Redundancia de Enlaces

7/27/2019 Redundancia de Enlaces

http://slidepdf.com/reader/full/redundancia-de-enlaces 1/18

Confidential

FortiGate Multi-Threat Security Systems

Dual Internet Links

INTEGRAT-e

Ing. Raúl Pastrana M.

Technical Support Fortinet

[email protected]

(55) 8000 6430

mailto:[email protected]






Agenda

• Routing Information

– Routing Table

– Route Elements

– Policy Based Routing

• Configuring Dual Internet Links

– Design Scenario #1: Link Redundancy (only)

– Design Scenario #2: Load Sharing (only)

– Design Scenario #3: Link Redundancy and Load Sharing

• FortiAnalyzer

– Generating a User Report



Routing Table

• Provides information when FortiGate unit

needs to forward a packet

• Routes configured manually

– Static routes

• Routes configured dynamically

– Open Shortest Path First

–

Border Gateway Protocol – Routing Information Protocol



Viewing Routing Information

• Display Forwarding Information Base (FIB)– diagnose ip route list

– Contains all local and non-local routes known to

and reachable to the device

– Populated by routing table and accessed by kernel




• Also view routing table in Web Config




• Display Routing Information Base

– get router info routing-table all

• Routing table may contain several entries that

match a specific route – Always choose the most specific route (entry with

longest mask)

– Route distance used to determine which protocol

will submit route



Route Elements

• IP address/mask

– Provide address information

• Gateway IP address/interface

– Where packet should be forwarded for IP address

• Distance

– Which routing information included in routing table

•

Metric – Determine route to use when dynamic routes have

same distance



Route Elements

• Priority

– Determines preference of identical static routes,

same distance and same destination

•

Device – Local bound interface for the route

• Dead Gateway Detection

– Detects failure of gateway, adjusts routing table to

use another gateway



Policy-Based Routing

• Routing decisions can be based upon

additional factors:

– Protocol

–

Incoming Interface – Source IP address / Destination IP address

– Destination port / port range

– Type of Service bits

• Route traffic differently for each application

• If no matching routing policy, FortiGate unit

routes packet using the routing table



Policy-Based Routing

• The protocol field must contain a valid IANAprotocol number:

– www.iana.org/assignments/protocol-numbers

– 0 to indicate all protocols

– 1 ICMP

– 6 TCP

– 17 UDP

–

41 IPv6 – 47 GRE

– 50 ESP

– 51 AH

http://www.iana.org/assignments/protocol-numbers






Route Selection Process

• Route considered only if outgoing interface notdown

• If multiple routes for same subnet, only lowest

distance chosen• For dynamic routes, if multiple routes have

same distance, lowest metric value chosen

• All routes place in routing table, longest prefix

matched first

• Policy routing applied before routing table

lookups



Configuring Dual Internet Links

• There are two separate considerations whenusing two Internet uplinks:

• Link Redundancy and Load Sharing

•

These two features can be combined orimplemented separately



If Internet access is no longer available on one

link, you want traffic to make use of the other link

Link Redundancy (only)

Decisions can be based upon additional factors:

Routing.- You need one default route for each

interfaceDetermining whether link is down (ping

servers).- Define the ping server -a device that will

respond to ping thereby indicating whether that link

is up-Firewall policies.- You must define duplicate

firewall policies to ensure that after traffic fails over,

it is permitted through the firewallhttp://kc.forticare.com/default.asp?id=1768&SID=&Lang=1



You want to make use of both Internet linkssimultaneously but do not have any requirements

for failing traffic over in the event of link failure.

Load Sharing (only)

Firewall policies.- You must define duplicate firewallpolicies to ensure that after traffic fails over, it is

permitted through the firewall

- one default route for the primary link

- direct other traffic over the other link using

specific static routes

http://kc.forticare.com/default.asp?id=1583&SID=&Lang=1



Link Redundancy and Load Sharing

-While both links are available, you want to distributethe Internet traffic over both links. In the event that a

link fails, send all traffic over the active link

-Use default routes with equal distance

-To guarantee that 1 link is always preferred:-Use a default policy route to indicate which interface is the

preferred interface for accessing the Internet

-To redirect traffic over the secondary link:-To make use of the secondary link, you need to use policy routes to

direct some of the traffic onto it rather than onto the primary link

http://kc.forticare.com/default.asp?id=376&SID=&Lang=1



Technical Documentation

• http://docs.fortinet.com/

• http://kc.forticare.com/

• http://www.fortinet.com/products/fortigate/

http://docs.fortinet.com/

http://kc.forticare.com/

http://www.fortinet.com/products/fortigate/

http://www.fortinet.com/products/fortigate/

http://kc.forticare.com/

http://docs.fortinet.com/



Demo LAB

• Forti-WiFi 60B, connected directly to Internet

• Forti-WiFi 60, which includes 2 ports to access

WAN interfaces, WAN1 & WAN2 to simulate two

ISP Links to the Internet (assume wan1=ISP 1

and wan2=ISP 2)

• FortiAnalyzer 400, connected directly to Internet



Thank you for attending

Dual Internet Links

INTEGRAT-e

Ing. Raúl Pastrana M.

Technical Support Fortinet

(55) 8000 6430




Date post:	13-Apr-2018
Category:	Documents
Upload:	mauricio-ch
View:	215 times
Download:	0 times

Redundancia de Enlaces

Documents