IPv6 Link-Local vs Global Unicast – Address Types, Scope, and Configuration

1. Overview — IPv6 Address Scopes

Every IPv6 interface carries multiple addresses simultaneously — at minimum one link-local address, and usually one or more global unicast addresses. Understanding the difference between them is one of the most fundamental IPv6 concepts on the CCNA exam and in real-world deployments.

The key distinction is scope — how far an address is meaningful and reachable. A link-local address is only meaningful on the single physical or logical link where it was created; a router will never forward a packet whose destination is a link-local address. A global unicast address is globally unique and can be routed anywhere across the IPv6 internet.

  ┌─────────────────────────────────────────────────────────────────┐
  │  IPv6 Interface (e.g. GigabitEthernet0/0)                       │
  │                                                                 │
  │  Link-Local:     FE80::1A2B:3C4D:5E6F:7A8B   ← always present  │
  │  Global Unicast: 2001:0DB8:ACAD:1::10/64     ← for internet    │
  │  (+ solicited-node multicast addresses per unicast)             │
  └─────────────────────────────────────────────────────────────────┘

2. Link-Local Addresses — Definition and Scope

A link-local address is an IPv6 address that is valid only on the single physical or logical link to which the interface is directly connected. It cannot be routed — a router that receives a packet with a link-local destination address must drop it rather than forward it.

Link-local addresses are mandatory: every IPv6-enabled interface automatically generates one before any other IPv6 configuration takes place. This happens without any DHCP, without any router, and without any manual input. The moment IPv6 is enabled on an interface, a link-local address exists.

  Link-Local prefix: FE80::/10
  ─────────────────────────────
  Binary: 1111 1110 10xx xxxx   ← first 10 bits fixed as 1111111010
  Range:  FE80:: to FEBF::FFFF:FFFF:FFFF:FFFF

  Typical appearance:
  FE80::1                          ← manually set (common on Cisco routers)
  FE80::20C:29FF:FE4B:A8E3        ← EUI-64 derived from MAC 00:0C:29:4B:A8:E3
  FE80::F412:29A1:BCC3:7D91       ← randomly generated (privacy/Windows default)

Link-local addresses are used for all on-link IPv6 operations — Neighbor Discovery Protocol (NDP), router discovery, routing protocol hello messages, and default gateway identification. These functions require a stable, always-present address that works before any global addressing is configured, making link-local the essential foundation of all IPv6 communication.

Zone ID (Scope ID): Because the same link-local address (e.g. FE80::1) could legitimately exist on multiple interfaces of the same host, you must specify which interface to use when pinging a link-local address. The syntax uses a % separator:

  Linux:   ping6 FE80::1%eth0          ← %eth0 = zone ID specifying the interface
  Windows: ping FE80::1%12             ← %12 = interface index from ipconfig
  Cisco:   ping FE80::1 source Gi0/0   ← source interface specified separately

3. Global Unicast Addresses — Definition and Scope

A global unicast address (GUA) is a globally unique, globally routable IPv6 address — the functional equivalent of a public IPv4 address. GUAs are used for all inter-network and internet communication.

  Global Unicast prefix: 2000::/3
  ─────────────────────────────────
  Binary: 001x xxxx   ← first 3 bits fixed as 001
  Range:  2000:: to 3FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

  Structure of a typical /64 GUA:
  ┌──────────────┬─────────────┬──────────────────────────────────┐
  │ Global Routing│  Subnet ID  │     Interface Identifier (IID)   │
  │   Prefix      │             │                                  │
  │   (48 bits)   │  (16 bits)  │          (64 bits)               │
  └──────────────┴─────────────┴──────────────────────────────────┘
  │◄──────── Network Portion (64 bits) ────────►│◄── Host (64 bits) ──►│

  Example: 2001:0DB8:ACAD:0001:020C:29FF:FE4B:A8E3
           ├──────────────┤├─────┤├───────────────────────────────┤
           Global Routing    Subnet        Interface Identifier
           Prefix (ISP)       ID           (EUI-64 from MAC)

The Global Routing Prefix (typically 48 bits) is assigned by the ISP or Regional Internet Registry (RIR). The Subnet ID (16 bits) is used by the organisation to subdivide its allocation into up to 65,535 subnets. The Interface Identifier (64 bits) uniquely identifies the host within the subnet — derived via EUI-64, SLAAC, or DHCPv6.

