IPv6 prefix delegation
IPv6 prefix delegation allows the dynamic assignment of an address prefix and DNS server address to an upstream interface. An upstream interface is typically the interface that is connected to an Internet Service Provider (ISP). This process also automates the assignment of prefixes to downstream interfaces. A downstream interface is any interface that is not an upstream interface and uses delegated addressing mode. Downstream interfaces can be configured to request specific IPv6 subnets from the upstream interface. Once a downstream interface receives the IPv6 address, other devices connected to the downstream interface can obtain an IPv6 address by using DHCPv6 or by configuring their own IP address using auto-configuration.
In this example, the Enterprise Core FortiGate is connected to a DHCPv6 server provided by the ISP through an upstream interface (port1). The Enterprise Core FortiGate is configured with a delegate interface (port5) to receive the IPv6 prefix and DNS server address from the upstream interface.
A downstream interface (port5) connects the First Floor FortiGate to the Enterprise Core FortiGate. The First Floor FortiGate interface (port5) is configured to receive the IPv6 address and DNS server address from the Enterprise Core FortiGate using DHCP addressing mode or auto-configuration.
Using the GUI or CLI to configure a downstream FortiGate to obtain the IPv6 and DNS server address from delegated interface using DHCP mode requires the following steps:
-
Configure the following items on the Enterprise Core FortiGate:
- Upstream interface
- Downstream interface
- DHCPv6 server on the downstream interface.
-
Configure First Floor FortiGate to receive IPv6 prefix and DNS from the delegated interface.
Instead of configuring a DHCPv6 server on the downstream interface of the Enterprise Core FortiGate, you can configure SLAAC. See IPv6 prefix delegation with SLAAC.
GUI configuration
To configure the Enterprise Core FortiGate:
-
Configure the upstream interface on Enterprise Core FortiGate:
-
Go to Network > Interfaces and edit port1.
-
Enable DHCPv6 prefix delegation.
-
Select the + in the IAPD prefix hint to open the ID and prefix field.
-
Enter 1 for ID and ::/48 for prefix field. You can add two or more entries. Select the x icon in the field to remove an entry.
-
Click OK.
-
-
Verify that the upstream interface obtained the prefix delegation, see Verify upstream interface obtained prefix delegation and DNS server address.
-
Configure the downstream interface on Enterprise Core FortiGate:
-
Go to Network > Interfaces and edit port5.
-
Set IPv6 addressing mode to Delegated.
-
Enter 1 for Identity association identifier field.
-
Set IPv6 upstream interface to port1.
-
Click OK.
-
-
Verify that the downstream interface obtained an IPv6 address/prefix:
-
Go to Network > Interfaces and edit port5. The IPv6 Address/Prefix field is prepopulated.
-
-
Configure the DHCPv6 server on the downstream interface:
-
Go to Network > Interfaces and edit port5
-
Enable DHCPv6 Server.
-
Set DNS service to Delegated.
-
From the Upstream interface dropdown list, select port1.
-
Input the following commands from the CLI:
config system dhcp6 server edit 1 set delegated-prefix-iaid 1 next end
-
Enable Stateful server.
-
Set IP mode to Delegated.
-
Click OK.
-
To configure the First Floor FortiGate:
-
Configure the First Floor FortiGate interface using DHCP mode:
-
Go to Network > Interfaces and edit the port5.
-
Set IPv6 addressing mode to DHCP. This allows the First Floor FortiGate to obtain the IPv6 prefix and DNS from the delegated interface.
-
Click OK.
-
-
Verify that the First Floor FortiGate obtained an IPv6 address and the DNS server address from the delegated interface:
-
Go to Network > Interfaces and edit port5. The Obtained IP/Netmask and Acquired DNS fields are prepopulated with an IPv6 address.
