Configure IPv6 Neighbor Discovery

The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and keep track of neighboring routers.

Nodes (hosts) use neighbor discovery to determine the link-layer addresses for neighbors known to reside on attached links and to quickly purge cached values that become invalid. Hosts also use neighbor discovery to find neighboring routers that are willing to forward packets on their behalf. In addition, nodes use the protocol to actively keep track of which neighbors are reachable and which are not, and to detect changed link-layer addresses. When a router or the path to a router fails, a host actively searches for functioning alternates.

Before you begin

Supported in Routed mode only. For IPv6 neighbor settings supported in transparent mode, see Configure a Global IPv6 Address.

Procedure


Step 1

Select Devices > Device Management and click Edit (edit icon) for your Firewall Threat Defense device. The Interfaces page is selected by default.

Step 2

Click Edit (edit icon) for the interface you want to edit.

Step 3

Click IPv6, and then Prefixes.

Step 4

(Optional) To configure which IPv6 prefixes are included in IPv6 router advertisements, perform the following steps:

  1. Click (add icon)Add Prefix.

  2. In the Address field, enter the IPv6 address with the prefix length or check the Default check box to use the default prefix.

  3. (Optional) Uncheck the Advertisement check box to indicate that the IPv6 prefix is not advertised. For the Default prefix, this setting only applies to on-link prefixes. Off-link prefixes will still be advertised unless you uncheck Advertisement for a specific off-link prefix.

  4. Check the Off Link check box to indicate that the specified prefix is assigned to the link. Nodes sending traffic to addresses that contain the specified prefix consider the destination to be locally reachable on the link. This prefix should not be used for on-link determination.

  5. To use the specified prefix for autoconfiguration, check the Autoconfiguration check box.

  6. For the Prefix Lifetime, click Duration or Expiration Date.

    • Duration—Enter a Preferred Lifetime for the prefix in seconds. This setting is the amount of time that the specified IPv6 prefix is advertised as being valid. The maximum value represents infinity. Valid values are from 0 to 4294967295. The default is 2592000 (30 days). Enter a Valid Lifetime for the prefix in seconds. This setting is the amount of time that the specified IPv6 prefix is advertised as being preferred. The maximum value represents infinity. Valid values are from 0 to 4294967295. The default setting is 604800 (seven days). Alternatively, check the Infinite check box to set an unlimited duration.

    • Expiration Date—Choose a Valid and Preferred date and time.

  7. Click OK.

Step 5

Click Settings.

IPv6 Settings

Step 6

(Optional) Set the maximum number of DAD attempts, between 1 and 600. The default is 1 attempt. Set the value to 0 to disable duplicate address detection (DAD) processing.

This setting configures the number of consecutive neighbor solicitation messages that are sent on an interface while DAD is performed on IPv6 addresses.

During the stateless autoconfiguration process, Duplicate Address Detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces.

When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not used, and the following error message is generated:


325002: Duplicate address ipv6_address/MAC_address on interface

If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface. If the duplicate address is a global address, the address is not used.

Step 7

(Optional) Configure the interval between IPv6 neighbor solicitation retransmissions in the NS Interval field, between 1000 and 3600000 ms.

The default value is 1000 ms.

Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to discover the link-layer addresses of other nodes on the local link. After receiving a neighbor solicitation message, the destination node replies by sending a neighbor advertisement message (ICMPv6 Type 136) on the local link.

After the source node receives the neighbor advertisement, the source node and destination node can communicate. Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer address of a neighbor is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor.

Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node on a local link.

Step 8

(Optional) Configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred in the Reachable Time field, between 0 and 3600000 ms.

The default value is 0 ms. When 0 is used for the value, the reachable time is sent as undetermined. It is up to the receiving devices to set and track the reachable time value.

The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times detect unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.

Step 9

(Optional) To suppress the router advertisement transmissions, uncheck the Enable RA check box. If you enable router advertisement transmissions, you can set the RA lifetime and interval.

Router advertisement messages (ICMPv6 Type 134) are automatically sent in response to router solicitation messages (ICMPv6 Type 133). Router solicitation messages are sent by hosts at system startup so that the host can immediately autoconfigure without needing to wait for the next scheduled router advertisement message.

You may want to disable these messages on any interface for which you do not want the Firewall Threat Defense to supply the IPv6 prefix (for example, the outside interface).

  • RA Lifetime—Configure the router lifetime value in IPv6 router advertisements, between 0 and 9000 seconds.

    The default is 1800 seconds.

  • RA Interval—Configure the interval between IPv6 router advertisement transmissions, between 3 and 1800 seconds.

    The default is 200 seconds.

    To prevent synchronization with other IPv6 nodes, the firewall randomly adjusts the value that you set (jitter).

Step 10

(Optional) Configure the Recursive DNS Server (RDNSS) option to advertise a list of DNS servers to IPv6 clients.

This option is useful for clients that use SLAAC instead of DHCPv6 for their addressing. Note that if you enabled the prefix delegation client on the Firewall Threat Defense, you can alternatively pass along the DNS server information that the Firewall Threat Defense received using the Firewall Threat Defense's DHCPv6 stateless server. If you configure both methods, the client will receive both sets of servers.

  1. In the DNS Servers area, click Add DNS Server.

    Add a DNS Server
  2. Enter the DNS Server IPv6 Address.

  3. Enter the maximum Lifetime, in seconds, that the DNS server will be used for name resolution, between 200 and 4294967295. If you set the value to 0, the entry will not be used. If you set the value to 4294967295, the entry will never expire. The default is 3 x the maximum RA interval. The value must be greater than or equal to the RA Interval.

  4. Click OK.

  5. Repeat for up to 8 servers.

    The servers are advertised in the order you add them.

Step 11

(Optional) Configure the DNS Search List (DNSSL) option to advertise a list of search domains to IPv6 clients.

This option is useful for clients that use SLAAC instead of DHCPv6 for their addressing. Note that if you enabled the prefix delegation client on the Firewall Threat Defense, you can alternatively pass along the DNS domain that the Firewall Threat Defense received using the Firewall Threat Defense's DHCPv6 stateless server. If you configure both methods, the client will receive both sets of domains.

  1. In the Router Advertisement DNS-SEARCH-LIST area, click Add.

    Add a Domain for Search
  2. Enter the Domain Name.

  3. Enter the maximum Lifetime, in seconds, that the domain will be used, between 200 and 4294967295. If you set the value to 0, the entry will not be used. If you set the value to 4294967295, the entry will never expire. The default is 3 x the maximum RA interval. The value must be greater than or equal to the RA Interval.

  4. Click OK.

  5. Repeat for up to 5 domains.

    The domains are advertised in the order you add them.
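As an added example (not part of this document or of the Firewall Threat Defense software), the following Python decoder shows how the settings from Steps 8 through 11 appear on the wire in a Router Advertisement, so you can capture an RA on a segment and confirm that the advertised prefix, lifetimes, RDNSS servers and search list match what you deployed; an RA that disagrees is worth investigating as a rogue or stale router. The layout follows RFC 4861 and RFC 8106; the sample bytes, prefix and addresses are constructed, and the decoder assumes the ICMPv6 checksum was already validated by the capture tool.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS, OPT_DNSSL = 3, 25, 31

def _dns_names(buf):
    """Decode the zero-padded DNS wire-format names carried in a DNSSL option."""
    names, cur, i = [], [], 0
    while i < len(buf):
        n = buf[i]; i += 1
        if n == 0:                      # end of one name (or trailing padding)
            if cur:
                names.append(".".join(cur)); cur = []
            continue
        cur.append(buf[i:i + n].decode("ascii")); i += n
    return names

def parse_ra(pkt):
    """Decode an ICMPv6 RA (checksum not verified) into the fields the IPv6 Settings page controls."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _hop, flags, lifetime, reach, retrans = struct.unpack("!BBHII", pkt[4:16])
    ra = {"router_lifetime": lifetime, "reachable_time_ms": reach, "ns_interval_ms": retrans,
          "managed": bool(flags & 0x80), "prefixes": [], "rdnss": [], "dnssl": []}
    i = 16
    while i + 2 <= len(pkt):
        typ, ln = pkt[i], pkt[i + 1] * 8
        if ln == 0 or i + ln > len(pkt):    # RFC 4861: zero-length or truncated options are invalid
            raise ValueError("malformed option")
        body = pkt[i + 2:i + ln]
        if typ == OPT_PREFIX_INFO and ln == 32:
            plen, pflags, valid, pref = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                                   "on_link": bool(pflags & 0x80), "autoconfig": bool(pflags & 0x40),
                                   "valid": valid, "preferred": pref})
        elif typ == OPT_RDNSS:             # RFC 8106: reserved(2) lifetime(4) then 16-byte addresses
            ra["rdnss"].append({"lifetime": struct.unpack("!I", body[2:6])[0],
                                "servers": [str(ipaddress.IPv6Address(body[j:j + 16]))
                                            for j in range(6, len(body) - 15, 16)]})
        elif typ == OPT_DNSSL:
            ra["dnssl"].append({"lifetime": struct.unpack("!I", body[2:6])[0],
                                "domains": _dns_names(body[6:])})
        i += ln
    return ra

# Constructed sample RA (not captured from a real device): the page's default timers, one
# on-link + autoconfig prefix, one RDNSS server and one DNSSL domain (all values assumed).
SAMPLE_RA = (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 1000)
             + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
             + ipaddress.IPv6Address("2001:db8:1::").packed
             + struct.pack("!BBHI", 25, 3, 0, 600) + ipaddress.IPv6Address("2001:db8::53").packed
             + struct.pack("!BBHI", 31, 3, 0, 600) + b"\x07example\x03net\x00" + b"\x00" * 3)
```

Feed `parse_ra` the ICMPv6 payload of each RA seen in a capture and compare the result against the values you configured; a second router, a different prefix, or an unexpected RDNSS server on a client segment is the signature of a rogue RA.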

Step 12

Click OK.

Step 13

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.