Documentation prefix: 2001:DB8::/32 is reserved for documentation and examples (RFC 3849) — the same role as 192.0.2.0/24 in IPv4. You will see this prefix throughout CCNA materials and exam questions.

4. Address Formats and Prefixes Reference

Address Type	Prefix	Prefix Length	Scope	Routable?	Notes
Link-Local	`FE80::/10`	10 bits	Single link	No — dropped by routers	Mandatory on every IPv6 interface; range FE80:: to FEBF::
Global Unicast	`2000::/3`	3 bits	Global	Yes — globally routable	Currently allocated from `2000::` to `3FFF::`; starts with hex digit 2 or 3
Unique Local	`FC00::/7`	7 bits	Organisation / site	Not intended for internet routing	IPv6 equivalent of RFC 1918 private addresses (10.x.x.x, 172.16.x.x, 192.168.x.x); uses `FD00::/8` in practice
Multicast	`FF00::/8`	8 bits	Defined per group	Scope-dependent	Replaces IPv4 broadcast; used for NDP, routing protocols, all-nodes (`FF02::1`), all-routers (`FF02::2`)
Loopback	`::1/128`	128 bits	Host only	No	IPv6 equivalent of IPv4 `127.0.0.1`
Unspecified	`::/128`	128 bits	N/A	No	Used as source address before an address is assigned (e.g. during DAD); IPv6 equivalent of `0.0.0.0`

5. Interface Identifier (IID) — EUI-64 and Random Generation

The Interface Identifier (IID) occupies the lower 64 bits of an IPv6 address and uniquely identifies the interface within a subnet. There are three methods for generating it.

EUI-64 Method

EUI-64 derives the IID from the interface's 48-bit MAC address using a deterministic algorithm:

  MAC address:  00:0C:29:4B:A8:E3

  Step 1 — Split the MAC in half and insert FF:FE in the middle:
            00:0C:29 | FF:FE | 4B:A8:E3
            → 00:0C:29:FF:FE:4B:A8:E3

  Step 2 — Flip bit 7 (the Universal/Local bit) of the first byte:
            00 in binary = 0000 0000
            Bit 7 flipped: 0000 0010 = 02
            → 02:0C:29:FF:FE:4B:A8:E3

  Step 3 — Express as four 16-bit groups (IID):
            020C:29FF:FE4B:A8E3

  Full link-local address:
  FE80:: + 020C:29FF:FE4B:A8E3 = FE80::020C:29FF:FE4B:A8E3

Privacy concern: Because EUI-64 embeds the MAC address in the IPv6 address, it allows a device to be tracked across networks. This led to RFC 4941 Privacy Extensions, which use a randomly generated IID that changes periodically — the default on Windows and modern Linux.

Random / Privacy Extensions (RFC 4941)

The OS generates a random 64-bit IID. A new random IID is generated periodically (typically every 24 hours) and the old address is deprecated gracefully. This is the default on Windows Vista and later, and most modern Linux distributions.

Manual Assignment

An administrator explicitly configures the IID. Common on Cisco routers where a simple, memorable link-local address is preferred (e.g. FE80::1 on the router side, FE80::2 on the next-hop). See IPv6 Basic Configuration Lab for step-by-step IOS commands.

6. Address Configuration Methods

Link-local and global unicast addresses are assigned through different mechanisms. Understanding which method applies to which address type is a common CCNA exam topic.

Method	Applies To	How It Works	DHCP Server Needed?
Automatic (SLAAC link-local)	Link-local only	OS combines the `FE80::/64` prefix with an IID (EUI-64 or random) the moment IPv6 is enabled on the interface. No external input required.	No
SLAAC (Stateless Address Autoconfiguration)	Global unicast	Host receives a Router Advertisement (RA) containing the network prefix (e.g. `2001:DB8:ACAD:1::/64`). Host combines that prefix with its own IID to form a full /128 GUA. No DHCP server involved — the router alone provides the prefix. See SLAAC.	No — router provides prefix only
Stateless DHCPv6	Global unicast (address via SLAAC) + other options	Host uses SLAAC for its IP address but queries a DHCPv6 server for additional information (DNS server addresses, domain search list). The RA sets the O-flag (Other) to indicate this.	Yes — for DNS/options only, not the address
Stateful DHCPv6	Global unicast	A DHCPv6 server assigns the full IPv6 address, prefix length, DNS, and other parameters — analogous to IPv4 DHCP. The RA sets the M-flag (Managed) to direct hosts to use DHCPv6. The server maintains a binding table of leases.	Yes — full address assignment
Manual / Static	Both (usually GUA on routers and servers)	Administrator explicitly configures the full address. Common on routers, servers, and network infrastructure devices where address stability and predictability matter.	No

