Multiple WAN And VIP Routing
Hi, All.
I have a FortiGate 201E with multiple WAN interfaces.
I am trying to change "Administrative Distance" on the static routes I have, so that some of the WAN interfaces are used more frequently than others.
Whenever I do that, VIP that is not pointed to the lowest "Administrative Distance" (or at least equal) will not work.
Do I have to use a policy route?
Thank you
Sahar
yeah, you can't and shouldn't use distance for that.
if you want to spread traffic over multiple interfaces, have a look at what is currently called SD-WAN
https://cookbook.fortinet.com/redundant-internet-with-sd-wan-60/
Thank you for the reply,
I am using an SD-WAN interface as well; I have a lot of WAN interfaces, and not all of them are used in the SD-WAN.
What I don't understand is how administrative distance influences VIP, and incoming traffic.
I was trying to change distance to avoid using Policy Route, to use a specific outbound interface for a specific network.
But I guess Policy Route is the way to go.
saharhod wrote: What I don't understand is how administrative distance influences VIP, and incoming traffic.
for incoming traffic the issue lies with the reverse path check, it is a feature that makes sure that traffic only enters on an interface where it is expected.
see https://kb.fortinet.com/kb/documentLink.do?externalID=FD30543
when you have two routes towards the internet with different administrative distances then only one is in the routing table, which means that traffic on the other interface will be dropped because of the reverse path check, as it compares the routing table with the traffic seen.
so you need to keep the same administrative distance and different priorities to make this work for incoming traffic.
for outgoing traffic you then use SD-WAN and perhaps policy routes, depending on whether you want to load balance outgoing traffic or determine what interface is used.
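
A simplified model of the reverse path check described in the reply above, added here as an illustration; it is not part of the original thread and not FortiOS code. The interface names, client address and distance/priority values are constructed, and the model assumes a packet is accepted when any installed route to its source points out of the ingress interface.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    dst: str       # destination prefix
    device: str    # interface the route points out of
    distance: int  # administrative distance: lowest value gets installed
    priority: int  # tie-breaker among installed routes: lowest is preferred

def routing_table(static_routes):
    """Per destination prefix, install only the routes with the lowest distance."""
    lowest = {}
    for r in static_routes:
        lowest[r.dst] = min(lowest.get(r.dst, r.distance), r.distance)
    return [r for r in static_routes if r.distance == lowest[r.dst]]

def rpf_pass(table, src_ip, in_device):
    """Accept a packet only if an installed route to its source uses the ingress interface."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r.dst) and r.device == in_device
               for r in table)

def egress_device(table, dst_ip):
    """Outgoing choice: longest matching prefix, then lowest priority."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if dst in ipaddress.ip_network(r.dst)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen,
                                       r.priority)).device

# Constructed sample data: an internet client reaching a VIP published on wan2.
CLIENT = "203.0.113.50"
BY_DISTANCE = [StaticRoute("0.0.0.0/0", "wan1", 10, 0),
               StaticRoute("0.0.0.0/0", "wan2", 20, 0)]
BY_PRIORITY = [StaticRoute("0.0.0.0/0", "wan1", 10, 1),
               StaticRoute("0.0.0.0/0", "wan2", 10, 10)]

if __name__ == "__main__":
    for name, routes in (("different distance", BY_DISTANCE),
                         ("same distance, different priority", BY_PRIORITY)):
        table = routing_table(routes)
        print(name,
              "| installed:", [r.device for r in table],
              "| VIP traffic in on wan2 accepted:", rpf_pass(table, CLIENT, "wan2"),
              "| outbound uses:", egress_device(table, CLIENT))
```

With different distances only the wan1 route is installed, so traffic arriving on wan2 fails the check; with equal distances both routes are installed, wan2 passes, and priority still steers outbound traffic to wan1.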