FortiWLC – IPv6 Client Support

IPv6 Client Support

FortiWLC (SD) supports IPv6 clients in both bridge and tunnel mode ESS profiles, for wireless and wired clients connected to Fortinet access points (APs). The IPv6 client support covers the following:

  • Basic IPv6 Forwarding
  • IPv6 forwarding in dynamic VLAN deployment
  • High Performance IPv6 Forwarding
  • IPv6 Security
  • IPv6 Multicast Optimization
  • IPv6 Prioritization
  • IPv6 Network Management Enhancements
Basic IPv6 Forwarding

FortiWLC (SD) acts as an L2 switch for IPv6 clients connected in tunnel and bridge mode. The IPv6 specification (RFC 2460, since superseded by RFC 8200) distinguishes IPv6 routers from IPv6 hosts. The controllers and the APs act as IPv6 hosts: they forward IPv6 packets at layer 2 and not as IPv6 routers, so clients obtain their prefixes and default router from the upstream IPv6 router, not from the controller or the AP. The ESS profile supports IPv4, dual-stack (IPv4 and IPv6) and IPv6-only clients simultaneously. The following modes of IPv6 address configuration for clients are supported:

  • Stateless Address Auto Configuration (SLAAC)
  • DHCPv6
  • Static IPv6 Configuration (Manual)
  • Link local address

The VLAN profile for wireless clients uses an IPv4 address and does not require IPv6. The Allow Multicast flag in the ESS profile allows or blocks multicast traffic in the ESS. If it is set to Off, all IPv6 multicast traffic is blocked except Router Advertisements, Router Solicitations, Neighbor Solicitations and the other Neighbor Discovery messages, and DHCPv6 packets; these are still passed because clients cannot obtain or keep an address without them.

You can configure the Bridging, Allow Multicast, and Multicast-To-Unicast fields in the ESS profile configuration. See the chapter “Configuring an ESS” for more details.

For wired networks connected to the AP, configure Allow Multicast and IPv6 bridging in the Port profile; see “Configuring Port Profiles” for more details.

The Neighbor Discovery Optimization field of the IPv6 parameters can be configured via Configuration > Devices > Controller > IPv6 Parameter.

The IPv6-related CLI commands are as follows:

  • show station – displays the IP address type in a new column, IP Mode. The valid values for this column are IPv4, IPv6, and IPv4v6.
  • show station multiple-ip – displays one row for each IPv4 address and one row for each IPv6 address of the station. An IPv6 address type column is added which, for an IPv6 address, displays one of the following values: Global Unicast, Global Unicast DHCP, Link Local, Temporary.

See the Fortinet Command Reference Guide for more information on the CLI commands.

IPv6 forwarding in dynamic VLAN deployment

In previous releases of FortiWLC (SD), in a dynamic VLAN deployment (multiple VLANs in one ESS), the controller forwarded multicast packets to all stations irrespective of their assigned VLAN. VLAN-aware handling of such traffic was supported for IPv4 in the previous release; from FortiWLC (SD) 6.0-2-0 onwards it is also supported for IPv6. Router Advertisements (RAs) are multicast messages carrying the router prefix information that IPv6 stations use to auto-configure their addresses, so an RA that leaks into the wrong VLAN gives those stations a prefix and default router they cannot actually use.

The following diagram explains the router advertisement filtering behavior:


Figure 17: Router Advertisement Filtering

Three wireless stations are connected to an ESS profile configured with RADIUS-assigned VLANs. Two stations belong to VLAN 200 and one belongs to VLAN 100. The router advertisement sent by the router in VLAN 100 is not delivered to the stations assigned to VLAN 200.

When an AP forwards router advertisements on an ESS profile configured for dynamic VLAN, RAs for one VLAN are not sent to stations in other VLANs. They are converted to unicast packets and sent only to the wireless stations assigned to that particular VLAN. This behavior is supported for all RF virtualization modes and overrides the multicast-to-unicast conversion settings.

The Multicast-To-Unicast field has to be set to Only Router Advertisement (perform conversion only for RAs) in the ESS profile for the conversion to take place. This ensures that the AP's multicast-to-unicast conversion is applied to RA packets and that they are sent only to the stations that belong to that VLAN ID.

High Performance IPv6 Forwarding

The FastPath feature is supported for IPv6 clients in tunnel mode. FastPath increases controller throughput for UDP and TCP data flows only, for both IPv4 and IPv6. If the controller's FastPath field is On, the throughput increases.

IPv6 Security

IPv6 security is designed to secure IPv6 link operation and is applied in both tunnel and bridge modes. It is provided by the following filtering methods:


  • RA Guard – blocks Router Advertisement messages that arrive from ports or clients that are not authorized routers (RFC 6105). Without it, any wireless client can send a spoofed RA and make itself the default router, or advertise a bogus prefix, for every other client on the link.
  • DHCPv6 Guard – blocks DHCPv6 Reply and Advertise messages that originate from unauthorized DHCPv6 servers, and from relay agents that forward such packets from servers to clients. This stops a rogue server on the client side from handing out addresses, DNS servers or other options.
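
The three behaviours described above (the Allow Multicast = Off exception list, the per-VLAN unicast delivery of RAs in a dynamic-VLAN ESS, and RA Guard / DHCPv6 Guard) are put together below as an added Python example. It is not FortiWLC code and does not claim to reflect how the controller implements them; it is the decision logic a practitioner can test against. The packet layout follows RFC 8200 (IPv6 header), RFC 4861 (Neighbor Discovery) and RFC 8415 (DHCPv6); the packets, station table and VLAN numbers are constructed inline as sample input. The RFC 4861 checks (link-local source, hop limit 255) are an addition the page does not mention.

```python
import ipaddress
import struct

# Protocol constants (IANA); DHCPv6 message types from RFC 8415.
ICMPV6, UDP = 58, 17
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA"}
DHCPV6_MSG = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW",
              7: "REPLY", 12: "RELAY-FORW", 13: "RELAY-REPL"}
SERVER_TO_CLIENT = {"ADVERTISE", "REPLY", "RELAY-REPL"}   # only legitimate from servers/relays
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
MULTICAST = ipaddress.IPv6Network("ff00::/8")
# Multicast that is still passed when Allow Multicast is Off (exception list from the text).
ALWAYS_ALLOWED = {"RA", "RS", "NS", "NA"} | {"DHCPv6-" + m for m in DHCPV6_MSG.values()}


def build_ipv6(src, dst, next_header, payload, hop_limit=255):
    """Constructed minimal IPv6 packet used as sample input (checksums left zero)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_icmpv6(icmp_type):
    return struct.pack("!BBH", icmp_type, 0, 0)            # type, code, checksum(0)


def build_udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def build_dhcpv6(msg_type, sport, dport):
    return build_udp(sport, dport, bytes([msg_type, 0, 0, 0]))   # msg-type + 3-byte txn id


def parse(pkt):
    """Return (kind, src, dst, hop_limit); kind is RA/RS/NS/NA, DHCPv6-<msg> or other."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("other", None, None, None)
    _, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    body, kind = pkt[40:40 + plen], "other"
    if nh == ICMPV6 and body:
        kind = ND_TYPES.get(body[0], "other")
    elif nh == UDP and len(body) >= 9:
        sport, dport = struct.unpack("!HH", body[:4])
        if 547 in (sport, dport):                           # DHCPv6 server/relay port
            kind = "DHCPv6-" + DHCPV6_MSG.get(body[8], "UNKNOWN")
    return (kind, src, dst, hlim)


def guard(pkt, ingress_is_client, allow_multicast=True):
    """Per-packet decision ('forward'|'drop', reason) combining RA Guard, DHCPv6 Guard
    and the Allow Multicast = Off filter. ingress_is_client is True for frames
    received from a wireless station, False for frames from the wired/upstream side."""
    kind, src, dst, hlim = parse(pkt)
    if kind == "RA":
        if ingress_is_client:
            return ("drop", "RA from client (RA Guard)")
        if src not in LINK_LOCAL or hlim != 255:
            return ("drop", "RA fails RFC 4861 validation (src not link-local or hop limit != 255)")
    if kind.startswith("DHCPv6-") and kind[7:] in SERVER_TO_CLIENT and ingress_is_client:
        return ("drop", "server-side DHCPv6 message from client (DHCPv6 Guard)")
    if not allow_multicast and dst is not None and dst in MULTICAST and kind not in ALWAYS_ALLOWED:
        return ("drop", "IPv6 multicast blocked (Allow Multicast is Off)")
    return ("forward", kind)


def ra_fanout(pkt, ingress_vlan, stations):
    """Dynamic-VLAN handling: an RA that arrives from the wired side on ingress_vlan
    is converted to unicast and delivered only to stations assigned to that VLAN.
    stations maps station MAC -> assigned VLAN; returns the MACs to receive a copy."""
    kind, _, _, _ = parse(pkt)
    if kind != "RA" or guard(pkt, ingress_is_client=False)[0] != "forward":
        return []
    return [mac for mac, vlan in stations.items() if vlan == ingress_vlan]
```

guard() is the per-packet policy; ra_fanout() is the replication step that replaces the multicast RA with one unicast copy per station in the matching VLAN, so a station in VLAN 200 never sees the VLAN 100 router's prefix.
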
IPv6 Multicast Optimization

The IPv6 multicast optimization reduces the multicast traffic generated by neighbor discovery and router advertisements. This support is provided only in the tunnel mode.

IPv6 Prioritization

The IPv6 QoS support is provided by prioritizing IPv6 packets based on the traffic class field in the IPv6 header.

IPv6 Network Management Enhancements

The IPv6 client support feature provides the NMS enhancement to store multiple IPv6 addresses. The controller supports a maximum of 8 addresses per client, which include:

  • Global unicast addresses (DHCP and Autoconfigured)
  • Link-local address
  • Temporary address
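As an added Python example (not FortiWLC code), the following classifies a client's IPv6 addresses into the four types that show station multiple-ip reports and keeps the per-client table within the 8-address limit stated above. The learned_via_dhcpv6 flag, the oldest-first eviction and the "Other" bucket for addresses outside the four types (for example ULA) are assumptions, since the page does not say how the controller learns or ages addresses; the SLAAC/temporary split uses the EUI-64 interface identifier pattern from RFC 4291.

```python
import ipaddress
from collections import OrderedDict

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
MAX_ADDRS_PER_STATION = 8            # limit stated in the text above


def has_eui64_iid(addr):
    """True if the interface identifier is a modified EUI-64 (RFC 4291, Appendix A):
    the bytes 0xff 0xfe sit in the middle of the low 64 bits. SLAAC addresses derived
    from the MAC look like this; RFC 4941 temporary addresses use random identifiers."""
    b = addr.packed
    return b[11] == 0xFF and b[12] == 0xFE


def classify(addr_str, learned_via_dhcpv6=False):
    """Map one address to the IPv6 address type column of 'show station multiple-ip'.
    learned_via_dhcpv6 is an assumption: a controller would set it after seeing the
    address handed out in a DHCPv6 Reply, the only reliable way to tell a DHCPv6 lease
    from a SLAAC address. Anything outside the four listed types (ULA, multicast,
    unspecified) is reported as 'Other' here."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr in LINK_LOCAL:
        return "Link Local"
    if addr in GLOBAL_UNICAST:
        if learned_via_dhcpv6:
            return "Global Unicast DHCP"
        if has_eui64_iid(addr):
            return "Global Unicast"
        return "Temporary"   # random IID; RFC 7217 stable-privacy addresses also land here
    return "Other"


class Station:
    """Per-client address table holding at most MAX_ADDRS_PER_STATION entries.
    The oldest entry is evicted when a ninth address is learned (the eviction
    policy is an assumption; the text only states the limit)."""

    def __init__(self, mac, has_ipv4=False):
        self.mac = mac
        self.has_ipv4 = has_ipv4
        self.addrs = OrderedDict()            # canonical address -> type

    def learn(self, addr_str, learned_via_dhcpv6=False):
        key = str(ipaddress.IPv6Address(addr_str))   # canonical text form
        if key in self.addrs:
            self.addrs.move_to_end(key)       # seen again: keep it newest
            return self.addrs[key]
        if len(self.addrs) >= MAX_ADDRS_PER_STATION:
            self.addrs.popitem(last=False)    # evict the oldest
        self.addrs[key] = classify(key, learned_via_dhcpv6)
        return self.addrs[key]

    def ip_mode(self):
        """The IP Mode column of 'show station': IPv4, IPv6 or IPv4v6 (assumes any
        stored IPv6 address, link-local included, counts as IPv6)."""
        modes = (["IPv4"] if self.has_ipv4 else []) + (["IPv6"] if self.addrs else [])
        return "IPv4v6" if len(modes) == 2 else (modes[0] if modes else "none")

    def rows(self):
        """One (mac, address, type) row per address, as 'show station multiple-ip' lists."""
        return [(self.mac, a, t) for a, t in self.addrs.items()]
```

The classification is only as good as the learning path: an address seen purely in data traffic cannot be distinguished between DHCPv6 and a random-IID SLAAC address, which is why the DHCPv6 flag has to come from snooping the DHCPv6 exchange rather than from the address itself.
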

FortiWLC – Using Fortinet Service Control

Using Fortinet Service Control

Fortinet’s Service Control feature allows clients in the enterprise network to discover and communicate with devices that advertise services via a protocol such as Bonjour. Bonjour-enabled devices were largely designed for small-scale use, but they are increasingly common in enterprise environments. The protocol scales poorly to larger deployments because service discovery relies on link-local multicast (mDNS), which routers do not forward across subnets; as such, users on VLAN1 will be unable to discover a device operating on VLAN2 (for example).

Service Control addresses this problem by providing a framework by which Fortinet will direct traffic from clients on different subnets over to the Bonjour-capable devices (and vice versa), allowing seamless communication between the two. Additionally, users can specify which services should be available to specific users, SSIDs, or VLANs, allowing a fine control to be exercised over the deployment.

To enable Service Control:

  1. Navigate to Configuration > Service Control. By default, you land on the Service Control Dashboard, which currently displays no information (as the service is disabled).
  2. Click the Settings tab to access the Global Settings tab.
  3. Check Enable Service Control. The page will automatically refresh.

Refer to the sections below for configuration instructions.

Modifying Service Control Global Configuration

Once Service Control has been enabled, the Settings tab displays two new tables: Discovery Criteria and Advanced Options. Discovery Criteria allows the user to specify the types of services that may be discovered. By default, all AirPlay and AirPrint services configured in the system are set for discovery across all SSIDs and APs, and on the wired side by the controller on its native VLAN. To modify this, click the pencil icon under the Services column to access the Discovery Criteria dialog.

Figure 12: Discovery Criteria

  1. As shown above, the All Services box is checked, ensuring that all configured services will automatically be detected by the system. Uncheck this box and select the desired service(s) if you wish to restrict the types of services provided.
  2. The Select Wireless Network section allows the user to customize which SSIDs/APs can access the services; by default, all of them are permitted. These options control how wireless devices access the services provided.
  3. The Select Wired Network section controls how wired devices access the services; enter the VLAN(s) that should be allowed access. To add wired gateways, click the Add button and specify the desired options from the resulting list of devices.
  4. Click Save to save your changes.
Wired Service Discovery using AP and Controller

Follow these steps for wired service discovery using the APs and the controller:

  1. The wired interfaces of the APs and the controller are used for discovering services. Add the APs and/or the controller to the wired gateway list.
  2. Ensure that the AP or controller wired interface is tagged with the VLAN on which services need to be discovered, and that the VLAN is added to the VLAN list.
Adding or Removing Services

The Services tab allows the user to modify the services that may be detected via Service Control; by default, several services are pre-configured in the system. However, users can expand this list by clicking the Add button to create a new service.

Figure 13: Adding a New Service

Fill in the required fields as described below:

  • Name—Enter a name for the service
  • Description—Enter a brief description
  • Service Type—Enter the service type string(s). If multiple entries are needed, enter them one at a time, clicking Add after each one. They will display in the Added Service Types table.

Note: To remove an added service, check the box alongside it and click Delete.

Click Save to save the new service.
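What Service Control proxies between VLANs is DNS-SD over mDNS (RFC 6762 and RFC 6763): a client multicasts a PTR query for a service type such as _airplay._tcp.local (AirPlay) or _ipp._tcp.local (AirPrint) to 224.0.0.251:5353, and because that group is link-local scope, routers do not forward it to other VLANs. The added Python example below is not Fortinet code; it builds such a query and parses a constructed response, which also shows the form a Service Type string takes. The device name "Meeting Room TV", the host "appletv.local" and the port are made up for the example.

```python
import struct

# RFC 6762: mDNS uses the link-local scope group 224.0.0.251 (ff02::fb for IPv6), port 5353.
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_PTR, TYPE_SRV, CLASS_IN = 12, 33, 1


def encode_name(name):
    """RFC 1035 label encoding: '_airplay._tcp.local' -> 08 '_airplay' 04 '_tcp' 05 'local' 00."""
    labels = [l.encode("utf-8") for l in name.strip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_ptr_query(service_type):
    """One-question DNS-SD browse query; mDNS queries carry ID 0 and flags 0."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)    # id, flags, qd, an, ns, ar
    return header + encode_name(service_type) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def decode_name(msg, off):
    """Decode the name at `off`, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset of the first byte after the name as it appears at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # 11xxxxxx: pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return [(name, rtype, data)] for every record in an mDNS response.
    PTR data is the service instance name; SRV data is (priority, weight, port, target)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                   # skip the question section
        _, off = decode_name(msg, off)
        off += 4                                          # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            data = decode_name(msg, off)[0]
        elif rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            data = (prio, weight, port, decode_name(msg, off + 6)[0])
        else:
            data = msg[off:off + rdlen]
        records.append((name, rtype, data))
        off += rdlen
    return records


def build_response(service_type, instance, target, port):
    """Constructed sample reply: one PTR and one SRV answer, with the instance name
    pointing back to the question name at offset 12 via a compression pointer."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, 2, 0, 0)   # response, authoritative
    question = encode_name(service_type) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    inst = bytes([len(instance)]) + instance.encode("utf-8") + b"\xc0\x0c"
    ptr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(inst)) + inst
    srv_rdata = struct.pack("!HHH", 0, 0, port) + encode_name(target)
    srv = inst + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 120, len(srv_rdata)) + srv_rdata
    return header + question + ptr + srv
```

Because a Service Control policy forwards these answers into a subscriber VLAN, the instance names and SRV targets it relays are exactly what a client on that VLAN will trust; the parser above is also the starting point for auditing what an advertiser is actually announcing.
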

Configuring Locations

The Locations tab allows you to specify locations where services should be discovered and advertised; by default, no locations are configured, so click Add to create one.

Figure 14: Adding a Location

A Location consists of three main components: the location’s name, description, and member APs. Enter the Name and Description in the fields provided, then select the AP(s) that belong to the desired location from the list. Click the button pointing to the right to add the selected AP(s) to the new location.

After clicking Save, the new location will appear in the Location Table. The AP(s) specified in the Location definition will now provide access to the service.

Creating User Groups

User Groups segregate subscribers and advertisers into groups. A user group defines which users (grouped by VLAN for wired clients, or by SSID and Location for wireless clients) can access an advertised service or advertise services. As no groups are present by default, click Add to create one.

Figure 15: Creating a User Group

A User Group consists of four main components: the group’s name, description, role, and the wireless or wired users (with the wired gateway list). These fields allow you to customize which users can access the defined services.

  1. Enter the Name and Description in the fields provided.
  2. Select a Role for the user group. The options are Advertiser, Subscriber, or Both.
  3. Select the User Group Type. The options are Wireless or Wired.
  4. If you have selected Wireless user group type, then Select Wireless Section is displayed. From the Select Wireless Users section, select the SSIDs that should be allowed access. To select multiple options, click and drag across them. Ctrl+click to select or de-select items individually.
  5. If you have selected Wired user group type, then the Select Wired Users section is displayed. Enter the VLAN(s) that should be allowed to access advertised services.
  6. Click Save to create the group. The devices contained within the group’s parameters will now be able to access the advertised services.
Defining Service Control Policies

Service Control policies determine which user groups can access specific advertised services. Thus, the policies table allows you to define routes between the subscriber (i.e., the device that seeks the service) and the advertiser (i.e., the device that provides access to the service).

  1. From the Policies tab, click Add to access the Create Service Control Policy window (Figure 16: Creating a Policy).
  2. Enter a name for the policy to be created in the Policy Name field.
  3. Enter the description of the policy.
  4. Use the Select Subscriber drop-down to specify the group that should be granted access.
  5. Select the desired services from the list supplied in the Choose Services section. Note that if all services should be included, simply check the All services box.
  6. Finally, use the Select Advertiser drop-down to select the group that supplies access to the services.
  7. Click Save to save the new policy.

FortiWLC – Configuring the Controller-Based DHCP Server

Configuring the Controller-Based DHCP Server

In FortiWLC (SD) release 5.1 and later, you can configure a DHCP server that runs directly on the controller. This is intended for relatively small deployments that do not require a separate server to handle DHCP. It is particularly useful for deployments that need a DHCP server for a separate VLAN (such as one used for a guest network) but would prefer not to let that traffic reach the corporate DHCP server.

The internal DHCP server does not support Option 43 for multiple subnets. Use an external DHCP server that supports Option 43 for multiple subnets.

The controller-based DHCP server requires that the DHCP Relay Passthrough option (in the Global Controller Parameters) be set to On for the controller. To verify or adjust this, access the WebUI and navigate to Configuration > Devices > Controller.

It is recommended that you do not use the internal DHCP server in an enterprise deployment.

Creating a DHCP Server

The controller can have multiple different DHCP servers configured on it at any given time. A DHCP server can be associated to only one VLAN. The steps below can be repeated in order to configure different DHCP servers for separate VLANs or Virtual Interface Profiles as needed.

To create a DHCP Server:

  1. From the WebUI, navigate to Configuration > DHCP and click the DHCP Server tab to view the current configured DHCP servers. Note that if no servers have been configured, the page will be blank.
  2. Click Add to begin configuring the DHCP server parameters.

Figure 11: DHCP Server Configuration

  3. Provide the necessary information as described in Table 8.

TABLE 8: DHCP Options

Option                            Description
DHCP Server Pool
  Name                            Enter a name to be ascribed to the DHCP server.
  VLAN Name                       This drop-down list allows you to select the VLAN to which the server should be applied. Note that this is only available if the controller is operating in Layer 2 routing mode.
  State                           Set to Enabled to activate the DHCP server, Disabled to deactivate it.
  Lease Time                      The duration of the IP leases assigned by the DHCP server, in seconds.
  IP Pool Start/End               The first and last IP addresses of the pool from which the DHCP server assigns addresses.
  Domain Name                     The domain name handed to clients by the DHCP server.
  Primary/Secondary DNS Server    The primary and secondary DNS servers handed to clients by the DHCP server.
  Primary/Secondary NetBIOS Server  The primary and secondary NetBIOS (WINS) servers handed to clients by the DHCP server.
  DHCP Option 43                  Option 43 lets you specify the primary and secondary controllers that APs receiving a lease should use. Enter the primary and secondary controller IP addresses, separated by a comma, in this field.

  4. Click OK to save the server.
Viewing DHCP Leases

After the DHCP server has been configured and is active, it can begin providing IP addresses to clients. These assignments will appear in the DHCP Lease table. To view it, open the WebUI and navigate to Configuration > DHCP. The DHCP Lease table appears automatically.

FortiWLC – AP Groups

AP Groups

Create AP groups from the list of APs associated with this controller. AP groups can be mapped to feature groups to easily deploy configurations to the associated APs.

You can create a maximum of 128 AP groups. The maximum number of APs in an AP group is the same as the maximum supported by the controller. An AP can be part of only one AP group or one feature group at any point in time.

The default page, lists available AP groups with the following details about each of the AP groups:

  • AP Group ID: A unique number associated with the AP group.
  • AP Group Name: Name of the AP group.
  • Description: Descriptive text about the AP group.
  • Default AP Group: Specifies if an AP group is set as default. If set as default, all APs that join the controller will be associated with this AP group. You can have only one default group.

NOTE: The default AP group takes precedence even if you have a default feature group.

Creating an AP Group

Click the Add button and specify name (special characters and spaces cannot be used), description and also select if this group is the default AP group. Click OK to complete this step.

FortiWLC – Feature Group

Feature Group

Feature groups make it easier to deploy and manage configuration for a large number of APs. Traditionally, you could apply a configuration to an AP or an AP group. Using feature groups, you can instantly apply an ESS profile, DPI policies, a Port profile, ARRP, and radio interface settings to one or more APs or AP groups. You can create a maximum of 10 feature groups.

The default page, lists available feature groups with the following details about each of the feature groups:

  • Feature Group ID: A unique number associated with the feature group.
  • Feature Group Name: Name of the feature group.
  • Feature Group Description: Descriptive text about the feature group.
  • Default Feature Group: Specifies if a feature group is set as default. If set as default, all APs that join the controller will be associated with this feature group. You can have only one default group.

NOTE: If you have a default AP group, it takes precedence and all APs that join the controller will be associated with the default AP group.

Creating a Feature Group

Click the Add button and specify name (special characters and spaces cannot be used), description and also select if this group is the default feature group. Click OK to complete this step.

After the feature group name is selected, you can now add configurations to this group. These configurations can be instantly applied to one or more APs.

  • APs – Select this option to add AP Groups and individual APs to this feature group.
  • ARRP – ARRP profiles are local to the group. Select this option to add ARRP configurations. For more information, see “Automatic Radio Resource Provisioning (ARRP)”.
  • Radio – Select this option to specify the radio interface and its antenna settings.
  • ESS – Select this option to select and associate ESS profiles at the interface level.


  • Port Profiles – Select port profile to associate at the interface level.
  • DPI – Create DPI policies for this feature group. Each feature group can contain a maximum of 25 DPI policies. DPI policies are local to the group, but DPI must be enabled at Configuration > Access Control > Application > Settings (tab).

Other options include, deleting and cloning a feature group.

Cloning a Feature Group

To clone a feature group, select the feature group and click the CLONE button. Specify a new name and description for this cloned feature group. The cloned feature group will not carry the list of mapped APs, AP groups, and DPI policies.

FortiGate 7060E WebEx Issue Shenanigans

So, if you guys have a 7060E chassis and have a decent amount of traffic flowing through it, I want to go ahead and warn you that WebEx may not function properly. If you are experiencing drops of video or audio and complaints of bandwidth issues, chances are you are experiencing the same bug I am.

Basically, the UDP 9000 traffic that is on its way back to the clients is sometimes coming in on a different FPM than the one that originally processed the request. Well, apparently, the 7060E has bugs in how it shares these session / content tables, because that causes a 10-second blip where audio, video, or both can disappear / freeze.

Very frustrating stuff that is not easily debugged.

Our work around for now until they fix the bug is a load balance flow rule that forces all UDP 9000 traffic to hit the same FPM (whichever one you choose).

Talk about pulling your hair out!

FortiWLC (SD) Communication Ports

FortiWLC (SD) Communication Ports

The controller and its APs use the following ports for communication with each other and with the management, AAA and monitoring systems around them.

Traffic                                                              Port
AeroScout                                                            UDP/6091
Captive Portal (HTTP redirection)                                    TCP/8080
Captive Portal (HTTPS redirection)                                   TCP/8081
NM Location Manager – Web UI                                         TCP/443
NM Location Manager – Administrative Web UI (SSL)                    TCP/8003
NM Location Manager – AP Communication (Capture Packets subsystem)   UDP/9177 and UDP/37008
FTP                                                                  TCP/20 and TCP/21
H.323v1 flow detection                                               TCP/1720
HTTP                                                                 TCP/8080
HTTPS                                                                TCP/443
Fortinet L3 AP COMM                                                  UDP/5000
Licensing – connections initiated from within the controller only, for licensing purposes (e.g. wncagent -> merud)   TCP/32780
Fortinet L3 AP Data                                                  UDP/9393
Fortinet L3 AP Discovery/Keepalive                                   UDP/9292
NP1 advertisements / config                                          UDP/9980
NTP                                                                  UDP/123
RADIUS accounting                                                    UDP/1813 or UDP/1646
RADIUS auth                                                          UDP/1812 or UDP/1645
SIP                                                                  UDP/TCP 5060
SSH                                                                  TCP/22
SNMP                                                                 UDP/161 and UDP/162
Syslog                                                               UDP/514
TFTP                                                                 UDP/69
UDP broadcast (up to 5 upstream/downstream, configurable)            UDP/xxx
TACACS+                                                              TCP/49
Telnet                                                               TCP/23
Controller packet capture                                            UDP/9177
WIPS                                                                 UDP/9178
WireShark, OmniPeek, Newbury                                         UDP/9177
SAM (AP and server)                                                  IP protocol 97 (EtherIP)

FortiOS 6 – FortiSwitch Troubleshooting

Troubleshooting

Troubleshooting FortiLink issues

If the FortiGate does not establish the FortiLink connection with the FortiSwitch, perform the following troubleshooting checks.

Check the FortiGate configuration

To use the FortiGate GUI to check the FortiLink interface configuration:

  1. In Network > Interfaces, double-click the interface used for FortiLink.
  2. Ensure that Dedicated to FortiSwitch is set for this interface.

To use the FortiGate CLI to verify that you have configured the DHCP and NTP settings correctly:

  1. Verify that the NTP server is enabled and that the FortiLink interface has been added to the list:

show system ntp

  2. Ensure that the DHCP server on the FortiLink interface is configured correctly:

show system dhcp

Check the FortiSwitch configuration

To use FortiSwitch CLI commands to check the FortiSwitch configuration:

  1. Verify that the switch system time matches the time on the FortiGate:

get system status

  2. Verify that the FortiGate has assigned an IP address to the FortiSwitch (expect an address in the 169.254.0.0/16 link-local range):

get system interfaces

  3. Verify that you can ping the FortiGate IP address:

exec ping x.x.x.x

To use FortiGate CLI commands to check the FortiSwitch configuration:

  1. Verify that the connections from the FortiGate to the FortiSwitch units are up:

exec switch-controller get-conn-status

  2. Verify that the ports for a specific FortiSwitch stack are connected to the correct locations:

exec switch-controller get-physical-conn <FortiSwitch-Stack-ID>

  3. Verify that all the ports for a specific FortiSwitch are up:

exec switch-controller get-conn-status <FortiSwitch-device-ID>