Redundancy between PPPoE and Static Interface in Firewall
This article explains how the FortiGate routes traffic with two static default routes, depending on the combination of administrative distance, priority, and whether a Policy Based Route is present.
Description
Network scenario used for this example:
                              [ FortiGate ]
[ PC ] -- LAN ------ [ switch        port16 ] --- ISP1 (192.168.182.0/23)
(10.160.0.0/16)      [               port13 ] --- ISP2 (172.31.224.0/23)
Note: the "priority" parameter is used in situations where a static route needs to be present on an interface so that incoming traffic on that interface is accepted and passes the RPF check (anti-spoofing). Please check the related articles for more details.
Preferences:
- Priority preference: the lowest value is preferred for the routing table
- Distance preference: the lowest value is preferred for the routing table
Scope
- All FortiGate models
- FortiOS 4.1 and above
- NAT mode only
Solution
Scenario 1: same distance, same priority.
Configuration example:
config router static
edit 1
set device "port16"
set gateway 192.168.183.254
next
edit 2
set device "port13"
set gateway 172.31.225.254
next
end
The routing table contains the two static routes and ECMP will be applied (see the related article about ECMP):
FGT# get router info routing-table static
S*      0.0.0.0/0 [10/0] via 172.31.225.254, port13
                  [10/0] via 192.168.183.254, port16
Verify the egress interface with a sniffer trace while pinging 10.70.202.225 from the PC:
FGT# diagnose sniffer packet any "icmp" 4
6.748817 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
6.748858 port16 out 192.168.182.200 -> 10.70.202.225: icmp: echo request
Scenario 2: different distance, same priority.
Configuration example:
config router static
edit 1
set device "port16"
set gateway 192.168.183.254
next
edit 2
set device "port13"
set distance 5
set gateway 172.31.225.254
next
end
The routing table contains only the static route with the lowest distance:
FGT# get router info routing-table static
S*      0.0.0.0/0 [5/0] via 172.31.225.254, port13
Scenario 3a: same distance, different priority.
Configuration example:
config router static
edit 1
set device "port16"
set gateway 192.168.183.254
set priority 2
next
edit 2
set device "port13"
set gateway 172.31.225.254
set priority 5
next
end
The routing table contains the two static routes, but only the one with the lowest priority (port16) is used for routing traffic. The second one is kept so that traffic ingressing port13 is accepted:
FGT# get router info routing-table static
S*      0.0.0.0/0 [10/0] via 192.168.183.254, port16, [2/0]
                  [10/0] via 172.31.225.254, port13, [5/0]
Verify the egress interface with a sniffer trace while pinging 10.70.202.225 from the PC:
FGT# diagnose sniffer packet any "icmp" 4
3.518463 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
3.518481 port16 out 192.168.182.200 -> 10.70.202.225: icmp: echo request
Scenario 3b: same distance, different priority.
Configuration example:
config router static
edit 1
set device "port16"
set gateway 192.168.183.254
set priority 2
next
edit 2
set device "port13"
set gateway 172.31.225.254
set priority 1
next
end
The routing table contains the two static routes, but only the one with the lowest priority (port13) is used for routing traffic. The second one is kept so that traffic ingressing port16 is accepted:
FGT# get router info routing-table static
S*      0.0.0.0/0 [10/0] via 172.31.225.254, port13, [1/0]
                  [10/0] via 192.168.183.254, port16, [2/0]
Verify the egress interface with a sniffer trace while pinging 10.70.202.225 from the PC:
FGT# diagnose sniffer packet any "icmp" 4
2.636176 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
2.636222 port13 out 172.31.224.200 -> 10.70.202.225: icmp: echo request
Scenario 4: same distance, same priority, policy based route
The goal is to route all HTTP traffic over port13.
Configuration example:
config router static
edit 1
set device "port16"
set gateway 192.168.183.254
next
edit 2
set device "port13"
set gateway 172.31.225.254
next
end
config router policy
edit 1
set input-device "switch"
set protocol 6
set start-port 80
set end-port 80
set output-device "port13"
next
end
Note: no gateway is defined in the Policy Based Route above. In this case the FortiGate looks up the best route in the routing table on port13.
The routing table contains the two static routes and ECMP will be applied, except for the traffic matching the Policy Based Route, which is routed on port13:
FGT# get router info routing-table static
S*      0.0.0.0/0 [10/0] via 172.31.225.254, port13
                  [10/0] via 192.168.183.254, port16
Scenario 5: same distance, different priority, policy based route
The goal is to verify that all HTTP traffic is routed over port13 even though the static route priority on this interface is less preferred than on port16.
Configuration example:
config router static
edit 1
set device "port16"
set gateway 192.168.183.254
set priority 2
next
edit 2
set device "port13"
set gateway 172.31.225.254
set priority 5
next
end
config router policy
edit 1
set input-device "switch"
set protocol 6
set start-port 80
set end-port 80
set output-device "port13"
next
end
Note: no gateway is defined in the Policy Based Route above. In this case the FortiGate looks up the best route in the routing table on port13.
The routing table contains the two static routes, but only the one with the lowest priority (port16) is used for routing traffic, except for the traffic matching the Policy Based Route, which is routed over port13:
FGT# get router info routing-table static
S*      0.0.0.0/0 [10/0] via 192.168.183.254, port16, [2/0]
                  [10/0] via 172.31.225.254, port13, [5/0]
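To make the selection rules of the five scenarios above checkable side by side, here is a small Python model of them. It is an added example and not FortiOS code: it only reproduces the behaviour the article shows (lowest distance is installed, lowest priority among installed routes forwards, equal priority gives ECMP, a Policy Based Route without gateway uses the best route on its output device, and a non-forwarding route still lets ingress traffic pass RPF). The gateways, interface names and the TCP/80 policy route are the article's; the default values 10 and 0 for distance and priority, the ordering of lines in the rendered table, and the fallback to normal routing when the policy route's output device has no route are assumptions, marked in the code.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    device: str
    gateway: str
    distance: int = 10   # assumed FortiOS default distance for a static route
    priority: int = 0    # assumed FortiOS default priority


@dataclass(frozen=True)
class PolicyRoute:
    input_device: str
    protocol: int        # IP protocol number, 6 = TCP
    start_port: int
    end_port: int
    output_device: str   # no gateway: the best route on this device is used


@dataclass(frozen=True)
class Packet:
    ingress: str
    protocol: int
    dst_port: Optional[int] = None   # None for ICMP


def installed_routes(routes: List[StaticRoute]) -> List[StaticRoute]:
    """Scenario 2: only the default route(s) with the lowest distance reach the routing table."""
    if not routes:
        return []
    best = min(r.distance for r in routes)
    return [r for r in routes if r.distance == best]


def forwarding_routes(routes: List[StaticRoute]) -> List[StaticRoute]:
    """Scenarios 1 and 3: of the installed routes, only those with the lowest priority forward;
    several with the same priority means ECMP across them."""
    installed = installed_routes(routes)
    if not installed:
        return []
    best = min(r.priority for r in installed)
    return [r for r in installed if r.priority == best]


def rpf_accepts(routes: List[StaticRoute], ingress: str) -> bool:
    """Anti-spoofing (RPF): ingress is accepted when an installed route points out of that
    interface, even one that is not used for forwarding (the article's note on priority)."""
    return any(r.device == ingress for r in installed_routes(routes))


def egress_devices(routes: List[StaticRoute], policies: List[PolicyRoute], pkt: Packet) -> List[str]:
    """Interface(s) the packet leaves on: a matching policy route wins, otherwise the
    forwarding routes (more than one device means ECMP)."""
    for pol in policies:
        if (pol.input_device == pkt.ingress and pol.protocol == pkt.protocol
                and pkt.dst_port is not None
                and pol.start_port <= pkt.dst_port <= pol.end_port):
            # Policy route without gateway: use the best installed route on its output device.
            if any(r.device == pol.output_device for r in installed_routes(routes)):
                return [pol.output_device]
            # Assumption (not stated in the article): with no route on the output device the
            # policy route is skipped and normal routing applies.
            break
    return sorted({r.device for r in forwarding_routes(routes)})


def routing_table_lines(routes: List[StaticRoute]) -> List[str]:
    """Render installed routes as 'get router info routing-table static' shows them in the
    article: priority suffix '[p/0]' only when non-zero; sort order is an assumption."""
    lines = []
    ordered = sorted(installed_routes(routes), key=lambda r: (r.priority, r.device))
    for i, r in enumerate(ordered):
        suffix = f", [{r.priority}/0]" if r.priority else ""
        prefix = "S*      0.0.0.0/0 " if i == 0 else " " * 18
        lines.append(f"{prefix}[{r.distance}/0] via {r.gateway}, {r.device}{suffix}")
    return lines


def two_isp_routes(distance13: int = 10, priority16: int = 0, priority13: int = 0) -> List[StaticRoute]:
    """The article's two default routes, with the knobs each scenario changes."""
    return [StaticRoute("port16", "192.168.183.254", 10, priority16),
            StaticRoute("port13", "172.31.225.254", distance13, priority13)]


HTTP_TO_PORT13 = [PolicyRoute("switch", 6, 80, 80, "port13")]   # the article's policy route
PING = Packet("switch", 1)        # ICMP echo, as in the article's sniffer traces
HTTP = Packet("switch", 6, 80)

if __name__ == "__main__":
    for name, routes, pols in [
        ("1 same distance, same priority", two_isp_routes(), []),
        ("2 distance 5 on port13", two_isp_routes(distance13=5), []),
        ("3a priority 2 vs 5", two_isp_routes(priority16=2, priority13=5), []),
        ("3b priority 2 vs 1", two_isp_routes(priority16=2, priority13=1), []),
        ("4 ECMP + policy route", two_isp_routes(), HTTP_TO_PORT13),
        ("5 priority 2 vs 5 + policy route", two_isp_routes(priority16=2, priority13=5), HTTP_TO_PORT13),
    ]:
        print(f"Scenario {name}: ping -> {egress_devices(routes, pols, PING)}, "
              f"http -> {egress_devices(routes, pols, HTTP)}")
        print("\n".join(routing_table_lines(routes)))
```

Running the script prints, for each scenario, the egress interface(s) for a ping and for HTTP together with the rendered routing table, so a change to distance, priority or the policy route can be reasoned through before it is typed into a production FortiGate; the `rpf_accepts` helper shows why the less-preferred route in scenarios 3a, 3b and 5 still has to stay in the table.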