This article explains how to manually configure an IPv6 link-local address.
FortiGate and FortiOS.
By default, FortiOS uses the EUI-64 method to assign link-local addresses to its IPv6 enabled interfaces:
This address is used for on-link communication and for traffic generated by the device, such as Neighbor Discovery Protocol and Dynamic Routing Protocol updates.
The Fortigate in the above example is configured to send on-link Router Advertisements, including ICMPv6 Options with Prefix Information, on-link flag, and autonomous address-configuration flag. It's therefore possible to connect a host to this port and use SLAAC for host IPv6 configuration.
Upon connecting a Windows host to this link and doing a packet capture, it becomes clear that the Advertisements are sent using the EUI-64 generated link-local address of the FortiGate. The Windows host uses SLAAC to generate an IPv6 GUA address based on the /64 prefix and uses the link local address of the FortiGate as a default Gateway:
Manually specifying the link-local address for IPv6 enabled interfaces on FortiOS allows for quick identification of traffic generated by the device. The address can be similar to the GUA for that particular interface.
It's possible to use the same IPv6 link local address for every enabled IPv6 interface on a single device. Because the link local address has a local scope, it is cannot be routed and it does not pass through the link. Using the same address for every link makes it easier to quickly identify traffic sent by the device within a network.
The example in this article will manually specify the IPv6 link-local address using the config ip6-extra-addr command.
Here, the same GUA is used, and the first hextet is replaced with fe80 (from 2001):
After applying this change, there are two link local addresses for this interface, but only the one specified will be used:
In pcap and the Windows host:
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.