Hello Friends,
I am Kamal and I need one piece of advice.
I have 2 customers and one FortiGate 201 model (working in HA).
The request is: traffic comes from the LAN switches (which have 2 VLANs, one for each customer) and then arrives at FortiGate port 4 on both HA FortiGates.
Here I want to separate the traffic for both customers at the FortiGate level.
On the WAN side I have 2 ISPs, and both customers want to use both ISPs' bandwidth with the SD-WAN weight algorithm at 50/50%.
How can we use the VLAN concept here to separate customer traffic, and also separate the tunnels with the SD-WAN concept?
Thanks
Kamal Singh
1st, good diagram.
Are you running each customer in a VDOM or just using VLANs and IPsec between site1-to-site2? In your case I would use the IPsec VPN tunnels and control the traffic, and have the policy that allows the traffic from local-remote subnets for vlan2 and vlan3.
It looks like you have that done by the diagram? For routing you can control what tunnel carries that traffic, and if you need redundancy via the MetroE and the 2nd ISP, just adjust the metric with two routes.
If you dump your subnet numbers and phase2 settings, I could draft it out better.
Ken Felix
PCNSE
NSE
StrongSwan
Hello Ken,
Thanks a lot for having a look into this.
You are right, I am using VLANs instead of VDOMs to separate the customer traffic; please advise whether that is fine.
As it is a single VDOM, I am using the ports like below:
Devices are in HA:
Port 4 is for LAN purposes (carrying the 2 VLANs)
Then port1 (primary Metro link), port2 (secondary ISP)
Tunnels: I will create a total of 4 tunnels:
2 for the first customer, with both ISPs, as shown in green in the Visio
2 for the second customer, with both ISPs, as shown by the red line in the Visio.
SD-WAN: I will make a policy like:
Source vlan2: Destination: tun1, tun3 --- green tunnel
Source vlan3: Destination: tun2, tun4 --- red tunnel
I would request you to help me with the config; yes, it will be great if you draft the config for me.
Vlan2: 10.99.2.0/24
Vlan3: 10.99.3.0/24
ISP IPs:
Primary metro link: 1.1.1.1/30 ------- 1.1.1.2/30
Secondary ISP: 200.200.200.1/30 ------ 200.200.200.2/30
Tunnels:
1st: Subnet: 10.10.10.0/30 -- 10.10.10.1/30 --- other end 10.10.10.2/30
2nd: Subnet: 10.10.10.4/30 -- 10.10.10.5/30 --- other end 10.10.10.6/30
3rd: Subnet: 10.10.10.8/30 -- 10.10.10.9/30 --- other end 10.10.10.10/30
4th: Subnet: 10.10.10.12/30 -- 10.10.10.13/30 --- other end 10.10.10.24/30
I would be so thankful to you.
Thanks
Kamal
Hi Kamal,
So this means you have an FGT HA cluster on each side?
Each cluster has two WAN links, and on each WAN link a P2P IPsec tunnel to the other side?
Do I understand this right?
If so, that would mean the traffic is always separated. Behind the FortiGates the VLAN does separate it (at least if there is no port in both VLANs somewhere there), and on the FGT that's default behaviour even without VLANs, since all traffic that does not match an explicit policy by default always matches policy #0 (implicit deny) and will be dropped by the FGT. So as long as you don't have policies on your FGTs that allow traffic from vlan2 to vlan3 and/or vice versa, they won't see each other on the FGT. And behind the FGT your VLAN setup takes care of this.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
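A FortiOS CLI sketch of the per-customer SD-WAN zone discussed in this thread, added here as an example; it is not Ken's promised draft nor Kamal's own config. It assumes FortiOS 7.x syntax, that vlan2 on port4 and the IPsec interfaces tun1 (on port1) and tun3 (on port2) already exist, and uses a placeholder for customer 1's remote LAN prefix; customer 2 mirrors it with vlan3, tun2, tun4 and its own zone.

```fortios
# Added example (assumptions: FortiOS 7.x CLI; vlan2 on port4 and IPsec
# interfaces tun1 on port1 / tun3 on port2 already configured; values in
# <angle brackets> are placeholders, not values from the thread).
config system sdwan
    set status enable
    # weight-based: the implicit SD-WAN rule splits sessions by member weight
    set load-balance-mode weight-based
    config zone
        edit "cust1-zone"
        next
    end
    config members
        edit 1
            set interface "tun1"
            set zone "cust1-zone"
            set weight 50
        next
        edit 2
            set interface "tun3"
            set zone "cust1-zone"
            set weight 50
        next
    end
end
config router static
    # only the customer-1 zone can reach customer-1's remote LAN
    edit 1
        set dst <CUST1-REMOTE-LAN-PREFIX>
        set sdwan-zone "cust1-zone"
    next
end
config firewall policy
    # the only policy that touches vlan2: out through the customer-1 zone
    edit 1
        set name "vlan2-to-cust1-zone"
        set srcintf "vlan2"
        set dstintf "cust1-zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Customer 2 mirrors this with vlan3, tun2/tun4 in "cust2-zone", its own
# route and its own policy. Because no policy lists vlan2 together with
# vlan3 or cust2-zone, cross-customer traffic hits implicit deny (policy 0).
```

With equal weights the implicit rule sends roughly half of new sessions over each tunnel of the zone; on the remote cluster the same zone, route and policy are needed in the reverse direction.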