How to generate unique IPv6 I/F Identifier on L3 "VLAN" interface?


Not applicable

Here is my «little» problem:

Background:
Extended Unique Identifier (EUI)
When the link-local address is automatically generated, the device identifier is derived from the switch's 48-bit (hexadecimal) MAC address to create a 64-bit Extended Unique Identifier (EUI) to be appended to the fe80 link-local prefix, as follows:

- ff-fe is inserted between third and fourth bytes of MAC address
- The second low-order bit (the Universal/Local bit) in the first byte of the MAC address is complemented, which usually means the bit is originally set to 0 and is changed to 1. This indicates a globally unique IPv6 interface identifier.

For example:
| MAC Address | IPv6 I/F Identifier | Full Link-Local Unicast Address |
|---|---|---|
| 00-15-60-7a-ad-c0 | 215:60ff:fe7a:adc0 | fe80::215:60ff:fe7a:adc0/64 |
| 09-c1-8a-44-b4-9d | 11c1:8aff:fe44:b49d | fe80::11c1:8aff:fe44:b49d/64 |
| 00-1a-73-5a-7e-57 | 21a:73ff:fe5a:7e57 | fe80::21a:73ff:fe5a:7e57/64 |

For related information, refer to:
- RFC 2373: “IP Version 6 Addressing Architecture”
- RFC 2464: “Transmission of IPv6 Packets Over Ethernet Networks”


The problem:
The EUI method of generating a link-local address is automatically implemented on the Palo Alto firewall when it’s not manually inserted, but it doesn’t generate a unique address on each VLAN that is on the same port.

We have 2 external interfaces on two different VLANs on port 1 and 15 interfaces on 15 VLANs on port 2.
One of the errors that we receive from the config when we press Commit is:

“routed: Identical interface IDs used to generate IPv6 link-local address for interface ethernet1/2.12 and ethernet1/2.10. Management via link-local address on these interfaces is disabled.”
“routed: Identical interface IDs used to generate IPv6 link-local address for interface ethernet1/1.200 and ethernet1/1.100. Management via link-local address on these interfaces is disabled.”

If Palo Alto can’t generate 64-bit EUIs that are different on each VLAN on the same Ethernet interface, how can we manually generate unique 64-bit EUIs?

BTW I'm running version 4.0.4 of the software in HA Active-passive.

3 REPLIES

L4 Transporter

Wow! That's off the beaten path. Can you please open a support case so that we can work directly with you on this issue?

~Phil

Palo Alto Networks Guru

Hi Hankim,

One way to work around this is to specify the full IPv6 address including the host portion.  You can do this by leaving the "prefix" checkbox unchecked and specifying the full IPv6 address in the interface configuration.

Thanks,

Nick
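The collision from the question and the manual-address workaround above, as an added example that is not from any poster or from Palo Alto Networks. The MAC-to-port assignment in `SAMPLE` is constructed (the MACs are borrowed from the question's example table), and the `fe80::<slot>:<port>:<subinterface>` numbering in `manual_link_local` is an assumed scheme, not a PAN-OS convention.

```python
import ipaddress
import re
from collections import defaultdict

LINK_LOCAL_PREFIX = int(ipaddress.IPv6Address("fe80::"))

def eui64_interface_id(mac):
    """Modified EUI-64: flip the U/L bit, insert ff-fe after the third byte."""
    raw = bytes.fromhex(re.sub(r"[-:.]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")

def link_local(interface_id):
    """Append a 64-bit interface ID to the fe80::/64 prefix."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | interface_id)

def find_collisions(interfaces):
    """Group interface names whose MACs yield the same interface ID."""
    groups = defaultdict(list)
    for name, mac in interfaces.items():
        groups[eui64_interface_id(mac)].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)

def manual_link_local(name):
    """Assumed scheme: fe80::<slot>:<port>:<subinterface>, with the decimal
    digits of each number reused as hex digits so the address stays readable."""
    m = re.fullmatch(r"ethernet(\d{1,4})/(\d{1,4})\.(\d{1,4})", name)
    if not m:
        raise ValueError(f"unexpected subinterface name: {name!r}")
    slot, port, sub = (int(g, 16) for g in m.groups())
    return link_local(slot << 32 | port << 16 | sub)

# Constructed sample: subinterfaces inherit the MAC of their physical port.
SAMPLE = {
    "ethernet1/1.100": "00-1a-73-5a-7e-57",
    "ethernet1/1.200": "00-1a-73-5a-7e-57",
    "ethernet1/2.10": "00-15-60-7a-ad-c0",
    "ethernet1/2.12": "00-15-60-7a-ad-c0",
}

if __name__ == "__main__":
    for group in find_collisions(SAMPLE):
        print("same EUI-64 interface ID:", ", ".join(group))
    for name in SAMPLE:
        print(f"{name}: {manual_link_local(name)}/64")
```
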

Hi Phil,

I have already done this through a partner. The case ID is: 00045013

- Kim