7. Neighbor Discovery Protocol (NDP) and Link-Local Addresses

NDP (RFC 4861) is the IPv6 replacement for ARP. It runs entirely over ICMPv6 and relies exclusively on link-local addresses — not global unicast addresses — for all its operations. This is why link-local addresses must exist before any other IPv6 communication is possible.

NDP Message Type	ICMPv6 Type	Purpose	Address Used
Neighbor Solicitation (NS)	Type 135	Resolves an IPv6 address to a MAC address (replaces ARP Request); also used for Duplicate Address Detection (DAD)	Sent to the solicited-node multicast address of the target
Neighbor Advertisement (NA)	Type 136	Responds to an NS with the sender's MAC address (replaces ARP Reply)	Sent from the responder's link-local address
Router Solicitation (RS)	Type 133	Host asks routers on the link to identify themselves and send an RA immediately (instead of waiting for the periodic interval)	Sent to the all-routers multicast `FF02::2`
Router Advertisement (RA)	Type 134	Router periodically announces its presence, the on-link prefix(es), M/O flags, default gateway (router's link-local address), and MTU	Sent from router's link-local address to `FF02::1` (all-nodes multicast)
Redirect	Type 137	Router informs a host of a better first-hop router for a specific destination	Uses link-local addresses throughout

Key point for the CCNA: The default gateway in IPv6 is always the link-local address of the router — not its global unicast address. When a host runs SLAAC and receives an RA, it stores the router's link-local address as its default gateway. This is why show ipv6 route shows the next-hop as an FE80:: address.

  Router Gi0/0: link-local FE80::1, global 2001:DB8:ACAD:1::1/64

  Host default gateway entry:
  ::/0 via FE80::1, Gi0/0    ← next-hop is always the link-local address

8. Duplicate Address Detection (DAD)

Before using any newly generated IPv6 address — link-local or global unicast — a host runs Duplicate Address Detection (DAD) to verify the address is not already in use on the link. DAD uses NDP Neighbor Solicitation messages.

  Host generates candidate address (e.g. FE80::020C:29FF:FE4B:A8E3)

  Step 1: Address is placed in "Tentative" state — cannot send or
          receive normal traffic yet

  Step 2: Host sends Neighbor Solicitation to the solicited-node
          multicast address of the candidate:
          FF02::1:FF4B:A8E3  (last 24 bits of candidate address)

          Source: :: (unspecified — host doesn't own the address yet)
          Target: FE80::020C:29FF:FE4B:A8E3

  Step 3a: No response within DAD timeout →
           Address is UNIQUE — host marks it "Preferred" and uses it ✓

  Step 3b: Another host sends Neighbor Advertisement →
           Address is DUPLICATE — host marks it "Duplicate" and cannot
           use it. Manual intervention required. ✗

DAD runs automatically and silently for every new address. On Cisco IOS, the number of NS messages sent during DAD can be configured: ipv6 nd dad attempts <0-600>. Setting it to 0 disables DAD entirely (useful in some point-to-point link scenarios to speed up convergence).

9. Solicited-Node Multicast Addresses

IPv6 eliminates broadcast traffic entirely. Instead of sending an ARP broadcast to all hosts on a segment, NDP uses solicited-node multicast addresses — multicast groups that typically contain only one or a very small number of interfaces. This dramatically reduces unnecessary interrupt traffic compared to IPv4 ARP broadcasts.

  Solicited-node multicast address format:
  FF02::1:FF00:0000/104  +  last 24 bits of the unicast address

  Example:
  Interface has IPv6 address: 2001:DB8::020C:29FF:FE4B:A8E3
  Last 24 bits of IID:                              4B:A8:E3

  Solicited-node multicast: FF02::1:FF4B:A8E3

  ─────────────────────────────────────────────────────────────────
  Each IPv6 address (link-local AND global unicast) on an interface
  generates its OWN solicited-node multicast address.
  The interface joins both multicast groups simultaneously.
  ─────────────────────────────────────────────────────────────────

When a host wants to find the MAC address for a target IPv6 address, it sends a Neighbor Solicitation to that target's solicited-node multicast address. Only the host(s) whose addresses share the last 24 bits receive and process the NS — all other hosts on the segment ignore it at the hardware level. This is far more efficient than a broadcast.

