Cisco ASA 5505 Configuration Manual page 256


Completing Interface Configuration (All Models)
When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not
used, and the following error message is generated:
%ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface
If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is
disabled on the interface. If the duplicate address is a global address, the address is not used. However,
all configuration commands associated with the duplicate address remain as configured while the state
of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new
link-local address and all of the other IPv6 addresses associated with the interface are regenerated
(duplicate address detection is performed only on the new link-local address).
The adaptive security appliance uses neighbor solicitation messages to perform duplicate address
detection. By default, the number of times an interface performs duplicate address detection is 1.
Information About Modified EUI-64 Interface IDs
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface
identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits
long and be constructed in Modified EUI-64 format. The adaptive security appliance can enforce this
requirement for hosts attached to the local link.
When this command is enabled on an interface, the source addresses of IPv6 packets received on that
interface are verified against the source MAC addresses to ensure that the interface identifiers use the
Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface
identifier, the packets are dropped and the following system log message is generated:
%ASA-3-325003: EUI-64 source address check failed.
The address format verification is only performed when a flow is created. Packets from an existing flow
are not checked. Additionally, the address verification can only be performed for hosts on the local link.
Packets received from hosts behind a router will fail the address format verification, and be dropped,
because their source MAC address will be the router MAC address and not the host MAC address.
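The check described above, as an added Python illustration that is not code from the Cisco guide: it derives the Modified EUI-64 interface identifier from a frame's source MAC and compares it with the low 64 bits of the IPv6 source address. The sample frames are constructed, and passing addresses that begin with binary 000 is an assumption taken from the RFC exception, since the guide does not say how the appliance treats them.

```python
import ipaddress

def modified_eui64_iid(mac: str) -> int:
    """Return the 64-bit Modified EUI-64 interface ID for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Invert the universal/local bit (0x02) and insert FF:FE between the halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def eui64_source_check(src_ip: str, src_mac: str) -> bool:
    """True if the IPv6 source's interface ID matches the frame's source MAC."""
    addr = int(ipaddress.IPv6Address(src_ip))
    if addr >> 125 == 0:
        # Assumption: addresses starting with binary 000 are exempt from the
        # format requirement, so this sketch lets them pass.
        return True
    return (addr & 0xFFFFFFFFFFFFFFFF) == modified_eui64_iid(src_mac)

# Constructed samples: (label, IPv6 source, source MAC seen on the local link).
SAMPLE_FRAMES = [
    ("link-local, EUI-64", "fe80::21b:d4ff:fe12:3456", "00:1b:d4:12:34:56"),
    ("global, EUI-64", "2001:db8:1::21b:d4ff:fe12:3456", "00:1b:d4:12:34:56"),
    ("manual interface ID", "2001:db8:1::1234", "00:1b:d4:12:34:56"),
    # The host uses EUI-64, but the frame carries the router's MAC.
    ("host behind router", "2001:db8:2::21b:d4ff:fe12:3456", "00:1e:7a:aa:bb:cc"),
]

def failed_checks(frames):
    """Labels of frames that would be dropped when a new flow is created."""
    return [label for label, ip, mac in frames if not eui64_source_check(ip, mac)]

if __name__ == "__main__":
    for label in failed_checks(SAMPLE_FRAMES):
        print(f"would be dropped with message 325003: {label}")
```

The last sample shows why enabling enforcement on an interface that receives routed IPv6 traffic drops legitimate hosts: the interface identifier is valid, but it is compared against the router's MAC address.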
Restrictions
The adaptive security appliance does not support IPv6 anycast addresses.
Detailed Steps
Step 1 Choose the Configuration > Device Setup > Interfaces pane.
Step 2 Choose an interface, and click Edit.
The Edit Interface dialog box appears with the General tab selected.
Step 3 Click the IPv6 tab.
Step 4 (Optional) To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a
local link, check the Enforce EUI-64 check box.
If the interface identifiers do not conform to the modified EUI-64 format, an error message appears. See
the "Information About Modified EUI-64 Interface IDs" section on page 8-28 for more information.
Step 5 Configure the global IPv6 address using one of the following methods.

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, Chapter 8: Configuring Interfaces, page 8-28


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
