ehamud
Staff
Article Id 290824
Description

This article explains how to have a backup link using a static route when the OSPF protocol has a failure.

Scope

Any FortiSwitch that supports L3 features.
Solution

A floating static route can be used as a backup or failover path when a dynamic routing protocol is not available. By default, the administrative distance of a static route is lower than that of any dynamic routing protocol, so the static route is installed with a higher preference.

 

Consider the topology:

 

OSPFtopology.png

 

A summary of this exercise:

  • FortiSwitch-3 and FortiSwitch-2 run OSPF in Area 0 over VLAN 30. FortiSwitch-2 is also connected to FortiSwitch-1 in Area 1 over VLAN 20.
  • Between FortiSwitch-1 and FortiSwitch-3, there is no routing protocol configured. As a result, when FortiSwitch-3 sends traffic towards FortiSwitch-1, the path is: FortiSwitch-3 – FortiSwitch-2 and finally FortiSwitch-1.
  • After a static route is configured from FortiSwitch-3 to FortiSwitch-1, the traffic path is: FortiSwitch-3 to FortiSwitch-1.
  • The last step is to increase the administrative distance of the static route. It should be higher than the OSPF administrative distance of 110. As a result, the traffic path is again: FortiSwitch-3 – FortiSwitch-2 and finally FortiSwitch-1.
  • A cable will be disconnected to represent a link failure between FortiSwitch-3 and FortiSwitch-2. The destination then remains reachable through the static route.

The VLANs and IP addresses are already configured on FortiSwitch-1 as follows:

 

config system interface
show
    edit "VLAN20-P1"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh
        set snmp-index 13
        set vlanid 20
        set interface "internal"
    next
    edit "VLAN10-P2"
        set ip 192.168.4.2 255.255.255.0
        set allowaccess ping https ssh
        set snmp-index 15
        set vlanid 10
        set interface "internal"
    next

 

The VLANs and IP addresses are already configured on FortiSwitch-2 as follows:

 

config system interface
show
    edit "VLAN20-P2"
        set ip 192.168.2.2 255.255.255.0
        set allowaccess ping https ssh
        set snmp-index 14
        set vlanid 20
        set interface "internal"
    next
    edit "VLAN30-P3"
        set ip 192.168.3.4 255.255.255.0
        set allowaccess ping ssh
        set snmp-index 15
        set vlanid 30
        set interface "internal"
    next

 

The VLANs and IP addresses are already configured on FortiSwitch-3 as follows:

 

config system interface
show
    edit "VLAN10-P1"
        set ip 192.168.4.1 255.255.255.0
        set allowaccess ping https ssh
        set snmp-index 14
        set vlanid 10
        set interface "internal"
    next
    edit "VLAN30-P2"
        set ip 192.168.3.3 255.255.255.0
        set allowaccess ping ssh
        set snmp-index 15
        set vlanid 30
        set interface "internal"
    next

 

The next step is to configure the OSPF areas.

 

Refer to this document for instructions.

 

OSPF FortiSwitch-1 configuration:

 

show
config router ospf
    set router-id 10.11.101.3
    config area
        edit 1.1.1.1
        next
    end
    config interface
        edit "VLAN20-P1"
            set cost 100
            set priority 100
        next
    end
    config network
        edit 1
            set area 1.1.1.1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end

 

OSPF FortiSwitch-2 configuration:

 

config router ospf
show
config router ospf
    set router-id 10.11.101.1
    config area
        edit 0.0.0.0
        next
        edit 1.1.1.1
        next
    end
    config interface
        edit "VLAN30-P3"
            set cost 100
            set priority 100
        next
        edit "VLAN20-P2"
            set cost 100
            set priority 100
        next
    end
    config network
        edit 1
            set area 0.0.0.0
            set prefix 192.168.3.0 255.255.255.0
        next
        edit 2
            set area 1.1.1.1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end

 

OSPF FortiSwitch-3 configuration:

 

show
config router ospf
    set router-id 10.11.101.2
    config area
        edit 0.0.0.0
        next
    end
    config interface
        edit "VLAN30-P2"
            set cost 100
            set priority 100
        next
    end
    config network
        edit 1
            set area 0.0.0.0
            set prefix 192.168.3.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end

 

The routing table can be viewed from each Switch:

 

FortiSwitch-1

 

Now the network 192.168.3.0 is reachable.

 

get router info routing-table
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, T - Table,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup, ^ - HW install failed
       t - trapped, o - offload failure

O    192.168.2.0/24 [110/100] is directly connected, VLAN20-P1, weight 1, 1d21h23m
C>*  192.168.2.0/24 is directly connected, VLAN20-P1, 1d22h00m
O>*  192.168.3.0/24 [110/200] via 192.168.2.2, VLAN20-P1, weight 1, 1d21h23m
O    192.168.4.0/24 [110/10] via 192.168.2.2, VLAN20-P1, weight 1, 1d21h23m
C>*  192.168.4.0/24 is directly connected, VLAN10-P2, 1d21h55m

 

FortiSwitch-2

 

Now the network 192.168.4.0 is reachable.

 

get router info routing-table
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, T - Table,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup, ^ - HW install failed
       t - trapped, o - offload failure

O    192.168.2.0/24 [110/100] is directly connected, VLAN20-P2, weight 1, 1d21h26m
C>*  192.168.2.0/24 is directly connected, VLAN20-P2, 1d22h00m
O    192.168.3.0/24 [110/100] is directly connected, VLAN30-P3, weight 1, 1d21h42m
C>*  192.168.3.0/24 is directly connected, VLAN30-P3, 1d21h52m
O>*  192.168.4.0/24 [110/10] via 192.168.2.1, VLAN20-P2, weight 1, 1d21h25m

 

FortiSwitch-3

 

Now the network 192.168.2.0 is reachable through port2 using VLAN 30 via IP address 192.168.3.4:

 

get router info routing-table
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, T - Table,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup, ^ - HW install failed
       t - trapped, o - offload failure

O>*  192.168.2.0/24 [110/200] via 192.168.3.4, VLAN30-P2, weight 1, 1d21h27m
O    192.168.3.0/24 [110/100] is directly connected, VLAN30-P2, weight 1, 1d21h39m
C>*  192.168.3.0/24 is directly connected, VLAN30-P2, 1d21h51m
O    192.168.4.0/24 [110/10] via 192.168.3.4, VLAN30-P2, weight 1, 1d21h25m
C>*  192.168.4.0/24 is directly connected, VLAN10-P1, 1d21h55m

 

Generate traffic by executing a traceroute from FortiSwitch-3 to the IP address 192.168.2.1, which belongs to FortiSwitch-1. As shown, the traffic goes from FortiSwitch-3 to FortiSwitch-2, and finally to FortiSwitch-1:

 

execute traceroute 192.168.2.1
traceroute to 192.168.2.1 (192.168.2.1), 32 hops max, 3 probe count, 5 timeout, 84 byte packets
 1  192.168.3.4  3.653 ms  3.180 ms  2.957 ms
 2  192.168.2.1  6.825 ms  12.046 ms  10.237 ms

 

Now, create a static route on FortiSwitch-3 pointing to FortiSwitch-1. This will be the floating static route.

 

config router static
    edit 1    <- A new entry '1' may be added.
        set device VLAN10-P1
        set dst 192.168.2.0 255.255.255.0
        set gateway 192.168.4.2
end

 

Check the routing table again on FortiSwitch-3. The difference now is that the previously selected OSPF route, O>*  192.168.2.0/24 [110/200] via 192.168.3.4, VLAN30-P2, weight 1, 1d21h27m, has been deleted from the FIB and is listed only as an unselected candidate.

This happened because the static route has a lower administrative distance of 10, and this new route has already been installed:

 

get router info routing-table
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, T - Table,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup, ^ - HW install failed
       t - trapped, o - offload failure

S>*  192.168.2.0/24 [10/0] via 192.168.4.2, VLAN10-P1, weight 1, 00:00:27
O    192.168.2.0/24 [110/200] via 192.168.3.4, VLAN30-P2, weight 1, 1d21h41m
O    192.168.3.0/24 [110/100] is directly connected, VLAN30-P2, weight 1, 1d21h53m
C>*  192.168.3.0/24 is directly connected, VLAN30-P2, 1d22h05m
O    192.168.4.0/24 [110/10] via 192.168.3.4, VLAN30-P2, weight 1, 1d21h39m
C>*  192.168.4.0/24 is directly connected, VLAN10-P1, 1d22h10m

 

Once again, perform a traceroute from FortiSwitch-3 to the FortiSwitch-1 IP address 192.168.2.1. Note that it has only one hop:

 

execute traceroute 192.168.2.1
traceroute to 192.168.2.1 (192.168.2.1), 32 hops max, 3 probe count, 5 timeout, 84 byte packets
 1  192.168.2.1  6.295 ms  3.156 ms  2.717 ms

 

A Wireshark packet capture shows that the traffic flows only between FortiSwitch-3 port1 (IP address 192.168.4.1) and FortiSwitch-1 port2 (IP address 192.168.2.1):

 

wiresharkospf.png

 

Now, increase the administrative distance of the static route on FortiSwitch-3. It must be higher than the OSPF administrative distance of 110:

 

config router static
    edit 1
        set distance 130
end

 

Check the routing table and the traceroute to FortiSwitch-1 and note the difference: both the static route and the OSPF route for network 192.168.2.0 are listed, but the OSPF route is the selected one, so the traffic flows from FortiSwitch-3 to FortiSwitch-2, and finally to FortiSwitch-1:

 

get router info routing-table
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, T - Table,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup, ^ - HW install failed
       t - trapped, o - offload failure

S    192.168.2.0/24 [130/0] via 192.168.4.2, VLAN10-P1, weight 1, 00:00:06
O>*  192.168.2.0/24 [110/200] via 192.168.3.4, VLAN30-P2, weight 1, 1d21h51m
O    192.168.3.0/24 [110/100] is directly connected, VLAN30-P2, weight 1, 1d22h03m
C>*  192.168.3.0/24 is directly connected, VLAN30-P2, 1d22h15m
O    192.168.4.0/24 [110/10] via 192.168.3.4, VLAN30-P2, weight 1, 1d21h49m
C>*  192.168.4.0/24 is directly connected, VLAN10-P1, 1d22h20m

 

execute traceroute 192.168.2.1
traceroute to 192.168.2.1 (192.168.2.1), 32 hops max, 3 probe count, 5 timeout, 84 byte packets
 1  192.168.3.4  3.575 ms  2.956 ms  2.525 ms
 2  192.168.2.1  7.039 ms  8.400 ms  7.491 ms

 

Now, disconnect the cable between FortiSwitch-3 port2 and FortiSwitch-2. The traffic will instead go through the static route. Since the OSPF route is gone, only the static route remains for network 192.168.2.0:

 

get router info routing-table
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, T - Table,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup, ^ - HW install failed
       t - trapped, o - offload failure

S>*  192.168.2.0/24 [130/0] via 192.168.4.2, VLAN10-P1, weight 1, 00:15:34
C>*  192.168.4.0/24 is directly connected, VLAN10-P1, 1d22h35m
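
The three states seen on FortiSwitch-3 (static route overriding OSPF, static route floating in standby, static route carrying traffic after the link failure) can be told apart from the routing-table output alone. The following Python code is an added example, not part of the original article or of any Fortinet tooling: it parses `get router info routing-table` output and classifies the static backup for a prefix. The function names and state labels are hypothetical; the sample route lines are copied from the outputs in this article.

```python
import re

# One route line of `get router info routing-table`, for example:
# "S>*  192.168.2.0/24 [130/0] via 192.168.4.2, VLAN10-P1, weight 1, 00:15:34"
ROUTE_RE = re.compile(
    r"^(?P<code>[KCSROIBT])(?P<flags>[>*qrb^to]*)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)(?:\s+\[(?P<dist>\d+)/\d+\])?"
)

def parse_routes(text):
    """Return one dict per route line; legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({
                "proto": m["code"], "prefix": m["prefix"],
                "selected": ">" in m["flags"],
                # Connected routes print no [distance/metric]; treat as 0.
                "distance": int(m["dist"]) if m["dist"] else 0,
            })
    return routes

def floating_route_state(text, prefix, ospf_distance=110):
    """Classify the static backup for prefix (hypothetical helper and labels)."""
    routes = [r for r in parse_routes(text) if r["prefix"] == prefix]
    static = next((r for r in routes if r["proto"] == "S"), None)
    if static is None:
        return "no-backup"
    if static["distance"] <= ospf_distance:
        return "not-floating"     # static overrides OSPF
    if static["selected"]:
        return "failover-active"  # OSPF route gone, backup carries traffic
    if any(r["selected"] for r in routes if r["proto"] == "O"):
        return "standby"          # OSPF selected, static waits as backup
    return "unknown"

# Route lines copied from the FortiSwitch-3 outputs in this article.
DIST_10 = """S>*  192.168.2.0/24 [10/0] via 192.168.4.2, VLAN10-P1, weight 1, 00:00:27
O    192.168.2.0/24 [110/200] via 192.168.3.4, VLAN30-P2, weight 1, 1d21h41m"""
DIST_130 = """S    192.168.2.0/24 [130/0] via 192.168.4.2, VLAN10-P1, weight 1, 00:00:06
O>*  192.168.2.0/24 [110/200] via 192.168.3.4, VLAN30-P2, weight 1, 1d21h51m"""
LINK_DOWN = """S>*  192.168.2.0/24 [130/0] via 192.168.4.2, VLAN10-P1, weight 1, 00:15:34
C>*  192.168.4.0/24 is directly connected, VLAN10-P1, 1d22h35m"""

if __name__ == "__main__":
    for name, table in (("distance 10", DIST_10), ("distance 130", DIST_130), ("link down", LINK_DOWN)):
        print(name, "->", floating_route_state(table, "192.168.2.0/24"))
```

A "failover-active" result on a switch that normally reports "standby" indicates that the OSPF path has been lost and the backup link is in use.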