10. Routing and Forwarding Behaviour

The routing behaviour difference between link-local and global unicast addresses is absolute and non-configurable — it is defined by the IPv6 specification itself.

Feature	Link-Local (FE80::/10)	Global Unicast (2000::/3)
Router forwarding	Never forwarded — dropped at every router interface	Forwarded globally across the IPv6 internet
Appears in routing table?	Only as a directly connected route on the local interface	Yes — static, OSPF, BGP, and other routes use GUAs
Used as next-hop in routes?	Yes — routing protocol next-hops always use link-local addresses	Rarely — only in some static route configurations
Routing protocol hellos	Yes — OSPFv3, EIGRP for IPv6, RIPng all use link-local as source	No — routing protocol packets use link-local as source
Internet reachability	None — not reachable from any other link	Full — reachable from anywhere on the IPv6 internet
Zone ID required?	Yes — must specify interface when pinging link-local from a multi-interface host	No — globally unique, no ambiguity

11. Security Considerations

IPv6 introduces security considerations that did not exist in IPv4 — many of them centred on the fact that NDP operates via link-local addresses and relies on trust within the link.

Threat	How It Works	Mitigation
Rogue Router Advertisement (RA)	An attacker sends fake RA messages claiming to be the default gateway, redirecting all IPv6 traffic through their device. Equivalent to ARP poisoning in IPv4.	RA Guard (RFC 6105) — configured on access-layer switches to drop RA messages arriving on ports that should only have hosts (not routers)
NDP Spoofing / Neighbor Cache Poisoning	Attacker sends fake Neighbor Advertisement messages mapping a legitimate host's IPv6 address to the attacker's MAC address — equivalent to ARP cache poisoning.	Dynamic ND Inspection (similar to Dynamic ARP Inspection for IPv4) — switch validates NA messages against a trusted binding table (DHCP snooping or static entries)
DAD DoS Attack	Attacker responds to every DAD Neighbor Solicitation with a fake NA, preventing any host from successfully completing DAD and obtaining an address.	RA Guard + ND Inspection; SEND (Secure Neighbor Discovery, RFC 3971) — cryptographically signs NDP messages using RSA keys
Global Unicast Scanning	Attacker attempts to enumerate hosts by scanning the /64 subnet. With 2⁶⁴ possible host addresses, sequential scanning is infeasible — but predictable EUI-64 addresses are easier to target.	Use random/privacy IIDs (RFC 4941) instead of EUI-64 for client devices; ACLs at network boundaries to filter inbound traffic to GUAs

12. Cisco IOS Configuration

On Cisco routers, IPv6 addressing is configured per interface. Both link-local and global unicast addresses can be set manually; the link-local is auto-generated but can be overridden for readability. For a complete step-by-step walkthrough, see IPv6 Basic Configuration Lab.

Enabling IPv6 and Configuring a Global Unicast Address

  Router(config)# ipv6 unicast-routing              ! Enable IPv6 routing globally

  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# ipv6 address 2001:DB8:ACAD:1::1/64   ! Assign GUA
  Router(config-if)# no shutdown

  ! The router automatically generates a link-local address (EUI-64)
  ! Verify with: show ipv6 interface GigabitEthernet0/0

Manually Setting the Link-Local Address

  Router(config-if)# ipv6 address FE80::1 link-local
  ! Override the auto-generated link-local with a memorable address
  ! Common practice: FE80::1 on one side, FE80::2 on the other

Enabling SLAAC on an Interface (for hosts)

  ! On the router — enable RA sending (on by default when ipv6 unicast-routing is on)
  Router(config-if)# ipv6 nd prefix 2001:DB8:ACAD:1::/64
  ! Hosts on this segment will auto-configure a GUA using SLAAC

  ! Force stateful DHCPv6 (set M-flag in RA):
  Router(config-if)# ipv6 nd managed-config-flag

  ! Point to other-config (DNS via DHCPv6, address via SLAAC — set O-flag):
  Router(config-if)# ipv6 nd other-config-flag

