Created on 09-06-2019 04:19 AM Edited on 06-08-2022 02:28 PM By Anonymous
Description
This article shows an example on how to route traffic from specific source to one member of the SD-WAN.
Solution
Configuration example:
In this configuration example, traffic coming from 'subnet' will be routed to port1.
Only in case of link or interface failure will the traffic from 'subnet' be routed to port2.
1) Create the address object:

    config firewall address
        edit subnet
            set subnet 192.168.1.1 255.255.255.0
        next
    end

2) Configure the SD-WAN members.

3) Configure the Performance SLA.

4) Configure the SD-WAN rule in the CLI with mode manual, including only the preferred member:

    config system virtual-wan-link
        config service
            edit 1
                set name subnet-to-port1
                set mode manual
                set member 1
                set dst all
                set src subnet
            next
        end
    end

The resulting configuration should be as below:

    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "port1"
                set gateway 10.1.1.2
            next
            edit 2
                set interface "port2"
                set gateway 20.2.2.2
            next
        end
        config health-check
            edit "8.8.8.8"
                set server "8.8.8.8"
                set members 1 2
            next
        end
        config service
            edit 1
                set name "subnet-to-port1"
                set member 1
                set dst "all"
                set src "subnet"
            next
        end
    end

5) Generate traffic from 'subnet' to verify that it is using the correct interface.

To verify, run a sniffer to capture the traffic coming from 'subnet':

    4.979750 port1 out 10.1.1.1 -> 8.8.4.4: icmp: echo request
    4.981440 port1 in 8.8.4.4 -> 10.1.1.1: icmp: echo reply
    4.981444 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
    5.996049 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request
    5.996053 port1 out 10.1.1.1 -> 8.8.4.4: icmp: echo request
    5.997690 port1 in 8.8.4.4 -> 10.1.1.1: icmp: echo reply
    5.997692 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
    7.027688 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request

If the link fails, the SD-WAN rule is ignored and the traffic is routed to port2.

To verify, run a sniffer to capture the traffic coming from 'subnet':

    3.368375 port2 out 20.2.2.1 -> 8.8.4.4: icmp: echo request
    203.370026 port2 in 8.8.4.4 -> 20.2.2.1: icmp: echo reply
    203.370029 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
    204.384004 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request
    204.384006 port2 out 20.2.2.1 -> 8.8.4.4: icmp: echo request
    204.385619 port2 in 8.8.4.4 -> 20.2.2.1: icmp: echo reply
    204.385622 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
    205.400076 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request
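Reading the sniffer output by eye works for a handful of packets; for a longer capture it helps to check automatically which SD-WAN member actually carried the traffic. The script below is an added example, not part of the article: it parses lines in the same format as the sniffer output above and reports whether every outbound echo request from 'subnet' left on the expected member (port1) or whether traffic has moved to another member such as port2. It assumes the LAN-side interface is named "mgmt" as in the captures above, and the two captures embedded in it are constructed from those lines.

```python
import re
from collections import Counter

# One line of 'diagnose sniffer packet' output, e.g.
# "4.979750 port1 out 10.1.1.1 -> 8.8.4.4: icmp: echo request"
SNIFFER_LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):\s*icmp:\s*echo\s+(?P<kind>request|reply)"
)

# Constructed captures in the same format as the article's sniffer output.
NORMAL_CAPTURE = """\
4.979750 port1 out 10.1.1.1 -> 8.8.4.4: icmp: echo request
4.981440 port1 in 8.8.4.4 -> 10.1.1.1: icmp: echo reply
4.981444 mgmt out 8.8.4.4 -> 192.168.1.1: icmp: echo reply
5.996049 mgmt in 192.168.1.1 -> 8.8.4.4: icmp: echo request
5.996053 port1 out 10.1.1.1 -> 8.8.4.4: icmp: echo request
"""
FAILOVER_CAPTURE = """\
3.368375 port2 out 20.2.2.1 -> 8.8.4.4: icmp: echo request
203.370026 port2 in 8.8.4.4 -> 20.2.2.1: icmp: echo reply
204.384004 mgmt in 192.168.1.1-> 8.8.4.4: icmp: echo request
204.384006 port2 out 20.2.2.1 -> 8.8.4.4: icmp: echo request
"""

def parse_sniffer(text):
    """Parse capture lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(SNIFFER_LINE.match, text.splitlines()) if m]

def egress_members(packets, lan_iface):
    """Count echo requests leaving on each WAN member. The LAN-side line is
    excluded by interface name rather than source address, because the FortiGate
    source-NATs the packet to the member's address on the way out."""
    counts = Counter()
    for p in packets:
        if p["dir"] == "out" and p["kind"] == "request" and p["iface"] != lan_iface:
            counts[p["iface"]] += 1
    return counts

def check_expected_member(text, lan_iface, expected_iface):
    """Return (ok, per-interface counts). ok is True only when every outbound
    request used expected_iface; any other member means the rule did not apply
    or the member has failed over."""
    counts = egress_members(parse_sniffer(text), lan_iface)
    strays = [i for i in counts if i != expected_iface]
    return (not strays and counts[expected_iface] > 0, dict(counts))

if __name__ == "__main__":
    print(check_expected_member(NORMAL_CAPTURE, "mgmt", "port1"))    # (True, {'port1': 2})
    print(check_expected_member(FAILOVER_CAPTURE, "mgmt", "port1"))  # (False, {'port2': 2})
```

Feed it the saved output of the sniffer run from step 5; a False result with port2 in the counts is the failover condition described above.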