FortiGate
wmichael (Staff)
Article Id 295631
Description: This article describes how to use ND Proxy for bridging Layer 2 segments.
Scope: FortiGate.
Solution:

The Neighbor Discovery Protocol (NDP) consists of five ICMPv6 message types that support various IPv6 functions, comparable to what ICMP, ARP, ICMP Router Discovery, and ICMP Redirect provide in IPv4. Its functions include Stateless Address Auto-Configuration (SLAAC), address resolution, Neighbor Unreachability Detection (NUD), and Duplicate Address Detection (DAD).

In NDP, the Neighbor Solicitation (NS) and Neighbor Advertisement (NA) message types are used for address resolution, performing a function similar to ARP in IPv4. A host sends an NS message to determine the Layer 2 (MAC) address of another host or to verify that a neighbor is still reachable. A host sends an NA message to reply to an NS and provide its Layer 2 address, or unsolicited, to announce a change such as a new link-layer address.

ND Proxy is similar to Proxy ARP. It bridges network segments that share a subnet prefix when bridging cannot be done at Layer 2, by answering Neighbor Solicitations on behalf of hosts on the other segment.

To configure ND Proxy, the CLI syntax is as follows:

config system nd-proxy
    set status {enable|disable}
    set member <interface> <interface> [<interface>...]
end

Example:

[Figure: NDProxy-diagram.jpg]

In IPv6 it is common to use Global Unicast addresses (the counterpart of IPv4 public addresses) on internal networks, so NAT is not required for Internet traffic.

The subnet 2001:db8:abcd:1234::/64 is contained in the subnet 2001:db8:abcd::/48. Normally an NDP NS message from the ISP router would not reach the client, because the client is in a different Layer 2 segment. ND Proxy can be used to bridge the two networks.

In this example, the ISP router at IP address 2001:db8:abcd::1/48 sends a Neighbor Solicitation (NS) message to resolve the Layer 2 address of the client at IP address 2001:db8:abcd:1234::2/64. With ND Proxy configured, the FortiGate replies to the NS on port1, substituting the MAC address of port1 in the Neighbor Advertisement (NA). The ISP router then reaches the client by forwarding the traffic to the FortiGate, which passes it on to the client.


For this example, ND Proxy is configured on the FortiGate with port1 and port10 as members:

config system nd-proxy
    set status enable
    set member "port1" "port10"
end
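The NS/NA exchange and the proxy decision described above, modelled in Python as an added example (this is not Fortinet code and does not reflect FortiOS internals). It keeps the article's prefixes and port names; the MAC addresses, link-local addresses and the one-prefix-per-member table are constructed assumptions. The model answers an NS arriving on one member interface only when the target belongs to a different member's segment, and it follows RFC 4861 section 7.2.4 in leaving the Override flag clear on a solicited proxy NA.

```python
"""Toy ND Proxy model (added example, not Fortinet code): parse an ICMPv6 NS,
decide whether to proxy, and build the NA with the ingress port's own MAC."""
import ipaddress
import struct

# Members of 'config system nd-proxy' and the segment each faces.
# Assumption: one prefix per member; MAC and link-local values are made up.
ND_PROXY_MEMBERS = {
    "port1":  {"mac": "00:09:0f:00:00:01", "lladdr": "fe80::1", "prefix": "2001:db8:abcd::/48"},
    "port10": {"mac": "00:09:0f:00:00:0a", "lladdr": "fe80::a", "prefix": "2001:db8:abcd:1234::/64"},
}
NS_TYPE, NA_TYPE, ICMPV6 = 135, 136, 58


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX built from the low 24 bits of the address (RFC 4291)."""
    a = ipaddress.IPv6Address(addr)
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + a.packed[13:])


def icmpv6_checksum(src, dst, payload):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    data = src.packed + dst.packed + struct.pack("!I", len(payload)) + b"\x00\x00\x00" + bytes([ICMPV6]) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _finish(src, dst, body):
    """Fill the checksum field (bytes 2-3) of an ICMPv6 message built with it zeroed."""
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def build_ns(src, dst, target, src_mac):
    """NS: type 135, 4 reserved bytes, target, Source Link-Layer Address option (type 1)."""
    body = struct.pack("!BBH4x", NS_TYPE, 0, 0) + ipaddress.IPv6Address(target).packed + bytes([1, 1]) + mac_to_bytes(src_mac)
    return _finish(src, dst, body)


def build_na(src, dst, target, mac, router, solicited, override):
    """NA: type 136, R/S/O flag byte, target, Target Link-Layer Address option (type 2)."""
    flags = (0x80 if router else 0) | (0x40 if solicited else 0) | (0x20 if override else 0)
    body = struct.pack("!BBHB3x", NA_TYPE, 0, 0, flags) + ipaddress.IPv6Address(target).packed + bytes([2, 1]) + mac_to_bytes(mac)
    return _finish(src, dst, body)


def _parse_nd(src, dst, pkt, expected_type, lladdr_opt):
    """Validate type, code and checksum, then walk the 8-byte-unit TLV options."""
    if len(pkt) < 24 or pkt[0] != expected_type or pkt[1] != 0 or icmpv6_checksum(src, dst, pkt) != 0:
        return None
    msg = {"flags": pkt[4], "target": str(ipaddress.IPv6Address(pkt[8:24])), "lladdr": None}
    off = 24
    while off + 8 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:                      # RFC 4861 section 4.6: zero length means discard the packet
            return None
        if otype == lladdr_opt and olen == 1:
            msg["lladdr"] = bytes_to_mac(pkt[off + 2:off + 8])
        off += olen * 8
    return msg


def parse_ns(src, dst, pkt):
    return _parse_nd(src, dst, pkt, NS_TYPE, 1)


def parse_na(src, dst, pkt):
    m = _parse_nd(src, dst, pkt, NA_TYPE, 2)
    if m:
        m.update(router=bool(m["flags"] & 0x80), solicited=bool(m["flags"] & 0x40), override=bool(m["flags"] & 0x20))
    return m


def segment_for(target):
    """Member whose prefix is the longest match for the target, or None."""
    t = ipaddress.IPv6Address(target)
    hits = [(ipaddress.ip_network(c["prefix"]).prefixlen, n) for n, c in ND_PROXY_MEMBERS.items()
            if t in ipaddress.ip_network(c["prefix"])]
    return max(hits)[1] if hits else None


def handle_ns(ingress_if, src, dst, pkt):
    """Return {'src','dst','packet'} for a proxied NA, or None when the proxy stays silent."""
    ns = parse_ns(src, dst, pkt)
    if ns is None or ingress_if not in ND_PROXY_MEMBERS:
        return None
    if ipaddress.IPv6Address(src) == ipaddress.IPv6Address("::"):
        return None   # DAD probe from the unspecified address: not answered by this simple model
    owner = segment_for(ns["target"])
    if owner is None or owner == ingress_if:
        return None   # target is on the ingress segment (or unknown): the real host answers
    me = ND_PROXY_MEMBERS[ingress_if]
    # Solicited proxy NA with the ingress port's MAC. RFC 4861 section 7.2.4: the Override
    # flag SHOULD NOT be set in solicited proxy advertisements; R is set because the
    # FortiGate forwards the traffic itself.
    na = build_na(me["lladdr"], src, ns["target"], me["mac"], router=True, solicited=True, override=False)
    return {"src": me["lladdr"], "dst": src, "packet": na}
```

Calling handle_ns("port1", "2001:db8:abcd::1", "ff02::1:ff00:2", ns) with an NS for 2001:db8:abcd:1234::2 yields an NA carrying port1's MAC, while the same NS seen on port10 yields nothing, because there the client itself is expected to answer. The checksum check in _parse_nd is what makes the model drop corrupted solicitations rather than proxy them.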