Configure a Global IPv6 Address

To configure a global IPv6 address for any routed mode interface and for the transparent or routed mode BVI, perform the following steps.

Note

Configuring the global address automatically configures the link-local address, so you do not need to configure it separately. For bridge groups, configuring the global address on the BVI automatically configures link-local addresses on all member interfaces.

For subinterfaces defined on the threat defense, we recommend that you also set the MAC address manually, because subinterfaces use the same burned-in MAC address as the parent interface. IPv6 link-local addresses are generated based on the MAC address, so assigning unique MAC addresses to subinterfaces allows for unique IPv6 link-local addresses, which can avoid traffic disruption in certain instances on the threat defense. See Configure the MAC Address.

Before you begin

For IPv6 neighbor discovery for bridge groups, you must explicitly allow Neighbor Solicitation (ICMPv6 type 135) and Neighbor Advertisement (ICMPv6 type 136) packets through the threat defense bridge group member interfaces using a bidirectional access rule.

Procedure


Step 1

Select Devices > Device Management and click Edit (edit icon) for your threat defense device. The Interfaces page is selected by default.

Step 2

Click Edit (edit icon) for the interface you want to edit.

Step 3

Click the IPv6 page.

For routed mode, the Basic page is selected by default. For transparent mode, the Address page is selected by default.

Step 4

(Optional) On the Basic page, check Enable IPv6.

Use this option if you want to configure only the link-local addresses. Otherwise, configuring an IPv6 address enables IPv6 processing automatically.

Step 5

Configure the global IPv6 address using one of the following methods.

For failover and clustering, and for loopback interfaces, you must set the IP address manually. For clustering, manually configuring the link-local address is also not supported.

  • (Routed interface) Stateless autoconfiguration—Check the Autoconfiguration check box.

    Enabling stateless autoconfiguration on the interface configures IPv6 addresses based upon prefixes received in Router Advertisement messages. A link-local address, based on the Modified EUI-64 interface ID, is automatically generated for the interface when stateless autoconfiguration is enabled.

    Although RFC 4862 specifies that hosts configured for stateless autoconfiguration do not send Router Advertisement messages, the threat defense device does send Router Advertisement messages in this case. Uncheck the IPv6 > Settings > Enable RA check box to suppress messages.

  • Manual configuration—To manually configure a global IPv6 address:

    1. Click the Address page, and click Add Address (add icon).

      The Add Address dialog box appears.

    2. In the Address field, enter either a full global IPv6 address, including the interface ID, or enter the IPv6 prefix, along with the IPv6 prefix length. (Routed Mode) If you only enter the prefix, then be sure to check the Enforce EUI 64 check box to generate the interface ID using the Modified EUI-64 format. For example, 2001:0DB8::BA98:0:3210/48 (full address) or 2001:0DB8::/48 (prefix, with EUI 64 checked).

      For High Availability (if you did not set Enforce EUI 64), set the standby IP address on the Devices > Device Management > High Availability page in the Monitored Interfaces area. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.

  • (Routed interface) Obtain an address using DHCPv6—To use DHCPv6:

    Enable the DHCPv6 Client
    1. Click the DHCP page.

    2. Check the Enable DHCP Client check box.

    3. (Optional) Check the Enable default route using DHCP check box to obtain a default route from Router Advertisements.

  • (Routed interface) Use a delegated prefix—To assign an IPv6 address using the delegated prefix:

    This feature requires the threat defense to have the DHCPv6 Prefix Delegation client enabled on a different interface. See Enable the IPv6 Prefix Delegation Client.

    1. Click the DHCP page.

    2. Click Add (add icon).

      Use a Delegated Prefix
    3. Enter the Prefix Name that you specified for the Prefix Delegation client (see Enable the IPv6 Prefix Delegation Client) on another interface.

      Specify the Prefix Name and Address
    4. Enter the IPv6 address and Prefix Length.

      Typically, the delegated prefix will be /60 or smaller so you can subnet to multiple /64 networks. /64 is the supported subnet length if you want to support SLAAC for connected clients. You should specify an address that completes the /60 subnet, for example ::1:0:0:0:1. Enter :: before the address in case the prefix is smaller than /60. For example, if the delegated prefix is 2001:DB8:1234:5670::/60, then the global IP address assigned to this interface is 2001:DB8:1234:5671::1/64. The prefix that is advertised in router advertisements is 2001:DB8:1234:5671::/64. In this example, if the prefix is smaller than /60, the remaining bits of the prefix will be 0's as indicated by the leading ::. For example, if the prefix is 2001:DB8:1234::/48, then the IPv6 address will be 2001:DB8:1234::1:0:0:0:1/64.

    5. Click OK.

      Prefix Delegation Table
    6. Optionally enable the DHCPv6 stateless server on this interface (see Enable the DHCPv6 Stateless Server). If you do so, we recommend that you also check the Enable DHCP for non-address config option.
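
The delegated-prefix arithmetic described in step 4 above, as an added Python example (not Cisco code): it combines a delegated prefix with the address entered in the dialog and returns the resulting interface address and advertised /64. The function names are hypothetical; the prefixes are the documentation examples used in that step.

```python
import ipaddress

def address_from_delegated_prefix(delegated, suffix, subnet_len=64):
    """Return (interface address, advertised prefix) for a delegated prefix
    combined with the address entered for the interface (e.g. ::1:0:0:0:1)."""
    prefix = ipaddress.IPv6Network(delegated, strict=True)
    if prefix.prefixlen > subnet_len:
        raise ValueError(f"{prefix} is longer than /{subnet_len}; cannot subnet it")
    suffix_int = int(ipaddress.IPv6Address(suffix))
    # The entered address may only fill bits that were not delegated; a bit
    # set inside the delegated part would silently change the prefix.
    if suffix_int >> (128 - prefix.prefixlen):
        raise ValueError(f"{suffix} sets bits inside the delegated {prefix}")
    combined = ipaddress.IPv6Address(int(prefix.network_address) | suffix_int)
    iface = ipaddress.IPv6Interface(f"{combined}/{subnet_len}")
    return iface, iface.network

def subnets_available(delegated, subnet_len=64):
    """Number of /subnet_len networks that fit in the delegated prefix."""
    bits = subnet_len - ipaddress.IPv6Network(delegated, strict=True).prefixlen
    return 2 ** bits if bits >= 0 else 0

if __name__ == "__main__":
    for delegated in ("2001:DB8:1234:5670::/60", "2001:DB8:1234::/48"):
        iface, advertised = address_from_delegated_prefix(delegated, "::1:0:0:0:1")
        print(f"{delegated}: interface {iface}, RA prefix {advertised}, "
              f"{subnets_available(delegated)} x /64 available")
    # An entered address that overlaps the delegated /60 is rejected.
    try:
        address_from_delegated_prefix("2001:DB8:1234:5670::/60", "::10:0:0:0:1")
    except ValueError as err:
        print("rejected:", err)
```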

Step 6

For Routed interfaces, you can optionally set the following values on the Basic page:

  • To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link, check the Enforce EUI-64 check box.

  • To manually set the link-local address, enter an address in the Link-Local address field.

    A link-local address should start with FE8, FE9, FEA, or FEB, for example fe80::20d:88ff:feee:6a82. If you do not want to configure a global address, and only need to configure a link-local address, you have the option of manually defining the link-local address. Note that we recommend automatically assigning the link-local address based on the Modified EUI-64 format. For example, if other devices enforce the use of the Modified EUI-64 format, then a manually-assigned link-local address may cause packets to be dropped.

    Clustering does not support manual link-local addresses.
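
Why subinterfaces that share the parent's burned-in MAC end up with the same link-local address, and how to check a manually entered link-local address against the rules in this step, as an added Python example (not Cisco code). The interface names and MAC addresses are constructed; the first MAC is the one that yields the fe80::20d:88ff:feee:6a82 address quoted above.

```python
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # covers FE8, FE9, FEA, FEB

# Constructed sample: two subinterfaces inherit the parent's MAC address.
SAMPLE_INTERFACES = {
    "outside.10": "00:0d:88:ee:6a:82",
    "outside.20": "00:0d:88:ee:6a:82",
    "inside": "00:0d:88:ee:6a:83",
}

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) as a 64-bit int."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit, then insert FF:FE between the two halves.
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")

def eui64_link_local(mac):
    """Link-local address that autoconfiguration derives from this MAC."""
    return ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | eui64_interface_id(mac))

def link_local_collisions(interfaces):
    """interfaces: {name: mac}. Return {link-local: [names]} for shared addresses."""
    seen = defaultdict(list)
    for name, mac in interfaces.items():
        seen[str(eui64_link_local(mac))].append(name)
    return {addr: names for addr, names in seen.items() if len(names) > 1}

def check_manual_link_local(addr, mac):
    """Return findings for a manually entered link-local address."""
    ip = ipaddress.IPv6Address(addr)
    findings = []
    if ip not in LINK_LOCAL:
        findings.append("outside fe80::/10")
    if int(ip) & (2**64 - 1) != eui64_interface_id(mac):
        # Peers that enforce Modified EUI-64 may drop packets from this address.
        findings.append("interface ID is not Modified EUI-64 for this MAC")
    return findings

if __name__ == "__main__":
    print(link_local_collisions(SAMPLE_INTERFACES))
    print(check_manual_link_local("fe80::1", "00:0d:88:ee:6a:82"))
```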

Step 7

For Routed interfaces, you can optionally set the following values on the DHCP page:

  • Check the Enable DHCP for address config check box to set the Managed Address Config flag in the IPv6 router advertisement packet.

    This flag in IPv6 router advertisements informs IPv6 autoconfiguration clients that they should use DHCPv6 to obtain addresses, in addition to the derived stateless autoconfiguration address.

  • Check the Enable DHCP for non-address config check box to set the Other Address Config flag in the IPv6 router advertisement packet.

    This flag in IPv6 router advertisements informs IPv6 autoconfiguration clients that they should use DHCPv6 to obtain additional information from DHCPv6, such as the DNS server address. Use this option when using the DHCPv6 stateless server with DHCPv6 prefix delegation.

Step 8

For Routed interfaces, see Configure IPv6 Neighbor Discovery to configure settings on the Prefixes and Settings pages. For BVI interfaces, see the following parameters on the Settings page:

  • DAD attempts—The maximum number of DAD attempts, between 1 and 600. Set the value to 0 to disable duplicate address detection (DAD) processing. This setting configures the number of consecutive neighbor solicitation messages that are sent on an interface while DAD is performed on IPv6 addresses. 1 attempt is the default.

  • NS Interval—The interval between IPv6 neighbor solicitation retransmissions on an interface, between 1000 and 3600000 ms. The default value is 1000 ms.

  • Reachable Time—The amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, between 0 and 3600000 ms. The default value is 0 ms. When 0 is used for the value, the reachable time is sent as undetermined. It is up to the receiving devices to set and track the reachable time value. The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.

Step 9

Click OK.

Step 10

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.