Verification Commands

  show ipv6 interface brief          ! All interfaces — IPv6 addresses and state
  show ipv6 interface Gi0/0          ! Full detail for one interface
  show ipv6 neighbors                ! NDP neighbor cache (IPv6 equivalent of ARP table)
  show ipv6 route                    ! IPv6 routing table
  show ipv6 route local              ! Only local (host) routes — all /128 entries
  debug ipv6 nd                      ! Live NDP message debug (use with care)
  ping ipv6 2001:DB8:ACAD:1::2       ! Ping a GUA
  ping ipv6 FE80::2 source Gi0/0    ! Ping a link-local (must specify source interface)

13. Troubleshooting IPv6 Connectivity

Symptom	Possible Cause	Diagnostic Command / Action
Interface has no IPv6 address at all	IPv6 not enabled on the interface; `ipv6 unicast-routing` not configured globally	`show ipv6 interface brief` — check for "IPv6 is enabled" line; add `ipv6 enable` on the interface or configure an IPv6 address
Link-local exists but no global unicast	No RA received (SLAAC), no DHCPv6 server, no static GUA configured	`show ipv6 interface` — verify RA prefix received; check router is sending RAs (`ipv6 unicast-routing` must be on); verify SLAAC/DHCPv6 flags in RA
Can ping link-local neighbour but not GUA	GUA not configured; wrong prefix; routing issue beyond the local segment	`show ipv6 neighbors` — confirms Layer 2 reachability is OK; `show ipv6 route` — check for correct prefix and next-hop entries
IPv6 ping to link-local fails with "% Specify source interface"	Zone ID not specified — OS cannot determine which interface to use for a link-local destination	Add zone ID: `ping ipv6 FE80::1 source Gi0/0` (Cisco) or `ping6 FE80::1%eth0` (Linux)
Address stuck in Tentative/Duplicate state	DAD detected a duplicate address on the link; possible NDP attack or genuine duplicate MAC	`show ipv6 interface` — look for "Duplicate" state; identify the conflicting device via `show ipv6 neighbors`; manually assign a different IID or investigate rogue devices
Hosts get SLAAC addresses but no DNS	DHCPv6 O-flag not set in RA; no DHCPv6 server; DNS not pushed via RDNSS option	Check RA flags with `show ipv6 interface` (look for "Other stateful config" flag); configure `ipv6 nd other-config-flag` and a DHCPv6 server pool with DNS options

14. Example Scenario — End-to-End IPv6 Address Assignment

A new Linux host connects to a router-connected segment for the first time. Here is the complete address assignment sequence from link-up to full connectivity.

  ── Host powers up, network interface comes UP ──────────────────────

  Step 1: Link-Local address generation
  ─────────────────────────────────────
  Host MAC: 00:0C:29:4B:A8:E3
  EUI-64:   020C:29FF:FE4B:A8E3
  Candidate link-local: FE80::020C:29FF:FE4B:A8E3
  Address state: TENTATIVE

  Step 2: Duplicate Address Detection (DAD)
  ──────────────────────────────────────────
  Host sends NS to FF02::1:FF4B:A8E3 (solicited-node multicast)
  Source: :: (unspecified)
  → No response received within 1 second
  Address state: PREFERRED ✓

  Step 3: Router Solicitation
  ────────────────────────────
  Host sends RS to FF02::2 (all-routers multicast)
  Source: FE80::020C:29FF:FE4B:A8E3

  Step 4: Router Advertisement received
  ───────────────────────────────────────
  Router responds from FE80::1:
    - Prefix: 2001:DB8:ACAD:1::/64
    - M-flag: 0 (use SLAAC for address)
    - O-flag: 1 (use DHCPv6 for DNS)
    - Router lifetime: 1800s
    - Default gateway: FE80::1

  Step 5: Global Unicast address formation (SLAAC)
  ──────────────────────────────────────────────────
  Prefix:   2001:DB8:ACAD:1::/64
  IID:      020C:29FF:FE4B:A8E3
  GUA:      2001:DB8:ACAD:1:020C:29FF:FE4B:A8E3/64
  DAD runs again for this address → no conflict → PREFERRED ✓

  Step 6: DHCPv6 for DNS (O-flag set)
  ──────────────────────────────────────
  Host sends DHCPv6 Information-Request to FF02::1:2 (all-DHCP-relay-agents)
  DHCPv6 server responds with DNS: 2001:4860:4860::8888 (Google)

