: Dynamic IPv6 Address Assignment on the Management Interface
Focus
Focus

Dynamic IPv6 Address Assignment on the Management Interface

Table of Contents

Dynamic IPv6 Address Assignment on the Management Interface

The management interface can receive a dynamic IPv6 address assignment by using either stateful DHCPv6 or SLAAC with stateless DHCPv6.
The management (MGT) interface on the NGFW now supports dynamic IPv6 address assignment. Configuring the MGT interface for dynamic IPv6 address assignment (rather than a static address) makes it easier to insert and manage the firewall in an IPv6 network.
When you configure the MGT interface, you'll notice new IPv4 and IPv6 tabs to separate the configurations.
You have two types of addressing to choose from: stateful or stateless. On the network segment, you control the router where you set flags to indicate that the MGT interface will be one of the following:
  • A stateful DHCPv6 client, which receives its IPv6 address with prefix length and other configuration information from a DHCPv6 server.
  • An IPv6 stateless address autoconfiguration (SLAAC) client, which autogenerates its IPv6 address. A stateless IPv6 address avoids a DHCPv6 server having to store dynamic state information about clients; such avoidance is helpful in environments with a large number of endpoints.
The firewall uses Neighbor Discovery Protocol (NDP) to send a Router Solicitation to all routers on the link. The flags in the Router Advertisement (RA) that the sole router (or preferred router) on the link sends to the firewall control whether the firewall will use SLAAC or stateful DHCPv6 to get a dynamic address for the MGT interface.
However, the current situation is that when the Autonomous (A) flag is set in the RA message, the firewall chooses both a DHCPv6 address and a SLAC address. Ideally, the firewall should choose only the SLAAC address and shouldn't send a DHCPv6 Solicit message. As a result of this known issue, if there is a DHCPv6 server on the segment and it can assign an IPv6 address, the firewall prefers DHCPv6 address assignment over SLAAC.
You specify either a static IPv6 default gateway address or request a dynamic IPv6 default gateway address, which the firewall learns from the RA that the router sends. Even if you configure the MGT interface with a static IPv6 address, you now have this same choice for configuring the default gateway.
Therefore, you have four possible options for configuring the MGT interface and its default gateway:
  • Static IPv6 address and static IPv6 default gateway address
  • Static IPv6 address and dynamic IPv6 default gateway address
  • Dynamic IPv6 address and static IPv6 default gateway address
  • Dynamic IPv6 address and dynamic IPv6 default gateway address
Configuring the MGT interface as a DHCPv6 client involves requesting a Non-Temporary or Temporary Address, deciding on the Rapid Commit option, and specifying the DHCPv6 Unique ID type.