ICMPv6 Router Solicitation

Solved
kkrause
Conversationalist

ICMPv6 Router Solicitation

I've recently installed Meraki MS225 switches to a few networks. I'm seeing now ICMPv6 router solicitation packets flooding the network. There are no devices on the network (a small test bed) with IPv6 enabled. The tcpdump shows the source mac address as the Meraki switch. Is there a way I can disable ICMPv6 on the switch?

 

TIA

1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal

Cisco Meraki Switches can pass IPv6 traffic, as well as report information on clients using IPv6. But if I'm right It does not support IPV6 configuration.

https://documentation.meraki.com/General_Administration/Other_Topics/IPv6_Device_Compatibility

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

13 Replies 13
RaphaelL
Kind of a big deal
Kind of a big deal

Hi ,

 

I'm not sure that this can be disabled on a MS. How ever I'm not sure that this is 'flooding' your network as these ICMPv6 router solicitation looks to be sent every 4.2 seconds.

kkrause
Conversationalist

Thanks for the response, Raphael. I've heard the same thing from others, but no one states definitively one way or the other.

 

I just ran another tcpdump and received 1017 ICMPv6 router solicitation packets from the mac address of the Meraki switch. A handful of those were from the mac of the single Meraki AP I have in the test network.

alemabrahao
Kind of a big deal
Kind of a big deal

Cisco Meraki Switches can pass IPv6 traffic, as well as report information on clients using IPv6. But if I'm right It does not support IPV6 configuration.

https://documentation.meraki.com/General_Administration/Other_Topics/IPv6_Device_Compatibility

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
kkrause
Conversationalist

Thanks for your response. Looking at the doc you referenced, it doesn't appear that configuration is allowed. This jives with what I've heard elsewhere. I did notice that IPv6 ACLs are now allowed and have attempted to configure an ACL to block ICMPv6, but since the requests appear to be coming from the switch (which has no IPv6 IP assigned) I'm not having any luck in blocking the requests.

 

Thanks

RaphaelL
Kind of a big deal
Kind of a big deal

To be honest , I don't understand why and where the ipv6 trafic is sourced by the Meraki devices. 

 

Can't seem to be able to turn that off. Might need to open a case to see if there is no hidden backend options for that.

alemabrahao
Kind of a big deal
Kind of a big deal

One more information.

 

The IPv6 neighbor discovery process uses Internet Control Message Protocol (ICMP) messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and track neighboring devices.

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3se/3850/ip6-neighb-di...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Crocker
A model citizen

I believe we saw something similar when we installed our first MS250 at our HQ, hanging off a stack of Catalyst 3650's. Our firewall suddenly started seeing a bunch of IPv6 router solicitation requests and that set off some alarms (we shouldn't see any IPv6 traffic).

 

In the end, we ended up disabling IGMP snooping and Flood unknown multicast traffic under Switch -> Switch Settings -> Multicast Settings. These were enabled by default, with no way to adjust separate settings between IPv4 and IPv6.

kkrause
Conversationalist

Thanks for the response. That's exactly what we're seeing as well. I'll check with the powers that be and see if your suggestion is something they would like to try.

 

RaphaelL
Kind of a big deal
Kind of a big deal

We only have IGMP Snooping enabled which is a deal breaker to disable and still the icmpv6 packets are being sourced by the Meraki devices: 

RaphaelL_0-1665590373564.png

 

alemabrahao
Kind of a big deal
Kind of a big deal

I don't think that is the case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal

I agree. I disabled both settings under MS 14.33 and the MS is still sourcing the ipv6 packets : 

RaphaelL_0-1665590632695.png

 

Crocker
A model citizen

Wonder if my notes are wrong. Have you rebooted that MS since disabling those settings?

RaphaelL
Kind of a big deal
Kind of a big deal

Yes , the MS was rebooted and the changes done about 1 hour ago and the trafic is still present.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels