Configuring A Dual Ip Stack On An Interface; Enforcing The Use Of Modified Eui-64 Interface Ids In Ipv6 Addresses; Configuring Ipv6 Duplicate Address Detection - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Configuring IPv6
(Optional) Suppress Router Advertisement messages on an interface. By default, Router Advertisement
Step 3
messages are automatically sent in response to router solicitation messages. You may want to disable
these messages on any interface for which you do not want the security appliance to supply the IPv6
prefix (for example, the outside interface).
Enter the following command to suppress Router Advertisement messages on an interface:
hostname(config-if)# ipv6 nd suppress-ra
Configuring a Dual IP Stack on an Interface
The security appliance supports the configuration of both IPv6 and IPv4 on an interface. You do not need
to enter any special commands to do so; simply enter the IPv4 configuration commands and IPv6
configuration commands as you normally would. Make sure you configure a default route for both IPv4
and IPv6.
Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface
identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits
long and be constructed in Modified EUI-64 format. The security appliance can enforce this requirement
for hosts attached to the local link.
To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link,
enter the following command:
hostname(config)# ipv6 enforce-eui64 if_name
The if_name argument is the name of the interface, as specified by the nameif command, on which you
are enabling the address format enforcement.
When this command is enabled on an interface, the source addresses of IPv6 packets received on that
interface are verified against the source MAC addresses to ensure that the interface identifiers use the
Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface
identifier, the packets are dropped and the following system log message is generated:
%PIX|ASA-3-325003: EUI-64 source address check failed.
The address format verification is only performed when a flow is created. Packets from an existing flow
are not checked. Additionally, the address verification can only be performed for hosts on the local link.
Packets received from hosts behind a router will fail the address format verification, and be dropped,
because their source MAC address will be the router MAC address and not the host MAC address.
Configuring IPv6 Duplicate Address Detection
During the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of
new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in
a tentative state while duplicate address detection is performed). Duplicate address detection is
performed first on the new link-local address. When the link local address is verified as unique, then
duplicate address detection is performed all the other IPv6 unicast addresses on the interface.
Cisco Security Appliance Command Line Configuration Guide
12-4
Chapter 12
Configuring IPv6
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
