RIPng — RIP and IPv6

RIPng — RIP and IPv6

RIP next generation, or RIPng, is the version of RIP that supports IPv6.

This is an example of a typical small network configuration using RIPng routing.

Your internal R&D network is working on a project for a large international telecom company that uses IPv6. For this reason, you have to run IPv6 on your internal network and you have decided to use only IPv6 addresses.

Your network has two FortiGate units running the RIPng dynamic routing protocol. Both FortiGate units are connected to the ISP router and the internal network. This configuration provides some redundancy for the R&D internal network enabling it to reach the internet at all times.

This section includes the following topics:

l Network layout and assumptions l Configuring the FortiGate units system information l Configuring RIPng on FortiGate units l Configuring other network devices l Testing the configuration l Debugging IPv6 on RIPng

Network layout and assumptions

Basic network layout

Your internal R&D network is working on a project for a large international telecom company that uses IPv6. For this reason, you have to run IPv6 on your internal network and you have decided to use only IPv6 addresses.

Your network has two FortiGate units running the RIPng dynamic routing protocol. Both FortiGate units are connected to the ISP router and the internal network. This configuration provides some redundancy for the R&D internal network enabling it to reach the internet at all times.

All internal computers use RIP routing, so no static routing is required. And all internal computers use IPv6 addresses.

Where possible in this example, the default values will be used or the most general settings. This is intended to provide an easier configuration that will require less troubleshooting.

In this example the routers, networks, interfaces used, and IP addresses are as follows:

Rip example network topology

Network Router Interface & Alias IPv6 address
R&D Router1

Router2

port1 (internal) 2002:A0B:6565:0:0:0:0:0
port2 (ISP) 2002:AC14:7865:0:0:0:0:0
port1 (internal) 2002:A0B:6566:0:0:0:0:0
port2 (ISP) 2002:AC14:7866:0:0:0:0:0

Network topology for the IPv6 RIPng example

Assumptions

The following assumptions have been made concerning this example:

  • All FortiGate units have 5.0+ firmware, and are running factory default settings.
  • All CLI and web-based manager navigation assumes the unit is running in NAT/Route operating mode, with VDOMs disabled.
  • All FortiGate units have interfaces labeled port1 and port2 as required. l All firewalls have been configured for each FortiGate unit to allow the required traffic to flow across interfaces. l All network devices are support IPv6 and are running RIPng.

Configuring the FortiGate units system information

Each FortiGate unit needs IPv6 enabled, a new hostname, and interfaces configured.

To configure system information on Router1 – web-based manager:

  1. Go to Dashboard.
  2. For Host name, select Change.
  3. Enter “Router1”.
  4. Go to System > Feature Visibility.
  5. Enable IPv6 and click Apply.
  6. Go to Network > Interfaces.
  7. Edit port1 (internal) interface.
  8. Set the following information, and select OK.
Alias internal
IP/Netmask 2002:A0B:6565::/0
Administrative Access HTTPS SSH PING
Description Internal RnD network
Administrative Status Up
  1. Edit port2 (ISP) interface.
  2. Set the following information, and select OK.
Alias ISP
IP/Netmask 2002:AC14:7865::/0
Administrative Access HTTPS SSH PING
Description ISP and internet
Administrative Status Up

To configure system information on Router1 – CLI:

config system global set hostname Router1 set gui-ipv6 enable

end config system interface edit port1

set alias internal set allowaccess https ping ssh set description “Internal RnD network” config ipv6

set ip6-address 2002:a0b:6565::/0

end

next edit port2

set alias ISP set allowaccess https ping ssh set description “ISP and internet” config ipv6

set ip6-address 2002:AC14:7865:: end end

To configure system information on Router2 – web-based manager:

