Hello
Anoynone know how to show the DHCPv6 IAID and DHCPv6 Client DUID on a fortigate ?
The device is configured to get IPV6 address via DHCP on WAN1 port from the ISP.
I want to know what IAID and DUID the fortigate is presenting to the ISP's DHCP server via the WAN port.
Sniffing is not an option.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Fortigate as the DHCPv6 client correctly uses the DHCP Unique Identifier (DUID) -LLT for all the interfaces.
This enables the firewall to accept default routes from router advertisements.
DUID Based on Link-layer Address Plus Time [DUID-LLT] This type of DUID consists of a two octet type field containing the value 1, a two octet hardware type code, four octets containing a time value, followed by link-layer address of any one network interface that is connected to the DHCP device at the time that the DUID is generated. The time value is the time that the DUID is generated represented in seconds since midnight (UTC), January 1, 2000, modulo 2^32. The hardware type MUST be a valid hardware type assigned by the IANA as described in RFC 826 [14]. Both the time and the hardware type are stored in network byte order. The link-layer address is stored in canonical form, as described in RFC 2464 [2].
Local network prefix length and default router must be learned on FGT from RA(Router advertisement) packets.
For debugging on Fortigate please run the below command:-
diag debug reset
diag deb app dhcp6c -1
dia debug en
To stop debug type:- dia debug dis
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Fortigate as the DHCPv6 client correctly uses the DHCP Unique Identifier (DUID) -LLT for all the interfaces.
This enables the firewall to accept default routes from router advertisements.
DUID Based on Link-layer Address Plus Time [DUID-LLT] This type of DUID consists of a two octet type field containing the value 1, a two octet hardware type code, four octets containing a time value, followed by link-layer address of any one network interface that is connected to the DHCP device at the time that the DUID is generated. The time value is the time that the DUID is generated represented in seconds since midnight (UTC), January 1, 2000, modulo 2^32. The hardware type MUST be a valid hardware type assigned by the IANA as described in RFC 826 [14]. Both the time and the hardware type are stored in network byte order. The link-layer address is stored in canonical form, as described in RFC 2464 [2].
Local network prefix length and default router must be learned on FGT from RA(Router advertisement) packets.
For debugging on Fortigate please run the below command:-
diag debug reset
diag deb app dhcp6c -1
dia debug en
To stop debug type:- dia debug dis
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Thank You!
Looks Like the Fortigate is sending both DUID-LL and DUID-LLT
[debug]dhcp6_get_options() get DHCP option client ID, len 10
[debug] DUID: 00:03:00:01:xx:xx:26:6f:xx:93
[debug]dhcp6_get_options() get DHCP option server ID, len 14
[debug] DUID: 00:01:00:01:19:af:60:56:00:xx:xx:a8:xx:40
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.