backbone?
Thanks in advance!
Mike
01-26-2009 08:21 AM
Mike-
Good question! The first thing I thought of was VACLs, but VACLs with IPv6 are not supported on the 6000 series switch.
Are the 6500's your access layer? Are they your L3 gateway? Is it possible for you to find the device(s) running IPv6 and correct them?
01-26-2009 09:28 AM
"but that still doesn't stop it from running around WITHIN a VLAN"
You are correct. The good thing is IPv6 devices use their MAC to go out looking for other IPv6 devices. You can capture the traffic with an IPS and use the MAC to find it.
If you don't have an IPS, my ASA/PIXes generate a "no route to" for IPv6 destinations and I can pull the MAC from the message.
As for keeping it off the backbone, don't enable IPv6 routing and it will be dropped.
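The "protocol type code" the original poster asks about is the Ethernet EtherType: IPv6 is carried with EtherType 0x86DD (0x8100 when the frame carries an 802.1Q VLAN tag, with the real EtherType following the tag), so any device that can look at the frame header can recognise IPv6 without understanding IPv6. The script below is an added example, not code from this thread or from Cisco; it parses raw Ethernet frames, flags the IPv6 ones by EtherType, and reports the source MAC (plus the IPv6 source address, where a header is present) so the offending host can be tracked down on the switch, as the reply above suggests. The frames, MAC addresses and IPv6 addresses in it are constructed for the example, not captured traffic.

```python
import ipaddress
import struct

# IEEE-registered EtherType values (facts, not assumptions)
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag; the real EtherType follows the 4-byte tag
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806


def mac_str(raw):
    """Render 6 raw bytes as a colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Split an Ethernet II frame into (dst_mac, src_mac, vlan_id, ethertype, payload).

    vlan_id is None for untagged frames. Returns None for runt frames too short
    to carry a header, so callers can skip them instead of crashing.
    """
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    return mac_str(dst), mac_str(src), vlan_id, ethertype, frame[offset:]


def ipv6_source(payload):
    """Return the source address from a 40-byte IPv6 fixed header, or None."""
    if len(payload) < 40 or (payload[0] >> 4) != 6:   # version nibble must be 6
        return None
    return str(ipaddress.IPv6Address(payload[8:24]))


def find_ipv6_talkers(frames):
    """Map each source MAC that sent IPv6 to the set of (vlan_id, ipv6_src) seen.

    The match is on EtherType alone, which is all an IPv4-only filter needs;
    the IPv6 address is pulled out only to help locate the host.
    """
    talkers = {}
    for frame in frames:
        parsed = parse_ethernet(frame)
        if parsed is None:
            continue
        _dst, src, vlan_id, ethertype, payload = parsed
        if ethertype != ETHERTYPE_IPV6:
            continue
        talkers.setdefault(src, set()).add((vlan_id, ipv6_source(payload)))
    return talkers


# --- constructed sample frames (not captured traffic) ------------------------

def build_ipv6_frame(src_mac, dst_mac, src_ip, dst_ip, vlan_id=None):
    """Build a frame with an IPv6 header and a stub ICMPv6 Router Solicitation."""
    icmpv6 = bytes([133, 0, 0, 0, 0, 0, 0, 0])   # type 133; checksum left zero
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmpv6), 58, 255,
                      ipaddress.IPv6Address(src_ip).packed,
                      ipaddress.IPv6Address(dst_ip).packed) + icmpv6
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id) if vlan_id is not None else b""
    return (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", ""))
            + tag + struct.pack("!H", ETHERTYPE_IPV6) + ip6)


SAMPLE_FRAMES = [
    # untagged Router Solicitation to the all-routers multicast MAC 33:33:00:00:00:02
    build_ipv6_frame("00:1b:21:aa:bb:cc", "33:33:00:00:00:02",
                     "fe80::21b:21ff:feaa:bbcc", "ff02::2"),
    # same host, seen on VLAN 10 through a tagged trunk
    build_ipv6_frame("00:1b:21:aa:bb:cc", "33:33:00:00:00:02",
                     "fe80::21b:21ff:feaa:bbcc", "ff02::2", vlan_id=10),
    # IPv4 ARP request from another host: must not be flagged
    bytes.fromhex("ffffffffffff" "001122334455") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28),
    # runt frame: skipped, not an error
    b"\x00" * 9,
]


if __name__ == "__main__":
    for mac, seen in sorted(find_ipv6_talkers(SAMPLE_FRAMES).items()):
        for vlan_id, addr in sorted(seen, key=lambda s: (s[0] or 0, s[1] or "")):
            print(f"IPv6 from {mac} vlan={vlan_id} src={addr}")
```

Feeding real frames in (a SPAN session into a pcap, for instance) is left to the reader; the point is that the decision is made on the 2-byte EtherType, so a MAC-layer ACL keyed on 0x86DD can drop the traffic on switches that support such ACLs, and the source MAC from the same frames is what you look up in the CAM table to find the port.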