Ok, this one actually took me a little while to find. In a setup I had been working on recently, a switch had a number of IPv6 /48s added to an SVI. The problem with this was that each /48 was for a specific customer, but unfortunately the Ciscos were automatically advertising these prefixes so servers would autoconfigure, essentially but inadvertently stealing other customers’ addresses.
Running the following will show you the current status of the SVI and stateless autoconfig:
switch(config-if)#do sh ipv6 int vlan 105
Vlan105 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::217:59FF:FFFF:FFFF
  No Virtual link-local address(es):
  Global unicast address(es):
    FFFF:FFFF:FFFF:1::1, subnet is FFFF:FFFF:FFFF:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF2A:14DA
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  Input features: Access List
  Output features: Check hwidb
  Inbound access list HOST_PACL
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  Hosts use stateless autoconfig for addresses.
From the above you can see ‘stateless autoconfig’ is enabled. By running the below you can set the flags for RA (Router Advertisements) to disable stateless autoconfiguration.
switch(config-if)#int vlan 105
switch(config-if)#ipv6 nd prefix default no-autoconfig no-rtr-address
switch(config-if)#ipv6 nd other-config-flag
switch(config-if)#ipv6 nd managed-config-flag
switch(config-if)#ipv6 nd prefix [interface IP address(es) here]/64 no-advertise
switch(config-if)#ipv6 nd router-preference High
Running the show command again confirms the change:
switch(config-if)#do sh ipv6 int vlan 105
Vlan105 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::217:59FF:FFFF:FFFF
  No Virtual link-local address(es):
  Global unicast address(es):
    FFFF:FFFF:FFFF:1::1, subnet is FFFF:FFFF:FFFF:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF2A:14DA
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  Input features: Access List
  Output features: Check hwidb
  Inbound access list HOST_PACL
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  Hosts use DHCP to obtain routable addresses.
  Hosts use DHCP to obtain other configuration.
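To check from the host side what the show output reports, the following Python example (added here, not part of the original post) decodes a captured Router Advertisement per RFC 4861 and RFC 4191 and lists any prefix whose autonomous (A) flag still permits stateless autoconfig. The function names are hypothetical, and the sample packets and the 2001:db8:105::/64 documentation prefix are constructed for illustration.

```python
import ipaddress
import struct

PRF = {0: "medium", 1: "high", 2: "reserved", 3: "low"}  # RFC 4191 Prf encoding

def parse_ra(icmp6: bytes) -> dict:
    """Decode the flags of an ICMPv6 Router Advertisement (RFC 4861, type 134)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"managed": bool(flags & 0x80),   # M flag: addresses come from DHCPv6
          "other": bool(flags & 0x40),     # O flag: other config from DHCPv6
          "preference": PRF[(flags >> 3) & 0x3],
          "prefixes": []}
    off = 16                               # options start after the fixed header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed ND option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            net = ipaddress.IPv6Network(
                (icmp6[off + 16:off + 32], icmp6[off + 2]), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(icmp6[off + 3] & 0x80),
                                   "autonomous": bool(icmp6[off + 3] & 0x40)})
        off += opt_len
    return ra

def slaac_prefixes(ra: dict) -> list:
    """Prefixes a host may still self-assign from (A flag set)."""
    return [p["prefix"] for p in ra["prefixes"] if p["autonomous"]]

def sample_ra(flags: int, pio_flags: int) -> bytes:
    """Constructed RA: checksum left at 0, documentation prefix 2001:db8:105::/64."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, pio_flags, 2592000, 604800, 0)
    return hdr + pio + ipaddress.IPv6Address("2001:db8:105::").packed

BEFORE = sample_ra(0x00, 0xC0)  # constructed: M=0, O=0, prefix with L and A set
AFTER = sample_ra(0xC8, 0x80)   # constructed: M=1, O=1, Prf=high, A cleared

if __name__ == "__main__":
    for name, pkt in (("before", BEFORE), ("after", AFTER)):
        ra = parse_ra(pkt)
        print(name, ra["managed"], ra["other"], ra["preference"], slaac_prefixes(ra))
```

An empty list from slaac_prefixes() means no advertised prefix is usable for stateless autoconfig; a prefix marked no-advertise would simply not appear in the RA at all.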
Hope this helps people:)
Jay Greig