Neighbor discovery proxy
This feature provides support for proxying the IPv6 Neighbor Discovery Protocol (NDP) to allow the following ICMP messages to be forwarded between upstream and downstream interfaces:
- Router Advertisement (RA)
- Neighbor Solicitation (NS)
- Neighbor Advertisement (NA)
- Router Solicitation (RS)
- Redirect

Typically only one interface receives RA traffic, and the interface is automatically considered the upstream interface.
The Neighbor Discovery Protocol (NDP) is a layer 2 protocol that performs several tasks to improve the efficiency and consistency of data transmission across multiple networks and processes. NDP uses ICMPv6 messages to perform the following tasks:
- Stateless auto-configuration: This enables the auto-configuration of IPv6 addresses without the need for a DHCP server. This means that each host on the network can automatically configure its unique IPv6 link-local address and global unicast address.
- Address Resolution: NDP performs a function similar to IPv4's Address Resolution Protocol (ARP), dynamically resolving IPv6 addresses to their corresponding MAC addresses.
- Neighbor Unreachability Detection (NUD): This function detects when a host is no longer reachable, allowing for more efficient routing and data transmission.
- Duplicate Address Detection (DAD): This function verifies that there is no duplication of unicast IPv6 addresses in the network, ensuring that each host has a unique address.
Configure ND proxy in the CLI using the following syntax:

    config system nd-proxy
        set status {enable|disable}
        set member <interface> <interface> [<interface>...]
    end

| Option | Description |
|---|---|
| status | Enable/disable the use of neighbor discovery proxy. |
| member | List of interfaces using the neighbor discovery proxy. |

In this example, the client is connected to a FortiGate device that is configured as an ND (Neighbor Discovery) proxy. Port1 is the upstream interface that receives Router Advertisement (RA) traffic, and port5 is the downstream interface that connects to the client. This setup allows the FortiGate device to facilitate communication between the client and the IPv6 router.
To configure ND Proxy on FortiGate:

- Enable address auto-configuration on the upstream interface:

        config system interface
            edit "port1"
                config ipv6
                    set autoconf enable
                end
            next
        end

- Enable ND proxy on the interfaces:

        config system nd-proxy
            set status enable
            set member "port1" "port5"
        end

See RFC 4389 for more information on Neighbor Discovery Proxies (ND Proxy).
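
An added example, not part of the original page or of Fortinet's tooling: a Python check that parses a configuration backup and confirms that both steps of the procedure above are present. The function names, the constructed sample text, and the rule that exactly one member should have autoconf enabled (taken as the upstream) are assumptions made for illustration.

```python
import shlex

# Constructed sample: the two blocks from the procedure, as in a config backup.
SAMPLE_CONFIG = '''
config system interface
    edit "port1"
        config ipv6
            set autoconf enable
        end
    next
    edit "port5"
    next
end
config system nd-proxy
    set status enable
    set member "port1" "port5"
end
'''

def parse_fortios(text):
    """Map each config path, e.g. ('system interface', 'port1', 'ipv6'), to its 'set' values."""
    settings, path = {}, []
    # shlex handles the quoted interface names; blank lines are skipped.
    for tok in filter(None, map(shlex.split, text.splitlines())):
        verb, args = tok[0], tok[1:]
        if verb == "config":
            path.append(" ".join(args))
        elif verb == "edit" and args:
            path.append(args[0])
        elif verb in ("next", "end") and path:
            path.pop()  # 'next' closes an edit block, 'end' closes a config block
        elif verb == "set" and args:
            settings.setdefault(tuple(path), {})[args[0]] = args[1:]
    return settings

def audit_nd_proxy(text):
    """Check the ND proxy settings against the two-step procedure."""
    cfg = parse_fortios(text)
    nd = cfg.get(("system nd-proxy",), {})
    enabled, members = nd.get("status") == ["enable"], nd.get("member", [])
    # Assumption: a member with autoconf enabled is the intended upstream interface.
    upstream = [m for m in members if cfg.get(
        ("system interface", m, "ipv6"), {}).get("autoconf") == ["enable"]]
    checks = [(enabled, "nd-proxy status is not enable"),
              (len(members) >= 2, "nd-proxy needs at least two member interfaces"),
              (len(upstream) == 1, "expected exactly one member with ipv6 autoconf enabled")]
    findings = [msg for ok, msg in checks if not ok]
    return {"enabled": enabled, "members": members, "upstream": upstream, "findings": findings}
```

An empty `findings` list means the backup matches the procedure; any other result names the step that is missing or needs review.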