Routing

Routing. Module Objectives By the end of this module participants will be able to: Interpret routing information in the routing table Differentiate between



Module Objectives

• By the end of this module participants will be able to:

  • Interpret routing information in the routing table

  • Differentiate between the dynamic routing methods available on the FortiGate unit

  • Create static and dynamic routes on the FortiGate unit

Routing

• Routing is the process of moving packets of data between devices on a network from a source to a final destination

• The destination address is used to determine where the packets must go

Routing Table

• The routing table provides the FortiGate unit with the information it needs to forward a packet to a particular destination on a network

• The FortiGate unit looks in its routing table to establish the best route to the destination

• The routing table can be built and updated manually using static routing information

• Routing table entries can also be updated dynamically

• Dynamic routing algorithms adjust network paths by analyzing routing update information received from other routers

Route Elements

• Each route in the routing table includes the following elements:

  • IP address/mask

  • Gateway IP address/interface

  • Distance

  • Metric

  • Priority

  • Device

  • Dead Gateway Detection


Autonomous Systems

[Diagram: three autonomous systems, ISP1, ISP2 and ISP3, each drawn as a separate routing domain]

• An autonomous system (AS) is a collection of connected Internet Protocol routing prefixes under the control of one or more network operators

• Sometimes referred to as a routing domain

Interior Gateway Protocol

[Diagram: a single autonomous system, ISP1, whose routers exchange routes with an IGP]

• An Interior Gateway Protocol (IGP) is a routing protocol used to exchange routing information within an autonomous system

• Interior Gateway Protocols can be divided into two categories:

  • Distance-vector routing protocols

  • Link-state routing protocols

Exterior Gateway Protocol

[Diagram: autonomous systems ISP1, ISP2 and ISP3 connected to each other by BGP sessions]

• An Exterior Gateway Protocol (EGP) is used to determine network reachability between autonomous systems

• Makes use of Interior Gateway Protocols to resolve routes within an AS

Static Routes

• A static route allows packets to be forwarded to a destination other than the default gateway

• Static routes control traffic exiting the FortiGate unit: they specify through which interface the packet will leave and to which device (next-hop gateway) the packet should be routed

• Static routes are defined manually


Viewing Routing Information

Route Selection

• In FortiOS the route selection process considers the following:

  • A route is considered only if the outgoing interface is not down

  • If multiple routes are available for the same subnet, only the lowest distance is chosen

  • For static routes with the same distance, the route with the lowest priority value is preferred; unlike distance, priority does not remove the losing routes from the routing table

  • For dynamic routes, if multiple routes have the same distance, the lowest metric value is chosen

  • For dynamic routes, the protocol used will determine the route when multiple routes have the same distance and metric

  • All active routes are placed in the routing table; the most specific (longest prefix) route is matched first

  • Policy routing is applied before routing table lookups


• The FortiGate unit only performs a routing lookup for the first packet of a session

• The routing information is written to the session table; all packets for that session use the same path

• Exception: after a topology change, route information is flushed from the sessions and must be relearned

Route Distance

• Route distance is configurable for all types of routes, except directly connected interfaces

• Default distance settings on the FortiGate unit:

  • Directly connected: 0

  • Static routes: 10

  • EBGP routes: 20

  • OSPF routes: 110

  • RIP routes: 120

  • IBGP routes: 200

Policy Routing

• With policy routing, decisions are based on criteria other than the destination only

• Packets can be routed based on:

  • Protocol

  • Source address

  • Destination address

  • Destination ports

  • Type of Service (ToS) bits

Blackhole Routes

[Diagram: subnet 192.168.1.0/24 behind router 192.168.1.1, which has a default route 0.0.0.0/0 to the Internet. Without a blackhole route, packets for unused 192.168.x.x addresses would follow the default route out to the Internet; after creating a blackhole route for 192.168.0.0/16 the router drops them instead, while the more specific connected route 192.168.1.0/24 still carries traffic for the local subnet]

• Blackhole routes are a special type of static route used to drop all traffic sent to them

• Used to dispose of packets instead of responding to suspicious inquiries

• Can be used to limit traffic on a subnet

• For added security, traffic sent to addresses not in use can be directed to the blackhole
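The selection rules from the Route Selection, Route Distance, Policy Routing and Blackhole Routes slides, collected into one small simulator. This is an added Python example, not part of the original module and not FortiOS code: the routing table, policy route, addresses and interface names are constructed for illustration; only the default distances are taken from the Route Distance slide.

```python
"""Route selection as the slides describe it (constructed example, not FortiOS code).
Order of evaluation:
  1. policy routes, in order, before any routing-table lookup
  2. routing table: routes on a down interface are ignored; the most specific
     prefix wins; for the same prefix the lowest distance wins, then the lowest
     priority (static) / metric (dynamic)
  3. a route whose device is "blackhole" discards the packet
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default administrative distances listed on the Route Distance slide
DEFAULT_DISTANCE = {"connected": 0, "static": 10, "ebgp": 20,
                    "ospf": 110, "rip": 120, "ibgp": 200}


@dataclass
class Route:
    dst: str                          # prefix, e.g. "192.168.0.0/16"
    device: str                       # outgoing interface, or "blackhole"
    proto: str = "static"
    gateway: Optional[str] = None
    distance: Optional[int] = None    # None -> protocol default
    priority: int = 0                 # static tie-breaker, lower value preferred
    metric: int = 0                   # dynamic tie-breaker, lower value preferred
    up: bool = True                   # state of the outgoing interface

    def __post_init__(self):
        self.net = ip_network(self.dst)
        if self.distance is None:
            self.distance = DEFAULT_DISTANCE[self.proto]


@dataclass
class Packet:
    src: str
    dst: str
    in_device: str
    protocol: int = 6                 # 6 = TCP, 17 = UDP
    dport: int = 0


@dataclass
class PolicyRoute:
    """Matches on more than the destination: input interface, source,
    destination, protocol and destination port (all optional)."""
    output_device: str
    input_device: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: Optional[int] = None
    dport: Optional[range] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.input_device is None or pkt.in_device == self.input_device)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.protocol is None or pkt.protocol == self.protocol)
                and (self.dport is None or pkt.dport in self.dport))


def select_route(routes, dst_ip: str) -> Optional[Route]:
    """Routing-table lookup: longest prefix, then distance, then priority/metric."""
    dst = ip_address(dst_ip)
    candidates = [r for r in routes if r.up and dst in r.net]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-r.net.prefixlen, r.distance, r.priority, r.metric))
    return candidates[0]


def forward(policy_routes, routes, pkt: Packet):
    """Return ('policy', iface), ('route', iface) or ('drop', reason)."""
    for p in policy_routes:                      # policy routing comes first
        if p.matches(pkt):
            return ("policy", p.output_device)
    r = select_route(routes, pkt.dst)
    if r is None:
        return ("drop", "no route")
    if r.device == "blackhole":
        return ("drop", "blackhole")
    return ("route", r.device)


# Constructed routing table built from the slides' examples
ROUTES = [
    Route("192.168.1.0/24", "internal", proto="connected"),
    Route("0.0.0.0/0", "wan1", gateway="1.1.1.2"),                 # static, distance 10, priority 0
    Route("0.0.0.0/0", "wan2", gateway="2.2.2.2", priority=10),    # same distance, less preferred
    Route("192.168.0.0/16", "blackhole"),                          # blackhole for unused 192.168.x.x
    Route("10.10.0.0/16", "dmz", proto="ospf", metric=20),
    Route("10.10.0.0/16", "dmz2", proto="rip", metric=3),          # loses to OSPF on distance
]

# Constructed policy route: web traffic from the LAN leaves through wan2
POLICY = [
    PolicyRoute(output_device="wan2", input_device="internal",
                src="192.168.1.0/24", protocol=6, dport=range(80, 81)),
]


def decide(src, dst, in_device="internal", protocol=6, dport=0):
    return forward(POLICY, ROUTES, Packet(src, dst, in_device, protocol, dport))


if __name__ == "__main__":
    for args in [("192.168.1.10", "192.168.1.50"), ("192.168.1.10", "192.168.7.9"),
                 ("192.168.1.10", "8.8.8.8", "internal", 6, 443),
                 ("192.168.1.10", "8.8.8.8", "internal", 6, 80),
                 ("192.168.1.10", "10.10.5.5")]:
        print(args, "->", decide(*args))
```

Marking a route's interface down (`ROUTES[1].up = False`) shows the first rule: the wan2 default route takes over even though its priority value is higher, and the RIP route to 10.10.0.0/16 is used only while the OSPF one is unavailable.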

Reverse Path Forwarding

• Reverse Path Forwarding (RPF) protects against IP spoofing attacks

• Checks the source IP address of all packets: if the path back to the source address does not match the path the packet is coming from, the packet is dropped

• RPF is only carried out on the first packet in the session, not on reply traffic, as long as traffic is symmetric

• Debug flow will show the packet being dropped: "reverse path check fail, drop"

[Diagram sequence: FortiGate with internal subnet 192.168.1.0/24, wan1 1.1.1.1/30 and wan2 2.2.2.1/30 both connected to the Internet, and a dmz host with source IP 10.0.0.1/24. Packets with unknown source IPs arrive from the Internet on wan1 and on wan2. The routing table is changed step by step:]

1. Single default route:

   0.0.0.0/0.0.0.0 wan1
   192.168.1.0/24 local
   1.1.1.0/30 local
   2.2.2.0/30 local

   There is no route back to 10.0.0.0/24 through dmz and no route at all through wan2, so packets from 10.0.0.1 arriving on dmz and packets arriving from the Internet on wan2 both fail the RPF check.

2. Static route added for the dmz subnet:

   0.0.0.0/0.0.0.0 wan1 (static)
   10.0.0.0/24 dmz (static)
   192.168.1.0/24 local
   1.1.1.0/30 local
   2.2.2.0/30 local

   Packets from 10.0.0.1 on dmz now pass the RPF check; packets arriving on wan2 still fail.

3. Second default route added through wan2:

   0.0.0.0/0.0.0.0 wan1 (static)
   0.0.0.0/0.0.0.0 wan2 (static)
   10.0.0.0/24 dmz (static)
   192.168.1.0/24 local
   1.1.1.0/30 local
   2.2.2.0/30 local

   Packets arriving on either WAN interface now pass the RPF check. Both default routes have the same distance and priority → ECMP: new outbound sessions are spread across wan1 and wan2.

4. To keep a route on both WAN interfaces (so RPF keeps passing on both) while sending outbound traffic through only one of them, change the priority of the second default route instead of removing it:

   config router static
       edit <2nd default route index>
           set priority 10
       end

   A lower priority value is preferred, and a route that loses on priority stays in the routing table. Routing table as drawn on the final slide of the sequence:

   0.0.0.0/0.0.0.0 wan2 (static)
   10.0.0.0/24 dmz (static)
   192.168.1.0/24 local
   1.1.1.0/30 local
   2.2.2.0/30 local

Reverse Path Forwarding Modes

• The RPF check can be configured to be more strict

• Strict Reverse Path Forwarding: the source address is looked up in the FIB; the packet is allowed only if it was received on the interface that would be used to forward traffic to the source

• Loose Reverse Path Forwarding (FortiGate unit default): checks only for the existence of a route to the source via the receiving interface; the packet is forwarded even if a better route is available on another interface

Strict Reverse Path Forwarding Disabled and Enabled

[Diagram: FortiGate with subnet 10.10.10.0/24 on internal (hosts 10.10.10.5 and 10.10.10.6) and subnet 20.20.20.0/24 reached through wan1 (attacking host 20.20.20.20). Routing table:]

   0.0.0.0/0 wan1
   20.20.20.0/24 wan1
   10.10.10.0/24 internal

From 20.20.20.20 the attacker sends a TCP SYN to 10.10.10.5 port 80 with the source address spoofed to 10.10.10.6. The slides show the command as "hping -1 10.10.10.5 –p 80 –S 10.10.10.6"; the hping3 options that actually produce that packet are:

   hping3 -S -p 80 -a 10.10.10.6 10.10.10.5

(-S sets the SYN flag, -p the destination port and -a the spoofed source address; -1 would select ICMP mode instead of TCP.)

• Strict RPF disabled (loose check): the spoofed SYN arrives on wan1, and a route covering 10.10.10.6 (the default route) does point out wan1, so the packet is accepted; 10.10.10.5 answers 10.10.10.6 with SYN/ACK, and 10.10.10.6, which never sent a SYN, replies with RST

• Strict RPF enabled: the best route to 10.10.10.6 is through internal, not wan1, so the SYN is dropped
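The loose and strict RPF checks described on the Reverse Path Forwarding slides, run against the two topologies drawn there (the dmz/wan1/wan2 sequence and the spoofed-SYN scenario above). This is an added Python example, not part of the original module and not FortiOS code; the routing tables, interface names and the public source address 203.0.113.7 are constructed to match the slides.

```python
"""Reverse Path Forwarding check, loose and strict (constructed example, not
FortiOS code).  Routes are (prefix, interface).  Loose mode accepts a packet
when *any* route to its source points at the receiving interface; strict mode
accepts it only when the *best* (most specific) route does."""
from ipaddress import ip_address, ip_network


def rpf_check(routes, src_ip, in_iface, strict=False):
    """True if the packet passes RPF, False if it would be dropped
    ('reverse path check fail, drop' in the debug flow)."""
    src = ip_address(src_ip)
    matching = [(ip_network(p), dev) for p, dev in routes if src in ip_network(p)]
    if not matching:
        return False                       # no route back to the source at all
    if strict:
        best = max(matching, key=lambda m: m[0].prefixlen)
        return best[1] == in_iface
    return any(dev == in_iface for _, dev in matching)


# Topology from the RPF slides: one default route, dmz host 10.0.0.1
ONE_DEFAULT = [("0.0.0.0/0", "wan1"), ("192.168.1.0/24", "internal"),
               ("1.1.1.0/30", "wan1"), ("2.2.2.0/30", "wan2")]
# ... plus the static route for the dmz subnet
WITH_DMZ_ROUTE = ONE_DEFAULT + [("10.0.0.0/24", "dmz")]
# ... plus a second default route through wan2 (ECMP or priority-differentiated)
TWO_DEFAULTS = WITH_DMZ_ROUTE + [("0.0.0.0/0", "wan2")]

# Topology from the strict-RPF slides: 10.10.10.0/24 on internal, 20.20.20.0/24 via wan1
STRICT_DEMO = [("0.0.0.0/0", "wan1"), ("20.20.20.0/24", "wan1"),
               ("10.10.10.0/24", "internal")]


def scenarios():
    """(description, routes, source IP, receiving interface, strict) -> pass/fail."""
    cases = [
        ("dmz host, no route back via dmz", ONE_DEFAULT, "10.0.0.1", "dmz", False),
        ("dmz host after static route", WITH_DMZ_ROUTE, "10.0.0.1", "dmz", False),
        ("internet source on wan2, single default", WITH_DMZ_ROUTE, "203.0.113.7", "wan2", False),
        ("internet source on wan2, two defaults", TWO_DEFAULTS, "203.0.113.7", "wan2", False),
        ("spoofed 10.10.10.6 on wan1, loose", STRICT_DEMO, "10.10.10.6", "wan1", False),
        ("spoofed 10.10.10.6 on wan1, strict", STRICT_DEMO, "10.10.10.6", "wan1", True),
        ("real 10.10.10.6 on internal, strict", STRICT_DEMO, "10.10.10.6", "internal", True),
    ]
    return {d: rpf_check(r, s, i, strict) for d, r, s, i, strict in cases}


if __name__ == "__main__":
    for desc, ok in scenarios().items():
        print(f"{'pass' if ok else 'DROP'}  {desc}")
```

The spoofed-SYN case is the one to note: under the default loose check the default route through wan1 is enough to let a packet claiming to come from the internal subnet in, and only the strict check compares against the best route.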

Dynamic Routes

• With dynamic routing, routing information is shared with neighboring routers

• Devices learn about routes and networks advertised by their neighbors

• The FortiGate unit selects the best route to a destination and updates the routing table based on defined rules

• The FortiGate unit supports the following dynamic routing protocols:

  • Routing Information Protocol (RIP)

  • Open Shortest Path First (OSPF)

  • Border Gateway Protocol (BGP)

  • Intermediate System to Intermediate System (IS-IS)

Routing Information Protocol

• With the Routing Information Protocol (RIP), the FortiGate unit broadcasts requests for RIP updates; neighbors respond with information from their routing tables

• The FortiGate unit adds routes from neighbors only if they are not already recorded in the routing table

• Uses hop count to choose the best route: each network that a packet travels through on the way to the destination counts as one hop

• If there are two routes to the same destination, the FortiGate unit selects the one with the lowest hop count

Open Shortest Path First

• With Open Shortest Path First (OSPF), routers report link-state information to all other routers in the network, so all routers have an identical view of the network

• The FortiGate unit calculates the best route based on the accumulated link-state information

• Relative cost is used to choose the best route: the costs associated with the outgoing interfaces along the path to the destination are added up

• The lowest overall cost indicates the best route

• Depending on the network topology, entries in the FortiGate unit routing table may include:

  • Addresses of networks in the local OSPF area, to which packets are sent directly

  • Routes to OSPF area border routers (ABRs), to which packets are sent when they are destined for another area

• The OSPF system is divided into areas; ABRs link one or more areas to the OSPF backbone (area 0)

• ABRs maintain a database of the topologies of each connected area

[Diagram: OSPF backbone (Area 0) connecting the New York, Chicago and Boston areas, each attached to the backbone through an ABR]

Open Shortest Path First Configuration

• When configuring OSPF, the following parameters must be identified:

  • Router ID: used to identify the FortiGate unit to other OSPF routers

  • Areas: a set of networks grouped together for administrative purposes

  • Networks to advertise

  • The interfaces participating in OSPF (optional): this object allows the default OSPF settings to be changed per interface

• An adjacency can only be formed if two neighbors have some of the same interface attributes, including:

  • Area ID

  • Hello Interval

  • Dead Interval

Border Gateway Protocol

• With Border Gateway Protocol (BGP), reachability information is exchanged between configured peers; BGP does not discover the network topology

• Constructs a graph of autonomous system (AS) connectivity, from which routing loops may be pruned and on which policy decisions may be enforced

• The FortiGate unit accepts BGP routes and enters them into the routing table

• An AS-PATH is built to get to a destination; multiple paths can exist

[Diagram: six autonomous systems, AS 701 (ISP 1) through AS 706 (ISP 6), with the starting point in AS 701 and the destination in AS 706]

AS Path: AS 701 → AS 702 → AS 703 → AS 705 → AS 706

Border Gateway Protocol Configuration

• BGP is run in the context of VDOMs

• EBGP routes have a default distance of 20: preferred over OSPF and RIP routes, less preferred than static routes
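The AS_PATH handling behind "routing loops may be pruned" and the path drawn on the AS 701 → AS 706 slide, as an added Python example. It is not part of the original module and not FortiOS code: the received UPDATEs are constructed (including one with AS 704 prepended several times and one that already contains AS 701), and the tie-break on the lowest peer AS is an assumption standing in for the rest of the BGP decision process.

```python
"""BGP AS_PATH handling (constructed example, not FortiOS code).  A router in
LOCAL_AS receives UPDATEs for one prefix from several peers, discards any whose
AS_PATH already contains its own AS number (loop prevention), prepends its own
AS to the rest and, with no policy configured, prefers the shortest AS_PATH."""

LOCAL_AS = 701


def accept_path(local_as, as_path):
    """Loop prevention: an AS_PATH that already contains our own AS is rejected."""
    return local_as not in as_path


def best_path(local_as, updates):
    """updates: list of (peer_as, as_path) received for one prefix.
    Returns (peer_as, as_path with local_as prepended) for the winner, or None."""
    usable = [(peer, [local_as] + path)
              for peer, path in updates if accept_path(local_as, path)]
    if not usable:
        return None
    # Shortest AS_PATH wins. The tie-break on the lowest peer AS is an assumption
    # standing in for the remaining BGP decision steps (local-pref, MED, ...).
    usable.sort(key=lambda u: (len(u[1]), u[0]))
    return usable[0]


# Constructed UPDATEs for the prefix originated by AS 706, as seen from AS 701.
# The first is the path drawn on the slide.
UPDATES = [
    (702, [702, 703, 705, 706]),
    (704, [704, 704, 704, 705, 706]),   # AS 704 prepended itself: longer, so less attractive
    (704, [704, 702, 701, 706]),        # already contains 701: a loop, discarded
]


def winner():
    return best_path(LOCAL_AS, UPDATES)


if __name__ == "__main__":
    peer, path = winner()
    print("via peer AS", peer, "AS Path:", " → ".join(f"AS {a}" for a in path))
```

The prepended path is how an operator makes one of its links less attractive without withdrawing the route; the looped path shows why a received AS_PATH must be checked against the local AS before it is ever compared on length.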

Bi-Directional Forwarding Detection

• Dynamic routing protocols can be slow to detect device failures on the network

• Bi-Directional Forwarding Detection (BFD) can detect failures faster than the routing protocols themselves and trigger rerouting

• The FortiGate unit supports BFD as part of OSPF and BGP

• Once a connection to a router is established, BFD checks its status frequently; if the router goes down, routing is changed accordingly

• BFD continues to monitor the status of the router and will reset the routes once it is available again

Intermediate System to Intermediate System

• Intermediate System to Intermediate System (IS-IS) operates by flooding link-state information throughout the network of routers

• Each IS-IS router independently builds a database of the network's topology by aggregating the flooded information

• Like OSPF, IS-IS uses the Dijkstra algorithm to compute the best path through the network
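The shortest-path computation that both the OSPF slides (accumulated outgoing-interface cost) and the IS-IS slide (Dijkstra) describe, as an added Python example. It is not part of the original module and not FortiOS code: the link-state database uses the city names from the OSPF diagram plus two extra routers, and all interface costs are assumed values.

```python
"""Link-state path computation (constructed example, not FortiOS code).
Every router holds the same link-state database, here a dict of
router -> {neighbour: cost of the outgoing interface towards it}.  Dijkstra
adds up the outgoing-interface costs along each path and keeps the lowest
total, which is how both OSPF and IS-IS pick a route."""
import heapq

# Constructed LSDB: Boston, New York and Chicago from the slide plus two more
# routers; every cost is an assumed value.
LSDB = {
    "Boston":     {"NewYork": 10, "Chicago": 100},
    "NewYork":    {"Boston": 10, "Chicago": 20, "Washington": 30},
    "Chicago":    {"Boston": 100, "NewYork": 20, "Denver": 40},
    "Washington": {"NewYork": 30, "Denver": 80},
    "Denver":     {"Chicago": 40, "Washington": 80},
}


def spf(lsdb, root):
    """Return {router: (total cost, path from root)} for every reachable router."""
    dist = {root: 0}
    prev = {}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new = cost + link_cost                      # accumulate outgoing-interface cost
            if new < dist.get(nbr, float("inf")):
                dist[nbr] = new
                prev[nbr] = node
                heapq.heappush(heap, (new, nbr))
    result = {}
    for node, cost in dist.items():
        path = [node]
        while path[-1] != root:
            path.append(prev[path[-1]])
        result[node] = (cost, path[::-1])
    return result


def routing_entries(lsdb, root):
    """What the SPF run contributes to the routing table: per destination the
    next hop (first router after root) and the total cost."""
    return {dst: (path[1], cost)
            for dst, (cost, path) in spf(lsdb, root).items() if dst != root}


if __name__ == "__main__":
    for dst, (nh, cost) in sorted(routing_entries(LSDB, "Boston").items()):
        print(f"{dst:<11} via {nh:<8} cost {cost}")
```

Note that the direct Boston–Chicago link (cost 100) loses to the two-hop path through New York (10 + 20): a lower total cost, not a shorter hop count, decides the route.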

Multicast Routing

• Multicast routing consists of a single multicast source sending data to many receivers, which conserves bandwidth and reduces network traffic

• The source only needs to transmit a single stream of data to the multicast router, which routes the data to the receivers

• The routing decision is based on both the source and the destination address of the multicast packet

• NAT can be applied to multicast packets

• The FortiGate unit can be configured as a multicast router in NAT/Route mode

Equal Cost Multipath

• If more than one Equal Cost Multipath (ECMP) route is available, the method the FortiGate unit uses to select the route can be configured:

  • Source based: all sessions generated from the same source IP address always use the same route

  • Weight based: routes with a higher weight are chosen more often

  • Spill-over: the same route is used until the spill-over threshold is reached; at that point, the next interface is chosen
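The three ECMP selection modes listed above, as an added Python example that is not part of the original module and not FortiOS code. The hash function, the weighted-bucket scheme, the unit of the spill-over threshold and what happens once every interface is over its threshold are all assumptions; the slide only states the observable behaviour.

```python
"""ECMP route selection modes (constructed example, not FortiOS code).  The
candidate routes are equal-cost (same prefix, distance and priority); the
configured mode decides which one a new session is assigned to."""
import hashlib


class EcmpSelector:
    def __init__(self, interfaces, mode="source", weights=None, spillover_threshold=0):
        self.interfaces = list(interfaces)            # configuration order
        self.mode = mode
        self.weights = weights or {i: 1 for i in self.interfaces}
        self.threshold = spillover_threshold          # per-interface load limit (assumed unit)
        self.load = {i: 0 for i in self.interfaces}   # load attributed to each interface

    @staticmethod
    def _bucket(key: str, buckets: int) -> int:
        # SHA-256 instead of Python's hash() so the choice is stable across runs;
        # the real hash function is not given on the slide (assumption)
        digest = hashlib.sha256(key.encode()).digest()
        return int.from_bytes(digest[:4], "big") % buckets

    def pick(self, src_ip: str, session_load: int = 1) -> str:
        if self.mode == "source":
            # same source IP -> same interface, for every session it starts
            return self.interfaces[self._bucket(src_ip, len(self.interfaces))]
        if self.mode == "weight":
            # weighted buckets: weights 3:1 give the first interface 3 of every 4
            # buckets; still keyed on the source, so one source stays on one interface
            buckets = [i for i in self.interfaces for _ in range(self.weights[i])]
            return buckets[self._bucket(src_ip, len(buckets))]
        if self.mode == "spillover":
            # stay on the first interface until its load reaches the threshold,
            # then spill new sessions to the next one
            for iface in self.interfaces:
                if self.load[iface] + session_load <= self.threshold:
                    self.load[iface] += session_load
                    return iface
            last = self.interfaces[-1]                # everything full: last one takes it (assumption)
            self.load[last] += session_load
            return last
        raise ValueError(f"unknown ECMP mode {self.mode!r}")


def source_mode_is_sticky(sources, repeats=5):
    """True if every source gets the same interface on each of its sessions."""
    sel = EcmpSelector(["wan1", "wan2"])
    return all(len({sel.pick(s) for _ in range(repeats)}) == 1 for s in sources)


def weight_mode_share(weights, sources):
    """How many of the given sources land on each interface under weight mode."""
    sel = EcmpSelector(["wan1", "wan2"], mode="weight", weights=weights)
    counts = {"wan1": 0, "wan2": 0}
    for s in sources:
        counts[sel.pick(s)] += 1
    return counts


def spillover_sequence(threshold, n_sessions):
    """Interface chosen for each of n new unit-load sessions in spill-over mode."""
    sel = EcmpSelector(["wan1", "wan2"], mode="spillover", spillover_threshold=threshold)
    return [sel.pick(f"10.0.0.{i}") for i in range(n_sessions)]


if __name__ == "__main__":
    print(weight_mode_share({"wan1": 3, "wan2": 1}, [f"10.1.{i // 256}.{i % 256}" for i in range(400)]))
    print(spillover_sequence(2, 5))
```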

Routing Diagnostic Commands

get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default

O*E2 0.0.0.0/0 [110/10] via 192.168.11.254, wan1, 01:29:24

C 172.16.78.0/24 is directly connected, wan2

O 192.168.1.0/24 [110/200] via 192.168.11.59, internal, 01:30:28

C 192.168.3.0/24 is directly connected, dmz

C 192.168.11.0/24 is directly connected, internal

S 192.168.96.0/19 [10/0] is directly connected, linkA0

S 192.168.192.0/19 [10/0] is directly connected, linkB0
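A parser for the routing-table output shown on these slides, as an added Python example that is not part of the original module and not FortiOS code. The sample text is the slide output reproduced above (plus the `routing-table database` lines from the next slide); the line pattern, the record layout and the `unexpected_default_routes` check are my own, written for the kind of script that snapshots a FortiGate's routing table and flags a default route learned from a dynamic protocol when only a static one is expected.

```python
"""Parse 'get router info routing-table all' / 'routing-table database' output
and run a simple sanity check on it (constructed example, not FortiOS code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One route line: codes, prefix, optional [distance/metric], gateway or
# 'directly connected', interface, optional uptime, optional 'inactive'.
LINE_RE = re.compile(
    r"^(?P<codes>.*?)\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[(?P<distance>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<gateway>\S+),\s*|is directly connected,\s*)"
    r"(?P<iface>[^,\s]+)(?:,\s*(?P<uptime>\S+))?\s*(?P<flag>inactive)?$"
)
PROTO_NAMES = {"K": "kernel", "C": "connected", "S": "static", "R": "rip",
               "B": "bgp", "O": "ospf", "i": "isis"}


@dataclass
class RouteEntry:
    proto: str            # protocol name from the first code letter
    flags: str            # remaining codes, e.g. "*E2" or "*>"
    prefix: str
    distance: Optional[int]
    metric: Optional[int]
    gateway: Optional[str]
    iface: str
    uptime: Optional[str]
    inactive: bool


def parse_routing_table(text: str) -> List[RouteEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # legend and blank lines carry no prefix
        codes = m["codes"].strip()
        entries.append(RouteEntry(
            proto=PROTO_NAMES.get(codes[:1], codes[:1]),
            flags=codes[1:].strip(),
            prefix=m["prefix"],
            distance=int(m["distance"]) if m["distance"] else None,
            metric=int(m["metric"]) if m["metric"] else None,
            gateway=m["gateway"],
            iface=m["iface"],
            uptime=m["uptime"],
            inactive=m["flag"] == "inactive",
        ))
    return entries


def unexpected_default_routes(entries, expected_protos=("static",)):
    """Default routes not learned the way we expect, e.g. an OSPF-originated
    default showing up while only a static default is configured."""
    return [e for e in entries if e.prefix == "0.0.0.0/0" and e.proto not in expected_protos]


def diff_tables(before, after) -> Tuple[list, list]:
    """(added, removed) route keys between two captures of the table."""
    key = lambda e: (e.prefix, e.proto, e.gateway or "", e.iface)
    b, a = {key(e) for e in before}, {key(e) for e in after}
    return sorted(a - b), sorted(b - a)


# Output reproduced from the slides
SAMPLE_ALL = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

O*E2 0.0.0.0/0 [110/10] via 192.168.11.254, wan1, 01:29:24
C 172.16.78.0/24 is directly connected, wan2
O 192.168.1.0/24 [110/200] via 192.168.11.59, internal, 01:30:28
C 192.168.3.0/24 is directly connected, dmz
C 192.168.11.0/24 is directly connected, internal
S 192.168.96.0/19 [10/0] is directly connected, linkA0
S 192.168.192.0/19 [10/0] is directly connected, linkB0
"""
SAMPLE_DATABASE = """\
S 0.0.0.0/0 [15/0] via 172.16.110.2, wan1
O E2 0.0.0.0/0 [110/10] via 10.1.1.2, prvAroot-0, 00:01:37
S *> 0.0.0.0/0 [5/0] via 172.16.110.1, wan1
S 0.0.0.0/0 [10/0] via 192.168.1.1, wan1 inactive
"""

if __name__ == "__main__":
    for e in unexpected_default_routes(parse_routing_table(SAMPLE_ALL)):
        print("unexpected default route:", e)
```

On the database output the `*>` flags mark the one candidate that made it into the FIB, and `inactive` marks a static route whose gateway is unreachable; both are worth checking after a change, since a route that is in the configuration but not in the FIB is not doing anything.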

get router info routing-table database

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

> - selected route, * - FIB route, p - stale info

 

S 0.0.0.0/0 [15/0] via 172.16.110.2, wan1

O E2 0.0.0.0/0 [110/10] via 10.1.1.2, prvAroot-0, 00:01:37

S *> 0.0.0.0/0 [5/0] via 172.16.110.1, wan1

S 0.0.0.0/0 [10/0] via 192.168.1.1, wan1 inactive

diag ip route list (or get router info kernel)

tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.171.128/25 pref=192.168.171.227 gwy=0.0.0.0 dev=2(port1)

tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.109.0/24 pref=192.168.109.130 gwy=0.0.0.0 dev=3(port2)

tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.171.254 dev=2(port1)

tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=7(root)

tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.109.255/32 pref=192.168.109.130 gwy=0.0.0.0 dev=3(port2)

diag ip address list

IP=192.168.12.254->192.168.12.254/255.255.255.0 index=3 devname=wan1

IP=127.0.0.1->127.0.0.1/255.0.0.0 index=5 devname=root

IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=ProviderA

IP=127.0.0.1->127.0.0.1/255.0.0.0 index=9 devname=ProviderB

IP=172.16.78.254->172.16.78.254/255.255.255.0 index=12 devname=wan2

IP=192.168.3.254->192.168.3.254/255.255.255.0 index=13 devname=dmz

get router info protocols

Routing Protocol is "ospf 0"
  Invalid after 0 seconds, hold down 0, flushed after 0
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: system
  Routing for Networks:
    172.16.0.0/16
    192.168.3.0/24
    192.168.64.0/18

Routing Protocol is "bgp 100"
  IGP synchronization is disabled
  Automatic route summarization is disabled
  Default local-preference applied to incoming route is 100
  Redistributing: connected
  Neighbor(s):
    Address        AddressFamily  FiltIn  FiltOut  DistIn  DistOut  RouteMapIn  RouteMapOut  Weight
    192.168.101.1  unicast

Page 54: Routing. Module Objectives By the end of this module participants will be able to: Interpret routing information in the routing table Differentiate between

• Lab - Routing• Configuring dead gateway detection

• Configuring default static routes

• Configuring policy routes

Click here for step-by-step instructions on completing this lab

Lab

Page 55: Routing. Module Objectives By the end of this module participants will be able to: Interpret routing information in the routing table Differentiate between

Student Resources

Click here to view the list of resources used in this module