
Getting started with IPv6 in the FortiOS operating system

Introduction and some theory.

IP version 6 dates back to 1998 and RFC 2460 (since superseded by RFC 8200), which defines IPv6 as the successor to IP version 4. The transition was driven by the predictable exhaustion of the IPv4 address space: moving from 32-bit to 128-bit addresses raises the number of possible addresses to 2^128. Beyond the larger address space, IPv6 introduces a number of changes meant to spare the protocol the problems of its predecessor, among them the absence of broadcast, stateless address autoconfiguration (SLAAC) and the Neighbor Discovery Protocol (NDP).


SLAAC (stateless address autoconfiguration) lets hosts configure their own IPv6 addresses without any server keeping state, as long as the hosts do not need a specific, administratively assigned address. A host combines the prefix it learns from a router via NDP (Router Advertisements) with a locally generated interface identifier. Unlike DHCPv6, SLAAC requires no additional servers.
NDP in turn replaces ARP, ICMP Router Discovery and ICMP Redirect. In IPv6, NDP is responsible for address autoconfiguration of end hosts, discovering other nodes on the link, resolving their link-layer addresses, detecting duplicate addresses, finding routers (and, via the RDNSS option, DNS servers), learning on-link prefixes and keeping reachability information about active neighbors up to date.

What about DHCP? DHCPv6 is used where you need to control address assignment or hand out DNS settings. Stateful DHCPv6 assigns addresses, can provide other parameters, and can poll nodes and change their addresses. Stateless DHCPv6 only provides additional information (for example, DNS servers) to hosts that obtained their addresses via SLAAC or manual configuration.

FortiOS fully supports IPv6 and, starting with FortiOS 5.4, supports DHCPv6 prefix delegation (RFC 3633): an interface can receive a prefix from a DHCPv6 server that is reachable through another interface. In other words, once the server has delegated a prefix to the FortiGate, the interface connected to the local network (LAN) is addressed from that prefix, and addresses from it can be handed out to clients on the LAN.

Practice.

To demonstrate this functionality we reproduce a realistic case in which the provider delegates an IPv6 prefix to the customer.

Simplified Topology:


A Cisco router acts as the DHCPv6 server. The edge device that receives the delegated prefix is a FortiGate firewall running as a virtual machine with FortiOS 5.4.4. A FortiGate is also used as the client.

Below are excerpts from the configuration with comments.

Cisco:

# ipv6 dhcp pool dhcpv6

Create a DHCPv6 pool called dhcpv6.

# prefix-delegation pool dhcpv6-pool1 lifetime 1800 600

Delegate prefixes from the local pool dhcpv6-pool1 with a valid lifetime of 1800 s and a preferred lifetime of 600 s.

# interface Ethernet0/0
# no ip address
# ipv6 address 2010:AB8:0:1::1/64 - assign an address to interface e0/0
# ipv6 enable
# ipv6 dhcp server dhcpv6 - enable the DHCPv6 server (pool dhcpv6) on the interface
# exit

The next command defines the local pool of prefixes for delegation: from 2001:DB8:1200::/48 the server hands out /64 sub-prefixes to clients.

# ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/48 64

Next, the configuration of the edge FortiGate.

FortiGate-VM64-KVM # config system interface

Enter the network interface configuration.

FortiGate-VM64-KVM (interface) # edit port1

Edit the port1 interface.

FortiGate-VM64-KVM (port1) # config ipv6

Enter the IPv6 sub-configuration of the interface.

FortiGate-VM64-KVM (ipv6) # set dhcp6-prefix-delegation enable

This enables delegation of the prefix received from the provider to the downstream interfaces of the firewall. For the request to be sent at all, port1 itself has to run as a DHCPv6 client (set ip6-mode dhcp in the same ipv6 sub-section); the excerpt omits that line.

The interface facing the provider is now configured; next is the interface of the local network. Just as for port1, we enter the IPv6 configuration of the port2 interface.

#config system interface
#edit "port2"
#config ipv6
#set ip6-mode delegated - the interface takes its address from the delegated prefix
#set ip6-upstream-interface "port1" - the interface behind which the DHCPv6 server is located
#set ip6-subnet 2001:db8:1200::1/64
#set ip6-send-adv enable
#config ipv6-delegated-prefix-list
#edit 1
#set upstream-interface "port1"
#set autonomous-flag enable - hosts may form addresses from this prefix via SLAAC
#set onlink-flag enable - the prefix is on-link
#set subnet 2001:db8:1200::/64 - the delegated prefix to advertise
#next
#end
#end
#next
#end

A separate note on ip6-send-adv: this option controls whether the system periodically sends Router Advertisements and listens for Router Solicitations on the interface. When it is enabled, the interface joins the all-routers multicast group (FF02::2) and includes it in its Multicast Listener Discovery (MLD) report. By default ip6-send-adv is disabled; in that state, with the autoconf option enabled, the FortiGate itself acts as a SLAAC client on the interface.

Checking on a client with SLAAC enabled.

We enable autoconf on the port1 interface of the client firewall, as per the topology.

ip6-client # config system interface
ip6-client (interface) # edit port1
ip6-client (port1) # config ipv6
ip6-client (ipv6) # set autoconf enable
ip6-client (ipv6) # end
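The three configurations above form one chain: the provider's pool is cut into /64s, the FortiGate advertises one of them on port2, and the client builds an address from it. The following Python script is an added example (not part of the original article, FortiOS or Cisco IOS) that checks this addressing plan offline with the standard ipaddress module: how many /64s the /48 pool yields, whether the subnet configured on port2 really is one of them, and which address an EUI-64 SLAAC client forms from the advertised prefix. The pool and prefix values are the ones from the excerpts above; the client MAC addresses are constructed samples.

```python
"""Added example: sanity-check the IPv6 addressing plan built by the
configuration excerpts (not code from the article, FortiOS or IOS).

Values come from the excerpts; MAC addresses below are constructed samples.
"""
import ipaddress
import itertools
from typing import Iterator, Union

NetLike = Union[str, ipaddress.IPv6Network]

# Cisco: ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/48 64
PD_POOL = ipaddress.IPv6Network("2001:db8:1200::/48")
ASSIGNED_LEN = 64
# FortiGate port2: set subnet 2001:db8:1200::/64 in ipv6-delegated-prefix-list
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:1200::/64")


def _net(value: NetLike) -> ipaddress.IPv6Network:
    return value if isinstance(value, ipaddress.IPv6Network) else ipaddress.IPv6Network(value)


def delegation_capacity(pool: NetLike, assigned_len: int = ASSIGNED_LEN) -> int:
    """Number of /assigned_len prefixes the server can delegate from the pool."""
    pool = _net(pool)
    if assigned_len < pool.prefixlen or assigned_len > 128:
        raise ValueError("assigned length must lie between the pool length and 128")
    return 2 ** (assigned_len - pool.prefixlen)


def delegated_prefixes(pool: NetLike, assigned_len: int = ASSIGNED_LEN) -> Iterator[ipaddress.IPv6Network]:
    """Every sub-prefix the pool can hand out, in address order."""
    delegation_capacity(pool, assigned_len)  # validates the lengths
    return _net(pool).subnets(new_prefix=assigned_len)


def is_valid_delegation(pool: NetLike, prefix: NetLike, assigned_len: int = ASSIGNED_LEN) -> bool:
    """True if `prefix` is exactly one of the /assigned_len blocks of `pool`.

    Use it to confirm that the subnet advertised on the LAN really came out
    of the provider's pool; a mistyped downstream subnet is a common mistake."""
    pool, prefix = _net(pool), _net(prefix)
    return prefix.prefixlen == assigned_len and prefix.subnet_of(pool)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a
    48-bit MAC: insert ff:fe between the OUI and the device part and flip
    the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: NetLike, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an RA prefix carrying the autonomous (A)
    flag, using EUI-64. RFC 4862 SLAAC needs a 64-bit interface identifier,
    so anything other than a /64 is rejected."""
    prefix = _net(prefix)
    if prefix.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    print(f"{PD_POOL} yields {delegation_capacity(PD_POOL)} x /{ASSIGNED_LEN} prefixes")
    print("first three:", [str(p) for p in itertools.islice(delegated_prefixes(PD_POOL), 3)])
    print("port2 subnet inside the pool:", is_valid_delegation(PD_POOL, LAN_PREFIX))
    for mac in ("00:09:0f:aa:bb:cc", "52:54:00:12:34:56"):  # constructed sample MACs
        addr = slaac_address(LAN_PREFIX, mac)
        print(f"client {mac} -> {addr}  on-link: {addr in LAN_PREFIX}")
```

Two things worth noting when reading the output. First, the script only models EUI-64 identifiers; most current operating systems form the interface identifier differently by default (temporary addresses per RFC 4941 or stable opaque identifiers per RFC 7217) precisely because an EUI-64 address leaks the MAC address, and the FortiGate client here may show a different identifier. Second, `is_valid_delegation` is the check to run against whatever the provider actually delegates: if the upstream assigns a different /64 from the pool than the one hard-coded on port2, the advertised prefix will not be routed back through port1.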

A separate command then confirms that everything is configured correctly and the device has obtained an IPv6 address.



This completes the basic setup. Additionally, a DHCPv6 server can be configured on the edge FortiGate so that the delegated IPv6 prefix serves as the address pool for the end clients.

It is configured quite simply:

#config system dhcp6 server - enter the DHCPv6 server configuration
#edit 1
#set interface "port2" - the interface on which the DHCPv6 service is offered
#set upstream-interface "port1" - the interface towards the provider, through which the prefix is received
#set ip-mode delegated - the server assigns addresses from the delegated prefix instead of a static range
#next
#end

And finally, a few commands for basic IPv6 diagnostics in FortiOS:

# execute interface dhcp6client-renew <interface> - renew the DHCPv6 lease on the specified interface
# get router info6 routing-table database - show the IPv6 routing table database
# execute ping6 <host> and execute ping6-options - ping over IPv6 and set its parameters, such as packet size, repeat count, source address, TTL (hop limit), etc.

Source: https://habr.com/ru/post/329702/
