[c-nsp] Blocking IPv6 on WiSM?
Mark Tinka
mtinka at globaltransit.net
Sat Aug 7 09:51:38 EDT 2010
On Saturday, August 07, 2010 02:57:33 am Phil Mayers wrote:
> I am also reluctant to enable "real" IPv6, which ought to
> suppress the client 6to4 activity, because (I believe)
> the IPv6 forwarding does not obey vlan-assignment, a
> feature we use to segregate clients.
>
> [Obviously I would *much* prefer to enable real IPv6, and
> we're prepared for it - except for the vlan assignment
> issue...]
Until RA Guard + DHCPv6 Snooping become routinely available
in Ethernet switches, managing this kind of problem will be
hectic at best.
We ran a network for a conference back in February, and
Windows 7/Vista boxes were handing out 6-to-4 addresses.
Annoying! As you noticed, filtering this upstream is useless
since client-to-client problems still remain. Also,
filtering upstream doesn't prevent clients from misrepresenting the network to other clients.
We had about 7 switches in production, and while it was
troublesome, it became a case of identifying the offenders'
MAC address, and applying it to MAC filters on all the
switches (since it was a wi-fi network, the offending user
could roam the floor - 25 APs in total).
Of course, a wireless controller that can manage a wi-fi
network capable of filtering v6 packets would be useful. But
then again, running your traffic through this could present
its own set of problems at scale.
Mark.
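As an added example (not from this thread, and not a Cisco/WiSM feature), a small Python script that does the identification step Mark describes: parse a router advertisement frame, flag any advertised prefix that is outside the site's own allocation (a 6to4 2002::/16 prefix from a Windows client, for instance), and report the source MAC so it can go into the switch MAC filters. The frame, the MAC 00:11:22:33:44:55 and the prefixes are constructed here; in practice the frames would come from a raw socket or a pcap.

```python
import struct
import ipaddress

ETH_P_IPV6 = 0x86DD          # EtherType for IPv6
ICMPV6_RA = 134              # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3          # RA Prefix Information option

def build_sample_ra(src_mac: bytes, prefix: str) -> bytes:
    """Constructed Ethernet/IPv6/ICMPv6 RA frame carrying one Prefix Information option."""
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)   # checksum left at 0
    pfx = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, pfx.prefixlen, 0xC0, 2592000, 604800, 0)
    opt += pfx.network_address.packed
    payload = ra + opt
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), 58, 255)       # next header 58 = ICMPv6
    ip6 += ipaddress.IPv6Address("fe80::211:22ff:fe33:4455").packed    # constructed link-local source
    ip6 += ipaddress.IPv6Address("ff02::1").packed                     # all-nodes multicast
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + payload

def rogue_ra_prefixes(frame: bytes, allowed_prefixes):
    """Return [(src_mac, prefix)] for every RA prefix not inside one of the allowed prefixes."""
    allowed = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return []
    src_mac = frame[6:12].hex(":")
    payload_len, next_hdr = struct.unpack("!HB", frame[18:21])
    icmp = frame[54:54 + payload_len]
    if next_hdr != 58 or len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        return []   # extension headers are not handled in this example
    findings, pos = [], 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            break   # malformed option: stop instead of looping or over-reading
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            pfx = ipaddress.IPv6Network((icmp[pos + 16:pos + 32], icmp[pos + 2]), strict=False)
            if not any(pfx.subnet_of(a) for a in allowed):
                findings.append((src_mac, str(pfx)))
        pos += opt_len
    return findings

if __name__ == "__main__":
    frame = build_sample_ra(bytes.fromhex("001122334455"), "2002:c000:201::/64")
    for mac, pfx in rogue_ra_prefixes(frame, ["2001:db8:100::/48"]):
        print(f"rogue RA from {mac}: {pfx}")
```

The check is on the advertised prefix rather than on the sender, so a legitimate router advertising the site prefix passes while a client pushing a 6to4 or other foreign prefix is reported with its MAC.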