  ── Host is now fully configured ────────────────────────────────────
  Link-local:     FE80::020C:29FF:FE4B:A8E3 (NDP, routing protocol)
  Global Unicast: 2001:DB8:ACAD:1:020C:29FF:FE4B:A8E3/64 (internet)
  Default Gateway: FE80::1 via eth0
  DNS:            2001:4860:4860::8888

15. Exam Tips & Key Points

Link-local addresses (FE80::/10) are mandatory on every IPv6-enabled interface — they are generated automatically before any other IPv6 configuration and require no DHCP or router.
Routers never forward packets with a link-local destination — this is absolute and cannot be configured otherwise.
The default gateway in IPv6 is always the link-local address of the router, not its global unicast address. show ipv6 route will always show an FE80:: next-hop.
EUI-64 derives the 64-bit IID from the MAC address by splitting it, inserting FF:FE in the middle, and flipping bit 7. Know the steps — this is frequently tested.
SLAAC allows a host to auto-configure a global unicast address using only the prefix from a Router Advertisement combined with its own IID — no DHCP server required for the address itself.
DAD (Duplicate Address Detection) runs for every new IPv6 address — link-local and global unicast — before it is used. Uses NDP Neighbor Solicitation with the unspecified address (::) as source.
NDP replaces ARP in IPv6. Neighbor Solicitation (NS) = ARP Request. Neighbor Advertisement (NA) = ARP Reply. Both use ICMPv6 and link-local addresses.
Solicited-node multicast addresses replace IPv4 broadcast for address resolution. Formed by appending the last 24 bits of the unicast address to the prefix FF02::1:FF00:0/104.
The documentation prefix 2001:DB8::/32 is reserved for examples and exam questions — it is never routed on the real internet.
When pinging a link-local address from a multi-interface host, always specify the source interface — e.g. ping6 FE80::1%eth0 (Linux) or ping ipv6 FE80::1 source Gi0/0 (Cisco).

16. Summary

Aspect	Link-Local	Global Unicast
Prefix	`FE80::/10`	`2000::/3`
Scope	Single link only — never forwarded by routers	Global — fully routable across the internet
Mandatory?	Yes — always auto-generated on every IPv6 interface	No — must be configured (SLAAC, DHCPv6, or static)
IID Generation	EUI-64, random (RFC 4941), or manual	EUI-64 (via SLAAC), DHCPv6-assigned, or manual
Used for	NDP, routing protocol hellos, default gateway, DAD	All internet and inter-network communication
Default gateway role	Yes — always the link-local address of the router	No — GUA is not used as the default gateway
Zone ID required?	Yes — when pinging from a multi-interface host	No — globally unique
IPv4 equivalent	169.254.x.x (APIPA) — conceptually similar non-routable range	Public IPv4 address

IPv6 Link-Local vs Global Unicast Quiz

1. What is an IPv6 link-local address and what is its defining characteristic?

A. An address used for internet-wide communication, equivalent to a public IPv4 address B. An address manually configured by an administrator for routing between sites C. An address that is valid only on the single physical or logical link where it was created — routers never forward packets with a link-local destination D. An address reserved exclusively for multicast group communication

Correct answer is C. An IPv6 link-local address (prefix FE80::/10) is scoped to a single link — the physical or logical network segment directly connected to the interface. This is not a configuration choice; it is mandated by the IPv6 specification (RFC 4291). Any router that receives a packet with a link-local destination address must drop it, never forward it. Link-local addresses are mandatory: every IPv6-enabled interface automatically generates one without any DHCP, router, or manual configuration. They serve as the foundation for NDP, router discovery, and routing protocol operation on the local link.

2. Which prefix range is reserved for IPv6 link-local addresses?

A. FE80::/10 — covers FE80:: through FEBF:: and is always the link-local range B. 2000::/3 — the global unicast range covering addresses starting with hex 2 or 3 C. FC00::/7 — the unique local address (ULA) range, similar to RFC 1918 private IPv4 addresses D. FF00::/8 — the IPv6 multicast range used for group communication

Correct answer is A. IPv6 link-local addresses always begin with the 10-bit prefix 1111 1110 10 in binary, which corresponds to the hex range FE80:: through FEBF::. In practice, virtually all link-local addresses you encounter will start with FE80:: because the remaining 54 bits of the first 64 bits are set to zero, leaving only the 64-bit IID to vary. The other options are: 2000::/3 = global unicast; FC00::/7 = unique local (IPv6 private addresses, used as FD00::/8); FF00::/8 = multicast.

