For IPv6 migration, should we replace existing L2 switches running VLANs?

My L3 Core switch, Nortel ERS 8600, is IPv6 compatible. However, during migration to IPv6, do we need to also check the compatibility of edge/distribution switches in a VLAN-based campus network?


Solution 1:

Some of the potential attacks involve putting a rogue router or DHCP server on your network. The best protection is to let the L2 switches filter the traffic. If a switch port goes to a workstation, it probably should not send out packets that usually a DHCP server or a router would send. If you want such protection, you should look at the protocols that the switch supports.

For IPv6, having RA Guard on the L2 switches is always important. Even if you don't use IPv6 yourself, an attacker can make devices think that you do by pretending to be an IPv6 router. Filtering bad Router Advertisements can best be done as soon as possible, on the switch closest to the potential attacker (or person with an accidentally badly configured device).

If you want more control over the network, like enforcing DHCP and preventing address spoofing, you need such features for both protocols as well.
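To make concrete what "let the L2 switches filter the traffic" means for the rogue-router and rogue-DHCPv6 cases above, here is an added example (not code from the answer, the asker's Nortel gear, or any switch vendor) of the per-port decision logic an RA Guard / DHCPv6 Guard feature implements. Ports are given a role, "host" for workstation ports and "trusted" for the uplink toward real routers and DHCP servers, and the filter drops Router Advertisements (ICMPv6 type 134) and server-originated DHCPv6 messages (UDP source port 547) arriving on host ports. It also applies the RFC 4861 validity checks (link-local source, hop limit 255) to RAs even on trusted ports, and shows a simple source-address binding check of the kind used against address spoofing. All frames are constructed inline and checksums are left zero and not verified; the role names, policy structure and sample addresses are this example's own assumptions.

```python
"""Toy per-port IPv6 first-hop filter in the spirit of RA Guard / DHCPv6 Guard.

Added illustration; not code from the original answer or from any switch vendor.
Frames are constructed inline; ICMPv6/UDP checksums are left zero and not verified.
"""
import struct
import ipaddress
from dataclasses import dataclass

ETH_P_IPV6 = 0x86DD
NH_ICMPV6 = 58
NH_UDP = 17
ICMPV6_ROUTER_ADVERTISEMENT = 134
DHCPV6_SERVER_PORT = 547
# DHCPv6 message types only a server or relay should originate (RFC 8415):
DHCPV6_SERVER_MSG_TYPES = {2, 7, 10, 13}  # ADVERTISE, REPLY, RECONFIGURE, RELAY-REPL


@dataclass(frozen=True)
class PortPolicy:
    role: str  # "host": workstation port; "trusted": uplink toward routers / DHCP servers (assumed names)
    bound_sources: frozenset = frozenset()  # allowed IPv6 sources on this port; empty = not enforced


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, next_header, hop_limit, payload):
    """Ethernet header + IPv6 header + payload, used to construct sample traffic."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IPV6)
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    return eth + ip6 + payload


def parse_ipv6(frame):
    """Return the fields the filter needs, or None if the frame is not IPv6."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    _, payload_len, next_header, hop_limit = struct.unpack("!IHBB", frame[14:22])
    return {
        "src_ip": ipaddress.IPv6Address(frame[22:38]),
        "next_header": next_header,
        "hop_limit": hop_limit,
        "payload": frame[54:54 + payload_len],
    }


def filter_frame(policy, frame):
    """Decide ("forward" | "drop", reason) for a frame received on a port with this policy."""
    pkt = parse_ipv6(frame)
    if pkt is None:
        return "forward", "not IPv6; outside this filter's scope"
    if policy.bound_sources and pkt["src_ip"] not in policy.bound_sources:
        return "drop", f"source {pkt['src_ip']} is not bound to this port"
    payload = pkt["payload"]
    if pkt["next_header"] == NH_ICMPV6 and len(payload) >= 4:
        if payload[0] == ICMPV6_ROUTER_ADVERTISEMENT:
            if policy.role != "trusted":
                return "drop", "Router Advertisement received on a host port"
            # RFC 4861 6.1.2: a valid RA has a link-local source and hop limit 255.
            if not pkt["src_ip"].is_link_local or pkt["hop_limit"] != 255:
                return "drop", "Router Advertisement failed RFC 4861 validity checks"
    if pkt["next_header"] == NH_UDP and len(payload) >= 9:
        src_port = struct.unpack("!H", payload[0:2])[0]
        msg_type = payload[8]  # first byte of the DHCPv6 message after the 8-byte UDP header
        if src_port == DHCPV6_SERVER_PORT and msg_type in DHCPV6_SERVER_MSG_TYPES and policy.role != "trusted":
            return "drop", f"DHCPv6 server message (type {msg_type}) received on a host port"
    return "forward", "ok"


# Constructed payloads: an RA (cur hop limit 64, router lifetime 1800 s), a DHCPv6 ADVERTISE
# (UDP 547 -> 546, msg-type 2, transaction id 0x000001) and an ICMPv6 echo request.
RA_PAYLOAD = bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 0]) + struct.pack("!BBHII", 64, 0, 1800, 0, 0)
DHCPV6_ADVERTISE = struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0, 0, 1])
ECHO_REQUEST = bytes([128, 0, 0, 0, 0, 1, 0, 1])

HOST_PORT = PortPolicy("host", frozenset({ipaddress.IPv6Address("fe80::1")}))
UPLINK_PORT = PortPolicy("trusted")


def demo():
    """Run the filter over constructed traffic; returns [(case name, decision, reason)]."""
    cases = [
        ("rogue RA on host port", HOST_PORT,
         build_frame("00:11:22:33:44:55", "33:33:00:00:00:01", "fe80::1", "ff02::1", NH_ICMPV6, 255, RA_PAYLOAD)),
        ("legitimate RA on uplink", UPLINK_PORT,
         build_frame("00:aa:bb:cc:dd:ee", "33:33:00:00:00:01", "fe80::aa", "ff02::1", NH_ICMPV6, 255, RA_PAYLOAD)),
        ("off-link RA on uplink (hop limit 64)", UPLINK_PORT,
         build_frame("00:aa:bb:cc:dd:ee", "33:33:00:00:00:01", "2001:db8::1", "ff02::1", NH_ICMPV6, 64, RA_PAYLOAD)),
        ("DHCPv6 Advertise on host port", HOST_PORT,
         build_frame("00:11:22:33:44:55", "33:33:00:01:00:02", "fe80::1", "fe80::2", NH_UDP, 64, DHCPV6_ADVERTISE)),
        ("echo request on host port", HOST_PORT,
         build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "fe80::1", "fe80::aa", NH_ICMPV6, 64, ECHO_REQUEST)),
        ("spoofed source on host port", HOST_PORT,
         build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "fe80::dead", "fe80::aa", NH_ICMPV6, 64, ECHO_REQUEST)),
    ]
    return [(name,) + filter_frame(policy, frame) for name, policy, frame in cases]


if __name__ == "__main__":
    for name, decision, reason in demo():
        print(f"{decision:7} {name}: {reason}")
```

The point of the role split is the one the answer makes: the decision is taken per port, on the switch closest to the offending device, so a forged RA or DHCPv6 ADVERTISE never reaches the rest of the VLAN. A real switch feature additionally has to handle RAs hidden behind IPv6 extension headers or fragments (the evasion problem RFC 7113 describes), which this toy parser does not attempt.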

Solution 2:

It depends on whether you want them to do anything IP-aware. An Ethernet frame is an Ethernet frame is an Ethernet frame, as Gertrude Stein didn't say; a good switch will repeat it based on MAC addresses without caring what the payload is, so if that's all your switches do - layer-2 stuff like VLANs and port-mirroring - you should be fine regardless.

The problems start when you want your switches to be layer-3 aware, and if you want them to do dual-stack stuff at that (IP) layer. For example, if you want each switch to have both an IPv4 and an IPv6 management address on each VLAN, then you'll need to check that your switches support IPv6 properly.