Home / Blogs

IPv6: Don't Forget About Your Switches!

Dan Campbell

When preparing a network for IPv6, I often hear network administrators say that their switches are agnostic and that there is no need to worry about them. Not so fast.

Yes, LAN switches function mainly at layer 2 by forwarding Ethernet frames regardless of whether the packet inside is IPv4 or IPv6 (or even something else!) However, there are some functions on a switch that operate at layer 3 or higher. They include:

• Dynamic ARP Inspection (DAI)

• DHCP Snooping

• Multicast Listener Discovery (MLD) Snooping (the IPv6 equivalent of IGMP Snooping)

• Quality of Service (QoS) marking for upstream Differentiated Services treatment

• Access Lists (e.g., VLAN or regular ACLs).

These features were developed to push certain functions to the access layer where a network is often the most vulnerable or where it provides the closest point to the end user and thus the best place to apply certain logic and policies to application traffic. To function properly, they require layer 3 or upper layer information. They inspect the packet header or payload inside the Ethernet frame. These features may be necessary to translate your IPv4 network functionality to IPv6. While these features do not necessarily qualify the device as a layer 3 "switch" or an IPv6 router per se, they do act on more than just the Ethernet frame.

There is also the IP management interface on the switch, although I expect most networks will be dual stacked for the foreseeable future and will not abandon their IPv4 management interfaces, at least not until they can get their management systems to catch up.

The aforementioned features may not be things you are doing now, but you never know when you will. Security requirements and hardening guidelines are recommending things like DAI, DHCP Snooping and ACLs at the access layer. The more streaming video gets moved to IP networks, the more the need for multicast, and MLD Snooping is necessary to improve performance. Finally, the continued convergence of voice, video and other rich media and interactive applications to IP networks is furthering the need for QoS, and it is always best to mark traffic as close to the edge as possible.

So don't forget about your switches. A thorough IPv6 readiness assessment must consider the entire network, end to end, and everything in between.

Note: The previous list was off the top of my head and by no means all inclusive. I would welcome any comments that would help to compile a complete list.

By Dan Campbell, President, Millennia Systems, Inc.

Related topics: IPv6, Networks

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

I've personally had issues with switches behaving Chip Marshall  –  Jul 25, 2012 8:45 AM PDT

I've personally had issues with switches behaving badly with IPv6. Strange issues where the switch wouldn't pass any IPv6 traffic until it had a v6 management interface, or was blocking all IPv6 multicast traffic until IPv4 IGMP snooping was disabled.

Definitely should be lab tested before deployment!

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias

DNS Security

Sponsored by Afilias
Verisign

Cybersecurity

Sponsored by Verisign
Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Mobile Web Intelligence Report: Bots and Crawlers May Represent up to 50% of Web Traffic

Data Volumes and Network Stress to Be Top IoT Concerns

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Dyn Evolves Internet Performance Space with Launch of Internet Intelligence

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Verisign iDefense 2015 Cyber-Threats and Trends

3 Questions to Ask Your DNS Host About DDoS

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Tips to Address New FFIEC DDoS Requirements

Is Your Organization Prepared for a Cyberattack?

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Why Managed DNS Means Secure DNS

Dyn Adds Chris Griffiths As New VP of Labs

New Nixu NameSurfer 7.3 Series Powers the Software-Defined Data Centre