Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1350
Views
0
Helpful
5
Replies

ASA 5520 - Sub-interfaces with IPv6 Prefix

Go to solution
brianhill88
Level 1
Level 1

‎06-01-2011 10:07 AM - edited ‎03-11-2019 01:41 PM

Hello,

We have been testing out IPv6 configurations on a 5520 running 8.2(4).  We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure there IPv6 IPs and it works correctly.   I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work.  I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes.  But using the two methods yields two different interface configurations:

1.

interface GigabitEthernet0/1.40

vlan 40

nameif test

security-level 100

no ip address

ipv6 address fdc4:7b5a:1112:5::1/64

ipv6 nd prefix fdc4:7b5a:1112:5::/64

2.

interface GigabitEthernet0/1.50

vlan 50

nameif test2

security-level 100

no ip address

ipv6 address fdc4:7b5a:1112:1::1/64

ipv6 address Network_Ghost/64 eui-64

Is there an actual difference to how these behave?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎06-01-2011 11:57 AM

Hi,

IPv6 nd prefix is the prefix you advertise in your router advertisment (RA).

It's a way for other nodes on the network to know how to configure themselves.

The second command is just a way to configure another IPv6 address on same interface - it will use EUI-64

By default all configured prefixes should be advertised in RA.

Have a look at commend reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i3.html#wp1917192

Marcin

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎06-01-2011 11:57 AM

Hi,

IPv6 nd prefix is the prefix you advertise in your router advertisment (RA).

It's a way for other nodes on the network to know how to configure themselves.

The second command is just a way to configure another IPv6 address on same interface - it will use EUI-64

By default all configured prefixes should be advertised in RA.

Have a look at commend reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i3.html#wp1917192

Marcin

0 Helpful

Go to solution
brianhill88
Level 1
Level 1
In response to Marcin Latosiewicz

‎06-01-2011 04:03 PM

Thanks for the quick response.  Interesting.


In our setup I have a switch trunked to that ASA physical interface with the two subinterfaces.  On the switch I have two VLANs (40 and 50) with a PC in each VLAN.  With that configuration the PC in each VLAN gets the correct corresponding prefix (fdc4:7b5a:1112:5:...., fdc4:7b5a:1112:1.......)

So with the "ipv6 address Network_Ghost/64 eui-64" configured on interface gi0/1.50 and a PC in VLAN 50 it is receiving the prefix fdc4:7b5a:1112:1 and auto configuring the rest.


As a sanity check I configured another subinterface similar to VLAN 50 on the ASA.  The PC on that VLAN is not getting an address.

I can't explain how the PC in VLAN 50 is getting it's address.  Even after a reboot the PC in VLAN 50 still gets the correct address.

Regardless.  The point is mostly moot as I do see that the correct way to configure this is with the "nd prefix" command.  And it works.  Thanks for the help.

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to brianhill88

‎06-02-2011 02:47 AM

Brian,

Strictly speaking if you have only one prefix assigned via IPv6 address there is no need to specify ND prefix.

In certain scenarios it might be desirable to advertise only certain prefix(es) out of multiple configured on interface.

Regarding the not working situation. It would be interested to sniff the traffic, check if ASA is generating RAs and if the host in non-working vlan is receiving those. These sort of problems are usually more down-to-earth :-)

HTH,

Marcin

0 Helpful

Go to solution
brianhill88
Level 1
Level 1
In response to Marcin Latosiewicz

‎06-02-2011 09:16 AM

So the end goal is to have approximately 20 sub-interfaces off of the inside physical

interface of the ASA.  Each sub-interface responsible for handing out a seperate IPv6 prefix to the 20 VLANs that live on the connected switch.  At this time we don't want to dual stack the switch.  This is a way of getting around that issue.

So in this scenario, the ND prefix on each sub-interface would be the correct implementation correct?

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to brianhill88

‎06-15-2011 09:00 AM

Brian,

Sorry for late-late-late reply. I was out of office.

In scenario you mention you do not need to specify the prefixes manually, it will be derived from the IPv6 address assigned to interface.

Marcin

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card