Fortinet white logo
Fortinet white logo

Administration Guide

IPv6 prefix delegation

IPv6 prefix delegation

IPv6 prefix delegation allows the dynamic assignment of an address prefix and DNS server address to an upstream interface. An upstream interface is typically the interface that is connected to an Internet Service Provider (ISP). This process also automates the assignment of prefixes to downstream interfaces. A downstream interface is any interface that is not an upstream interface and uses delegated addressing mode. Downstream interfaces can be configured to request specific IPv6 subnets from the upstream interface. Once a downstream interface receives the IPv6 address, other devices connected to the downstream interface can obtain an IPv6 address by using DHCPv6 or by configuring their own IP address using auto-configuration.

In this example, the Enterprise Core FortiGate is connected to a DHCPv6 server provided by the ISP through an upstream interface (port1). The Enterprise Core FortiGate is configured with a delegate interface (port5) to receive the IPv6 prefix and DNS server address from the upstream interface.

A downstream interface (port5) connects the First Floor FortiGate to the Enterprise Core FortiGate. The First Floor FortiGate interface (port5) is configured to receive the IPv6 address and DNS server address from the Enterprise Core FortiGate using DHCP addressing mode or auto-configuration.

Configuring a downstream FortiGate to obtain the IPv6 and DNS server address from a delegated interface using DHCP mode requires the following steps:

  1. Configure the following items on the Enterprise Core FortiGate:

    • Upstream interface
    • Downstream interface
    • DHCPv6 server on the downstream interface.
  2. Configure the First Floor FortiGate to receive an IPv6 prefix and DNS from the delegated interface.

Instead of configuring a DHCPv6 server on the downstream interface of the Enterprise Core FortiGate, you can configure SLAAC. See IPv6 prefix delegation with SLAAC.

To configure the Enterprise Core FortiGate:
  1. Configure the upstream interface on the Enterprise Core FortiGate:

    config system interface edit "port1" config ipv6 set dhcp6-prefix-delegation enable set prefix-hint ::/48 end next end

  2. Verify that the upstream interface obtained a prefix delegation and DNS server address:

    config system interface edit port1 config ipv6 Enterprise Core FortiGate # get ip6-mode : static … dhcp6-prefix-delegation: enable delegated-prefix iaid 1 : 2001:db8:d0c::/48 preferred-life-time : 4294967295 valid-life-time : 4294967295 delegated-DNS1 : 2001:db8::35 delegated-DNS2 : :: … dhcp6-iapd-list: == [ 1 ] iaid: 1 prefix-hint: ::/48 prefix-hint-plt: 604800 prefix-hint-vlt: 2592001

  3. Configure the downstream interface on the Enterprise Core FortiGate:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-upstream-interface "port1" end next end

  4. Verify that the downstream interface obtained an IPv6 address/prefix:

    config system interface edit "port5" config ipv6 Enterprise Core FortiGate # get ip6-mode : delegated nd-mode : basic ip6-address : 2001:db8:d0c::/48ip6-delegated-prefix-iaid: 1 ip6-upstream-interface: port1 ip6-subnet : ::/0

  5. Configure the DHCPv6 server on the downstream interface:

    config system dhcp6 server edit 1 set dns-service delegated set interface "port5" set upstream-interface "port1" set ip-mode delegated next end

To configure the First Floor FortiGate:
  1. Configure the First Floor FortiGate interface to use DHCP mode:

    config system interface edit "port5" config ipv6 set ip6-mode dhcp end next end

  2. Verify that the First Floor FortiGate obtained an IPv6 address and the DNS server address from the delegated interface:

    # diagnose ipv6 address list | grep port5 dev=7 devname=port5 flag=P scope=0 prefix=128 addr=2001:db8:d0c::1 preferred=4294967295 valid=4294967295 cstamp=43208325 tstamp=43208325 # dia test application dnsproxy 3 worker idx: 0 VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1 dns64 is disabled DNS servers: 2001:db8::35:53 vrf=0 tz=0 encrypt=none req=3 to=2 res=0 rt=1046 ready=1 timer=0 probe=0 failure=2 last_failed=65131

IPv6 prefix delegation with SLAAC

A downstream FortiGate can be configured to obtain the IPv6 address and DNS server address from a delegated interface using SLAAC instead of DHCPv6. Following is a summary of the configuration steps:

  1. Configure the following items on the Enterprise Core FortiGate:

    • Upstream interface
    • Downstream interface
    • SLAAC on the downstream interface
  2. Configure the First Floor FortiGate to receive an IPv6 prefix and DNS from the delegated interface.

