This chapter covers a NEW objective in the CCNA v2 exam (200-301 v2.0, 2026 blueprint): troubleshooting Modified EUI-64 addressing for IPv6. Cisco added this to reflect real-world IPv6 deployment challenges, where misconfigured EUI-64 addresses cause connectivity issues that are notoriously hard to debug. Mastering this topic will help you diagnose why a router's IPv6 link-local address doesn't match expectations, why global unicast addresses conflict, or why SLAAC fails. This is exam objective 1.4 under 'Network Infrastructure and Connectivity' (25% of the blueprint).
Jump to a section
Imagine a city where every car's license plate is derived from its Vehicle Identification Number (VIN). The VIN is a unique 17-character code that includes the manufacturer, model, and serial number. The city's Department of Motor Vehicles (DMV) has a rule: to create a license plate, take the VIN, flip the 6th and 7th characters, and insert 'FF' in the middle. This is exactly how Modified EUI-64 works — it takes a 48-bit MAC address, flips the 7th bit (the U/L bit), and inserts FFFE in the middle to form a 64-bit interface ID. Now, some car owners don't like their assigned plate because it reveals their VIN. They go to a custom plate shop and request a different plate, say 'CUSTOM1'. But the DMV database still has the original plate in the system. When a traffic camera reads 'CUSTOM1', it checks the database and finds no match — the car's official plate is still the EUI-64-derived one. This is like manually configuring an IPv6 address on an interface: the router will use that address, but if you check the interface's link-local or global address derived via EUI-64, it will be different. Troubleshooting means understanding why the 'automatic' plate differs from the 'custom' one. In networking, if you manually set an IPv6 address, the router still generates a link-local address via EUI-64 (unless you override it). If you later assign a static global address, the interface may have multiple addresses — the EUI-64-derived one and the static one. Confusion arises when engineers assume the address they configured is the only one present. The DMV analogy teaches: the automatic plate (EUI-64) always exists unless you explicitly disable it; the custom plate (manual config) is separate. Troubleshooting means checking both.
What is Modified EUI-64 and Why Does It Exist?
Modified EUI-64 (Extended Unique Identifier) is a method for generating a 64-bit interface identifier from a 48-bit MAC address. It is defined in RFC 4291 and is used by IPv6 Stateless Address Autoconfiguration (SLAAC) to create link-local and global unicast addresses automatically. The purpose is to provide a globally unique, stable interface ID without manual configuration. However, it has privacy and security implications because the MAC address can be tracked across networks. Therefore, Cisco also supports privacy extensions (RFC 4941) and manual override.
How Modified EUI-64 Works: Step-by-Step
Take the 48-bit MAC address – Example: 00:1A:2B:3C:4D:5E.
Split the MAC into two 24-bit halves – First half: 001A2B, second half: 3C4D5E.
Insert `FFFE` in the middle – This creates a 64-bit string: 001A2BFFFE3C4D5E.
Flip the 7th bit (the U/L bit) – The U/L bit is the second-least significant bit of the first byte. In binary, the first byte 00 becomes 02 (since flipping the 7th bit from 0 to 1 changes 00000000 to 00000010). For 02, it becomes 00? Wait, careful: The 7th bit is the bit that indicates whether the address is universally (0) or locally (1) administered. Flipping it means if it's 0, it becomes 1; if it's 1, it becomes 0. For 00 (binary 00000000), the 7th bit (counting from left? Actually RFC 4291 says the U/L bit is the second-lowest-order bit of the first octet. That is bit position 1 (0-indexed from LSB). In 00 hex = 00000000 binary, the second-lowest bit (bit 1) is 0. Flipping it gives 1, so the first octet becomes 02 hex. If the first octet were 02 (binary 00000010), flipping bit 1 gives 00000000 = 00. So the result is 021A2BFFFE3C4D5E.
The resulting 64-bit interface ID is then combined with a 64-bit prefix to form a full IPv6 address. For link-local, the prefix is FE80::/10 (so FE80::021A:2BFF:FE3C:4D5E).
