[c-nsp] Blocking IPv6 on WiSM?

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 26 06:31:03 EDT 2010


On 06/08/10 19:57, Phil Mayers wrote:
> All,
>
> We have occasional but serious problems with rogue IPv6 routers on our
> Cisco lightweight wireless service (WiSMs in 6500s). Win7/vista machines
> with internet connection sharing seem to acquire then re-advertise a
> 6to4 prefix. This causes broken connectivity (because 6to4 is blocked at
> our site - sadly this does not prevent the windows machines *thinking*
> they have a 6to4 range)
>
> In addition, the windows machines are DHCPv6 servers, and advertise
> themselves as DNSv6 servers. When they disconnect from the wireless,
> clients suffer DNS timeouts. This seems to particularly cause problems
> for iPhones.

All,

Just a follow up.

We seem to have finally "solved" this by disabling EMM (Ethernet 
Multicast Mode). This seems to disable forwarding of all multicast 
packets, including IPv4 (as well as the link-local mDNS stuff). This 
obviously stops RAs, router solicits and DHCPv6 discovers.

It's unsatisfactory, but our only other idea (using the IDS 
functionality) didn't work - it detected the activity fine but did not 
seem able to stop the clients.

Cisco confirmed in a reply to the TAC case there's nothing that can 
currently be done; ACLs are IPv4 only and none of the available knobs 
will block IPv6 ethertype. We're in the process of getting a PER opened 
(if they choose to accept it...)

For others reading the archives: we did look into things like "ramond":

http://ramond.sourceforge.net/

...which can in theory detect then suppress the RAs, but it didn't seem 
likely to solve the DHCPv6/DNSv6 issue (which caused the iPhones real 
trouble when their "DNSv6" server, actually a windows PC with ICS 
enabled, went away...)

Thanks for all the suggestions. I'm frankly amazed Cisco don't have more 
customers seeing this problem - maybe multicast=off is the norm?
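Added example, not part of the original thread: a small router-advertisement check in the spirit of what ramond does on the RA side, written as a standalone illustration rather than code from the list, the WiSM or ramond. It parses the ICMPv6 payload of a Router Advertisement, extracts Prefix Information options, and flags the two things the post describes on the RA side: an RA from a link-local address outside a (constructed) allowlist of known routers, and a 6to4 (2002::/16) prefix of the kind an ICS-enabled Windows host re-advertises. The DHCPv6/DNSv6 side is out of scope here; the source-address allowlist and the sample packet are assumptions.

```python
import ipaddress
import struct

# Assumption: the caller supplies the ICMPv6 payload (after the IPv6 header)
# together with the packet's IPv6 source address, e.g. from a pcap reader.
SIXTO4 = ipaddress.IPv6Network("2002::/16")
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}  # constructed allowlist

def parse_ra_prefixes(icmpv6):
    """Return the IPv6Network prefixes carried in an RA's Prefix Information options."""
    if len(icmpv6) < 16 or icmpv6[0] != 134:  # ICMPv6 type 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 16  # fixed RA header: type, code, cksum, hop limit, flags, lifetime, reachable, retrans
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:  # RFC 4861 forbids zero-length options; treat as malformed
            raise ValueError("zero-length ND option")
        body = icmpv6[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == 3 and olen == 4:  # Prefix Information option: plen at byte 2, prefix at 16..32
            plen = body[2]
            addr = ipaddress.IPv6Address(body[16:32])
            prefixes.append(ipaddress.IPv6Network(f"{addr}/{plen}", strict=False))
        off += olen * 8
    return prefixes

def classify_ra(src, icmpv6):
    """Return alert strings for one RA; an empty list means nothing suspicious."""
    alerts = []
    src = ipaddress.IPv6Address(src)
    if src not in KNOWN_ROUTERS:
        alerts.append(f"RA from unknown router {src}")
    for p in parse_ra_prefixes(icmpv6):
        if p.subnet_of(SIXTO4):
            alerts.append(f"6to4 prefix advertised: {p}")
    return alerts

def build_ra(prefix, plen=64):
    """Construct a minimal RA payload with one Prefix Information option (test data only)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    return hdr + pio

# Constructed sample: the kind of 6to4 prefix an ICS host would derive and re-advertise.
ROGUE = build_ra("2002:c000:0204:1::")
```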