-
CLI configuration
Using the CLI to configure a downstream FortiGate to obtain the IPv6 and DNS server address from delegated interface using DHCP mode requires the following steps:
To configure the Enterprise Core FortiGate:
-
Configure the upstream interface on the Enterprise Core FortiGate:
config system interface edit "port1" config ipv6 set dhcp6-prefix-delegation enable config dhcp6-iapd-list edit 1 set prefix-hint ::/48 next end end next end
-
Verify that the upstream interface obtained a prefix delegation and DNS server address:
config system interface edit port1 config ipv6 Enterprise Core FortiGate # get ip6-mode : static … dhcp6-prefix-delegation: enable delegated-prefix iaid 1 : 2001:db8:d0c::/48 preferred-life-time : 4294967295 valid-life-time : 4294967295 delegated-DNS1 : 2001:db8::35 delegated-DNS2 : :: … dhcp6-iapd-list: == [ 1 ] iaid: 1 prefix-hint: ::/48 prefix-hint-plt: 604800 prefix-hint-vlt: 2592001
-
Configure the downstream interface on the Enterprise Core FortiGate:
config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-delegated-prefix-iaid 1 set ip6-upstream-interface "port1" end next end
-
Verify that the downstream interface obtained an IPv6 address/prefix:
config system interface edit "port5" config ipv6 Enterprise Core FortiGate # get ip6-mode : delegated nd-mode : basic ip6-address : 2001:db8:d0c::/48 … ip6-delegated-prefix-iaid: 1 ip6-upstream-interface: port1 ip6-subnet : ::/0
-
Configure the DHCPv6 server on the downstream interface:
config system dhcp6 server edit 1 set dns-service delegated set interface "port5" set upstream-interface "port1" set delegated-prefix-iaid 1 set ip-mode delegated next end
To configure the First Floor FortiGate:
-
Configure the First Floor FortiGate interface to use DHCP mode:
config system interface edit "port5" config ipv6 set ip6-mode dhcp end next end
-
Verify that the First Floor FortiGate obtained an IPv6 address and DNS server address from the delegated interface:
# diagnose ipv6 address list | grep port5 dev=7 devname=port5 flag=P scope=0 prefix=128 addr=2001:db8:d0c::1 preferred=4294967295 valid=4294967295 cstamp=43208325 tstamp=43208325 # dia test application dnsproxy 3 worker idx: 0 VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1 dns64 is disabled DNS servers: 2001:db8::35:53 vrf=0 tz=0 encrypt=none req=3 to=2 res=0 rt=1046 ready=1 timer=0 probe=0 failure=2 last_failed=65131
IPv6 prefix delegation with SLAAC
A downstream FortiGate can be configured to obtain the IPv6 address and DNS server address from a delegated interface using SLAAC instead of DHCPv6. Following is a summary of the configuration steps:
-
Configure the following items on the Enterprise Core FortiGate:
- Upstream interface
- Downstream interface
- SLAAC on the downstream interface
-
Configure the First Floor FortiGate to receive an IPv6 prefix and DNS server address from the delegated interface.
To configure the Enterprise Core FortiGate:
-
Configure the upstream interface on Enterprise Core FortiGate:
-
Go to Network > Interfaces and edit port1.
-
Enable DHCPv6 prefix delegation.
-
Select the + in the IAPD prefix hint to open the ID and prefix field.
-
Enter 1 for ID and ::/48 for prefix field. You can add two or more entries. Select the x icon in the field to remove an entry.
-
Click OK.
-
-
Verify that the upstream interface obtained the prefix delegation, see Verify upstream interface obtained prefix delegation and DNS server address.
-
Configure the downstream interface on Enterprise Core FortiGate:
-
Go to Network > Interfaces and edit port5.
-
Set IPv6 addressing mode to Delegated.
-
Enter 1 for Identity association identifier field.
-
Set IPv6 upstream interface to port1.
-
Click OK.
-
-
Verify that the downstream interface obtained an IPv6 address/prefix:
-
Go to Network > Interfaces and edit port5. The IPv6 Address/Prefix field is prepopulated.
-
-
Configure SLAAC on the downstream interface:
config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-send-adv enable set ip6-delegated-prefix-iaid 1 set ip6-upstream-interface "port1" config ip6-delegated-prefix-list edit 1 set upstream-interface "port1" set delegated-prefix-iaid 1 set subnet 0:0:0:1::/64 set rdnss-service delegated next end end next end
To configure the First Floor FortiGate:
-
Configure the First Floor FortiGate interface using auto-configure:
config system interface edit "port5" config ipv6 set autoconf enable end next end
-
Verify that the First Floor FortiGate automatically generated an IPv6 address and obtained the DNS server address from the delegated interface:
# diagnose ipv6 address list | grep port5 dev=4 devname=port5 flag= scope=0 prefix=64 addr=2000:db8:d0c:1:20c:29ff:fe4d:f847 preferred=4294967295 valid=4294967295 cstamp=17203697 tstamp=17225377
FortiGate can send DNS server addresses using Router Advertisement (RA), which allows any device that is capable of receiving DNS server addresses by using RA to obtain DNS server addresses. Additionally, FortiGate can receive DNS server addresses through the use of SLAAC with a DHCPv6 stateless server, even though it is currently unable to receive DNS server addresses using RA due to RFC 4862 implementation. See SLAAC with DHCPv6 stateless server for more information. |