FortiWLC – IPv6 Client Support

IPv6 Client Support

FortiWLC (SD) supports both bridge-mode and tunnel-mode ESS profiles for wireless and wired clients connected to Fortinet access points (APs). IPv6 client support provides the following:

  • Basic IPv6 Forwarding
  • IPv6 forwarding in dynamic VLAN deployment
  • High Performance IPv6 Forwarding
  • IPv6 Security
  • IPv6 Multicast Optimization
  • IPv6 Prioritization
  • IPv6 Network Management Enhancements

Basic IPv6 Forwarding

FortiWLC (SD) acts as an L2 switch for IPv6 clients connected in tunnel and bridge mode. The IPv6 specification (RFC 2460) distinguishes two kinds of IPv6 node: routers and hosts. The controllers and the APs act as IPv6 hosts that forward IPv6 packets at layer 2, not as IPv6 routers. The ESS profile supports IPv4, dual-stack (IPv4 and IPv6) and IPv6-only clients simultaneously. The following modes of IPv6 address configuration for clients are supported:

  • Stateless Address Auto Configuration (SLAAC)
  • DHCPv6
  • Static IPv6 Configuration (Manual)
  • Link local address

The VLAN profile for wireless clients uses an IPv4 address and does not require IPv6. The Allow Multicast flag in the ESS is used to allow or block multicast traffic in the ESS. If it is set to Off, all IPv6 multicast traffic is blocked except Router Advertisements, Router Solicitations, Neighbor Solicitations, other Neighbor Discovery messages and DHCPv6 packets.
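The Allow Multicast = Off rule described above, modelled on constructed IPv6 frames as an added example (this is not FortiWLC code): everything sent to an IPv6 multicast destination is dropped unless it is an ND message or DHCPv6. Treating "Neighbor Discovery messages" as the full RFC 4861 ICMPv6 set (types 133 to 137) and identifying DHCPv6 by its UDP ports are assumptions of the example; the parser also exposes the traffic class field that IPv6 prioritization keys on.

```python
import ipaddress
import struct

# ICMPv6 types exempt from the block: RS, RA, NS, NA and Redirect (RFC 4861 ND set).
# Treating the page's "Neighbor Discovery Messages" as this whole set is an assumption.
ND_EXEMPT = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
DHCPV6_PORTS = {546, 547}              # DHCPv6 client / server-relay UDP ports
NH_HOPBYHOP, NH_UDP, NH_ICMPV6 = 0, 17, 58

def build_ipv6(src, dst, next_header, payload, traffic_class=0):
    """Constructed sample frame: fixed 40-byte IPv6 header + payload, hop limit 255."""
    first_word = (6 << 28) | (traffic_class << 20)          # version 6, flow label 0
    header = struct.pack("!IHBB", first_word, len(payload), next_header, 255)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def parse_ipv6(frame):
    """Decode the fixed header; traffic_class is the field IPv6 prioritization uses."""
    if len(frame) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, plen, nxt, _hop_limit = struct.unpack("!IHBB", frame[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"traffic_class": (first_word >> 20) & 0xFF, "next_header": nxt,
            "src": ipaddress.IPv6Address(frame[8:24]),
            "dst": ipaddress.IPv6Address(frame[24:40]),
            "payload": frame[40:40 + plen]}

def ess_multicast_policy(frame, allow_multicast=False):
    """Return ("forward", reason) or ("drop", reason) for one frame on the ESS."""
    h = parse_ipv6(frame)
    if allow_multicast or not h["dst"].is_multicast:
        return "forward", "unicast or Allow Multicast is On"
    p, nh = h["payload"], h["next_header"]
    if nh == NH_ICMPV6 and p and p[0] in ND_EXEMPT:
        return "forward", ND_EXEMPT[p[0]]
    if nh == NH_UDP and len(p) >= 8 and struct.unpack("!HH", p[:4])[1] in DHCPV6_PORTS:
        return "forward", "DHCPv6"
    # Anything else (mDNS, SSDP, MLD behind a hop-by-hop header, ...) is blocked.
    return "drop", "IPv6 multicast blocked (Allow Multicast Off)"

# Constructed samples: RA to all-nodes, DHCPv6 Solicit, mDNS query, MLDv2 report.
SAMPLES = {
    "ra": build_ipv6("fe80::1", "ff02::1", NH_ICMPV6, bytes([134, 0]) + b"\0" * 14),
    "dhcpv6": build_ipv6("fe80::2", "ff02::1:2", NH_UDP, struct.pack("!HHHH", 546, 547, 12, 0) + b"\x01\0\0\0"),
    "mdns": build_ipv6("fe80::3", "ff02::fb", NH_UDP, struct.pack("!HHHH", 5353, 5353, 20, 0) + b"\0" * 12),
    "mld": build_ipv6("fe80::4", "ff02::16", NH_HOPBYHOP, bytes([58, 0, 5, 2, 0, 0, 1, 0, 143]) + b"\0" * 7),
}
```

Note that the MLD report is dropped even though it is ICMPv6, because it sits behind a hop-by-hop extension header and is not one of the exempt ND types; that matches the page's "all IPv6 multicast traffic is blocked except" wording.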

You can configure the Bridging, Allow Multicast, and Multicast-To-Unicast fields in the ESS profile configuration. See the chapter “Configuring an ESS” for more details.

For wired networks connected to the AP, configure Allow Multicast and IPv6 bridging in the Port profile; see “Configuring Port Profiles” on page 202 for more details.

The Neighbor Discovery Optimization setting of the IPv6 parameters can be configured via Configuration > Devices > Controller > IPv6 Parameter.

The IPv6 related CLI commands are as follows:

  • show station – this command displays the IP address type in a new IP Mode column. The valid values for this column are IPv4, IPv6, and IPv4v6.
  • sh station multiple-ip – this command displays one row for each IPv4 address and one row for each IPv6 address of the station. An IPv6 address type column is added, which displays one of the following values when the address is an IPv6 address: Global Unicast, Global Unicast DHCP, Link Local, Temporary.

See the Fortinet Command Reference Guide for more information on the CLI commands.

IPv6 forwarding in dynamic VLAN deployment

In previous releases of FortiWLC (SD), in a dynamic VLAN deployment (multiple VLANs in one ESS), FortiWLC (SD) forwarded multicast packets to all stations irrespective of their assigned VLAN. This was supported for IPv4 in the previous release, and from FortiWLC (SD) 6.0-2-0 onwards IPv6 is supported as well. Router advertisements are multicast messages that carry the router prefix information IPv6 stations use to auto-configure their IPv6 addresses.

The following diagram explains the router advertisement filtering behavior:

Figure 17: Router Advertisement Filtering

Three wireless stations are connected to an ESS profile configured with RADIUS-assigned VLANs. Two stations belong to VLAN 200 and one belongs to VLAN 100. A router advertisement from the router in VLAN 100 is not sent to the stations assigned to VLAN 200.

When an AP forwards router advertisements on an ESS profile configured for dynamic VLAN, RAs for one VLAN are not sent to stations in other VLANs. They are converted to unicast packets and sent only to the wireless stations that are assigned to that particular VLAN. This behavior is supported for all RF virtualization modes and overrides the multicast-to-unicast conversion settings.

The Multicast-To-Unicast field has to be set to Only Router Advertisement (Perform Conversion only for RAs) in the ESS profile for the conversion to take place. This ensures that the AP converts RA packets to unicast and sends them only to the stations that belong to that VLAN ID.

High Performance IPv6 Forwarding

The FastPath feature is supported for IPv6 clients in tunnel mode. It increases the controller's throughput for UDP and TCP data flows only, for both IPv4 and IPv6. If the FastPath field for the controller is set to On, throughput increases.

IPv6 Security

IPv6 security is designed to secure IPv6 link operation and applies to both tunnel and bridge modes. IPv6 security is provided by the following filtering methods:

  • RA Guard – Blocks or rejects router advertisement (RA) messages that arrive at the network device platform.
  • DHCPv6 Guard – Blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and from relay agents that forward DHCP packets from servers to clients.
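The two RA behaviours this chapter describes, the per-VLAN unicast conversion of router advertisements on a dynamic-VLAN ESS (Figure 17) and RA Guard, modelled together as an added example that is not FortiWLC code. It assumes RA Guard is port-based (only RAs arriving on the wired uplink are trusted, RAs sent by a wireless station are rejected) and that the ESS is already configured for conversion as described above; station MACs, prefixes and the "wired"/"wireless" ingress labels are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Station:
    mac: str
    vlan: int            # RADIUS-assigned VLAN on the dynamic-VLAN ESS

@dataclass(frozen=True)
class RouterAdvert:
    src_mac: str
    vlan: int            # VLAN the RA was received on
    ingress: str         # "wired" uplink or "wireless" station radio (assumed labels)
    prefix: str          # advertised prefix, e.g. "2001:db8:100::/64"

def ra_guard_accepts(ra, trusted_ingress=("wired",)):
    """RA Guard modelled as port-based: only RAs from a trusted ingress survive.
    An RA originating from a wireless client is the rogue-router case it exists for."""
    return ra.ingress in trusted_ingress

def forward_ra(ra, stations):
    """Handle one RA on a dynamic-VLAN ESS and return a record a defender can log:
    which stations got a unicast copy and which were shielded from it."""
    if not ra_guard_accepts(ra):
        return {"action": "dropped-by-ra-guard", "delivered": [],
                "shielded": [s.mac for s in stations]}
    # The multicast RA becomes one unicast frame per station in the same VLAN;
    # stations in other VLANs never see the foreign prefix.
    delivered = [s.mac for s in stations if s.vlan == ra.vlan]
    shielded = [s.mac for s in stations if s.vlan != ra.vlan]
    return {"action": "unicast-per-vlan", "delivered": delivered, "shielded": shielded}

# Constructed scenario from Figure 17: two stations in VLAN 200, one in VLAN 100.
STATIONS = [Station("00:11:22:33:44:01", 200),
            Station("00:11:22:33:44:02", 200),
            Station("00:11:22:33:44:03", 100)]
RA_VLAN100 = RouterAdvert("00:aa:bb:cc:dd:01", 100, "wired", "2001:db8:100::/64")
# Constructed RA sent by a wireless station: RA Guard should reject it.
ROGUE_RA = RouterAdvert("00:11:22:33:44:01", 200, "wireless", "2001:db8:bad::/64")
```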

IPv6 Multicast Optimization

IPv6 multicast optimization reduces the multicast traffic generated by neighbor discovery and router advertisements. This support is provided only in tunnel mode.

IPv6 Prioritization

IPv6 QoS support is provided by prioritizing IPv6 packets based on the Traffic Class field in the IPv6 header.

IPv6 Network Management Enhancements

The IPv6 client support feature provides the NMS enhancement to store multiple IPv6 addresses. The controller supports a maximum of 8 addresses per client, which include:

  • Global unicast addresses (DHCP and Autoconfigured)
  • Link-local address
  • Temporary address