  1. Go to Dashboard.
  2. For Host name, select Change.
  3. Enter “Router2”.
  4. Go to System > Feature Visibility.
  5. Enable IPv6 and click Apply.
  6. Go to Network > Interfaces.
  7. Edit port1 (internal) interface.
  8. Set the following information, and select OK.
Alias internal
IP/Netmask 2002:A0B:6566::/0
Administrative Access HTTPS SSH PING
Description Internal RnD network
Administrative Status Up
  1. Edit port2 (ISP) interface.
  2. Set the following information, and select OK.
Alias ISP
IP/Netmask 2002:AC14:7866::/0
Administrative Access HTTPS SSH PING
Description ISP and internet
Administrative Status Up

To configure system information on Router2 – CLI:

config system global set hostname Router2 set gui-ipv6 enable

end config system interface edit port1

set alias internal set allowaccess https ping ssh set description “Internal RnD network” config ipv6

set ip6-address 2002:a0b:6566::/0

end

next edit port2

set alias ISP set allowaccess https ping ssh set description “ISP and internet” config ipv6 set ip6-address 2002:AC14:7866:: end

end

Configuring RIPng on FortiGate units

Now that the interfaces are configured, you can configure RIPng on the FortiGate units.

There are only two networks and two interfaces to include — the internal network, and the ISP network. There is no redistribution, and no authentication. In RIPng there is no specific command to include a subnet in the RIP broadcasts. There is also no information required for the interfaces beyond including their name.

As this is a CLI only configuration, configure the ISP router and the other FortiGate unit as neighbors. This was not part of the previous example as this feature is not offered in the web-based manager. Declaring neighbors in the configuration like this will reduce the discovery traffic when the routers start up.

Since RIPng is not supported in the web-based manager, this section will only be entered in the CLI.

To configure RIPng on Router1 – CLI:

config router ripng config interface edit port1 next edit port2 end

config neighbor

edit 1 set interface port1 set ipv6 2002:a0b:6566::/0

next edit 2 set interface port2 set ipv6 2002:AC14:7805::/0

end

To configure RIPng on Router2 – CLI:

config router ripng config interface edit port1 next edit port2 end

config neighbor

edit 1 set interface port1 set ipv6 2002:a0b:6565::/0

next edit 2 set interface port2 set ipv6 2002:AC14:7805::/0 end

Configuring other network devices

The other devices on the internal network all support IPv6, and are running RIPng where applicable. They only need to know the internal interface network addresses of the FortiGate units.

The ISP routers need to know the FortiGate unit information such as IPv6 addresses.

Testing the configuration

In addition to normal testing of your network configuration, you must also test the IPv6 part of this example.

For troubleshooting problems with your network, see the FortiOS Handbook Troubleshooting chapter.

Testing the IPv6 RIPng information

There are some commands to use when checking that your RIPng information is correct on your network. These are useful to check on your RIPng FortiGate units on your network. Comparing the output between devices will help you understand your network better, and also track down any problems.

diagnose ipv6 address list

View the local scope IPv6 addresses used as next-hops by RIPng on the FortiGate unit.

diagnose ipv6 route list

View ipv6 addresses that are installed in the routing table.

get router info6 routing-table

View the routing table. This information is almost the same as the previous command (diagnose ipv6 route list) however it is presented in an easier to read format. get router info6 rip interface external

View brief output on the RIP information for the interface listed. The information includes if the interface is up or down, what routing protocol is being used, and whether passive interface or split horizon are enabled.

get router info6 neighbor-cache list

View the IPv6/MAC address mapping. This also displays the interface index and name associated with the address.

Debugging IPv6 on RIPng

The debug commands are very useful to see what is happening on the network at the packet level. There are a few changes to debugging the packet flow when debugging IPv6.

The following CLI commands specify both IPv6 and RIP, so only RIPng packets will be reported. The output from these commands will show you the RIPng traffic on your FortiGate unit including RECV, SEND, and UPDATE actions.

The addresses are in IPv6 format.

diagnose debug enable diagnose ipv6 router rip level info diagnose ipv6 router rip all enable These three commands will:

Turn on debugging in general

Set the debug level to information, a verbose reporting level

Turn on all RIP router settings

Part of the information displayed from the debugging is the metric (hop count). If the metric is 16, then that destination is unreachable since the maximum hop count is 15.

In general, you should see an update announcement, followed by the routing table being sent out, and a received reply in response.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.