Sophos XG Firewall Web Interface Reference and Admin Guide v16.5

| Configure | 348

IPv6 Router Advertisement

Address Assignment for IPv6 Devices

IPv6 clients are assigned an IP address through:

• DHCP for IPv6

• Stateless address auto configuration (SLAAC)

DHCP for IPv6

Similar to IPv4, IPv6 can use DHCP to assign IP addresses to any clients. The device can be configured to be a stateful DHCP server. The DHCP server is responsible for assigning the IP address to the client and for keeping a record of all clients and the IPv6 addresses assigned to them.

Stateless Address Auto Configuration

The IPv6 protocol supports address auto configuration for stateless addresses. IPv6 devices automatically create unique link-local addresses for IPv6 enabled interfaces, and clients use router advertisement messages to configure their own IP address automatically.

Router Advertisement

The device acting as a router has the ability to participate in stateless auto configuration (SLAAC) and by default provides a IPv6 address and a default gateway to the client.

When the device interface is connected to a network and enabled, the host may send out an ICMPv6 (type 135)

Router Solicitation (RS) message that requests the device to generate Router Advertisement (RA) immediately instead of waiting until their next scheduled time. On receiving the RS message, the device immediately sends an ICMPv6

(type 134) router advertisement (RA) message announcing the state of its availability. Router advertisements include information about which method to be used for address assignment, prefixes used for on-link determination and/or address configuration, hop limit value, several flag status, etc. The critical parameters can be administered centrally and if necessary, can be propagated automatically to all hosts on the network. The device advertises information about various interfaces and Internet parameters either periodically or in response to the RS message, informing all the nodes on the network about any modification regarding addressing information. Thus, Router advertisement (along with prefix flags) permits simple stateless auto configuration and guides a host in generating an address using autoconfiguration.

Note: You can also view and manage the router advertisement service status on the Monitor & Analyze >

Diagnostics > Services page.

Configure IPv6 Router Advertisement settings

You can configure the router advertisement settings for an interface from this page.

1. Go to Configure > Network > IPv6 Router Advertisement and click Add.

2. Enter details for the General Settings.

Interface

Select an interface for router advertisement.

All IPv6 enabled physical interfaces, LAG, VLAN and bridge interfaces can be selected.

Description

Enter a description for the interface to be selected for router advertisement.

Min Advertisement Interval

Specify the minimum time interval in seconds between two consecutive unsolicited router advertisement messages sent to the clients.

Acceptable range: 3 to 1350 seconds

Default: 198 seconds

If the Max Advertisement Interval is 9 seconds or above, then the Min Advertisement Interval must be: 0.75 * maximum advertisement interval.

Max Advertisement Interval

Specify the maximum time interval in seconds between two consecutive unsolicited router advertisement messages sent to the clients.

Acceptable Range: 4 to 1800 seconds

Default: 600 seconds

Managed Flag

Select to set the managed flag. When this flag is set, IPv6 addresses are obtained from the DHCPv6 server.

By default, this flag is not selected.

Note: The option must be selected only if a DHCPv6 Server is available else IPv6 clients would not get IPv6 addresses

Other Flag

Select to set the other flag. When this flag is set, the DHCPv6 client obtains other network parameters such as DNS server, domain name, NIS, NISP, SIP, SNTP, and BCMS servers from the

DHCPv6 server.

Note: This option must be selected only if a DHCPv6 server is available.

Default Gateway

Select to use the device as default gateway for communication with the client.

Life Time

Specify the time in seconds to be used for router advertisement as a default gateway at the client end.

The value specified should be between the value specified for Max Advertisement Interval and

9000 seconds.

Default: 1800 seconds

Prefix Advertisement Configuration

Prefix Advertisement includes zero or more prefix options containing information that the default gateway advertises. This information is used by stateless address auto configuration to auto-generate a global IPv6 address. Prefix advertisement has its own list of attributes:

Prefix / 64

Provide the first 64 bits of the IPv6 address.

The interface uses this prefix information from the router advertisement message to determine the last 64 bits (interface identifier) of its 128-bit IPv6 address.

The first 64 bits (higher order bits) of the IPv6 address so provided, specify the network, while the remaining specify a particular address in the network. Hence, IPv6 addresses in one network have the same first 64 bits and are called “prefix”.

On-link

Select to set the prefix to be “On-link”. With the attribute On-link set, the devices with IPv6 addresses that are within this prefix are reachable on the subnet without a need of a router.

By default, this flag is set.

Autonomous

Select to set the prefix attribute Autonomous. On being set, the global IPv6 address is automatically generated by appending the 64 bit interface identifier to the prefix (prefix /64) advertised in the prefix information.

| Configure | 349

Only those prefixes that has the Autonomous flag set gets a stateless address auto configuration

(SLAAC) IPv6 address.

By default, the flag is set.

Preferred Life Time

Specify the time in minutes for a valid address to remain in the preferred state. The use of the preferred address is unlimited.

On expiry of the valid life time, the preferred address becomes deprecated. The use of the deprecated address must be avoided, however, it is not forbidden and can be continued to be used as source address for an existing communication.

The IPv6 address will continue to remain in the preferred state as long as it is refreshed by prefixes in the router advertisement or by any other means or are renewed by DHCPv6.

Acceptable values: 0 to 71582789 minutes

Default: 240 minutes

Specify the attribute value as “-1” for an infinite preferred life time.

Valid Life Time

Specify the time in minutes for an address to remain in the valid state.

This value determines the time for an address to be in the valid state. Until the time expires, the prefix is considered to be on-link and auto-configured addresses using the prefix can be used.

On expiry of the valid life time, the IPv6 address becomes invalid and cannot be used to send or receive traffic.

Acceptable range: 0 to 71582789 minutes

Default: 1440 minutes

Specify the attribute value as “-1” for an infinite valid life time.

Use the and icons to add or remove a prefix.

Note: The value of attribute Valid Life Time must be greater than or equal to value of Preferred Life Time.

| Configure | 350

Figure 346: General Settings

3. Enter the details for the Advanced Settings

Using the network discovery protocol (NDP) devices on the same interface discover the presence of each other and the respective link-layer addresses, find gateway routers and maintain the reachability information about the active paths to the peers.