Administration Guide

Neighbor discovery proxy

This feature provides support for proxying the IPv6 Neighbor Discovery Protocol (NDP) to allow the following ICMP messages to be forwarded between upstream and downstream interfaces.

Message types and their functions:

  • Router Solicitation (RS): Used by hosts to find any routers in the local segment and to request that they advertise their presence on the network.

  • Router Advertisement (RA): Used by an IPv6 router to advertise its presence on the network.

  • Neighbor Solicitation (NS): Sent by a host to determine the link-layer address that corresponds to a neighbor's IPv6 address. Also used to verify the reachability of a neighbor listed in the Neighbor Discovery (ND) table.

  • Neighbor Advertisement (NA): Sent by a host in response to an NS message. When a host receives an NS message, it replies with an NA message to the originating host. A host also sends an unsolicited NA to announce a link-layer address change.

  • Network Redirect: Sent by IPv6 routers to inform an originating host of a better next-hop address for a specific destination. Only routers send Redirect messages, and only hosts process them.

Note

Typically only one interface receives RA traffic, and that interface is automatically considered the upstream interface.

The Neighbor Discovery Protocol (NDP) is a layer 2 protocol that performs several tasks to improve the efficiency and consistency of data transmission across multiple networks and processes. NDP uses ICMPv6 messages to perform the following tasks:

  • Stateless auto-configuration: This enables the auto-configuration of IPv6 addresses without the need for a DHCP server. This means that each host on the network can automatically configure its unique IPv6 link-local address and global unicast address.

  • Address Resolution: NDP performs a function similar to IPv4's Address Resolution Protocol (ARP), but instead of using ARP, it uses NDP to dynamically resolve IPv6 addresses to their corresponding MAC addresses.

  • Neighbor Unreachability Detection (NUD): This function detects when a host is no longer reachable, allowing for more efficient routing and data transmission.

  • Duplicate Address Detection (DAD): This function verifies that there is no duplication of unicast IPv6 addresses in the network, ensuring that each host has a unique address.

Configure ND proxy in the CLI using the following syntax:

config system nd-proxy
    set status {enable|disable}
    set member <interface> <interface> [<interface>...]
end

Options:

  • status: Enable/disable the use of neighbor discovery proxy.

  • member: List of interfaces using the neighbor discovery proxy.

In this example, the client is connected to a FortiGate device that is configured as an ND (Neighbor Discovery) proxy. port1 is the upstream interface that receives Router Advertisement (RA) traffic, and port5 is the downstream interface that connects to the client. With this setup the FortiGate relays NDP messages between the client and the IPv6 router, so the client can autoconfigure and resolve neighbors as if it were on the router's segment.

To configure ND Proxy on FortiGate:
  1. Enable address auto-configuration on the upstream interface:

    config system interface
        edit "port1"
            config ipv6
                set autoconf enable
            end
        next
    end

  2. Enable ND proxy on the interfaces:

    config system nd-proxy
        set status enable
        set member "port1" "port5"
    end

Note

See RFC 4389 for more information on Neighbor Discovery Proxies (ND Proxy).
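The following is an added illustration, not FortiOS code or anything from the Fortinet guide: a small Python model of the forwarding behaviour described above. It parses the ICMPv6 header of the five NDP message types, takes the interface on which the first RA arrives as the upstream interface, decides which member interfaces each message is relayed to, and rewrites source/target link-layer address options to the proxy's own MAC as RFC 4389 requires. The interface names, MAC addresses and packets are constructed for the example; the rule that RA and Redirect are only relayed when received on the upstream side follows RFC 4389, and as a side effect it keeps a downstream host's RAs from reaching the other segments.

```python
"""Toy model of RFC 4389-style ND proxy forwarding (constructed example).

Parses the ICMPv6 header of NDP messages, learns the upstream interface
from where Router Advertisements first arrive, decides which member
interfaces a message is proxied to, and rewrites link-layer address
options to the proxy's own MAC as RFC 4389 requires.
"""
import ipaddress
import struct

# ICMPv6 type values of the five NDP messages (RFC 4861)
RS, RA, NS, NA, REDIRECT = 133, 134, 135, 136, 137
NAMES = {RS: "RS", RA: "RA", NS: "NS", NA: "NA", REDIRECT: "Redirect"}
# Length of the fixed part of each message; ND options follow it
FIXED_LEN = {RS: 8, RA: 16, NS: 24, NA: 24, REDIRECT: 40}
# ND option types that carry a link-layer address (RFC 4861 section 4.6.1)
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2


def icmpv6_type(payload: bytes) -> int:
    """The first byte of the ICMPv6 header is the message type."""
    if len(payload) < 4:
        raise ValueError("ICMPv6 header is at least 4 bytes")
    return payload[0]


def rewrite_lladdr_options(payload: bytes, proxy_mac: bytes) -> bytes:
    """Copy an NDP message, replacing every source/target link-layer
    address option with the proxy's MAC and zeroing the checksum, which
    the sender must recompute over the IPv6 pseudo-header."""
    fixed = FIXED_LEN[icmpv6_type(payload)]
    out = bytearray(payload[:fixed])
    out[2:4] = b"\x00\x00"
    pos = fixed
    while pos + 2 <= len(payload):
        otype, olen = payload[pos], payload[pos + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: discard packet
        end = pos + olen * 8
        if end > len(payload):
            raise ValueError("truncated ND option")
        opt = bytearray(payload[pos:end])
        if otype in (OPT_SRC_LLADDR, OPT_TGT_LLADDR) and olen == 1:
            opt[2:8] = proxy_mac  # an Ethernet MAC fills the 8-byte option
        out += opt
        pos = end
    return bytes(out)


class NdProxy:
    """Forwarding decisions for a set of proxy member interfaces (constructed)."""

    def __init__(self, members, proxy_mac: bytes):
        self.members = list(members)
        self.proxy_mac = proxy_mac
        self.upstream = None  # learned from the first RA, then kept fixed

    def handle(self, ingress: str, payload: bytes):
        """Return (message name, egress interfaces, rewritten payload), or
        None if the frame is not an NDP message on a member interface."""
        if ingress not in self.members:
            return None
        t = icmpv6_type(payload)
        if t not in NAMES:
            return None
        if t == RA and self.upstream is None:
            self.upstream = ingress  # the interface receiving RAs is upstream
        others = [m for m in self.members if m != ingress]
        if t in (RA, REDIRECT):
            # Only routers send these: relay them only from the upstream side.
            egress = others if ingress == self.upstream else []
        else:
            egress = others  # RS, NS and NA are relayed to every other member
        return NAMES[t], egress, rewrite_lladdr_options(payload, self.proxy_mac)


def build_ns(target: str, src_mac: bytes) -> bytes:
    """Constructed Neighbor Solicitation for `target` with an SLLA option."""
    hdr = struct.pack("!BBHI", NS, 0, 0, 0)
    return hdr + ipaddress.IPv6Address(target).packed + bytes([OPT_SRC_LLADDR, 1]) + src_mac


def build_ra(router_mac: bytes) -> bytes:
    """Constructed Router Advertisement: hop limit 64, lifetime 1800 s, SLLA option."""
    hdr = struct.pack("!BBHBBHII", RA, 0, 0, 64, 0, 1800, 0, 0)
    return hdr + bytes([OPT_SRC_LLADDR, 1]) + router_mac


if __name__ == "__main__":
    proxy = NdProxy(["port1", "port5"], b"\x02\x00\x00\x00\x00\x01")
    for ingress, pkt in [("port1", build_ra(b"\x02\x00\x00\x00\x00\xaa")),
                         ("port5", build_ns("fe80::1", b"\x02\x00\x00\x00\x00\xbb")),
                         ("port5", build_ra(b"\x02\x00\x00\x00\x00\xcc"))]:
        name, egress, _ = proxy.handle(ingress, pkt)
        print(f"{name} on {ingress} -> {egress or 'dropped'}")
```

The model learns the upstream interface once, from the first RA it sees, and then drops RAs and Redirects that arrive on any other member; a deployment that can set the upstream interface explicitly does not have to trust that first RA. Rewriting the link-layer options is what makes the proxy transparent: neighbors on each segment learn the proxy's MAC rather than a MAC that is unreachable on their own link, so the checksum has to be recomputed before the message is sent.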
