Cisco ASA 5505 User Manual

Page 305


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 8 Completing Interface Configuration (Routed Mode)

Completing Interface Configuration in Routed Mode

If the link-local address for an interface changes, duplicate address detection is performed on the new
link-local address and all of the other IPv6 addresses associated with the interface are regenerated
(duplicate address detection is performed only on the new link-local address).

The ASA uses neighbor solicitation messages to perform duplicate address detection. By default, the
number of times an interface performs duplicate address detection is 1.

Modified EUI-64 Interface IDs

RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface
identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits
long and be constructed in Modified EUI-64 format. The ASA can enforce this requirement for hosts
attached to the local link.

When this feature is enabled on an interface, the source addresses of IPv6 packets received on that
interface are verified against the source MAC addresses to ensure that the interface identifiers use the
Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface
identifier, the packets are dropped and the following system log message is generated:

%ASA-3-325003: EUI-64 source address check failed.

The address format verification is only performed when a flow is created. Packets from an existing flow
are not checked. Additionally, the address verification can only be performed for hosts on the local link.
Packets received from hosts behind a router will fail the address format verification, and be dropped,
because their source MAC address will be the router MAC address and not the host MAC address.
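The check described above can be modeled in a few lines. The following Python sketch is an added example, not Cisco code or ASA output: the function names, MAC addresses and 2001:db8:: addresses are constructed for illustration, and skipping addresses that start with binary 000 follows the RFC exception quoted above (this page does not say how the ASA treats them).

```python
import ipaddress

def modified_eui64_iid(mac: str) -> int:
    """Return the 64-bit Modified EUI-64 interface ID for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Insert FF:FE between the two halves of the MAC and invert the
    # universal/local bit (0x02 in the first octet).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def eui64_source_check(src_ip: str, src_mac: str) -> bool:
    """True if the low 64 bits of src_ip match the ID derived from src_mac."""
    addr = int(ipaddress.IPv6Address(src_ip))
    # Assumption: addresses starting with binary 000 are outside the
    # requirement (RFC exception), so they are not compared.
    if addr >> 125 == 0:
        return True
    return (addr & 0xFFFFFFFFFFFFFFFF) == modified_eui64_iid(src_mac)

# Constructed sample: (source IPv6 address, source MAC seen on the local link)
SAMPLE_FLOWS = [
    # Host on the local link using an EUI-64 address derived from its own MAC
    ("2001:db8:1::21b:54ff:feaa:bbcc", "00:1b:54:aa:bb:cc"),
    # Same host with a manually assigned interface ID
    ("2001:db8:1::10", "00:1b:54:aa:bb:cc"),
    # Host behind a router: its address is valid EUI-64 for its own MAC
    # (00:1b:54:11:22:33), but the frame carries the router MAC
    ("2001:db8:2::21b:54ff:fe11:2233", "00:1b:54:aa:bb:cc"),
]

def check_flows(flows):
    """Return (ip, mac, verdict) for each new flow; verdict is 'pass' or 'drop'."""
    return [(ip, mac, "pass" if eui64_source_check(ip, mac) else "drop")
            for ip, mac in flows]

if __name__ == "__main__":
    for ip, mac, verdict in check_flows(SAMPLE_FLOWS):
        note = "" if verdict == "pass" else "  (EUI-64 source address check failed)"
        print(f"{ip:34} {mac}  {verdict}{note}")
```

The third flow shows why the feature is only usable for hosts on the local link: the address is well formed, but it is compared against the router MAC and is dropped.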

Configuring a Global IPv6 Address and Other Options

To configure a global IPv6 address and other options, perform the following steps.

Note

Configuring the global address automatically configures the link-local address, so you do not need to
configure it separately.

Restrictions

The ASA does not support IPv6 anycast addresses.

Prerequisites

Set up your interfaces depending on your model:

ASA 5510 and higher—Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).”

ASA 5505—Chapter 7, “Starting Interface Configuration (ASA 5505).”

In multiple context mode, you can only configure context interfaces that you already assigned to the
context in the system configuration according to the “Configuring Multiple Contexts” section on
page 5-14.

In multiple context mode, complete this procedure in the context execution space. To change from
the system to a context configuration, enter the changeto context name command.
