Is it Possible to Configure a Custom IPv6 Link Local Address?
9141
Created On 09/25/18 17:46 PM - Last Modified 06/23/21 02:30 AM
Symptom
In a scenario where migration or replacement of the Firewall is done, one may prefer to keep using the same IPv6 link-local address as previously used. This article explains how to configure the same.
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- IPv6 Configuration.
Resolution
When using IPv6 a link-local address is based on the MAC address of the interface and starts with the prefix fe80::/10.
One can choose the custom 64-bit interface-ID which will be used as the interface portion of link-local.
To do this, When configuring the interface for IPv6, For the selection of Interface ID, enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format. If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the Interface ID as the host portion of that address
An example of such a configuration is displayed below. (GUI: Network > Interfaces > Ethernet > Ethernet x/y > IPv6)
Show interface displays the configured interface ID.
admin@Lab> show interface ethernet1/7
...... (output omittted)
Name: ethernet1/7, ID: 22
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IPv6 address: fe80::fb:2023:3103/64
192:1::fb:2023:3103/64
DAD: disabled
NDP Monitoring: disabled
......
When using the default (EUI64), then the interface-id is derived from the MAC address of the interface.
admin@Lab> show interface ethernet1/7
...
MAC address:
Port MAC address 00:50:56:81:40:01
...
Name: ethernet1/7, ID: 22
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IPv6 address: fe80::250:56ff:fe81:4001/64
192:1::250:56ff:fe81:4001/64
DAD: disabled
...
The system's link-local address can be retrieved using the following command:
admin@Lab> show system info | match link-local
ipv6-link-local-address: fe80::250:56ff:fe81:7924/64
Additional Information
Configure Layer 3 Interfaces
Attachments