sbabu
Staff
Article Id 342518
Description

This article describes how a host on the LAN generates its IPv6 address with SLAAC (Stateless Address Autoconfiguration) when the FortiGate LAN interface acts as the IPv6 router for that LAN.

Scope

FortiGate.

Solution

Topology:

[Figure SLAAC1.jpg: topology diagram, PC on the LAN behind the FortiGate LAN interface]

  • An IPv6 subnet is configured on the FortiGate LAN interface (port10), and that interface acts as the IPv6 router for the LAN network.

config system interface
    edit "port10"
        config ipv6
            set ip6-address fd01:adb8:d0c:1::1/64
            set ip6-send-adv enable
            config ip6-prefix-list
                edit fd01:adb8:d0c:1::/64
                next
            end
        end
    next
end

  • 'set ip6-send-adv enable' makes port10 send Router Advertisements, and the ip6-prefix-list entry is the prefix those advertisements carry. Hosts only build an address from a prefix whose autonomous (A) flag is set in the RA, so check the flags of the prefix list entry if clients receive a default route but no global address. To verify the exchange on the FortiGate, 'diagnose sniffer packet port10 "icmp6" 4' shows the RS, RA and DAD packets, and 'diagnose ipv6 neighbor-cache list' shows the link-local and global addresses the PC ends up using.

Step 1:

Link Local Address calculation:

  • When IPv6 is enabled on the PC, the first thing it does is auto-configure a link-local address.
  • The link-local address is the combination of the link-local prefix, i.e. 'FE80::/64', and an EUI-64 interface identifier.

EUI-64 Identifier calculation:

  • For example, the PC MAC address is 08:92:04:F1:48:35.
  • Insert 'FF:FE' in the middle of the 48-bit MAC address, giving '08:92:04:FF:FE:F1:48:35'.
  • Invert the universal/local (U/L) bit of the first octet, which is the 7th bit counting from the most significant bit (the 0x02 bit). Convert 08 to binary, 00001000, and flip that bit to 1, giving 00001010, which is 0A. A universally administered MAC (U/L bit 0) therefore always gets a 1 here; a locally administered MAC (U/L bit already 1) gets a 0.
  • The EUI-64 identifier is 0A92:04FF:FEF1:4835.
  • Combine the link-local prefix with the EUI-64 identifier to get the link-local address: FE80::0A92:04FF:FEF1:4835/64, written in compressed form as FE80::A92:4FF:FEF1:4835/64.
  • To make sure the address is unique on the link, the PC runs Duplicate Address Detection (DAD): it sends a Neighbor Solicitation for the tentative address, sourced from the unspecified address ::, to the address's solicited-node multicast group (FF02::1:FF00:0/104 plus the low 24 bits of the address, here FF02::1:FFF1:4835) and only uses the address if no other node answers.
  • Note that most current operating systems, including Windows and many Linux distributions, do not derive the interface identifier from the MAC address by default: they use a randomized or stable-private identifier (RFC 4941 temporary addresses, RFC 7217 stable identifiers) instead. The EUI-64 method shown here still applies to many embedded and network devices and to hosts configured for it, and an EUI-64 address reveals the host's MAC address to every peer it talks to, which is why the privacy methods exist.

Step 2:

  • Once the PC has a link-local address, it starts auto-configuring a global (here, unique local) address.
  • The PC sends a Router Solicitation (RS) message to the all-routers multicast address 'FF02::2', sourced from its link-local address (or from the unspecified address :: if DAD on the link-local address has not completed).
  • Only routers, i.e. nodes that have joined the FF02::2 group, process this message; other hosts do not receive it.
  • Because FortiGate is configured as the IPv6 router on this LAN ('set ip6-send-adv enable' on port10), it answers with a Router Advertisement (RA). Even without a solicitation it sends RAs periodically to the all-nodes address FF02::1, so a host that missed the reply still learns the prefix.
  • The RA carries, in its Prefix Information option, the prefix and prefix length configured in the ip6-prefix-list, here fd01:adb8:d0c:1::/64, together with the autonomous (A) and on-link (L) flags.
  • When the PC receives the RA from the FortiGate, it combines the advertised prefix with its EUI-64 interface identifier, for example fd01:adb8:d0c:1:0A92:04FF:FEF1:4835/64 (compressed: fd01:adb8:d0c:1:A92:4FF:FEF1:4835/64), and runs DAD on this address as well.
  • The PC sets its IPv6 default gateway to the source address of the RA, which is the FortiGate's link-local address on port10, not fd01:adb8:d0c:1::1. This is why 'ip -6 route' on Linux or 'netsh interface ipv6 show route' on Windows shows a fe80:: next hop for the default route.
  • With the default gateway set, the PC sends all its off-link IPv6 traffic to the FortiGate, which forwards the packets according to its routing table and IPv6 firewall policies.
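The address derivation of Steps 1 and 2, as an added worked example that is not part of the original article and not Fortinet code: it computes the modified EUI-64 identifier, the link-local address, the solicited-node multicast group that DAD's Neighbor Solicitation is sent to, and the SLAAC address for the prefix configured on port10. It goes one step beyond the article by also reversing the derivation, which shows why an EUI-64 address leaks the MAC and why privacy identifiers exist. The MAC and prefix are the ones from the article; the second address fed to mac_from_eui64_address is constructed here for contrast, and nothing in the script talks to a FortiGate.

```python
import ipaddress
from typing import Optional

# Values taken from the article: the PC's MAC and the prefix advertised by port10.
PC_MAC = "08:92:04:F1:48:35"
LAN_PREFIX = "fd01:adb8:d0c:1::/64"
LINK_LOCAL_PREFIX = "fe80::/64"


def eui64_from_mac(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert FF:FE between the OUI and the device-specific half of the MAC ...
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # ... and invert the universal/local bit: bit 7 from the MSB of the first
    # octet, i.e. the 0x02 bit. For the article's MAC 0x08 becomes 0x0A.
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the EUI-64 identifier of `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        # RFC 4862: prefix length + identifier length must equal 128.
        raise ValueError("SLAAC with a 64-bit identifier requires a /64 prefix")
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Step 1: the address the host configures before it has heard any router."""
    return slaac_address(LINK_LOCAL_PREFIX, mac)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """Group that the DAD Neighbor Solicitation for `addr` is sent to:
    ff02::1:ff00:0/104 with the low 24 bits of the address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Reverse the derivation. Returns None when the identifier is not modified
    EUI-64, e.g. an RFC 4941 temporary or RFC 7217 stable-private address."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the U/L bit inversion
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    ll = link_local_address(PC_MAC)
    gl = slaac_address(LAN_PREFIX, PC_MAC)
    print("EUI-64 identifier :", eui64_from_mac(PC_MAC).hex(":"))
    print("link-local address:", ll)
    print("DAD NS sent to    :", solicited_node_multicast(ll))
    print("SLAAC address     :", gl)
    print("MAC recovered     :", mac_from_eui64_address(str(gl)))
    # Constructed stable-private style address: no FF:FE marker, so no MAC leaks.
    print("MAC recovered     :", mac_from_eui64_address("fd01:adb8:d0c:1:1a2b:3c4d:5e6f:7081"))
```

The /64 check in slaac_address matters in practice: a FortiGate prefix list entry with any other length is advertised, but a host using 64-bit identifiers will not form an address from it. The reverse function is also a useful triage tool when reading 'diagnose ipv6 neighbor-cache list' output, since it tells you immediately which clients are exposing their hardware address.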