To configure the Enterprise Core FortiGate:
  1. Configure the upstream interface on the Enterprise Core FortiGate:

    config system interface edit "port1" config ipv6 set dhcp6-prefix-delegation enable set prefix-hint ::/48 end next end

  2. Verify that the upstream interface obtained a prefix delegation and DNS server address:

    config system interface edit port1 config ipv6 Enterprise Core FortiGate # get ip6-mode : static … dhcp6-prefix-delegation: enable delegated-prefix iaid 1 : 2001:db8:d0c::/48 preferred-life-time : 4294967295 valid-life-time : 4294967295 delegated-DNS1 : 2001:db8::35 delegated-DNS2 : :: … dhcp6-iapd-list: == [ 1 ] iaid: 1 prefix-hint: ::/48 prefix-hint-plt: 604800 prefix-hint-vlt: 2592001

  3. Configure the downstream interface on the Enterprise Core FortiGate:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-upstream-interface "port1" end next end

  4. Verify that the downstream interface obtained an IPv6 address/prefix:

    config system interface edit "port5" config ipv6 Enterprise Core FortiGate # get ip6-mode : delegated nd-mode : basic ip6-address : 2001:db8:d0c::/48ip6-delegated-prefix-iaid: 1 ip6-upstream-interface: port1 ip6-subnet : ::/0

  5. Configure SLAAC on the downstream interface:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-send-adv enable set ip6-upstream-interface "port1" config ip6-delegated-prefix-list edit 1 set upstream-interface "port1" set subnet 0:0:0:1::/64 set rdnss-service delegated next end end next end

To configure the First Floor FortiGate:
  1. Configure the First Floor FortiGate interface using auto-configure:

    config system interface edit "port5" config ipv6 set autoconf enable end next end

  2. Verify that the First Floor FortiGate automatically generated an IPv6 address and obtained the DNS server address from the delegated interface:

    # diagnose ipv6 address list | grep port5 dev=4 devname=port5 flag= scope=0 prefix=64 addr=2000:db8:d0c:1:20c:29ff:fe4d:f847 preferred=4294967295 valid=4294967295 cstamp=17203697 tstamp=17225377

Note

FortiGate can send DNS server addresses using Router Advertisement (RA), which allows any device that is capable of receiving DNS server addresses by using RA to obtain DNS server addresses.

Additionally, FortiGate can receive DNS server addresses through the use of SLAAC with a DHCPv6 stateless server, even though it is currently unable to receive DNS server addresses using RA due to RFC 4862 implementation. See SLAAC with DHCPv6 stateless server for more information.

IPv6 prefix delegation

IPv6 prefix delegation

IPv6 prefix delegation allows the dynamic assignment of an address prefix and DNS server address to an upstream interface. An upstream interface is typically the interface that is connected to an Internet Service Provider (ISP). This process also automates the assignment of prefixes to downstream interfaces. A downstream interface is any interface that is not an upstream interface and uses delegated addressing mode. Downstream interfaces can be configured to request specific IPv6 subnets from the upstream interface. Once a downstream interface receives the IPv6 address, other devices connected to the downstream interface can obtain an IPv6 address by using DHCPv6 or by configuring their own IP address using auto-configuration.

In this example, the Enterprise Core FortiGate is connected to a DHCPv6 server provided by the ISP through an upstream interface (port1). The Enterprise Core FortiGate is configured with a delegate interface (port5) to receive the IPv6 prefix and DNS server address from the upstream interface.

A downstream interface (port5) connects the First Floor FortiGate to the Enterprise Core FortiGate. The First Floor FortiGate interface (port5) is configured to receive the IPv6 address and DNS server address from the Enterprise Core FortiGate using DHCP addressing mode or auto-configuration.

Configuring a downstream FortiGate to obtain the IPv6 and DNS server address from a delegated interface using DHCP mode requires the following steps:

  1. Configure the following items on the Enterprise Core FortiGate:

    • Upstream interface
    • Downstream interface
    • DHCPv6 server on the downstream interface.
  2. Configure the First Floor FortiGate to receive an IPv6 prefix and DNS from the delegated interface.

Instead of configuring a DHCPv6 server on the downstream interface of the Enterprise Core FortiGate, you can configure SLAAC. See IPv6 prefix delegation with SLAAC.

