Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 45 Managing Firewall Devices
Configuring Firewall Device Interfaces
Navigation Path
You can access the IPv6 panel in the Add Interface and Edit Interface dialog boxes, which are accessed
from the ASA or FWSM Interfaces page, as described in Managing Device Interfaces, Hardware Ports,
and Bridge Groups, page 45-14.
Related Topics
IPv6 Support in Security Manager, page 1-7
Add/Edit Interface Dialog Box: General Tab (PIX 7.0+/ASA/FWSM), page 45-20
Add/Edit Interface Dialog Box: Advanced Tab (ASA/PIX 7.0+), page 45-27
Field Reference
Table 45-5 IPv6 tab: Add/Edit Interface Dialog Box (ASA/FWSM)
Element: Enable IPv6
Description: Check this box to enable IPv6 and configure IPv6 addresses on this interface. You can deselect this option to disable IPv6 on the interface, but retain the configuration information.

Element: Enforce EUI-64
Description: When selected, use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link is enforced.

When this option is enabled on an interface, the source addresses of IPv6 packets received on the interface are verified against the source MAC addresses to ensure that the interface identifiers use the Modified EUI-64 format. If the interface identifier in an IPv6 packet is not in the Modified EUI-64 format, the packet is dropped and the following system log message is generated:

%PIX|ASA-3-325003: EUI-64 source address check failed.

Address format verification is performed only when a flow is created. Packets from an existing flow are not checked. Additionally, address verification can be performed only for hosts on the local link. Packets received from hosts behind a router will fail the address format verification, and be dropped, because their source MAC address will be the router MAC address and not the host MAC address.

The Modified EUI-64 format interface identifier is derived from the 48-bit link-layer (MAC) address by inserting the hex number FFFE between the upper three bytes (OUI field) and the lower 3 bytes (serial number) of the link-layer address. To ensure the chosen address is from a unique Ethernet MAC address, the next-to-lowest order bit in the high-order byte is inverted (universal/local bit) to indicate the uniqueness of the 48-bit address. For example, an interface with a MAC address of 00E0.B601.3B7A would have a 64-bit interface ID of 02E0:B6FF:FE01:3B7A.
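
The derivation and the source-address check described above, as an added Python example (not taken from the Cisco guide and not the device's implementation). The function names, the sample frames and the router MAC 0011.2233.4455 are constructed for illustration; the check is a simplified model that compares the low 64 bits of the source IPv6 address with the interface ID derived from the frame's source MAC.

```python
import ipaddress
import re

def mac_to_bytes(mac: str) -> bytes:
    """Parse a MAC in Cisco dotted (00E0.B601.3B7A), colon or hyphen form."""
    digits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)

def modified_eui64(mac: str) -> bytes:
    """Insert FFFE between OUI and serial number, then invert the U/L bit."""
    raw = mac_to_bytes(mac)
    first = raw[0] ^ 0x02  # universal/local bit: next-to-lowest bit of byte 0
    return bytes([first]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def format_interface_id(iid: bytes) -> str:
    """Render the 64-bit interface ID as four colon-separated hex groups."""
    return ":".join(iid[i:i + 2].hex().upper() for i in range(0, 8, 2))

def eui64_check(src_ipv6: str, src_mac: str) -> bool:
    """True when the low 64 bits of src_ipv6 equal the Modified EUI-64
    interface ID derived from the frame's source MAC (simplified model)."""
    addr = ipaddress.IPv6Address(src_ipv6)
    return addr.packed[8:] == modified_eui64(src_mac)

# Constructed sample frames: (source IPv6, source MAC seen on the local link)
SAMPLES = [
    # On-link host using a Modified EUI-64 interface ID.
    ("fe80::2e0:b6ff:fe01:3b7a", "00E0.B601.3B7A"),
    # On-link host with a manually assigned interface ID.
    ("2001:db8:1::1234", "00E0.B601.3B7A"),
    # Host behind a router: valid EUI-64 ID, but the frame carries the router MAC.
    ("2001:db8:2:0:2e0:b6ff:fe01:3b7a", "0011.2233.4455"),
]

def classify(samples):
    """Return 'pass' or 'drop' for each (IPv6, MAC) pair."""
    return ["pass" if eui64_check(ip, mac) else "drop" for ip, mac in samples]

if __name__ == "__main__":
    print(format_interface_id(modified_eui64("00E0.B601.3B7A")))
    for (ip, mac), verdict in zip(SAMPLES, classify(SAMPLES)):
        print(f"{verdict:4}  {ip}  src-mac={mac}")
```

The third sample shows why enabling Enforce EUI-64 on an interface that receives routed traffic drops new flows from remote hosts: the address itself is well formed, but it cannot match the router's MAC.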