3. How are global unicast IPv6 addresses best described?

A. Addresses scoped to a single subnet with no routing capability beyond it B. Addresses used exclusively for multicast group membership signalling C. Addresses manually assigned to interfaces that are not routable D. Globally unique, globally routable addresses used for all internet and inter-network communication — the IPv6 equivalent of public IPv4 addresses

Correct answer is D. Global unicast addresses (GUAs) from the 2000::/3 prefix are the IPv6 equivalent of public IPv4 addresses. They are globally unique (guaranteed by the hierarchical allocation system of RIRs and ISPs), globally routable (any router on the internet can forward packets to them), and used for all communication that crosses network boundaries — including all internet traffic. A GUA has a three-part structure: the Global Routing Prefix (assigned by ISP, typically 48 bits), a Subnet ID (16 bits for organisational subnetting), and an Interface Identifier (64 bits). They can be assigned via SLAAC, DHCPv6, or static configuration.

4. A network engineer checks a router's IPv6 routing table and sees the default route listed as "::/0 via FE80::1, GigabitEthernet0/0". Why is the next-hop a link-local address?

A. This is a misconfiguration — the next-hop should always be a global unicast address B. This is correct and expected — IPv6 routing protocols and SLAAC always use the router's link-local address as the default gateway and next-hop, not its global unicast address C. This means the router has no global unicast address configured on that interface D. Link-local addresses are only used as next-hops when IPv6 unicast routing is disabled

Correct answer is B. This is expected and correct IPv6 behaviour. When a host receives a Router Advertisement via SLAAC, it records the link-local address of the sending router as its default gateway. Similarly, IPv6 routing protocols (OSPFv3, EIGRP for IPv6, RIPng) use link-local addresses as the source and next-hop for all adjacencies and routing updates. This design is intentional: link-local addresses are stable, always present, and unique per link — making them ideal identifiers for on-link routers. The next-hop is guaranteed to be reachable directly (no routing required) because it is a link-local address on the same segment. This is why show ipv6 route always shows FE80:: next-hops.

5. Which method derives the 64-bit Interface Identifier by splitting the MAC address and inserting FF:FE in the middle?

A. EUI-64 — a deterministic algorithm that converts a 48-bit MAC into a 64-bit IID and also flips the Universal/Local bit (bit 7) of the first byte B. Manual configuration — the administrator types the full 64-bit value explicitly C. DHCPv6 — the DHCP server generates and assigns the IID D. IPv4-mapped conversion — the IPv4 address is embedded in the lower 32 bits of the IID

Correct answer is A. EUI-64 is the standard algorithm for converting a 48-bit MAC address into a 64-bit Interface Identifier. The process has three steps: (1) split the MAC address in half at the 24-bit boundary; (2) insert the 16-bit value FF:FE between the two halves, expanding the address from 48 to 64 bits; (3) flip bit 7 (the Universal/Local bit) of the first byte — if it was 0 (universally administered MAC) it becomes 1, indicating a modified EUI-64. For example, MAC 00:0C:29:4B:A8:E3 becomes IID 020C:29FF:FE4B:A8E3. This IID is then combined with a prefix (FE80::/64 for link-local, or the SLAAC prefix for GUA) to form the full 128-bit IPv6 address.

6. How are link-local IPv6 addresses assigned to an interface, and what triggers the process?

A. Manually by the administrator — there is no automatic assignment B. Only via DHCPv6 — a DHCP server must assign the link-local address C. Through IPv4-to-IPv6 address conversion run by the router D. Automatically as soon as IPv6 is enabled on the interface — no DHCP server, no router, and no manual input is required

Correct answer is D. Link-local address assignment is entirely automatic and requires no external infrastructure. The moment IPv6 is enabled on an interface (either by configuring an IPv6 address or issuing ipv6 enable on Cisco IOS), the OS or router software generates a link-local address using the FE80::/64 prefix combined with an IID (EUI-64 or random). Duplicate Address Detection (DAD) is then run to verify uniqueness. This automatic generation is what makes NDP functional even before any global addressing is configured — the link-local address is always there as a stable foundation for on-link communication.