To configure the Enterprise Core FortiGate:
  1. Configure the upstream interface on the Enterprise Core FortiGate:

    config system interface edit "port1" config ipv6 set dhcp6-prefix-delegation enable set prefix-hint ::/48 end next end

  2. Verify that the upstream interface obtained a prefix delegation and DNS server address:

    config system interface edit port1 config ipv6 Enterprise Core FortiGate # get ip6-mode : static … dhcp6-prefix-delegation: enable delegated-prefix iaid 1 : 2001:db8:d0c::/48 preferred-life-time : 4294967295 valid-life-time : 4294967295 delegated-DNS1 : 2001:db8::35 delegated-DNS2 : :: … dhcp6-iapd-list: == [ 1 ] iaid: 1 prefix-hint: ::/48 prefix-hint-plt: 604800 prefix-hint-vlt: 2592001

  3. Configure the downstream interface on the Enterprise Core FortiGate:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-upstream-interface "port1" end next end

  4. Verify that the downstream interface obtained an IPv6 address/prefix:

    config system interface edit "port5" config ipv6 Enterprise Core FortiGate # get ip6-mode : delegated nd-mode : basic ip6-address : 2001:db8:d0c::/48ip6-delegated-prefix-iaid: 1 ip6-upstream-interface: port1 ip6-subnet : ::/0

  5. Configure the DHCPv6 server on the downstream interface:

    config system dhcp6 server edit 1 set dns-service delegated set interface "port5" set upstream-interface "port1" set ip-mode delegated next end

To configure the First Floor FortiGate:
  1. Configure the First Floor FortiGate interface to use DHCP mode:

    config system interface edit "port5" config ipv6 set ip6-mode dhcp end next end

  2. Verify that the First Floor FortiGate obtained an IPv6 address and the DNS server address from the delegated interface:

    # diagnose ipv6 address list | grep port5 dev=7 devname=port5 flag=P scope=0 prefix=128 addr=2001:db8:d0c::1 preferred=4294967295 valid=4294967295 cstamp=43208325 tstamp=43208325 # dia test application dnsproxy 3 worker idx: 0 VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1 dns64 is disabled DNS servers: 2001:db8::35:53 vrf=0 tz=0 encrypt=none req=3 to=2 res=0 rt=1046 ready=1 timer=0 probe=0 failure=2 last_failed=65131

IPv6 prefix delegation with SLAAC

A downstream FortiGate can be configured to obtain the IPv6 address and DNS server address from a delegated interface using SLAAC instead of DHCPv6. Following is a summary of the configuration steps:

  1. Configure the following items on the Enterprise Core FortiGate:

    • Upstream interface
    • Downstream interface
    • SLAAC on the downstream interface
  2. Configure the First Floor FortiGate to receive an IPv6 prefix and DNS from the delegated interface.

To configure the Enterprise Core FortiGate:
  1. Configure the upstream interface on the Enterprise Core FortiGate:

    config system interface edit "port1" config ipv6 set dhcp6-prefix-delegation enable set prefix-hint ::/48 end next end

  2. Verify that the upstream interface obtained a prefix delegation and DNS server address:

    config system interface edit port1 config ipv6 Enterprise Core FortiGate # get ip6-mode : static … dhcp6-prefix-delegation: enable delegated-prefix iaid 1 : 2001:db8:d0c::/48 preferred-life-time : 4294967295 valid-life-time : 4294967295 delegated-DNS1 : 2001:db8::35 delegated-DNS2 : :: … dhcp6-iapd-list: == [ 1 ] iaid: 1 prefix-hint: ::/48 prefix-hint-plt: 604800 prefix-hint-vlt: 2592001

  3. Configure the downstream interface on the Enterprise Core FortiGate:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-upstream-interface "port1" end next end

  4. Verify that the downstream interface obtained an IPv6 address/prefix:

    config system interface edit "port5" config ipv6 Enterprise Core FortiGate # get ip6-mode : delegated nd-mode : basic ip6-address : 2001:db8:d0c::/48ip6-delegated-prefix-iaid: 1 ip6-upstream-interface: port1 ip6-subnet : ::/0

  5. Configure SLAAC on the downstream interface:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-send-adv enable set ip6-upstream-interface "port1" config ip6-delegated-prefix-list edit 1 set upstream-interface "port1" set subnet 0:0:0:1::/64 set rdnss-service delegated next end end next end

To configure the First Floor FortiGate:
  1. Configure the First Floor FortiGate interface using auto-configure:

    config system interface edit "port5" config ipv6 set autoconf enable end next end

  2. Verify that the First Floor FortiGate automatically generated an IPv6 address and obtained the DNS server address from the delegated interface:

    # diagnose ipv6 address list | grep port5 dev=4 devname=port5 flag= scope=0 prefix=64 addr=2000:db8:d0c:1:20c:29ff:fe4d:f847 preferred=4294967295 valid=4294967295 cstamp=17203697 tstamp=17225377

Note

FortiGate can send DNS server addresses using Router Advertisement (RA), which allows any device that is capable of receiving DNS server addresses by using RA to obtain DNS server addresses.

Additionally, FortiGate can receive DNS server addresses through the use of SLAAC with a DHCPv6 stateless server, even though it is currently unable to receive DNS server addresses using RA due to RFC 4862 implementation. See SLAAC with DHCPv6 stateless server for more information.