Configuration recommendation
- January 26, 2016
- 1 reply
- 5104 views
Hello,
I keep bouncing between using VDOMs or Policies to accomplish my end goals.
My concerns are:
- LAN traffic interfering with VoIP services
- WAN failover functionality
- VPN (IPSec/SSL) load on interface
- Traffic routing and shaping
One suggestion is to set up 3 VDOMs with a VDOM link between the LAN and VPN networks. This allows me to set up failover on the LAN network from WAN1 to WAN2. Also, I can then set up VoIP to use WAN2 and fail over to WAN1 if needed. I'm told there shouldn't be any noticeable latency with data across the VDOM link. I end up using a lot of physical ports, but the 100D has plenty.
The second option looks simpler, but it also puts a lot of faith in policies to route and separate traffic. I would set up two groups of interfaces into separate hardware switches (OS 5.4 feature), using the WAN1 and WAN2 interfaces to make the failover configuration but also adding a WLLB policy to direct VoIP traffic to WAN2 (if WAN2 fails, the WLLB will fail over to WAN1). Then I can either add a second IP to WAN1 (or use 1 IP for everything) for VPN connections. Then route, shape and configure traffic based on policies and features of the FortiGate OS.
Both options seem sound, but does anyone have a reason to use one method or the other? I'm attaching a couple of visual layouts (in two posts) to help demonstrate the two options.
Thanks for your input.
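The three-VDOM layout with a VDOM link from option 1, sketched in FortiOS CLI as an added example (not from the original post). It assumes multi-VDOM mode is already enabled, that wan1/wan2 have been assigned to the LAN VDOM, and that the VDOM names, link name and addresses are placeholders:

```fortios
# Added example: three VDOMs, assumed names LAN (data), VOIP and VPN
config vdom
    edit LAN
    next
    edit VOIP
    next
    edit VPN
    next
end

# Inter-VDOM link between LAN and VPN. Creating the link produces two
# interfaces, <name>0 and <name>1; one end goes in each VDOM
# (assumed /30 addressing on the link)
config global
    config system vdom-link
        edit LAN2VPN
        next
    end
    config system interface
        edit LAN2VPN0
            set vdom LAN
            set ip 10.255.0.1 255.255.255.252
        next
        edit LAN2VPN1
            set vdom VPN
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

# LAN VDOM: WAN1 primary, WAN2 backup. Both default routes keep the
# same distance so both stay in the routing table; the lower
# priority value (wan1) is preferred until that link goes down
# (gateway addresses are placeholders)
config vdom
    edit LAN
        config router static
            edit 1
                set device wan1
                set gateway 203.0.113.1
                set priority 5
            next
            edit 2
                set device wan2
                set gateway 198.51.100.1
                set priority 10
            next
        end
    next
end
```

Traffic between the LAN and VPN VDOMs still needs firewall policies on both LAN2VPN0 and LAN2VPN1, since each end is treated like any other interface in its VDOM.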
