Link Redundancy (Redundancia de Enlaces)
Transcript of Redundancia de Enlaces
7/27/2019 Redundancia de Enlaces
http://slidepdf.com/reader/full/redundancia-de-enlaces 1/18
Confidential
FortiGate Multi-Threat Security Systems
Dual Internet Links
INTEGRAT-e
Ing. Raúl Pastrana M.
Technical Support Fortinet
(55) 8000 6430
Agenda
• Routing Information
– Routing Table
– Route Elements
– Policy Based Routing
• Configuring Dual Internet Links
– Design Scenario #1: Link Redundancy (only)
– Design Scenario #2: Load Sharing (only)
– Design Scenario #3: Link Redundancy and Load Sharing
• FortiAnalyzer
– Generating a User Report
Routing Table
• Provides information when FortiGate unit
needs to forward a packet
• Routes configured manually
– Static routes
• Routes configured dynamically
– Open Shortest Path First
– Border Gateway Protocol
– Routing Information Protocol
Viewing Routing Information
• Display Forwarding Information Base (FIB)
– diagnose ip route list
– Contains all local and non-local routes known to
and reachable to the device
– Populated by routing table and accessed by kernel
Viewing Routing Information
• Also view routing table in Web Config
Viewing Routing Information
• Display Routing Information Base
– get router info routing-table all
• Routing table may contain several entries that
match a specific route
– Always choose the most specific route (entry with
longest mask)
– Route distance used to determine which protocol
will submit route
Route Elements
• IP address/mask
– Provide address information
• Gateway IP address/interface
– Where packet should be forwarded for IP address
• Distance
– Determines which routing information is included in routing table
• Metric
– Determines route to use when dynamic routes have
same distance
Route Elements
• Priority
– Determines preference of identical static routes,
same distance and same destination
• Device
– Local bound interface for the route
• Dead Gateway Detection
– Detects failure of gateway, adjusts routing table to
use another gateway
Policy-Based Routing
• Routing decisions can be based upon
additional factors:
– Protocol
– Incoming Interface
– Source IP address / Destination IP address
– Destination port / port range
– Type of Service bits
• Route traffic differently for each application
• If no matching routing policy, FortiGate unit
routes packet using the routing table
Policy-Based Routing
• The protocol field must contain a valid IANA protocol number:
– www.iana.org/assignments/protocol-numbers
– 0 to indicate all protocols
– 1 ICMP
– 6 TCP
– 17 UDP
– 41 IPv6
– 47 GRE
– 50 ESP
– 51 AH
Route Selection Process
• Route considered only if outgoing interface is not down
• If multiple routes for same subnet, only lowest
distance chosen
• For dynamic routes, if multiple routes have
same distance, lowest metric value chosen
• All routes placed in routing table, longest prefix
matched first
• Policy routing applied before routing table
lookups
Configuring Dual Internet Links
• There are two separate considerations when using two Internet uplinks:
• Link Redundancy and Load Sharing
• These two features can be combined or implemented separately
Link Redundancy (only)
If Internet access is no longer available on one
link, you want traffic to make use of the other link
Decisions can be based upon additional factors:
- Routing: You need one default route for each interface
- Determining whether link is down (ping servers): Define the ping server, a device that will
respond to ping, thereby indicating whether that link is up
- Firewall policies: You must define duplicate
firewall policies to ensure that after traffic fails over,
it is permitted through the firewall
http://kc.forticare.com/default.asp?id=1768&SID=&Lang=1
Load Sharing (only)
You want to make use of both Internet links simultaneously but do not have any requirements
for failing traffic over in the event of link failure.
Firewall policies: You must define duplicate firewall policies to ensure that after traffic fails over, it is
permitted through the firewall
- one default route for the primary link
- direct other traffic over the other link using
specific static routes
http://kc.forticare.com/default.asp?id=1583&SID=&Lang=1
Link Redundancy and Load Sharing
- While both links are available, you want to distribute the Internet traffic over both links. In the event that a
link fails, send all traffic over the active link
- Use default routes with equal distance
- To guarantee that 1 link is always preferred:
  - Use a default policy route to indicate which interface is the
preferred interface for accessing the Internet
- To redirect traffic over the secondary link:
  - To make use of the secondary link, you need to use policy routes to
direct some of the traffic onto it rather than onto the primary link
http://kc.forticare.com/default.asp?id=376&SID=&Lang=1
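The route selection process and the combined redundancy and load-sharing design from the slides above, modelled in Python as an added example (not Fortinet code and not part of the original deck). The class and function names, the sample routes and the SMTP policy are constructed for illustration; the model assumes a policy route is skipped when its link is down and that the lower priority value is preferred.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str        # destination network
    device: str        # outgoing interface
    distance: int = 10
    metric: int = 0    # tie-break between dynamic routes of equal distance
    priority: int = 0  # tie-break between identical static routes (assumed: lower wins)

@dataclass
class PolicyRoute:
    in_if: str         # incoming interface
    protocol: int      # IANA protocol number, 0 = all protocols
    dports: range      # destination port range
    device: str        # outgoing interface

def select(dst, up, in_if="internal", protocol=6, dport=443):
    """Return the outgoing interface for a packet, or None if unroutable."""
    # 1. Policy routes are evaluated in order, before the routing table.
    #    Assumption: a policy route whose link is down is skipped.
    for p in POLICIES:
        if (p.in_if == in_if and p.protocol in (0, protocol)
                and dport in p.dports and p.device in up):
            return p.device
    # 2. Only routes whose outgoing interface is up are candidates.
    addr = ipaddress.ip_address(dst)
    live = [r for r in ROUTES
            if r.device in up and addr in ipaddress.ip_network(r.prefix)]
    if not live:
        return None
    # 3. Longest prefix, then lowest distance, metric and priority value.
    best = min(live, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                    r.distance, r.metric, r.priority))
    return best.device

# Constructed sample: design scenario #3, equal-distance defaults, wan1 preferred.
ROUTES = [
    Route("0.0.0.0/0", "wan1"),
    Route("0.0.0.0/0", "wan2", priority=10),
    Route("198.51.100.0/24", "wan2"),
]
POLICIES = [
    PolicyRoute("internal", 6, range(25, 26), "wan2"),    # SMTP via secondary link
    PolicyRoute("internal", 0, range(0, 65536), "wan1"),  # default policy route
]

if __name__ == "__main__":
    for up in ({"wan1", "wan2"}, {"wan2"}, {"wan1"}):
        print(sorted(up), select("203.0.113.9", up), select("203.0.113.9", up, dport=25))
```

The `up` set stands in for the result of dead gateway detection: removing an interface from it shows all traffic converging on the remaining link.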
Technical Documentation
• http://docs.fortinet.com/
• http://kc.forticare.com/
• http://www.fortinet.com/products/fortigate/
Demo LAB
• Forti-WiFi 60B, connected directly to Internet
• Forti-WiFi 60, which includes 2 ports to access
WAN interfaces, WAN1 & WAN2 to simulate two
ISP Links to the Internet (assume wan1=ISP 1
and wan2=ISP 2)
• FortiAnalyzer 400, connected directly to Internet
Thank you for attending