Key States, Timers, and Defaults
No timers – EUI-64 is a static mapping; no timers are involved.
Default behavior: On Cisco IOS, when you enable IPv6 on an interface (e.g., ipv6 enable), the router automatically generates a link-local address using Modified EUI-64. If you configure a global unicast address using the ipv6 address prefix/64 eui-64 command, the interface ID is also derived from the MAC.
Privacy extensions: By default, Cisco IOS uses EUI-64 for link-local addresses. For global addresses, you can use ipv6 address autoconfig which may use privacy extensions (temporary addresses) if configured.
Manual override: If you assign a static IPv6 address (e.g., ipv6 address 2001:db8:1::1/64), the router does NOT generate an EUI-64 address for that prefix, but it still generates the link-local address via EUI-64 unless you also configure a manual link-local.
IOS CLI Verification Commands
To verify EUI-64 derived addresses, use:
show ipv6 interface briefExample output:
FastEthernet0/0 [up/up]
FE80::21A:2BFF:FE3C:4D5E
2001:DB8:1:1:21A:2BFF:FE3C:4D5ETo see the MAC address used:
show interfaces fa0/0 | include biaOutput:
Hardware is Gt96k FE, address is 001a.2b3c.4d5e (bia 001a.2b3c.4d5e)To see detailed IPv6 configuration:
show ipv6 interface fa0/0Interaction with Related Protocols
SLAAC: Uses EUI-64 to generate the interface ID from the prefix advertised by a router.
DHCPv6: Stateful DHCPv6 assigns addresses independent of EUI-64; the interface ID may be different.
Duplicate Address Detection (DAD): Before using an EUI-64 derived address, the router performs DAD to ensure uniqueness. If a duplicate is detected, the address is not used (and a syslog message is generated).
Privacy Extensions: RFC 4941 generates temporary random interface IDs to prevent tracking. These override EUI-64 for outgoing connections but the EUI-64 address remains as a permanent address.
Identify the MAC address
Use `show interfaces` to get the MAC address of the interface. Example: `show interfaces gigabitethernet0/0 | include bia`. The output shows the burned-in MAC address (e.g., 001a.2b3c.4d5e). This is the base for the EUI-64 calculation.
Calculate the modified EUI-64 manually
Split the MAC into two halves: 001a2b and 3c4d5e. Insert FFFE in the middle: 001a2bFFF3c4d5e. Then flip the 7th bit of the first byte: 00 hex = 00000000 binary, flip bit 1 (second least significant) to 1 => 00000010 = 02 hex. So the interface ID becomes 021a:2bff:fe3c:4d5e. Verify with `show ipv6 interface`.
Verify the derived link-local address
Use `show ipv6 interface brief` to see the link-local address. It should start with FE80:: followed by the EUI-64 interface ID. If the interface has multiple IPv6 addresses, the link-local is the one with FE80 prefix. Compare with your manual calculation.
Check for manual override
If a static IPv6 address is configured, the EUI-64 address may still exist as a separate address. Use `show ipv6 interface` to list all IPv6 addresses on the interface. Look for addresses with the same prefix but different interface IDs. If you see both a static and an EUI-64 address, that's normal.
Troubleshoot duplicate address detection (DAD)
If the EUI-64 address is not appearing, check DAD status. Use `debug ipv6 dad` to see if the address was marked duplicate. Common cause: two interfaces on the same link have the same MAC (e.g., virtual machines). The router will not use the address if DAD fails. Check `show ipv6 interface` for 'tentative' or 'duplicate' status.
Verify SLAAC operation
If the interface is using SLAAC, ensure a router advertisement (RA) is received. Use `debug ipv6 nd` or `show ipv6 routers`. The RA must include a prefix with the A flag set. The router will then generate an EUI-64 address for that prefix. If no RA, check IPv6 unicast-routing and interface configuration.