7. Which protocol uses link-local addresses for neighbor address resolution, router discovery, and Duplicate Address Detection in IPv6?

A. DHCPv6 — manages address assignment and option delivery B. ICMPv4 — the IPv4 error and diagnostic protocol; does not exist in IPv6 C. Neighbor Discovery Protocol (NDP) — the IPv6 replacement for ARP, using ICMPv6 messages (NS, NA, RS, RA, Redirect) all sent from link-local addresses D. DNS — translates hostnames to IPv6 addresses using AAAA records

Correct answer is C. NDP (RFC 4861) is the IPv6 replacement for ARP and performs several functions, all using ICMPv6 messages with link-local addresses as source: Neighbor Solicitation (NS, type 135) resolves an IPv6 address to a MAC — like an ARP request; Neighbor Advertisement (NA, type 136) responds with the MAC — like an ARP reply; Router Solicitation (RS, type 133) asks routers to announce themselves; Router Advertisement (RA, type 134) carries the on-link prefix, M/O flags, default gateway (always the router's link-local address), and MTU. NDP also performs DAD by sending NS from the unspecified address (::) before using a new address.

8. Are IPv6 packets with a link-local destination address forwarded by routers?

A. Yes — routers forward link-local packets to the next-hop router just like global unicast traffic B. No — link-local packets are never forwarded beyond the local segment; a router receiving such a packet must drop it C. Only if the administrator adds a static route for the FE80::/10 prefix D. Only for multicast link-local traffic directed to FF02::1

Correct answer is B. The non-routable nature of link-local addresses is an absolute rule defined in RFC 4291 — it cannot be overridden with static routes or any other configuration. Any router that receives a packet with a destination in the FE80::/10 range must discard it. This is by design: link-local addresses are not globally unique (the same address like FE80::1 exists on millions of links simultaneously), so routing them would be ambiguous and meaningless. Their entire purpose is local-link communication — NDP, routing protocol adjacencies, and default gateway identification — all of which only need to work on the directly connected segment.

9. How is a solicited-node multicast address formed, and what problem does it solve compared to IPv4 ARP?

A. By appending the last 24 bits of the unicast IID to the prefix FF02::1:FF00:0/104 — this avoids layer-2 broadcast storms since only the targeted host(s) need to process the NDP message B. By using the full Global Unicast prefix as the multicast group identifier C. By combining the link-local prefix FE80::/10 with the interface's MAC address directly D. By using the anycast address of the subnet's router as the group identifier

Correct answer is A. A solicited-node multicast address is constructed by taking the fixed prefix FF02::1:FF00:0/104 and appending the last 24 bits of the target IPv6 address's IID. For example, if the target is 2001:DB8::020C:29FF:FE4B:A8E3, the last 24 bits of the IID are 4B:A8:E3, giving solicited-node address FF02::1:FF4B:A8E3. The key advantage over IPv4 ARP broadcasts is efficiency: in IPv4, an ARP request is a layer-2 broadcast that every host on the segment must interrupt its CPU to process. In IPv6, the Neighbor Solicitation is sent to a specific multicast group — the NIC hardware filters it, and only the host(s) whose address ends with those 24 bits ever process it. On a typical segment, that means only one device is interrupted.

10. A host generates a new link-local address but before using it, sends a Neighbor Solicitation with the source address set to "::". What process is this, and why is "::" used as the source?

A. Router Solicitation — "::" is used because the host has not yet received a Router Advertisement B. Neighbor Advertisement — "::" indicates the host is announcing its new address to all nodes on the link C. Duplicate Address Detection (DAD) — "::" (the unspecified address) is used because the host does not yet own the candidate address and cannot use it as a source until uniqueness is confirmed D. Stateless DHCPv6 Information-Request — "::" indicates no address has been assigned by a DHCP server yet

Correct answer is C. This describes Duplicate Address Detection (DAD), which is run for every new IPv6 address before it enters the Preferred state. The host places the candidate address in the Tentative state and sends a Neighbor Solicitation to the candidate's solicited-node multicast address. The source address is set to :: (the unspecified address) specifically because the host does not yet own the candidate address — using it as the source before confirming it is unique would be incorrect. If no Neighbor Advertisement is received in response (within the DAD timeout, typically 1 second), the address is declared unique and transitions to the Preferred state. If an NA is received, the address is duplicate and cannot be used — requiring manual intervention.

← Back to Home