07-29-2011 02:13 AM
Here is my «little» problem:
Background:
Extended Unique Identifier (EUI)
When the link-local address is automatically generated, the device identifier is derived from the switch's 48-bit (hexadecimal) MAC address to create a 64-bit Extended Unique Identifier (EUI) to be appended to the fe80 link-local prefix, as follows:
- ff-fe is inserted between third and fourth bytes of MAC address
- The second low-order bit (the Universal/Local bit) in the first byte of the MAC address is complemented, which usually means the bit is originally set to 0 and is changed to 1. This indicates a globally unique IPv6 interface identifier.
For example:
| MAC Address | IPv6 I/F Identifier | Full Link-Local Unicast Address |
|---|---|---|
| 00-15-60-7a-ad-c0 | 215:60ff:fe7a:adc0 | fe80::215:60ff:fe7a:adc0/64 |
| 09-c1-8a-44-b4-9d | 11c1:8aff:fe44:b49d | fe80::11c1:8aff:fe44:b49d/64 |
| 00-1a-73-5a-7e-57 | 21a:73ff:fe5a:7e57 | fe80::21a:73ff:fe5a:7e57/64 |
For related information, refer to:
- RFC 2373: “IP Version 6 Addressing Architecture”
- RFC 2464: “Transmission of IPv6 Packets Over Ethernet Networks”
The problem:
The EUI method of generating a link-local address is automatically implemented on the Palo Alto firewall when it’s not manually inserted, but it doesn’t generate a unique address on each VLAN that is on the same port.
We have 2 external interfaces on two different VLANs on port 1 and 15 interfaces on 15 VLANs on port 2.
One of the errors that we receive from the config when we press Commit is:
“routed: Identical interface IDs used to generate IPv6 link-local address for interface ethernet1/2.12 and ethernet1/2.10. Management via link-local address on these interfaces is disabled.”
“routed: Identical interface IDs used to generate IPv6 link-local address for interface ethernet1/1.200 and ethernet1/1.100. Management via link-local address on these interfaces is disabled.”
If Palo Alto can’t generate 64-bit EUIs that are different on each VLAN on the same Ethernet interface, how can we manually generate unique 64-bit EUIs?
BTW I'm running version 4.0.4 of the software in HA Active-passive.
08-08-2011 03:54 PM
Hi Hankim,
One way to work around this is to specify the full IPv6 address including the host portion. You can do this by leaving the "prefix" checkbox unchecked and specifying the full IPv6 address in the interface configuration.
Thanks,
Nick
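The derivation described in the question and the manual-address workaround from this reply, as an added example that is not part of the original thread and is not Palo Alto code. It assumes subinterfaces share the MAC of their physical port; the inventory is constructed, and `manual_link_local` is a hypothetical numbering scheme for producing candidate addresses to enter by hand.

```python
import ipaddress
from collections import defaultdict

LINK_LOCAL_PREFIX = b"\xfe\x80" + bytes(6)  # fe80::/64

def parse_mac(mac):
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw

def eui64_link_local(mac):
    """Modified EUI-64: insert ff-fe after the third byte, complement the U/L bit."""
    m = parse_mac(mac)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + iid)

def find_collisions(interfaces):
    """Map each derived link-local address shared by 2+ interfaces to their names."""
    groups = defaultdict(list)
    for name, mac in interfaces.items():
        groups[eui64_link_local(mac)].append(name)
    return {addr: names for addr, names in groups.items() if len(names) > 1}

def manual_link_local(mac, vlan):
    """Hypothetical scheme: VLAN tag replaces ff-fe; U/L bit cleared to mark
    the identifier as locally assigned rather than MAC-derived."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    m = parse_mac(mac)
    iid = bytes([m[0] & 0xFD]) + m[1:3] + vlan.to_bytes(2, "big") + m[3:]
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + iid)

def plan(interfaces):
    """Per-subinterface manual address, VLAN tag taken from the name suffix."""
    return {name: manual_link_local(mac, int(name.rsplit(".", 1)[1]))
            for name, mac in interfaces.items()}

# Constructed inventory (assumption): subinterfaces share their port's MAC.
INTERFACES = {
    "ethernet1/1.100": "00-15-60-7a-ad-c0",
    "ethernet1/1.200": "00-15-60-7a-ad-c0",
    "ethernet1/2.10": "00-1a-73-5a-7e-57",
    "ethernet1/2.12": "00-1a-73-5a-7e-57",
}

if __name__ == "__main__":
    for addr, names in find_collisions(INTERFACES).items():
        print(f"collision on {addr}: {', '.join(names)}")
    for name, addr in plan(INTERFACES).items():
        print(f"{name}: {addr}/64")
```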
08-09-2011 01:03 PM
Hi Phil,
I have already done this through a partner. The case ID is: 00045013
- Kim