In a large enterprise network, you deploy IPv6 using SLAAC with EUI-64 addressing for client subnets. The network has hundreds of access switches. One day, a new switch model is installed with a cloned MAC address due to a manufacturing defect. The switch's EUI-64 derived link-local address conflicts with another switch on the same VLAN. DAD detects the conflict, and the switch logs 'IPv6 address FE80::... is a duplicate address'. The interface goes down for IPv6. Troubleshooting involves checking MAC addresses with show interfaces and recalculating the EUI-64. The fix is to manually configure a unique link-local address using ipv6 address fe80::1 link-local.
Another scenario: A network engineer manually configures global IPv6 addresses on router interfaces but forgets that the router also generates a link-local address via EUI-64. When they ping the neighbor's link-local address, they use the wrong interface ID and get no response. They must verify the actual link-local address with show ipv6 interface brief.
A third scenario: An organization uses privacy extensions for client privacy. Troubleshooting EUI-64 becomes tricky because clients have multiple temporary addresses. The engineer must distinguish between the permanent EUI-64 address and temporary addresses. The show ipv6 interface command shows both. Misconfiguration occurs when someone assumes the temporary address is the only one, causing access control list (ACL) issues. In production, always verify the exact interface ID used for routing decisions.
New in CCNA v2
This objective is entirely new. In CCNA v1.1, IPv6 addressing was covered but Modified EUI-64 was not a specific troubleshooting focus. Cisco added it because real-world IPv6 deployments show that EUI-64 misconfigurations are a common source of outages. Candidates who studied v1.1 are missing the ability to diagnose why a link-local address doesn't match expectations or why SLAAC fails due to MAC conflicts.
What the Exam Tests
Objective 1.4: 'Troubleshoot IPv6 Modified EUI-64 addressing'. You must be able to: (1) Calculate the EUI-64 interface ID from a MAC address, (2) Identify when a manually configured address overrides EUI-64, (3) Recognize DAD failures, (4) Use show commands to verify EUI-64 addresses.
Common Wrong Answers
Forgetting the U/L bit flip: Many candidates think EUI-64 is just MAC + FFFE. They forget to flip the 7th bit. The exam will give a MAC and ask for the resulting interface ID. The wrong answer will be the unflipped version.
Confusing link-local and global: The exam may show an output with multiple addresses and ask which one is EUI-64 derived. Candidates might pick the static address.
Thinking manual config removes EUI-64: If you configure ipv6 address 2001:db8:1::1/64, some think the link-local address also becomes static. It does not; the link-local remains EUI-64 unless you configure a link-local manually.
Misinterpreting duplicate address message: The exam may show a syslog message 'IPv6 address FE80::... is a duplicate'. Candidates might think it's a routing problem, but it's a DAD failure.
Decision Rule
When given a MAC address and asked for the EUI-64 address: (1) Split MAC, (2) Insert FFFE, (3) Flip the 7th bit of the first byte (if the first byte is even, add 2; if odd, subtract 2). For troubleshooting, always start with show ipv6 interface brief to see all IPv6 addresses, then compare with the MAC.
[CCNA v2 NEW] Modified EUI-64 addressing is a new troubleshooting objective; you must be able to calculate the interface ID from a MAC address and diagnose DAD failures.
EUI-64 creates a 64-bit interface ID by inserting FFFE in the middle of the MAC and flipping the 7th bit (U/L bit).
The link-local address is always generated using EUI-64 unless a manual link-local address is configured.
Configuring a static global IPv6 address does not remove the EUI-64 derived link-local address; both coexist.
Duplicate Address Detection (DAD) prevents the use of a duplicate EUI-64 address; check with `show ipv6 interface` for 'tentative' or 'duplicate' status.
Key verification command: `show ipv6 interface brief` shows all IPv6 addresses on an interface.
Privacy extensions (RFC 4941) generate temporary addresses that override EUI-64 for outgoing connections but do not replace the permanent EUI-64 address.
These come up on the exam all the time. Here's how to tell them apart.
Modified EUI-64
Interface ID derived from MAC address (stable).
Always generates the same address on the same interface.
Used for link-local addresses by default.
Can be tracked across networks (privacy concern).
Flipped U/L bit indicates globally unique (but still traceable).
