The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and keep track of neighboring routers.
Nodes (hosts) use neighbor discovery to determine the link-layer addresses for neighbors known to reside on attached links and to quickly purge cached values that become invalid. Hosts also use neighbor discovery to find neighboring routers that are willing to forward packets on their behalf. In addition, nodes use the protocol to actively keep track of which neighbors are reachable and which are not, and to detect changed link-layer addresses. When a router or the path to a router fails, a host actively searches for functioning alternates.
Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to discover the link-layer addresses of other nodes on the local link. After receiving a neighbor solicitation message, the destination node replies by sending a neighbor advertisement message (ICMPv6 Type 136) on the local link.
After the source node receives the neighbor advertisement, the source node and destination node can communicate. Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer address of a neighbor is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor.
Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node on a local link.
During the stateless autoconfiguration process, Duplicate Address Detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces.
When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not used, and the following error message is generated:
325002: Duplicate address ipv6_address/MAC_address on interface
If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface. If the duplicate address is a global address, the address is not used.
The ASA uses neighbor solicitation messages to perform Duplicate Address Detection. By default, the number of times an interface performs Duplicate Address Detection is 1.
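The following added example (not part of the Cisco documentation) parses 325002 messages and applies the rule stated above: a duplicate link-local address disables IPv6 packet processing on the interface, while a duplicate global address is simply not used. The log lines are constructed, and the assumption is that the interface name replaces the trailing "interface" token of the message template.

```python
import ipaddress
import re
from collections import defaultdict

# Follows the message template quoted above; an interface name in place of
# the trailing "interface" token is an assumption.
DUP_RE = re.compile(
    r"325002: Duplicate address (?P<addr>[0-9A-Fa-f:.]+)/(?P<mac>\S+) on (?P<ifc>\S+)"
)

# Constructed sample lines (documentation prefix 2001:db8::/32, made-up MACs).
SAMPLE_LOG = [
    "%ASA-4-325002: Duplicate address fe80::1/0050.56a1.0001 on inside",
    "%ASA-4-325002: Duplicate address 2001:db8:1::10/0050.56a1.0002 on dmz",
    "%ASA-4-325002: Duplicate address 2001:db8:1::11/0050.56a1.0002 on dmz",
    "%ASA-6-302020: Built inbound ICMP connection (constructed, unrelated)",
    "%ASA-4-325002: Duplicate address fe80:::1/0050.56a1.0003 on dmz",  # malformed
]

def classify(line):
    """Return a dict describing one DAD failure, or None if the line is not one."""
    m = DUP_RE.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.IPv6Address(m["addr"])
    except ValueError:
        return None  # matched the template but the address does not parse
    # Link-local duplicate: IPv6 processing is disabled on the interface.
    # Global duplicate: only that address goes unused.
    impact = "ipv6-processing-disabled" if addr.is_link_local else "address-not-used"
    return {"interface": m["ifc"], "address": str(addr),
            "mac": m["mac"], "impact": impact}

def summarize(lines):
    """Group DAD failures per interface for triage."""
    per_ifc = defaultdict(lambda: {"events": 0, "macs": set(), "ipv6_disabled": False})
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        s = per_ifc[ev["interface"]]
        s["events"] += 1
        s["macs"].add(ev["mac"])  # the MAC reported as owning the duplicate
        s["ipv6_disabled"] |= ev["impact"] == "ipv6-processing-disabled"
    return dict(per_ifc)

if __name__ == "__main__":
    for ifc, stats in summarize(SAMPLE_LOG).items():
        print(ifc, stats)
```

Several duplicates on one interface that all name the same MAC address, as in the constructed dmz lines, point to a single device to investigate.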
The ASA can participate in router advertisements so that neighboring devices can dynamically learn a default router address. Router advertisement messages (ICMPv6 Type 134) are periodically sent out each IPv6 configured interface of the ASA.
Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133). Router solicitation messages are sent by hosts at system startup so that the host can immediately autoconfigure without needing to wait for the next scheduled router advertisement message.
You can manually define a neighbor in the IPv6 neighbor cache. If an entry for the specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry. Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.
Configure IPv6 addressing according to Configure IPv6 Addressing.
The following IPv6 neighbor discovery commands are not supported in transparent firewall mode, because they require router capabilities:
The interval value is included in all IPv6 router advertisements that are sent out of this interface.
The configured time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if the ASA is configured as a default router by using the ipv6 nd ra-lifetime command. To prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20 percent of the specified value.
The ipv6 nd prefix command allows control over the individual parameters per prefix, including whether or not the prefix should be advertised.
By default, prefixes configured as addresses on an interface using the ipv6 address command are advertised in router advertisements. If you configure prefixes for advertisement using the ipv6 nd prefix command, then only these prefixes are advertised.
The default keyword can be used to set default parameters for all prefixes.
A date can be set to specify the expiration of a prefix. The valid and preferred lifetimes are counted down in real time. When the expiration date is reached, the prefix will no longer be advertised.
When onlink is on (by default), the specified prefix is assigned to the link. Nodes sending traffic to such addresses that contain the specified prefix consider the destination to be locally reachable on the link.
When autoconfig is on (by default), it indicates to hosts on the local link that the specified prefix can be used for IPv6 autoconfiguration.
For stateless autoconfiguration to work correctly, the advertised prefix length in router advertisement messages must always be 64 bits.
The router lifetime value is included in all IPv6 router advertisements sent out of the interface. The value indicates the usefulness of the ASA as a default router on this interface.
Setting the value to a non-zero value indicates that the ASA should be considered a default router on this interface. The non-zero value for the router lifetime value should not be less than the router advertisement interval.
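The following added example (not part of the Cisco documentation) audits per-interface router advertisement settings against the rules stated above: a non-zero router lifetime must not be less than the RA interval, prefixes offered for autoconfiguration must be 64 bits long, and interfaces that should not supply a prefix should have RAs suppressed. The class names, finding codes, sample values, and the use of seconds for both timers are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Prefix:
    cidr: str
    autoconfig: bool = True  # on by default, per the text above

@dataclass
class RaSettings:
    interface: str
    ra_interval_s: int       # RA transmission interval (seconds assumed)
    router_lifetime_s: int   # 0 means the ASA is not offered as a default router
    suppress_ra: bool = False
    prefixes: list = field(default_factory=list)

def check_ra(s, no_prefix_interfaces=()):
    """Return finding codes for one interface's RA settings."""
    findings = []
    if s.suppress_ra:
        return findings  # no RAs leave this interface, nothing to check
    if s.interface in no_prefix_interfaces:
        findings.append("RA_NOT_SUPPRESSED")
    # A non-zero router lifetime should not be less than the RA interval.
    if s.router_lifetime_s != 0 and s.router_lifetime_s < s.ra_interval_s:
        findings.append("LIFETIME_BELOW_INTERVAL")
    for p in s.prefixes:
        net = ipaddress.IPv6Network(p.cidr, strict=False)
        # Stateless autoconfiguration requires a 64-bit advertised prefix.
        if p.autoconfig and net.prefixlen != 64:
            findings.append(f"PREFIX_NOT_64:{net}")
    return findings

# Constructed sample settings (documentation prefix 2001:db8::/32).
SAMPLE = [
    RaSettings("inside", 200, 1800, prefixes=[Prefix("2001:db8:1::/64")]),
    RaSettings("dmz", 600, 300, prefixes=[Prefix("2001:db8:2::/56")]),
    RaSettings("outside", 200, 1800, prefixes=[Prefix("2001:db8:3::/64")]),
    RaSettings("mgmt", 600, 300, suppress_ra=True),
]

def audit(settings, no_prefix_interfaces=("outside",)):
    """Map each interface name to its list of findings."""
    return {s.interface: check_ra(s, no_prefix_interfaces) for s in settings}

if __name__ == "__main__":
    for ifc, findings in audit(SAMPLE).items():
        print(ifc, findings or "ok")
```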
The following guidelines and limitations apply for configuring a static IPv6 neighbor:
The ipv6 neighbor command is similar to the arp command. If an entry for the specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry. These entries are stored in the configuration when the copy command is used to store the configuration.
Use the show ipv6 neighbor command to view static entries in the IPv6 neighbor discovery cache.
The clear ipv6 neighbor command deletes all entries in the IPv6 neighbor discovery cache except static entries. The no ipv6 neighbor command deletes a specified static entry from the neighbor discovery cache; the command does not remove dynamic entries—entries learned from the IPv6 neighbor discovery process—from the cache. Disabling IPv6 on an interface by using the no ipv6 enable command deletes all IPv6 neighbor discovery cache entries configured for that interface except static entries (the state of the entry changes to INCMP [Incomplete]).
Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.
The clear ipv6 neighbor command does not remove static entries from the IPv6 neighbor discovery cache; it only clears the dynamic entries.
The ICMP syslogs generated are caused by a regular refresh of IPv6 neighbor entries. The ASA default timer for IPv6 neighbor entry is 30 seconds, so the ASA would generate ICMPv6 neighbor discovery and response packets about every 30 seconds. If the ASA has both failover LAN and state interfaces configured with IPv6 addresses, then every 30 seconds, ICMPv6 neighbor discovery and response packets will be generated by both ASAs for both configured and link-local IPv6 addresses. In addition, each packet will generate several syslogs (ICMP connection and local-host creation or teardown), so it may appear that constant ICMP syslogs are being generated. The refresh time for IPv6 neighbor entry is configurable on the regular data interface, but not configurable on the failover interface. However, the CPU impact for this ICMP neighbor discovery traffic is minimal.
The following table lists the default settings for IPv6 Neighbor Discovery.
To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, perform the following steps.
Step 1 | Choose . |
Step 2 | Choose the interface on which to configure the neighbor solicitation interval. The interface must have been configured with an IPv6 address. See Configure IPv6 Addressing for more information. |
Step 3 | Click Edit. The Edit Interface dialog box appears. |
Step 4 | Click the IPv6 tab. |
Step 5 | Enter the time interval in the NS Interval field. |
Step 6 | Click OK. |
Step 7 | Click Apply to save the running configuration. |
The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
Step 1 | Choose . |
Step 2 | Choose the interface for which you want to configure the time. The interface must have been configured with an IPv6 address. For more information, see Configure IPv6 Addressing. |
Step 3 | Click Edit. The Edit Interface dialog box appears. |
Step 4 | Click the IPv6 tab. |
Step 5 | Enter a valid value in the Reachable Time field. |
Step 6 | Click OK. |
Step 7 | Click Apply to save the running configuration. |
To configure the interval between IPv6 router advertisement transmissions on an interface, perform the following steps:
Step 1 | Choose . |
Step 2 | Select the interface for which you want to configure the time.
The interface must have been configured with an IPv6 address. For more information, see Configure IPv6 Addressing. |
Step 3 | Click Edit. The Edit Interface dialog box appears. |
Step 4 | Click the IPv6 tab. |
Step 5 | Enter a valid transmission interval value in the RA Interval field. |
Step 6 | Click OK. |
Step 7 | Click Apply to save the running configuration. |
To configure the router lifetime value in IPv6 router advertisements on an interface, perform the following steps.
To specify DAD settings on the interface, perform the following steps.
Step 1 | Choose . |
Step 2 | Select the interface you want to configure.
The interface must have been configured with an IPv6 address. For more information, see Configure IPv6 Addressing. |
Step 3 | Click Edit. |
Step 4 | Click the IPv6 tab. |
Step 5 | Enter the number of allowed DAD attempts.
This setting configures the number of consecutive neighbor solicitation messages that are sent on an interface while DAD is performed on IPv6 addresses. |
Router advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the ASA to supply the IPv6 prefix (for example, the outside interface).
To suppress the router lifetime value in IPv6 router advertisements on an interface, perform the following steps.
You can add a flag to IPv6 router advertisements to inform IPv6 autoconfiguration clients to use DHCPv6 to obtain an IPv6 address and/or additional information such as the DNS server address.
To configure which IPv6 prefixes are included in IPv6 router advertisements, perform the following steps:
Make sure that IPv6 is enabled on at least one interface before trying to add a neighbor, or ASDM returns an error message indicating that the configuration failed.
To add an IPv6 static neighbor, perform the following steps.
When a host or node communicates with a neighbor, the neighbor is added to the neighbor discovery cache. The neighbor is removed from the cache when there is no longer any communication with that neighbor.
To view dynamically discovered neighbors and clear these neighbors from the IPv6 neighbor discovery cache, perform the following steps:
Step 1 | Choose Monitoring > Interfaces > IPv6 Neighbor Discovery Cache.
You can view all static and dynamically discovered neighbors from the IPv6 Neighbor Discovery Cache pane. |
Step 2 | To clear all dynamically discovered neighbors from the cache, click Clear Dynamic Neighbor Entries.
The dynamically discovered neighbor is removed from the cache. |
We introduced the following screens: Monitoring > Interfaces > IPv6 Neighbor Discovery Cache. Configuration > Device Management > Advanced > IPv6 Neighbor Discovery Cache. Configuration > Device Setup > Interface Settings > Interfaces > IPv6.
We modified the following screen: Configuration > Device Setup > Interfaces > IPv6.