Filtering/Dropping IPv6 on IPv4-only Devices?

mpervere · ‎01-21-2009

Hi All -

Got an interesting requirement that (for something seemingly simple) has been remarkably challenging to locate a solution for...

Having a problem with random IPv6 traffic showing up on the enterprise LAN from time to time and freaking out certain network-connected devices that don't know how to process it (CPU 100%, etc.). So I'm looking for a way to filter/drop that IPv6 traffic at the network edge. I can certainly set the core 6500's not route (or even ignore) IPv6, but that still doesn't stop it from running around WITHIN a VLAN.

Is there a way that a IPv4-only device can identify IPv6 traffic (by a protocol type code or something along that line) so that it can be filtered/dropped before it even makes it onto the backbone?

Thanks in advance!

Mike

Collin Clark · ‎01-26-2009

Mike-

Good question! The first thing I thought of was VACL's, but VACLs w/IPv6 are not supported on the 6000 series switch.

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml#vacl

Are the 6500's your access layer? Are they your L3 gateway? Is it possible for you to find the device(s) running IPv6 and correct them?

duncanm · ‎01-26-2009

"but that still doesn't stop it from running around WITHIN a VLAN"

You are correct. The good thing is IPv6 devices use their MAC to go out looking for other IPv6 devices. You can capture the traffic with an IPS and use the MAC to find it.

If you don't have an IPS my ASA\PIXes generate a "no route to" for IPv6 destinations and I can pull the MAC from the message.

AS for keeping it off the backbone, don't enable IPv6 routing and it will be dropped.