Privacy Extensions (RFC 4941)
Interface ID generated randomly (temporary).
Changes over time (default lifetime 1 day).
Used for global addresses when privacy extensions are enabled.
Prevents tracking by hiding MAC.
Router still has a permanent EUI-64 address for incoming connections.
Mistake
EUI-64 is just MAC address with FFFE inserted.
Correct
EUI-64 requires flipping the 7th bit (U/L bit) of the first byte after inserting FFFE. Without the flip, the interface ID would be different.
Most tutorials skip the bit flip, so candidates memorize the simpler version.
Mistake
Manually configuring an IPv6 address removes the EUI-64 derived link-local address.
Correct
The link-local address is still generated via EUI-64 unless you explicitly configure a link-local address with the `link-local` keyword.
Candidates think manual configuration overrides all automatic addressing.
Mistake
If the MAC address is 00:1A:2B:3C:4D:5E, the EUI-64 interface ID is 001A:2BFF:FE3C:4D5E.
Correct
The correct interface ID is 021A:2BFF:FE3C:4D5E because the 7th bit of the first byte (00) is flipped to 02.
The bit flip is often overlooked in study materials.
Mistake
A duplicate address message means the router has a routing loop.
Correct
A duplicate address message from DAD means another device on the same link is using the same IPv6 address, often due to identical MAC addresses.
Candidates associate 'duplicate' with routing loops rather than layer 2 conflicts.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Take the 48-bit MAC (e.g., 001a.2b3c.4d5e). Split into two halves: 001a2b and 3c4d5e. Insert FFFE in the middle: 001a2bFFFE3c4d5e. Then flip the 7th bit of the first byte. The first byte 00 hex = 00000000 binary. The 7th bit (bit 1 from LSB) is 0, flip to 1 => 00000010 = 02 hex. So the interface ID becomes 021a:2bff:fe3c:4d5e. The link-local address is FE80::021a:2bff:fe3c:4d5e. For a global address, prepend the 64-bit prefix.
Duplicate Address Detection (DAD) will detect the conflict. The router will not use the address; it will remain in 'tentative' state and then become 'duplicate'. The interface will log a message like '%IPv6_DAD-4-DUPLICATE: Duplicate address FE80::... on GigabitEthernet0/0'. The device will not be reachable via that address. To fix, either change the MAC address (if possible) or manually configure a unique link-local address.
No. The link-local address is always generated using EUI-64 unless you explicitly configure a manual link-local address with the `ipv6 address fe80::x link-local` command. The static global address is an additional address. The interface will have both. You can verify with `show ipv6 interface brief`.
EUI-64 generates a stable interface ID from the MAC address. Privacy extensions (RFC 4941) generate temporary random interface IDs for outbound connections to prevent tracking. The router will have both a permanent EUI-64 address (for incoming connections) and one or more temporary addresses (for outgoing connections). Privacy extensions are enabled by default on some OSes (Windows, Linux) but can be disabled.
Possible reasons: (1) The interface has a manually configured link-local address (e.g., `ipv6 address fe80::1 link-local`). (2) The MAC address used for EUI-64 is not the burned-in MAC; some interfaces allow MAC address assignment. (3) The router is using a virtual MAC (e.g., HSRP). (4) Privacy extensions are enabled for link-local (uncommon). Check with `show interfaces` for the actual MAC and `show ipv6 interface` for the configuration.
When a router assigns an EUI-64 derived address to an interface, it sends a Neighbor Solicitation (NS) message with the target address set to the tentative address. If it receives a Neighbor Advertisement (NA) in response, the address is duplicate and is not used. The router then logs a duplicate address message. DAD is performed for both link-local and global addresses.
You cannot disable EUI-64 for link-local addresses; they are always generated unless you override with a manual link-local. For global addresses, you can simply not use the `eui-64` keyword and assign static addresses. However, the link-local will still be EUI-64. To force a manual link-local, use `ipv6 address fe80::1 link-local`.
You've just covered Troubleshoot IPv6 Modified EUI-64 Addressing — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?