FortiGate
CarlosColombini
Article Id 219656
Description: This article describes why an IPv6 gateway may not be reachable and a workaround using RFC 6164.
Scope: FortiGate.
Solution

A simple analogy for an IPv6 subnet-router anycast address is that it looks like a 'network address' for IPv4 as it is the first address in a subnet.
For example, if the prefix for the subnet is 2600:5000:9830::28/126, the subnet-router anycast address for that subnet is 2600:5000:9830::28.

Additionally, for the example above, the address range for that subnet is:

2600:5000:9830::28
2600:5000:9830::29
2600:5000:9830::2a
2600:5000:9830::2b

It is not recommended to set an interface address to a subnet-router anycast address, but some ISPs may deliver a subnet as above with their device set to the subnet-router anycast address; in that case the next hop/gateway for the FortiGate would be 2600:5000:9830::28.

 

To prevent this issue, starting with FortiOS 7.2.2 it is not allowed to set a subnet-router anycast address as the gateway address of an IPv6 static route. Previous FortiOS versions allow it, but the gateway will not be reachable, as shown in the example below for directly connected devices:


FortiGate (port2) ==> ISP Router ==> Internet


FortiGate port2 IPv6: 2600:5000:9830::29/126
FortiGate port2 link-local: fe80::20c:29ff:fe42:dc8d
FortiGate port2 MAC: 00:0c:29:42:dc:8d

ISP Router IPv6: 2600:5000:9830::28/126
ISP Router link-local: fe80::20c:29ff:fe01:3ff2
ISP Router MAC: 00:0c:29:01:3f:f2

# config system interface
    edit "port2"
        config ipv6
            set ip6-address 2600:5000:9830::29/126
            set ip6-allowaccess ping https http
        end
    next
end

# config router static6
    edit 1
        set gateway 2600:5000:9830::28
        set device "port2"
    next
end

With the above configuration, the gateway is not reachable and the next-hop device is not listed in the neighbor cache, as shown below:

FGT1-A # execute ping6 2600:5000:9830::28
PING 2600:5000:9830::28(2600:5000:9830::28) 56 data bytes

--- 2600:5000:9830::28 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss, time 0ms


FGT1-A # di ipv6 neighbor-cache list | grep 00:0c:29:01:3f:f2

 

Because 2600:5000:9830::28 is a subnet-router anycast address, it should not be used as a gateway: the FortiGate is itself a router on that subnet and therefore owns the anycast address. If the ISP cannot reconfigure the address on their end, the workaround is to use a /127 subnet, as detailed in RFC 6164 (linked below).

https://datatracker.ietf.org/doc/html/rfc6164
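As an added illustration, not part of the original article or of FortiOS, the Python snippet below (standard library only, function names my own) computes the subnet-router anycast address of a prefix, lists the addresses of the small subnets above, and applies the same rule FortiOS 7.2.2 enforces: a static6 gateway equal to the subnet-router anycast address of the interface's subnet is rejected, while on a /127 (RFC 6164) there is no subnet-router anycast address, so the same gateway is accepted.

```python
import ipaddress


def subnet_router_anycast(prefix):
    """Subnet-router anycast address of an IPv6 prefix (RFC 4291): the prefix with
    an all-zero interface identifier, i.e. the first address of the subnet.
    RFC 6164 /127 point-to-point links (and /128) have no subnet-router anycast
    address, so None is returned for those."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen >= 127:
        return None
    return net.network_address


def subnet_addresses(prefix, limit=256):
    """All addresses of a small subnet, first (anycast) to last, as strings."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.num_addresses > limit:
        raise ValueError(f"{net} has more than {limit} addresses")
    return [str(a) for a in net]


def check_static6_gateway(interface_addr, gateway):
    """Mirror the FortiOS 7.2.2+ check described in the article.
    Returns (accepted, reason)."""
    iface = ipaddress.IPv6Interface(interface_addr)
    gw = ipaddress.IPv6Address(gateway)
    if gw not in iface.network:
        # e.g. a link-local next hop; the anycast rule does not apply.
        return True, f"{gw} is not in {iface.network}; anycast check not applicable"
    anycast = subnet_router_anycast(str(iface.network))
    if anycast is not None and gw == anycast:
        return False, (f"{gw} is the subnet-router anycast address of {iface.network}; "
                       "use a /127 (RFC 6164) or a different next hop")
    return True, "ok"


if __name__ == "__main__":
    # Constructed values taken from the article's example.
    print(subnet_addresses("2600:5000:9830::28/126"))
    print(check_static6_gateway("2600:5000:9830::29/126", "2600:5000:9830::28"))
    print(check_static6_gateway("2600:5000:9830::29/127", "2600:5000:9830::28"))
```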

 

With the configuration changed to /127 as below, the gateway is now reachable and appears in the neighbor cache list.

# config system interface
    edit "port2"
        config ipv6
            set ip6-address 2600:5000:9830::29/127
            set ip6-allowaccess ping https http
        end
    next
end

# config router static6
    edit 1
        set gateway 2600:5000:9830::28
        set device "port2"
    next
end

FGT1-A # execute ping6 2600:5000:9830::28
PING 2600:5000:9830::28(2600:5000:9830::28) 56 data bytes
64 bytes from 2600:5000:9830::28: icmp_seq=1 ttl=255 time=0.232 ms

--- 2600:5000:9830::28 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.232/0.232/0.232/0.000 ms

FGT1-A # di ipv6 neighbor-cache list | grep 00:0c:29:01:3f:f2
ifindex=4 ifname=port2 fe80::20c:29ff:fe01:3ff2 00:0c:29:01:3f:f2 state=00000002 use=1441 confirm=1941 update=1441 ref=1
ifindex=4 ifname=port2 2600:5000:9830::28 00:0c:29:01:3f:f2 state=00000002 use=446 confirm=2324 update=2443 ref=3
