FortiGate
cgustave
Staff
Article Id 192543
Purpose
This technical note explains, with an example, how to configure RIPnG on a FortiGate unit.
The chosen architecture includes RIPnG over inter-vdom links as well as redistribution filtering with either a distribute-list or a route-map.
Useful commands to verify and troubleshoot RIPnG on FortiGate units are also covered.

Scope
  • NAT/route mode

Diagram
cgustave_30205_diagram.jpg

Expectations, Requirements

Expectations:

Based on the diagram above, the following rules are defined:
  • FGT620B-2 :
    • runs RIPnG on 2 vdoms "root" and "traffic":
      • vdom 'root' :
        • redistributes static route [fed1::/126]
        • injects the default route
        • runs RIPnG on inter-vdom link interface (vdl0) towards vdom 'traffic'
      • vdom 'traffic' :
        • redistributes connected subnets
        • runs RIPng on inter-vdom link interface (vdl1) towards vdom 'root'
  • FGT300A-7:
    • redistributes static routes with filtering applied:
      • general filtering via a route-map to deny static route fec2::228:0000/119 globally from being redistributed
      • specific filtering on (port6) to deny static route fec2::230:0000/119 from being redistributed to FGT110C-2
    • runs RIPnG on interfaces (port5) and (port6)
  • FGT110C-2:
    • redistributes connected routes


Requirement:

Firmware version should be 4.0 MR1 or higher.

Configuration

FGT620B-2


config vdom
edit root
end

config vdom
edit traffic
end

config global
config system global
    set vdom-admin enable
end

config system vdom-link
    edit "vdl"
    next
end

config system interface
    edit "port17"
        set vdom "traffic"
        set allowaccess ping https ssh http telnet
        set type physical
            config ipv6
                set ip6-address fec0::147:16c/119
                set ip6-allowaccess ping
            end
    next
    edit "vdl0"
        set vdom "root"
        set type vdom-link
            config ipv6
                set ip6-address fe80::218:8bff:fe84:4223/64
                set ip6-allowaccess ping
            end
    next
    edit "vdl1"
        set vdom "traffic"
        set type vdom-link
            config ipv6
                set ip6-address fe80::218:8bff:fe84:4133/64
                set ip6-allowaccess ping
            end
    next
    edit "port2-v208"
        set vdom "traffic"
            config ipv6
                set ip6-address fec1::208:16c/119
                set ip6-allowaccess ping
            end
        set interface "port2"
        set vlanid 208
    next
    edit "port2-v18"
        set vdom "root"
            config ipv6
                set ip6-address fec0::18:16c/119
                set ip6-allowaccess ping
            end
        set interface "port2"
        set vlanid 18
    next
end


config vdom
edit root
config router ripng
        set default-information-originate enable            (#1)
        config interface
            edit "vdl0"
            next
        end
        config redistribute "connected"
        end
        config redistribute "static"
            set status enable
        end
        config redistribute "ospf"
        end
        config redistribute "bgp"
        end
end
config router static6
    edit 1
        set device "port2-v18"
        set gateway fec0::18:101
    next
    edit 2
        set device "port2-v18"
        set dst fed1::/126
        set gateway fec0::18:101
    next
end


config vdom
edit traffic
config router ripng
        config interface
            edit "port17"
            next
            edit "vdl1"
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute "static"
        end
        config redistribute "ospf"
        end
        config redistribute "bgp"
        end
end


#1 : Injects the IPv6 default route into RIPnG

Important information regarding inter-vdom link IPv6 addresses:

Because RIPnG uses the link-local (local scope) IPv6 address of the next-hop interface for routing, each interface used as a next hop must have a link-local IPv6 address configured. This is automatically the case for physical ports and VLAN interfaces, which always have a MAC address (the link-local IPv6 address is derived from the underlying port's MAC address). A vdom-link, however, is a point-to-point connection and has no such MAC address, so a link-local IPv6 address must be configured manually on vdom-link interfaces.
This is the reason why, in this setup, (vdl0) and (vdl1) are configured with fe80::218:8bff:fe84:4223/64 and fe80::218:8bff:fe84:4133/64 respectively.

If the inter-vdom link interfaces are not configured with a link-local IPv6 address, RIPnG will not work.


FGT300A-7


config system interface
    edit "port2"
        set vdom "root"
        set ip 192.168.100.99 255.255.255.0
        set allowaccess ping
        set type physical
            config ipv6
                set ip6-address fec2::224:72/119
                set ip6-allowaccess ping
            end
    next
    edit "port5"
        set vdom "root"
        set allowaccess ping
        set type physical
            config ipv6
                set ip6-address fec0::147:72/119
                set ip6-allowaccess ping
            end
    next
    edit "port6"
        set vdom "root"
        set allowaccess ping
        set type physical
            config ipv6
                set ip6-address fec0::146:72/119
                set ip6-allowaccess ping
            end
    next
end
config router prefix-list6
    edit "pl6_select_static6"
            config rule
                edit 1
                    set prefix6 "fec2::0226:0000/119"
                    unset ge
                    unset le
                next
                edit 2
                    set prefix6 "fec2::0230:0000/119"
                    unset ge
                    unset le
                next
            end
    next
    edit "pl6_selective_static6_distrib"
            config rule
                edit 1
                    set action deny
                    set prefix6 "fec2::230:0/119"
                    unset ge
                    unset le
                next
                edit 2
                    set prefix6 "any"           (#1)
                    unset ge
                    unset le
                next
            end
    next
    edit "2"
    next
end
config router route-map
    edit "rm_select_static6"
            config rule
                edit 1
                    set match-ip6-address "pl6_select_static6"
                next
            end
    next
end
config router ripng
        config distribute-list                   (#2)
            edit 1
                set interface "port6"
                set listname "pl6_selective_static6_distrib"
                set status enable
            next
        end
        config interface
            edit "port5"
            next
            edit "port6"
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute "static"
            set status enable
            set routemap "rm_select_static6"      (#3)
        end
        config redistribute "ospf"
        end
        config redistribute "bgp"
        end
end
config router static6
    edit 1
        set device "port2"
        set dst fec2::226:0/119
        set gateway fec2::224:1fe
    next
    edit 2
        set device "port2"
        set dst fec2::228:0/119
        set gateway fec2::224:1fe
    next
    edit 3
        set device "port2"
        set dst fec2::230:0/119
        set gateway fec2::224:1fe
    next
end


Notes:

#1 : 'any' is a valid keyword for the prefix and is equivalent to:

set prefix6 "::0/0"
set ge 128

meaning all prefixes, including the default route.

#2 : The distribute-list configured here is specific to (port6). This second filtering level is applied after the initial global filtering performed in #3.

#3 : A general filtering level applied to static routes (it applies to all RIPnG interfaces).
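
The two filtering levels from notes #2 and #3 can be modelled offline to predict which static routes FGT300A-7 advertises on each RIPnG interface. The following is an added example, not part of the original article or of FortiOS; it assumes first-match-wins prefix-lists with an implicit deny, a default rule action of permit, and exact-length matching when ge/le are unset. The function names are hypothetical.

```python
import ipaddress

# Static routes from "config router static6" on FGT300A-7.
STATIC6 = ["fec2::226:0/119", "fec2::228:0/119", "fec2::230:0/119"]

# Prefix-lists from the page as ordered (action, prefix) rules.
# Assumption: a rule without "set action" permits, and with ge/le unset
# it matches only the exact prefix and prefix length.
PREFIX_LISTS = {
    "pl6_select_static6": [
        ("permit", "fec2::0226:0000/119"),
        ("permit", "fec2::0230:0000/119"),
    ],
    "pl6_selective_static6_distrib": [
        ("deny", "fec2::230:0/119"),
        ("permit", "any"),  # note #1: matches every prefix
    ],
}

# Level 1 (#3): route-map rm_select_static6 on "redistribute static"
# matches on this prefix-list and applies to all RIPnG interfaces.
REDISTRIBUTE_STATIC_LIST = "pl6_select_static6"

# Level 2 (#2): per-interface distribute-list, only configured on port6.
DISTRIBUTE_LISTS = {"port6": "pl6_selective_static6_distrib"}


def permits(list_name, route):
    """Evaluate a prefix-list: first matching rule wins, no match is a deny."""
    route = ipaddress.ip_network(route)
    for action, prefix in PREFIX_LISTS[list_name]:
        if prefix == "any" or ipaddress.ip_network(prefix) == route:
            return action == "permit"
    return False  # implicit deny at the end of the list


def redistributed_statics():
    """Static routes that pass the global route-map filter (level 1)."""
    return [r for r in STATIC6 if permits(REDISTRIBUTE_STATIC_LIST, r)]


def advertised_statics(interface):
    """Static routes sent on one interface after the distribute-list (level 2)."""
    routes = redistributed_statics()
    list_name = DISTRIBUTE_LISTS.get(interface)
    if list_name is None:
        return routes  # no per-interface filter configured
    return [r for r in routes if permits(list_name, r)]


if __name__ == "__main__":
    for iface in ("port5", "port6"):
        print(iface, advertised_statics(iface))
```

The result agrees with the RIPnG databases shown under Verification: fec2::228:0/119 is advertised nowhere, and fec2::230:0/119 reaches FGT620B-2 through port5 but not FGT110C-2 through port6.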

FGT110C-2


config system interface
    edit "wan2"
        set vdom "root"
        set allowaccess ping
        set type physical
            config ipv6
                set ip6-address fec0::146:127/119
                set ip6-allowaccess ping
            end
    next
end
config router ripng
        config interface
            edit "wan2"
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute "static"
        end
        config redistribute "ospf"
        end
        config redistribute "bgp"
        end
end



Verification
The following commands are used for verification:
  • diagnose ipv6 address list : Lists the link-local (local scope) IPv6 addresses used as next hop by RIPnG
  • diagnose ipv6 route list : IPv6 routes installed in the kernel
  • get router info6 rip database : View of the RIPnG database (prefix, next hop, interface, time)
  • get router info6 routing-table : IPv6 routing table
  • get router info6 rip interface <Interface_name> : Details of the RIPnG interface configuration
  • diagnose ipv6 neighbor-cache list : IPv6/MAC address mapping

Output of these commands from the FortiGates in this setup:

FGT620B-2 [root]



FGT620B-2 (root) # diagnose ipv6 address list
dev=33 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=31 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=29 devname=port2-v208 flag=P scope=200 prefix=119 addr=fec1::208:16c
dev=25 devname=traffic flag=P scope=254 prefix=128 addr=::1
dev=23 devname=root flag=P scope=254 prefix=128 addr=::1
dev=30 devname=port2-v18 flag=P scope=200 prefix=119 addr=fec0::18:16c
dev=2 devname=port17 flag=P scope=253 prefix=10 addr=fe80::209:fff:feb7:3c88
dev=28 devname=vdl1 flag=P scope=253 prefix=64 addr=fe80::218:8bff:fe84:4133
dev=2 devname=port17 flag=P scope=200 prefix=119 addr=fec0::147:16c
dev=27 devname=vdl0 flag=P scope=253 prefix=64 addr=fe80::218:8bff:fe84:4223
dev=30 devname=port2-v18 flag=P scope=253 prefix=10 addr=fe80::209:fff:feb7:3c79
dev=29 devname=port2-v208 flag=P scope=253 prefix=10 addr=fe80::209:fff:feb7:3c79


FGT620B-2 (root) # diagnose ipv6 route list
vf=0 type=02 protocol=unspec flag=00200001 oif=23(root) dst:::1/128 gwy::: prio=0
vf=0 type=02 protocol=unspec flag=00200001 oif=23(root) dst:fe80::209:fff:feb7:3c79/128 gwy::: prio=0
vf=0 type=02 protocol=unspec flag=00200001 oif=23(root) dst:fe80::218:8bff:fe84:4223/128 gwy::: prio=0
vf=0 type=01 protocol=kernel flag=00040001 oif=27(vdl0) dst:fe80::/64 prio=100
vf=0 type=07 protocol=boot flag=00200200 oif=23(root) dst:fe80::/10 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=30(port2-v18) dst:fe80::/10 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=27(vdl0) dst:fe80::/10 prio=100
vf=0 type=02 protocol=unspec flag=00200001 oif=23(root) dst:fec0::18:16c/128 gwy::: prio=0
vf=0 type=01 protocol=kernel flag=00040001 oif=30(port2-v18) dst:fec0::18:0/119 prio=100
vf=0 type=01 protocol=zebra flag=00000003 oif=27(vdl0) dst:fec0::146:0/119 gwy:fe80::218:8bff:fe84:4133 prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=27(vdl0) dst:fec0::147:0/119 gwy:fe80::218:8bff:fe84:4133 prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=27(vdl0) dst:fec1::208:0/119 gwy:fe80::218:8bff:fe84:4133 prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=27(vdl0) dst:fec2::224:0/119 gwy:fe80::218:8bff:fe84:4133 prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=27(vdl0) dst:fec2::226:0/119 gwy:fe80::218:8bff:fe84:4133 prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=27(vdl0) dst:fec2::230:0/119 gwy:fe80::218:8bff:fe84:4133 prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=30(port2-v18) dst:fed1::/126 gwy:fec0::18:101 prio=1
vf=0 type=01 protocol=kernel flag=01040001 oif=27(vdl0) dst:ff02::9/128 gwy:ff02::9 prio=0
vf=0 type=07 protocol=boot flag=00200200 oif=23(root) dst:ff00::/8 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=30(port2-v18) dst:ff00::/8 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=27(vdl0) dst:ff00::/8 prio=100
vf=0 type=01 protocol=zebra flag=00000003 oif=30(port2-v18) gwy:fec0::18:101 prio=1


FGT620B-2 (root) # get router info6 rip database

Codes: R - RIP, Rc - RIP connected, Rs - RIP static, Ra - RIP aggregated,
       Rcx - RIP connect suppressed, Rsx - RIP static suppressed,
       K - Kernel, C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP

   Network                     Next Hop                  If     Met Tag  Time
S  ::/0                        fec0::18:101              port2-v18   1   0
R  fec0::146:0/119             fe80::218:8bff:fe84:4133  vdl0     3   0 02:31
R  fec0::147:0/119             fe80::218:8bff:fe84:4133  vdl0     2   0 02:31
R  fec1::208:0/119             fe80::218:8bff:fe84:4133  vdl0     2   0 02:31
R  fec2::224:0/119             fe80::218:8bff:fe84:4133  vdl0     3   0 02:31
R  fec2::226:0/119             fe80::218:8bff:fe84:4133  vdl0     3   0 02:31
R  fec2::230:0/119             fe80::218:8bff:fe84:4133  vdl0     3   0 02:31
S  fed1::/126                  fec0::18:101              port2-v18   1   0


FGT620B-2 (root) # get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

S   ::/0 [1/0] via fec0::18:101, port2-v18, 00:27:24
C   ::1/128 via ::, root, 00:27:29
C   fe80::/10 via ::, port2-v18, 00:27:29
C   fe80::/64 via ::, vdl0, 00:27:29
C   fec0::18:0/119 via ::, port2-v18, 00:27:29
R   fec0::146:0/119 [120/3] via fe80::218:8bff:fe84:4133, vdl0, 00:27:22
R   fec0::147:0/119 [120/2] via fe80::218:8bff:fe84:4133, vdl0, 00:27:22
R   fec1::208:0/119 [120/2] via fe80::218:8bff:fe84:4133, vdl0, 00:27:22
R   fec2::224:0/119 [120/3] via fe80::218:8bff:fe84:4133, vdl0, 00:27:22
R   fec2::226:0/119 [120/3] via fe80::218:8bff:fe84:4133, vdl0, 00:27:22
R   fec2::230:0/119 [120/3] via fe80::218:8bff:fe84:4133, vdl0, 00:27:22
S   fed1::/126 [1/0] via fec0::18:101, port2-v18, 00:27:24


FGT620B-2 (root) # get router info6 rip interface vdl0
vdl0 is up, line protocol is up
  Routing Protocol: RIPng
    Passive interface: Disabled
    Split horizon: Enabled with Poisoned Reversed
    IPv6 interface address:
      fe80::218:8bff:fe84:4223/64


FGT620B-2 (root) # diagnose ipv6 neighbor-cache list
ifindex=2 ifname=port17 ff02::9 33:33:00:00:00:09 state=00000040 use=1562 confirm=178162 update=172162 ref=1
ifindex=23 ifname=root :: 00:00:00:00:00:00 state=00000040 use=173774 confirm=179774 update=173774 ref=4
ifindex=25 ifname=traffic :: 00:00:00:00:00:00 state=00000040 use=173773 confirm=179773 update=173773 ref=6
ifindex=31 ifname=vsys_ha :: 00:00:00:00:00:00 state=00000040 use=173482 confirm=179482 update=173482 ref=1
ifindex=33 ifname=vsys_fgfm :: 00:00:00:00:00:00 state=00000040 use=173174 confirm=179174 update=173174 ref=1
ifindex=27 ifname=vdl0 ff02::9  state=00000040 use=16562 confirm=22562 update=16562 ref=1
ifindex=28 ifname=vdl1 ff02::9  state=00000040 use=16562 confirm=22562 update=16562 ref=1
ifindex=30 ifname=port2-v18 fec0::18:101 state=00000000 use=172265 confirm=178265 update=172265 ref=2
ifindex=2 ifname=port17 fe80::209:fff:fe85:b7a9 00:09:0f:09:0e:04 state=00000004 use=172162 confirm=178162 update=172162 ref=4
ifindex=27 ifname=vdl0 fe80::218:8bff:fe84:4133  state=00000040 use=172162 confirm=178162 update=172162 ref=6
ifindex=28 ifname=vdl1 fe80::218:8bff:fe84:4223  state=00000040 use=172162 confirm=178162 update=172162 ref=2


FGT620B-2 [traffic]



FGT620B-2 (traffic) # diagnose ipv6 address list
dev=33 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=31 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=29 devname=port2-v208 flag=P scope=200 prefix=119 addr=fec1::208:16c
dev=25 devname=traffic flag=P scope=254 prefix=128 addr=::1
dev=23 devname=root flag=P scope=254 prefix=128 addr=::1
dev=30 devname=port2-v18 flag=P scope=200 prefix=119 addr=fec0::18:16c
dev=2 devname=port17 flag=P scope=253 prefix=10 addr=fe80::209:fff:feb7:3c88
dev=28 devname=vdl1 flag=P scope=253 prefix=64 addr=fe80::218:8bff:fe84:4133
dev=2 devname=port17 flag=P scope=200 prefix=119 addr=fec0::147:16c
dev=27 devname=vdl0 flag=P scope=253 prefix=64 addr=fe80::218:8bff:fe84:4223
dev=30 devname=port2-v18 flag=P scope=253 prefix=10 addr=fe80::209:fff:feb7:3c79
dev=29 devname=port2-v208 flag=P scope=253 prefix=10 addr=fe80::209:fff:feb7:3c79


FGT620B-2 (traffic) # diagnose ipv6 route list
vf=1 type=02 protocol=unspec flag=00200001 oif=25(traffic) dst:::1/128 gwy::: prio=0
vf=1 type=02 protocol=unspec flag=00200001 oif=25(traffic) dst:fe80::209:fff:feb7:3c79/128 gwy::: prio=0
vf=1 type=02 protocol=unspec flag=00200001 oif=25(traffic) dst:fe80::209:fff:feb7:3c88/128 gwy::: prio=0
vf=1 type=02 protocol=unspec flag=00200001 oif=25(traffic) dst:fe80::218:8bff:fe84:4133/128 gwy::: prio=0
vf=1 type=01 protocol=kernel flag=00040001 oif=28(vdl1) dst:fe80::/64 prio=100
vf=1 type=07 protocol=boot flag=00200200 oif=25(traffic) dst:fe80::/10 prio=100
vf=1 type=01 protocol=kernel flag=00040001 oif=29(port2-v208) dst:fe80::/10 prio=100
vf=1 type=01 protocol=kernel flag=00040001 oif=2(port17) dst:fe80::/10 prio=100
vf=1 type=01 protocol=kernel flag=00040001 oif=28(vdl1) dst:fe80::/10 prio=100
vf=1 type=01 protocol=zebra flag=00000003 oif=2(port17) dst:fec0::146:0/119 gwy:fe80::209:fff:fe85:b7a9 prio=400
vf=1 type=02 protocol=unspec flag=00200001 oif=25(traffic) dst:fec0::147:16c/128 gwy::: prio=0
vf=1 type=01 protocol=kernel flag=00040001 oif=2(port17) dst:fec0::147:0/119 prio=100
vf=1 type=02 protocol=unspec flag=00200001 oif=25(traffic) dst:fec1::208:16c/128 gwy::: prio=0
vf=1 type=01 protocol=kernel flag=00040001 oif=29(port2-v208) dst:fec1::208:0/119 prio=100
vf=1 type=01 protocol=zebra flag=00000003 oif=2(port17) dst:fec2::224:0/119 gwy:fe80::209:fff:fe85:b7a9 prio=400
vf=1 type=01 protocol=zebra flag=00000003 oif=2(port17) dst:fec2::226:0/119 gwy:fe80::209:fff:fe85:b7a9 prio=400
vf=1 type=01 protocol=zebra flag=00000003 oif=2(port17) dst:fec2::230:0/119 gwy:fe80::209:fff:fe85:b7a9 prio=400
vf=1 type=01 protocol=zebra flag=00000003 oif=28(vdl1) dst:fed1::/126 gwy:fe80::218:8bff:fe84:4223 prio=400
vf=1 type=01 protocol=kernel flag=01040001 oif=2(port17) dst:ff02::9/128 gwy:ff02::9 prio=0
vf=1 type=01 protocol=kernel flag=01040001 oif=28(vdl1) dst:ff02::9/128 gwy:ff02::9 prio=0
vf=1 type=07 protocol=boot flag=00200200 oif=25(traffic) dst:ff00::/8 prio=100
vf=1 type=01 protocol=kernel flag=00040001 oif=29(port2-v208) dst:ff00::/8 prio=100
vf=1 type=01 protocol=kernel flag=00040001 oif=2(port17) dst:ff00::/8 prio=100
vf=1 type=01 protocol=kernel flag=00040001 oif=28(vdl1) dst:ff00::/8 prio=100
vf=1 type=01 protocol=zebra flag=00000003 oif=28(vdl1) gwy:fe80::218:8bff:fe84:4223 prio=400


FGT620B-2 (traffic) # get router info6 rip database

Codes: R - RIP, Rc - RIP connected, Rs - RIP static, Ra - RIP aggregated,
       Rcx - RIP connect suppressed, Rsx - RIP static suppressed,
       K - Kernel, C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP

   Network                     Next Hop                  If     Met Tag  Time
R  ::/0                        fe80::218:8bff:fe84:4223  vdl1     2   0 02:30
R  fec0::146:0/119             fe80::209:fff:fe85:b7a9   port17   2   0 02:57
C  fec0::147:0/119             ::                        port17   1   0
C  fec1::208:0/119             ::                        port2-v208   1   0
R  fec2::224:0/119             fe80::209:fff:fe85:b7a9   port17   2   0 02:57
R  fec2::226:0/119             fe80::209:fff:fe85:b7a9   port17   2   0 02:57
R  fec2::230:0/119             fe80::209:fff:fe85:b7a9   port17   2   0 02:57
R  fed1::/126                  fe80::218:8bff:fe84:4223  vdl1     2   0 02:30


FGT620B-2 (traffic) # get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

R   ::/0 [120/2] via fe80::218:8bff:fe84:4223, vdl1, 00:34:47
C   ::1/128 via ::, traffic, 00:34:53
C   fe80::/10 via ::, port2-v208, 00:34:53
              via ::, port17, 00:34:53
C   fe80::/64 via ::, vdl1, 00:34:53
R   fec0::146:0/119 [120/2] via fe80::209:fff:fe85:b7a9, port17, 00:34:47
C   fec0::147:0/119 via ::, port17, 00:34:53
C   fec1::208:0/119 via ::, port2-v208, 00:34:53
R   fec2::224:0/119 [120/2] via fe80::209:fff:fe85:b7a9, port17, 00:34:47
R   fec2::226:0/119 [120/2] via fe80::209:fff:fe85:b7a9, port17, 00:34:47
R   fec2::230:0/119 [120/2] via fe80::209:fff:fe85:b7a9, port17, 00:34:47
R   fed1::/126 [120/2] via fe80::218:8bff:fe84:4223, vdl1, 00:34:47


FGT620B-2 (traffic) # diagnose ipv6 neighbor-cache list
ifindex=2 ifname=port17 ff02::9 33:33:00:00:00:09 state=00000040 use=1418 confirm=215118 update=209118 ref=1
ifindex=23 ifname=root :: 00:00:00:00:00:00 state=00000040 use=210730 confirm=216730 update=210730 ref=4
ifindex=25 ifname=traffic :: 00:00:00:00:00:00 state=00000040 use=210729 confirm=216729 update=210729 ref=6
ifindex=31 ifname=vsys_ha :: 00:00:00:00:00:00 state=00000040 use=210438 confirm=216438 update=210438 ref=1
ifindex=33 ifname=vsys_fgfm :: 00:00:00:00:00:00 state=00000040 use=210130 confirm=216130 update=210130 ref=1
ifindex=27 ifname=vdl0 ff02::9  state=00000040 use=6023 confirm=12023 update=6023 ref=1
ifindex=28 ifname=vdl1 ff02::9  state=00000040 use=6023 confirm=12023 update=6023 ref=1
ifindex=30 ifname=port2-v18 fec0::18:101 state=00000000 use=209221 confirm=215221 update=209221 ref=2
ifindex=2 ifname=port17 fe80::209:fff:fe85:b7a9 00:09:0f:09:0e:04 state=00000004 use=209118 confirm=215118 update=209118 ref=4
ifindex=27 ifname=vdl0 fe80::218:8bff:fe84:4133  state=00000040 use=209118 confirm=215118 update=209118 ref=6
ifindex=28 ifname=vdl1 fe80::218:8bff:fe84:4223  state=00000040 use=209118 confirm=215118 update=209118 ref=2


FGT620B-2 (traffic) # get router info6 rip interface vdl1
vdl1 is up, line protocol is up
  Routing Protocol: RIPng
    Passive interface: Disabled
    Split horizon: Enabled with Poisoned Reversed
    IPv6 interface address:
      fe80::218:8bff:fe84:4133/64


FGT620B-2 (traffic) # get router info6 rip interface port17
port17 is up, line protocol is up
  Routing Protocol: RIPng
    Passive interface: Disabled
    Split horizon: Enabled with Poisoned Reversed
    IPv6 interface address:
      fe80::209:fff:feb7:3c88/10
      fec0::147:16c/119



FGT300A-7


FGT300A-7 # diagnose ipv6 address list
dev=6 devname=port6 flag=P scope=253 prefix=10 addr=fe80::209:fff:fe85:b7aa
dev=13 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=11 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=3 devname=port2 flag=P scope=200 prefix=119 addr=fec2::224:72
dev=9 devname=root flag=P scope=254 prefix=128 addr=::1
dev=7 devname=port5 flag=P scope=253 prefix=10 addr=fe80::209:fff:fe85:b7a9
dev=6 devname=port6 flag=P scope=200 prefix=119 addr=fec0::146:72
dev=7 devname=port5 flag=P scope=200 prefix=119 addr=fec0::147:72
dev=3 devname=port2 flag=P scope=253 prefix=10 addr=fe80::209:fff:fe85:b7a6


FGT300A-7 # diagnose ipv6 route list
vf=0 type=02 protocol=unspec flag=00200001 oif=9(root) dst:::1/128 gwy::: prio=0
vf=0 type=02 protocol=unspec flag=00200001 oif=9(root) dst:fe80::209:fff:fe85:b7a6/128 gwy::: prio=0
vf=0 type=02 protocol=unspec flag=00200001 oif=9(root) dst:fe80::209:fff:fe85:b7a9/128 gwy::: prio=0
vf=0 type=02 protocol=unspec flag=00200001 oif=9(root) dst:fe80::209:fff:fe85:b7aa/128 gwy::: prio=0
vf=0 type=07 protocol=boot flag=00200200 oif=9(root) dst:fe80::/10 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=3(port2) dst:fe80::/10 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=7(port5) dst:fe80::/10 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=6(port6) dst:fe80::/10 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=15(havdlink1) dst:fe80::/10 prio=100
vf=0 type=02 protocol=unspec flag=00200001 oif=9(root) dst:fec0::146:72/128 gwy::: prio=0
vf=0 type=01 protocol=kernel flag=00040001 oif=6(port6) dst:fec0::146:0/119 prio=100
vf=0 type=02 protocol=unspec flag=00200001 oif=9(root) dst:fec0::147:72/128 gwy::: prio=0
vf=0 type=01 protocol=kernel flag=00040001 oif=7(port5) dst:fec0::147:0/119 prio=100
vf=0 type=01 protocol=zebra flag=00000003 oif=7(port5) dst:fec1::208:0/119 gwy:fe80::209:fff:feb7:3c88 prio=400
vf=0 type=02 protocol=unspec flag=00200001 oif=9(root) dst:fec2::224:72/128 gwy::: prio=0
vf=0 type=01 protocol=kernel flag=00040001 oif=3(port2) dst:fec2::224:0/119 prio=100
vf=0 type=01 protocol=zebra flag=00000003 oif=3(port2) dst:fec2::226:0/119 gwy:fec2::224:1fe prio=1
vf=0 type=01 protocol=zebra flag=00000003 oif=3(port2) dst:fec2::228:0/119 gwy:fec2::224:1fe prio=1
vf=0 type=01 protocol=zebra flag=00000003 oif=3(port2) dst:fec2::230:0/119 gwy:fec2::224:1fe prio=1
vf=0 type=01 protocol=zebra flag=00000003 oif=7(port5) dst:fed1::/126 gwy:fe80::209:fff:feb7:3c88 prio=400
vf=0 type=07 protocol=boot flag=00200200 oif=9(root) dst:ff00::/8 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=3(port2) dst:ff00::/8 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=7(port5) dst:ff00::/8 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=6(port6) dst:ff00::/8 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=15(havdlink1) dst:ff00::/8 prio=100
vf=0 type=01 protocol=zebra flag=00000003 oif=7(port5) gwy:fe80::209:fff:feb7:3c88 prio=400


FGT300A-7 # get router info6 rip database

Codes: R - RIP, Rc - RIP connected, Rs - RIP static, Ra - RIP aggregated,
       Rcx - RIP connect suppressed, Rsx - RIP static suppressed,
       K - Kernel, C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP

   Network                     Next Hop                  If     Met Tag  Time
R  ::/0                        fe80::209:fff:feb7:3c88   port5    3   0 02:37
C  fec0::146:0/119             ::                        port6    1   0
C  fec0::147:0/119             ::                        port5    1   0
R  fec1::208:0/119             fe80::209:fff:feb7:3c88   port5    2   0 02:37
C  fec2::224:0/119             ::                        port2    1   0
S  fec2::226:0/119             fec2::224:1fe             port2    1   0
S  fec2::230:0/119             fec2::224:1fe             port2    1   0
R  fed1::/126                  fe80::209:fff:feb7:3c88   port5    3   0 02:37


FGT300A-7 # get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

R   ::/0 [120/3] via fe80::209:fff:feb7:3c88, port5, 00:42:56
C   ::1/128 via ::, root, 01:44:09
C   fe80::/10 via ::, port5, 01:44:09
              via ::, port6, 01:44:09
              via ::, port2, 01:44:09
C   fec0::146:0/119 via ::, port6, 01:44:09
C   fec0::147:0/119 via ::, port5, 01:44:09
R   fec1::208:0/119 [120/2] via fe80::209:fff:feb7:3c88, port5, 00:42:56
C   fec2::224:0/119 via ::, port2, 01:44:09
S   fec2::226:0/119 [1/0] via fec2::224:1fe, port2, 01:43:45
S   fec2::228:0/119 [1/0] via fec2::224:1fe, port2, 01:43:45
S   fec2::230:0/119 [1/0] via fec2::224:1fe, port2, 01:43:45
R   fed1::/126 [120/3] via fe80::209:fff:feb7:3c88, port5, 00:42:56


FGT300A-7 # get router info6 rip interface port5
port5 is up, line protocol is up
  Routing Protocol: RIPng
    Passive interface: Disabled
    Split horizon: Enabled with Poisoned Reversed
    IPv6 interface address:
      fe80::209:fff:fe85:b7a9/10
      fec0::147:72/119


FGT300A-7 # get router info6 rip interface port6
port6 is up, line protocol is up
  Routing Protocol: RIPng
    Passive interface: Disabled
    Split horizon: Enabled with Poisoned Reversed
    IPv6 interface address:
      fe80::209:fff:fe85:b7aa/10
      fec0::146:72/119


FGT300A-7 # diagnose ipv6 neighbor-cache list
ifindex=9 ifname=root :: 00:00:00:00:00:00 state=00000040 use=628259 confirm=634259 update=628259 ref=7
ifindex=11 ifname=vsys_ha :: 00:00:00:00:00:00 state=00000040 use=628152 confirm=634152 update=628152 ref=1
ifindex=13 ifname=vsys_fgfm :: 00:00:00:00:00:00 state=00000040 use=628078 confirm=634078 update=628078 ref=1
ifindex=6 ifname=port6 ff02::9 33:33:00:00:00:09 state=00000040 use=707 confirm=631207 update=625207 ref=0
ifindex=7 ifname=port5 ff02::9 33:33:00:00:00:09 state=00000040 use=707 confirm=631207 update=625207 ref=0
ifindex=3 ifname=port2 fec2::224:1fe state=00000000 use=625300 confirm=631300 update=625300 ref=3
ifindex=7 ifname=port5 fe80::209:fff:feb7:3c88 00:09:0f:b7:3c:88 state=00000004 use=260508 confirm=260508 update=257747 ref=3


FGT110C-2



FG100C3G08600068 # diagnose ipv6 address list
dev=11 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=9 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=5 devname=root flag=P scope=254 prefix=128 addr=::1
dev=7 devname=wan2 flag=P scope=200 prefix=119 addr=fec0::146:127
dev=7 devname=wan2 flag=P scope=253 prefix=10 addr=fe80::209:fff:fea3:2eb


FG100C3G08600068 # diagnose ipv6 route list
vf=0 type=02 protocol=unspec flag=00200001 oif=5(root) dst:::1/128 gwy::: prio=0
vf=0 type=02 protocol=unspec flag=00200001 oif=5(root) dst:fe80::209:fff:fea3:2eb/128 gwy::: prio=0
vf=0 type=07 protocol=boot flag=00200200 oif=5(root) dst:fe80::/10 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=7(wan2) dst:fe80::/10 prio=100
vf=0 type=02 protocol=unspec flag=00200001 oif=5(root) dst:fec0::146:127/128 gwy::: prio=0
vf=0 type=01 protocol=kernel flag=00040001 oif=7(wan2) dst:fec0::146:0/119 prio=100
vf=0 type=01 protocol=zebra flag=00000003 oif=7(wan2) dst:fec0::147:0/119 gwy:fe80::209:fff:fe85:b7aa prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=7(wan2) dst:fec1::208:0/119 gwy:fe80::209:fff:fe85:b7aa prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=7(wan2) dst:fec2::224:0/119 gwy:fe80::209:fff:fe85:b7aa prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=7(wan2) dst:fec2::226:0/119 gwy:fe80::209:fff:fe85:b7aa prio=400
vf=0 type=01 protocol=zebra flag=00000003 oif=7(wan2) dst:fed1::/126 gwy:fe80::209:fff:fe85:b7aa prio=400
vf=0 type=07 protocol=boot flag=00200200 oif=5(root) dst:ff00::/8 prio=100
vf=0 type=01 protocol=kernel flag=00040001 oif=7(wan2) dst:ff00::/8 prio=100
vf=0 type=01 protocol=zebra flag=00000003 oif=7(wan2) gwy:fe80::209:fff:fe85:b7aa prio=400


FG100C3G08600068 # get router info6 rip database

Codes: R - RIP, Rc - RIP connected, Rs - RIP static, Ra - RIP aggregated,
       Rcx - RIP connect suppressed, Rsx - RIP static suppressed,
       K - Kernel, C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP

   Network                     Next Hop                  If     Met Tag  Time
R  ::/0                        fe80::209:fff:fe85:b7aa   wan2     4   0 02:51
C  fec0::146:0/119             ::                        wan2     1   0
R  fec0::147:0/119             fe80::209:fff:fe85:b7aa   wan2     2   0 02:51
R  fec1::208:0/119             fe80::209:fff:fe85:b7aa   wan2     3   0 02:51
R  fec2::224:0/119             fe80::209:fff:fe85:b7aa   wan2     2   0 02:51
R  fec2::226:0/119             fe80::209:fff:fe85:b7aa   wan2     2   0 02:51
R  fed1::/126                  fe80::209:fff:fe85:b7aa   wan2     4   0 02:51


FG100C3G08600068 # get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

R   ::/0 [120/4] via fe80::209:fff:fe85:b7aa, wan2, 00:44:26
C   ::1/128 via ::, root, 04:09:24
C   fe80::/10 via ::, wan2, 04:09:24
C   fec0::146:0/119 via ::, wan2, 04:09:24
R   fec0::147:0/119 [120/2] via fe80::209:fff:fe85:b7aa, wan2, 01:44:29
R   fec1::208:0/119 [120/3] via fe80::209:fff:fe85:b7aa, wan2, 00:44:26
R   fec2::224:0/119 [120/2] via fe80::209:fff:fe85:b7aa, wan2, 01:44:29
R   fec2::226:0/119 [120/2] via fe80::209:fff:fe85:b7aa, wan2, 01:44:29
R   fed1::/126 [120/4] via fe80::209:fff:fe85:b7aa, wan2, 00:44:26


FG100C3G08600068 # get router info6 rip interface wan2
wan2 is up, line protocol is up
  Routing Protocol: RIPng
    Passive interface: Disabled
    Split horizon: Enabled with Poisoned Reversed
    IPv6 interface address:
      fe80::209:fff:fea3:2eb/10
      fec0::146:127/119


FG100C3G08600068 # diagnose ipv6 neighbor-cache list
ifindex=5 ifname=root :: 00:00:00:00:00:00 state=00000040 use=1499395 confirm=1505395 update=1499395 ref=3
ifindex=9 ifname=vsys_ha :: 00:00:00:00:00:00 state=00000040 use=1498770 confirm=1504770 update=1498770 ref=1
ifindex=11 ifname=vsys_fgfm :: 00:00:00:00:00:00 state=00000040 use=1498380 confirm=1504380 update=1498380 ref=1
ifindex=7 ifname=wan2 ff02::9 33:33:00:00:00:09 state=00000040 use=2501 confirm=1503372 update=1497372 ref=1
ifindex=7 ifname=wan2 fe80::209:fff:fe85:b7aa state=00000000 use=628418 confirm=634418 update=628418 ref=6



Troubleshooting
  • Use the sniffer to capture IPv6 packets
  • Turn on IPv6 debugging with the diagnose ipv6 router rip commands
Example of output from FGT300A-7:


FGT300A-7 # diagnose debug enable

FGT300A-7 # diagnose ipv6 router rip level info
FGT300A-7 # diagnose ipv6 router rip all enable

FGT300A-7 # RIPng: RECV[port5]: Receive from [fe80::209:fff:feb7:3c88]:521
RIPng: RECV[port5]: RESPONSE version 1 packet size 164
RIPng:   ::/0 metric 2 tag 0
RIPng:   fec0::146:0/119 metric 16 tag 0
RIPng:   fec0::147:0/119 metric 16 tag 0
RIPng:   fec1::208:0/119 metric 1 tag 0
RIPng:   fec2::224:0/119 metric 16 tag 0
RIPng:   fec2::226:0/119 metric 16 tag 0
RIPng:   fec2::230:0/119 metric 16 tag 0
RIPng:   fed1::/126 metric 2 tag 0
RIPng: RECV[port6]: Receive from [fe80::209:fff:fea3:2eb]:521
RIPng: RECV[port6]: RESPONSE version 1 packet size 144
RIPng:   ::/0 metric 16 tag 0
RIPng:   fec0::146:0/119 metric 16 tag 0
RIPng:   fec0::147:0/119 metric 16 tag 0
RIPng:   fec1::208:0/119 metric 16 tag 0
RIPng:   fec2::224:0/119 metric 16 tag 0
RIPng:   fec2::226:0/119 metric 16 tag 0
RIPng:   fed1::/126 metric 16 tag 0
RIPng: UPDATE: Update timer expired!
RIPng: UPDATE[port6]: Update RIPng routes to [ff02::9]:521
RIPng: SEND[port6]: fec2::230:0/119 is filtered by prefix-list pl6_selective_static6_distribroot
RIPng: SEND[port6]: Send to [ff02::9]:521
RIPng: SEND[port6]: RESPONSE version 1 packet size 144
RIPng:   ::/0 metric 3 tag 0
RIPng:   fec0::146:0/119 metric 16 tag 0
RIPng:   fec0::147:0/119 metric 1 tag 0
RIPng:   fec1::208:0/119 metric 2 tag 0
RIPng:   fec2::224:0/119 metric 1 tag 0
RIPng:   fec2::226:0/119 metric 1 tag 0
RIPng:   fed1::/126 metric 3 tag 0
RIPng: UPDATE[port5]: Update RIPng routes to [ff02::9]:521
RIPng: SEND[port5]: Send to [ff02::9]:521
RIPng: SEND[port5]: RESPONSE version 1 packet size 164
RIPng:   ::/0 metric 16 tag 0
RIPng:   fec0::146:0/119 metric 1 tag 0
RIPng:   fec0::147:0/119 metric 16 tag 0
RIPng:   fec1::208:0/119 metric 16 tag 0
RIPng:   fec2::224:0/119 metric 1 tag 0
RIPng:   fec2::226:0/119 metric 1 tag 0
RIPng:   fec2::230:0/119 metric 1 tag 0
RIPng:   fed1::/126 metric 16 tag 0
RIPng: RECV[port5]: Receive from [fe80::209:fff:feb7:3c88]:521
RIPng: RECV[port5]: RESPONSE version 1 packet size 164
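
The debug output above can be checked mechanically to confirm that the route filters hold. The following is an added example, not part of the original article or a Fortinet tool: it parses RIPng RESPONSE dumps in the format shown and reports any prefix sent on an interface where the page's expectations say it must be filtered. The function names and the MUST_NOT_ADVERTISE table are assumptions built from the Expectations section.

```python
import ipaddress
import re

INFINITY = 16  # RIPng metric for "unreachable" (seen here with poisoned reverse)

# Lines copied from the FGT300A-7 debug output on this page.
SAMPLE = """\
FGT300A-7 # RIPng: RECV[port5]: Receive from [fe80::209:fff:feb7:3c88]:521
RIPng: RECV[port5]: RESPONSE version 1 packet size 164
RIPng:   ::/0 metric 2 tag 0
RIPng:   fec0::146:0/119 metric 16 tag 0
RIPng:   fec0::147:0/119 metric 16 tag 0
RIPng:   fec1::208:0/119 metric 1 tag 0
RIPng:   fec2::224:0/119 metric 16 tag 0
RIPng:   fec2::226:0/119 metric 16 tag 0
RIPng:   fec2::230:0/119 metric 16 tag 0
RIPng:   fed1::/126 metric 2 tag 0
RIPng: UPDATE: Update timer expired!
RIPng: UPDATE[port6]: Update RIPng routes to [ff02::9]:521
RIPng: SEND[port6]: fec2::230:0/119 is filtered by prefix-list pl6_selective_static6_distribroot
RIPng: SEND[port6]: Send to [ff02::9]:521
RIPng: SEND[port6]: RESPONSE version 1 packet size 144
RIPng:   ::/0 metric 3 tag 0
RIPng:   fec0::146:0/119 metric 16 tag 0
RIPng:   fec0::147:0/119 metric 1 tag 0
RIPng:   fec1::208:0/119 metric 2 tag 0
RIPng:   fec2::224:0/119 metric 1 tag 0
RIPng:   fec2::226:0/119 metric 1 tag 0
RIPng:   fed1::/126 metric 3 tag 0
RIPng: UPDATE[port5]: Update RIPng routes to [ff02::9]:521
RIPng: SEND[port5]: Send to [ff02::9]:521
RIPng: SEND[port5]: RESPONSE version 1 packet size 164
RIPng:   ::/0 metric 16 tag 0
RIPng:   fec0::146:0/119 metric 1 tag 0
RIPng:   fec0::147:0/119 metric 16 tag 0
RIPng:   fec1::208:0/119 metric 16 tag 0
RIPng:   fec2::224:0/119 metric 1 tag 0
RIPng:   fec2::226:0/119 metric 1 tag 0
RIPng:   fec2::230:0/119 metric 1 tag 0
RIPng:   fed1::/126 metric 16 tag 0
"""

RESPONSE_RE = re.compile(r"RIPng: (RECV|SEND)\[([^\]]+)\]: RESPONSE")
ROUTE_RE = re.compile(r"RIPng:\s+(\S+/\d+) metric (\d+) tag \d+")
FILTER_RE = re.compile(r"RIPng: SEND\[([^\]]+)\]: (\S+) is filtered by prefix-list (\S+)")

# Expectations from the page: 228 is filtered globally, 230 only on port6.
MUST_NOT_ADVERTISE = {"*": {"fec2::228:0/119"}, "port6": {"fec2::230:0/119"}}


def canon(prefix):
    """Canonical text form so differently written prefixes compare equal."""
    return str(ipaddress.ip_network(prefix))


def parse(text):
    """Return (updates, filtered): RESPONSE dumps and 'is filtered by' events."""
    updates, filtered, current = [], [], None
    for line in text.splitlines():
        if m := RESPONSE_RE.search(line):
            current = {"dir": m[1], "iface": m[2], "routes": []}
            updates.append(current)
        elif current is not None and (m := ROUTE_RE.search(line)):
            current["routes"].append((canon(m[1]), int(m[2])))
        else:
            current = None  # any other line ends the route listing
            if m := FILTER_RE.search(line):
                filtered.append((m[1], canon(m[2]), m[3]))  # list name as logged
    return updates, filtered


def reachable(updates, direction, iface):
    """Prefixes with a metric below infinity in the latest matching update."""
    for update in reversed(updates):
        if update["dir"] == direction and update["iface"] == iface:
            return {p for p, metric in update["routes"] if metric < INFINITY}
    return set()


def leaks(updates):
    """(interface, prefix, metric) for every sent prefix that should be filtered."""
    found = []
    for update in updates:
        if update["dir"] != "SEND":
            continue
        banned = MUST_NOT_ADVERTISE["*"] | MUST_NOT_ADVERTISE.get(update["iface"], set())
        found += [(update["iface"], p, m) for p, m in update["routes"] if p in banned]
    return found


if __name__ == "__main__":
    parsed, dropped = parse(SAMPLE)
    print("filtered:", dropped)
    print("leaks:", leaks(parsed))
```

An empty leak list for the captured output confirms both filtering levels; the metric 16 entries are poisoned-reverse advertisements and are excluded from the reachable set.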


