Routing
Module Objectives
• By the end of this module participants will be able to:
  • Interpret routing information in the routing table
  • Differentiate between the dynamic routing methods available on the FortiGate unit
  • Create static and dynamic routes on the FortiGate unit
Routing
• Routing is the process of moving packets of data between devices on a network from a source to a final destination
• The destination address is used to determine where the packets must go
Routing Table
• The routing table provides the FortiGate unit with the information it needs to forward a packet to a particular destination on a network
• The FortiGate unit looks in its routing table to establish the best route to the destination
• The routing table can be built and updated manually using static routing information
• Routing table entries can also be updated dynamically
• Dynamic routing algorithms are used to adjust network paths by analyzing routing update information
Route Elements
• Each route in the routing table includes the following elements:
  • IP address/mask
  • Gateway IP address/interface
  • Distance
  • Metric
  • Priority
  • Device
  • Dead Gateway Detection
Autonomous Systems
Diagram: three autonomous systems, one per ISP (ISP1, ISP2, ISP3)
• An autonomous system (AS) is a collection of connected Internet Protocol routing prefixes under the control of one or more network operators
• Sometimes referred to as a routing domain
Interior Gateway Protocol
Diagram: a single autonomous system (ISP1) exchanging routes internally
• An Interior Gateway Protocol (IGP) is a routing protocol that is used to exchange routing information within an autonomous system
• Interior Gateway Protocols can be divided into two categories:
  • Distance-vector routing protocols
  • Link-state routing protocols
Exterior Gateway Protocol
Diagram: three autonomous systems (ISP1, ISP2, ISP3) connected to each other with BGP
• An Exterior Gateway Protocol (EGP) is used to determine network reachability between autonomous systems
• Makes use of Interior Gateway Protocols to resolve routes within an AS
Static Routes
• A static route allows packets to be forwarded to a destination other than the default gateway
• Static routes control traffic exiting the FortiGate unit
• Specify through which interface the packet will leave and to which device the packet should be routed
• Static routes are defined manually
Viewing Routing Information
(image-only slide; not reproduced)
Route Selection
• In FortiOS the route selection process considers the following:
  • A route is considered only if the outgoing interface is not down
  • If multiple routes are available for the same subnet, only the lowest distance is chosen
  • For dynamic routes, if multiple routes have the same distance, the lowest metric value is chosen
  • For dynamic routes, the protocol used will determine the route when multiple routes have the same distance and metric
  • All active routes are placed in the routing table; the most specific route will be matched first
  • Policy routing is applied before routing table lookups
Route Selection
• The FortiGate unit only performs a routing lookup for the first packet of the session
• Routing information is written to the session table
• All packets for that session will use the same path
• Exception: after a topology change, route information is flushed from sessions and must be relearned
Route Distance
• Route distance is configurable for all types of routes, except direct interfaces
• Default distance settings on the FortiGate unit:
  • Directly connected 0
  • Static routes 10
  • EBGP routes 20
  • OSPF routes 110
  • RIP routes 120
  • IBGP routes 200
Policy Routing
• With policy routing, decisions are based on criteria other than the destination only
• Packets can be routed based on:
  • Protocol
  • Source address
  • Destination address
  • Destination ports
  • Type of Service (ToS) bits
Blackhole Routes
Diagram: subnet 192.168.1.0/24 behind router 192.168.1.1, which has a default route (0.0.0.0) to the Internet; a blackhole route is created dropping all packets to 192.168.0.0/16, so the router would not send those packets to the default route
• Blackhole routes are a special type of static route used to drop all traffic sent to it
• Used to dispose of packets instead of responding to suspicious inquiries
• Can be used to limit traffic on a subnet
• For added security, traffic sent to addresses not in use can be directed to the blackhole
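As an added example of the selection rules from the Route Selection and Route Distance slides (most specific prefix, then lowest distance, then priority) and of where a blackhole route lands in that ordering, the following Python model is not FortiOS code: the `Route` class, `select_routes`, `next_hop` and `set_priority` are this example's own names, the routing table is constructed from the addresses on the slides (wan1, wan2, dmz, internal, plus a blackhole for 192.168.0.0/16), and treating a lower priority value as preferred, with the metric as the final tie-break, is an assumption about the tie-break order.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example: a simplified model of FortiGate route selection, not FortiOS code.
# The order of checks (interface up, longest prefix, lowest distance, lowest
# priority, lowest metric) follows the slides; the tie-break details are assumptions.

# Default distances from the "Route Distance" slide.
DEFAULT_DISTANCE = {
    "connected": 0, "static": 10, "ebgp": 20, "ospf": 110, "rip": 120, "ibgp": 200,
}


@dataclass(frozen=True)
class Route:
    prefix: str                      # destination network, e.g. "0.0.0.0/0"
    device: str                      # outgoing interface, or "blackhole" to drop
    source: str = "static"           # how the route was learned (key of DEFAULT_DISTANCE)
    distance: Optional[int] = None   # administrative distance; None = default for source
    priority: int = 0                # among equal-distance routes, lower value wins (assumption)
    metric: int = 0                  # protocol metric for dynamic routes
    up: bool = True                  # a route whose interface is down is never considered

    def __post_init__(self):
        if self.distance is None:
            object.__setattr__(self, "distance", DEFAULT_DISTANCE[self.source])

    @property
    def network(self):
        return ip_network(self.prefix)


def select_routes(routes, destination):
    """Every route that would carry a packet to destination: most specific prefix
    first, then lowest distance, then lowest priority, then lowest metric.
    More than one survivor means equal-cost multipath (ECMP)."""
    dst = ip_address(destination)
    cands = [r for r in routes if r.up and dst in r.network]
    for key in (lambda r: -r.network.prefixlen, lambda r: r.distance,
                lambda r: r.priority, lambda r: r.metric):
        if not cands:
            break
        best = min(key(r) for r in cands)
        cands = [r for r in cands if key(r) == best]
    return cands


def next_hop(routes, destination):
    """Sorted interface names a packet would leave on; 'blackhole' means it is dropped."""
    return sorted({r.device for r in select_routes(routes, destination)})


# Constructed routing table built from the Reverse Path Forwarding and Blackhole
# Routes slides: two static default routes (wan1, wan2), a static route to the dmz
# subnet, the connected subnets, and a blackhole covering the unused 192.168.0.0/16.
SLIDE_TABLE = [
    Route("0.0.0.0/0", "wan1"),
    Route("0.0.0.0/0", "wan2"),
    Route("10.0.0.0/24", "dmz"),
    Route("192.168.1.0/24", "internal", source="connected"),
    Route("1.1.1.0/30", "wan1", source="connected"),
    Route("2.2.2.0/30", "wan2", source="connected"),
    Route("192.168.0.0/16", "blackhole"),
]


def set_priority(routes, device, prefix, priority):
    """Copy of the table with one route's priority changed, the effect of
    'config router static / edit <index> / set priority N' on the slide."""
    return [replace(r, priority=priority) if (r.device, r.prefix) == (device, prefix) else r
            for r in routes]
```

`next_hop(SLIDE_TABLE, "8.8.8.8")` returns both WAN interfaces, the ECMP situation from the RPF slides; after `set_priority(SLIDE_TABLE, "wan2", "0.0.0.0/0", 10)` only wan1 remains. 192.168.5.20 falls into the blackhole while 192.168.1.20 still reaches the connected subnet, because the /24 is more specific than the /16, and an OSPF-learned copy of 10.0.0.0/24 loses to the static one on distance (110 against 10).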
Reverse Path Forwarding
• Reverse Path Forwarding (RPF) protects against IP spoofing attacks
• Checks the source IP address of all packets
• If the path back to the source address does not match the path the packet is coming from, it is dropped
• RPF is only carried out on the first packet in the session
• Not on reply traffic, as long as traffic is symmetric
• Debug flow will show the packet being dropped: “Reverse path check fail, drop”
Reverse Path Forwarding
Diagram (built up over several slides): a FortiGate unit with interfaces internal (subnet 192.168.1.0/24), dmz (host with source IP 10.0.0.1/24), wan1 (1.1.1.1/30) and wan2 (2.2.2.1/30); both WAN interfaces connect to the Internet, and packets with unknown source IPs arrive on wan1 and wan2. The routing table shown at each step:
• Initial routing table:
  0.0.0.0/0.0.0.0 wan1
  192.168.1.0/24 local
  1.1.1.0/30 local
  2.2.2.0/30 local
• After adding a static route for the dmz subnet:
  0.0.0.0/0.0.0.0 wan1 (static)
  10.0.0.0/24 dmz (static)
  192.168.1.0/24 local
  1.1.1.0/30 local
  2.2.2.0/30 local
• After adding a second default route through wan2:
  0.0.0.0/0.0.0.0 wan1 (static)
  0.0.0.0/0.0.0.0 wan2 (static)
  10.0.0.0/24 dmz (static)
  192.168.1.0/24 local
  1.1.1.0/30 local
  2.2.2.0/30 local
• Both default routes have the same distance and priority → ECMP
• CLI shown to change the priority of the second default route:
  config router static
    edit <2nd default route index>
      set priority 10
  end
• Routing table shown after the priority change:
  0.0.0.0/0.0.0.0 wan2 (static)
  10.0.0.0/24 dmz (static)
  192.168.1.0/24 local
  1.1.1.0/30 local
  2.2.2.0/30 local
Reverse Path Forwarding Modes
• The RPF check can be configured to be more strict
• Strict Reverse Path Forwarding
  • The source address is looked up in the FIB; if the packet was received on the interface used to forward traffic to the source, the packet is allowed
• Loose Reverse Path Forwarding (FortiGate unit default)
  • Checks only for the existence of a route for the receiving interface; the packet is forwarded even if a better route is available on another interface
Strict Reverse Path Forwarding Disabled / Enabled
Diagram (three slides): a FortiGate unit with interface wan1 on subnet 20.20.20.0/24 (host 20.20.20.20) and interface internal on subnet 10.10.10.0/24 (hosts 10.10.10.5 and 10.10.10.6). Routing table:
  0.0.0.0/0 wan1
  20.20.20.0/24 wan1
  10.10.10.0/24 internal
The host 20.20.20.20 sends a packet whose source address is spoofed to be on the internal subnet:
  hping -1 10.10.10.5 -p 80 -S 10.10.10.6
• Strict RPF disabled: the spoofed SYN is forwarded to 10.10.10.5, which answers 10.10.10.6 with a SYN ACK; 10.10.10.6 replies with a RST
• Strict RPF enabled: only the SYN is shown; it is dropped by the RPF check on wan1
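As an added example of the loose and strict checks described on the Reverse Path Forwarding slides, the following Python is not FortiOS code: `routes_to` and `rpf_check` are this example's own names, the routing tables are constructed from the interfaces and prefixes shown on the slides, and 203.0.113.7 stands in for the slides' "unknown" Internet source address. The drop message is the one the slide says debug flow prints.

```python
from ipaddress import ip_address, ip_network

# Added example (not FortiOS code): loose vs strict reverse path checks, run over
# routing tables constructed from the slides as (destination prefix, outgoing interface).

# Table from the "Strict Reverse Path Forwarding" diagram.
STRICT_SLIDE_TABLE = [
    ("0.0.0.0/0", "wan1"),
    ("20.20.20.0/24", "wan1"),
    ("10.10.10.0/24", "internal"),
]

# Tables from the earlier RPF diagrams, in the order the slides build them up.
INITIAL_TABLE = [
    ("0.0.0.0/0", "wan1"),
    ("192.168.1.0/24", "internal"),
    ("1.1.1.0/30", "wan1"),
    ("2.2.2.0/30", "wan2"),
]
WITH_DMZ_ROUTE = INITIAL_TABLE + [("10.0.0.0/24", "dmz")]
WITH_BOTH_DEFAULTS = WITH_DMZ_ROUTE + [("0.0.0.0/0", "wan2")]

DROP_MESSAGE = "Reverse path check fail, drop"   # text shown by debug flow (from the slide)


def routes_to(table, address):
    """Every route whose prefix covers address, most specific first."""
    addr = ip_address(address)
    hits = [(ip_network(p), dev) for p, dev in table if addr in ip_network(p)]
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)


def rpf_check(table, src, ingress, strict=False):
    """Decide whether the first packet of a session, with source src arriving on
    ingress, passes the reverse path check.
    Loose (FortiGate default): any route to src via the ingress interface is enough,
    even when a better route exists on another interface.
    Strict: a best (most specific) route to src must point back out the ingress
    interface; with equal-length routes (ECMP) any of them counts.
    Returns (allowed, message)."""
    hits = routes_to(table, src)
    if not hits:
        return False, DROP_MESSAGE
    if strict:
        best_len = hits[0][0].prefixlen
        allowed = any(dev == ingress for net, dev in hits if net.prefixlen == best_len)
    else:
        allowed = any(dev == ingress for _, dev in hits)
    return allowed, ("ok" if allowed else DROP_MESSAGE)
```

With `STRICT_SLIDE_TABLE`, the spoofed source 10.10.10.6 arriving on wan1 passes the loose check (the default route points out wan1) but fails the strict one (the best route to 10.10.10.0/24 is internal). With the first diagram's tables, the dmz host 10.0.0.1 is dropped until the static route for 10.0.0.0/24 exists, and Internet sources on wan2 are dropped until a default route through wan2 is added, which is why the slides end up with two default routes.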
Dynamic Routes
• With dynamic routing, information is shared with neighboring routers
• Devices learn about routes and networks advertised by neighbors
• The FortiGate unit selects the best route to a destination and updates the routing table based on defined rules
• The FortiGate unit supports the following dynamic routing protocols:
  • Routing Information Protocol (RIP)
  • Open Shortest Path First (OSPF)
  • Border Gateway Protocol (BGP)
  • Intermediate System to Intermediate System (IS-IS)
Routing Information Protocol
• With the Routing Information Protocol (RIP), the FortiGate unit broadcasts requests for RIP updates
• Neighbors respond with information from their routing table
• The FortiGate unit adds routes from neighbors only if these are not already recorded in the routing table
• Uses hop count to choose the best route
• Each network that a packet travels through to the destination counts as one hop
• If there are two routes to the same destination, the FortiGate unit selects the one with the lowest hop count
Open Shortest Path First
• With Open Shortest Path First (OSPF), routers report information to all other routers in the network
• All routers will have an identical view of the network
• The FortiGate unit calculates the best route based on accumulated link-state information
• Relative cost is used to choose the best route
• Add the costs associated with the outgoing interfaces along the path to the destination
• Lower overall cost indicates the best route
Open Shortest Path First
• Depending on the network topology, entries in the FortiGate unit routing table may include:
  • Addresses of networks in the local OSPF area
    • Where packets are sent directly
  • Routes to OSPF area border routers (ABR)
    • Where packets are sent when they are destined for another area
• The OSPF system is divided into ABRs
  • ABRs link one or more areas to the OSPF backbone
  • Maintain a database of topologies from each connected area
Open Shortest Path First
Diagram: three sites (New York, Chicago, Boston), each connected through an ABR to the backbone (Area 0)
Open Shortest Path First Configuration
• When configuring OSPF, the following parameters must be identified:
  • Router ID
    • Used to identify the FortiGate unit to other OSPF routers
  • Areas
    • Identifies a set of networks grouped together for administrative purposes
  • Networks to advertise
  • The interfaces participating in OSPF (optional)
    • This object allows the default OSPF settings to be changed for the interfaces
• An adjacency can only be formed if two neighbors have some of the same interface attributes, including:
  • Area ID
  • Hello Interval
  • Dead Interval
Border Gateway Protocol
• With Border Gateway Protocol (BGP), reachability information is exchanged between configured peers
• Does not discover network topology
• Constructs a graph of autonomous system (AS) connectivity
  • Routing loops may be pruned
  • Policy decisions may be enforced
• The FortiGate unit accepts BGP routes and enters them into the routing table
• An AS-PATH is built to get to a destination
• Multiple paths can exist
Border Gateway Protocol
Diagram: six autonomous systems, AS 701 (ISP 1), AS 702 (ISP 2), AS 703 (ISP 3), AS 704 (ISP 4), AS 705 (ISP 5) and AS 706 (ISP 6), with the starting point in AS 701 and the destination in AS 706
AS Path: AS 701 → AS 702 → AS 703 → AS 705 → AS 706
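As an added example of how the AS-PATH lets a BGP speaker prune routing loops and choose among multiple paths to one destination, the following Python is not FortiOS or any BGP implementation's code: the AS numbers are the ones on the slide, while the advertisements, the choice of AS 701 as the local AS, and the tie-break on neighbor AS are this example's assumptions.

```python
# Added example (not FortiOS code): AS_PATH loop detection and shortest-path
# selection for one destination prefix, as seen from AS 701 (assumption: the
# slide's starting point). The advertisements below are constructed.

LOCAL_AS = 701

# (neighbor AS the update came from, AS_PATH with the nearest AS first and the
# destination's own AS last)
ADVERTISEMENTS = [
    (702, [702, 703, 705, 706]),       # the path drawn on the slide
    (704, [704, 705, 706]),            # shorter alternative via ISP 4 (constructed)
    (702, [702, 701, 704, 705, 706]),  # already contains AS 701: a loop
]


def has_loop(as_path, local_as=LOCAL_AS):
    """A received path that already contains our own AS would send traffic back
    through us; BGP discards such updates instead of installing them."""
    return local_as in as_path


def accept_paths(adverts, local_as=LOCAL_AS):
    """Prune looping advertisements; the rest remain candidates, so several
    paths to the same destination can coexist."""
    return [(nbr, path) for nbr, path in adverts if not has_loop(path, local_as)]


def best_path(adverts, local_as=LOCAL_AS):
    """Pick the candidate with the shortest AS_PATH (the decision step after
    local preference). Ties are broken on the lower neighbor AS here purely for
    determinism; real BGP continues with origin, MED and further tie-breakers."""
    candidates = accept_paths(adverts, local_as)
    if not candidates:
        return None
    return min(candidates, key=lambda c: (len(c[1]), c[0]))


def format_as_path(as_path, local_as=LOCAL_AS):
    """Render a path the way the slide does, starting from our own AS."""
    return " → ".join(f"AS {asn}" for asn in [local_as] + list(as_path))
```

Of the three constructed advertisements, the one that already carries AS 701 is discarded, and the remaining two show that more than one usable path to AS 706 can exist; `best_path` then prefers the three-hop path through AS 704 over the slide's four-hop path.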
Border Gateway Protocol Configuration
• BGP is run in the context of VDOMs
• EBGP routes have a default distance of 20
  • Preferred over OSPF and RIP
  • Less preferred than static routes
Bi-Directional Forwarding Detection
• Dynamic routing can have problems detecting device failures on the network
• Bi-Directional Forwarding Detection (BFD) can detect failures faster than the protocols and can reroute
• The FortiGate unit supports BFD as part of OSPF and BGP
• Once a connection to a router is established, BFD checks the status frequently
• If the router goes down, routing is changed accordingly
• BFD will continue to monitor the status of the router and will reset the routes once it is available
Intermediate System to Intermediate System
• Intermediate System to Intermediate System (IS-IS) operates by flooding link state information throughout the network of routers
• Each IS-IS router independently builds a database of the network's topology
• Aggregates the flooded network information
• Like the OSPF protocol, IS-IS uses the Dijkstra algorithm for computing the best path through the network
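As an added example of the link-state computation that both the OSPF slides (accumulating interface costs along the path, lowest total wins) and the IS-IS slide (Dijkstra) describe, the following Python is not FortiOS code: the routers are the three ABRs from the OSPF diagram plus the backbone, but the interface costs, the `spf`, `routing_table` and `without_link` names, and the link-state database layout are this example's assumptions.

```python
import heapq

# Added example (not FortiOS code): shortest-path-first over a constructed
# link-state database. Routers come from the OSPF diagram (New York, Chicago,
# Boston, Backbone); the interface costs are assumptions, the slide shows none.
# router -> {neighbor: cost of the outgoing interface toward that neighbor}
LSDB = {
    "NewYork":  {"Backbone": 10, "Boston": 5},
    "Chicago":  {"Backbone": 10},
    "Boston":   {"NewYork": 5, "Backbone": 20},
    "Backbone": {"NewYork": 10, "Chicago": 10, "Boston": 20},
}


def spf(lsdb, root):
    """Dijkstra: for every reachable router return (total cost, path from root),
    where the cost is the sum of the outgoing interface costs along the path."""
    dist = {root: 0}
    prev = {}
    heap = [(0, root)]
    visited = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in visited:
            continue
        visited.add(node)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                prev[nbr] = node
                heapq.heappush(heap, (new_cost, nbr))
    result = {}
    for node in dist:
        path = [node]
        while path[-1] != root:
            path.append(prev[path[-1]])
        result[node] = (dist[node], list(reversed(path)))
    return result


def routing_table(lsdb, root):
    """What gets installed in the routing table: destination -> (cost, next hop),
    taken from the first hop of each SPF path."""
    return {dst: (cost, path[1])
            for dst, (cost, path) in spf(lsdb, root).items() if dst != root}


def without_link(lsdb, a, b):
    """Copy of the LSDB with the link between a and b removed: a topology change,
    after which every router reruns SPF and relearns its routes."""
    out = {router: dict(neighbors) for router, neighbors in lsdb.items()}
    out.get(a, {}).pop(b, None)
    out.get(b, {}).pop(a, None)
    return out
```

From Boston, Chicago is reached through New York and the backbone at cost 25 rather than directly over the cost-20 backbone link (total 30), which is the "lower overall cost" rule; removing the Boston to New York link makes the backbone the next hop at cost 30, the relearning after a topology change mentioned under Route Selection.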
Multicast Routing
• Multicast routing consists of a single multicast source sending data to many receivers
  • Conserves bandwidth
  • Reduces network traffic
• The source only needs to transmit a single stream of data to the multicast router
  • Data is routed to the receivers
• Routing decisions are based on the source and destination address of the multicast packet
• NAT can be applied to multicast packets
• The FortiGate unit can be configured as a multicast router in NAT/Route mode
Equal Cost Multipath
• If more than one Equal Cost Multipath (ECMP) route is available, the method the FortiGate unit uses to select the route can be configured:
  • Source based: all the sessions generated from the same source IP address will always use the same route
  • Weight based: routes with a higher weight are chosen
  • Spill-over: the same route will be used until the spill-over threshold is reached; at this point, the next interface is chosen
Routing Diagnostic Commands
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 192.168.11.254, wan1, 01:29:24
C 172.16.78.0/24 is directly connected, wan2
O 192.168.1.0/24 [110/200] via 192.168.11.59, internal, 01:30:28
C 192.168.3.0/24 is directly connected, dmz
C 192.168.11.0/24 is directly connected, internal
S 192.168.96.0/19 [10/0] is directly connected, linkA0
S 192.168.192.0/19 [10/0] is directly connected, linkB0
Routing Diagnostic Commands
get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S 0.0.0.0/0 [15/0] via 172.16.110.2, wan1
O E2 0.0.0.0/0 [110/10] via 10.1.1.2, prvAroot-0, 00:01:37
S *> 0.0.0.0/0 [5/0] via 172.16.110.1, wan1
S 0.0.0.0/0 [10/0] via 192.168.1.1, wan1 inactive
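As an added example for the two routing-table outputs above, the following Python parser is not FortiOS code: the sample text is copied from the slides, while `LINE_RE`, `parse_routes`, `learned_defaults` and `selected` are this example's own names. It turns each route line into a record (protocol, [distance/metric], gateway, interface, age, the `*`/`>` flags and the `inactive` marker from the database view), so a script can audit the table, for instance to list default routes that arrived through a dynamic protocol rather than static configuration.

```python
import re

# Added example (not FortiOS code): parse 'get router info routing-table all' and
# 'get router info routing-table database' output. Samples below are from the slides.

ALL_SAMPLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 192.168.11.254, wan1, 01:29:24
C 172.16.78.0/24 is directly connected, wan2
O 192.168.1.0/24 [110/200] via 192.168.11.59, internal, 01:30:28
C 192.168.3.0/24 is directly connected, dmz
C 192.168.11.0/24 is directly connected, internal
S 192.168.96.0/19 [10/0] is directly connected, linkA0
S 192.168.192.0/19 [10/0] is directly connected, linkB0
"""

DATABASE_SAMPLE = """\
> - selected route, * - FIB route, p - stale info
S 0.0.0.0/0 [15/0] via 172.16.110.2, wan1
O E2 0.0.0.0/0 [110/10] via 10.1.1.2, prvAroot-0, 00:01:37
S *> 0.0.0.0/0 [5/0] via 172.16.110.1, wan1
S 0.0.0.0/0 [10/0] via 192.168.1.1, wan1 inactive
"""

# One route line: protocol code, optional '*'/'>' flags, optional subtype (E2, IA, ...),
# prefix, optional [distance/metric], gateway or "directly connected", device,
# optional age, optional trailing "inactive". Legend lines do not match.
LINE_RE = re.compile(
    r"^(?P<proto>[KCSRBOi])(?P<flags>[ *>]*)(?P<sub>IA|N1|N2|E1|E2|L1|L2|ia)?\s+"
    r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+)?"
    r"(?:via (?P<gateway>\d+(?:\.\d+){3}), |is directly connected, )"
    r"(?P<device>[^,\s]+)(?:,\s*(?P<age>\S+))?(?P<inactive>\s+inactive)?\s*$"
)


def parse_routes(text):
    """Return one dict per route line; legend and blank lines are skipped.
    A connected route without [distance/metric] gets distance 0 (the default
    for directly connected routes on the Route Distance slide)."""
    routes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        routes.append({
            "protocol": d["proto"],
            "subtype": d["sub"],
            "flags": d["flags"].strip(),      # '*', '>' or '*>' as printed, '' if none
            "prefix": d["prefix"],
            "distance": int(d["distance"]) if d["distance"] else 0,
            "metric": int(d["metric"]) if d["metric"] else 0,
            "gateway": d["gateway"],          # None for directly connected routes
            "device": d["device"],
            "age": d["age"],
            "inactive": d["inactive"] is not None,
        })
    return routes


def learned_defaults(routes):
    """Default routes that came from a dynamic protocol (not S/C/K): a default
    route injected by a neighbor deserves a second look during an audit."""
    return [r for r in routes if r["prefix"] == "0.0.0.0/0" and r["protocol"] not in "SCK"]


def selected(routes):
    """Routes marked '>' (selected) in the database view."""
    return [r for r in routes if ">" in r["flags"]]
```

On the slide's output the OSPF external default (`O*E2`, distance 110, metric 10, via wan1) is the only learned default route, and in the database view only the static default with distance 5 is the selected (`*>`) route, while the distance-10 default through 192.168.1.1 is listed as inactive.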
Routing Diagnostic Commands
diag ip route list (or get router info kernel)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.171.128/25 pref=192.168.171.227 gwy=0.0.0.0 dev=2(port1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.109.0/24 pref=192.168.109.130 gwy=0.0.0.0 dev=3(port2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.171.254 dev=2(port1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=7(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.109.255/32 pref=192.168.109.130 gwy=0.0.0.0 dev=3(port2)
Routing Diagnostic Commands
diag ip address list
IP=192.168.12.254->192.168.12.254/255.255.255.0 index=3 devname=wan1
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=5 devname=root
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=ProviderA
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=9 devname=ProviderB
IP=172.16.78.254->172.16.78.254/255.255.255.0 index=12 devname=wan2
IP=192.168.3.254->192.168.3.254/255.255.255.0 index=13 devname=dmz
Routing Diagnostic Commands
get router info protocols
Routing Protocol is "ospf 0"
  Invalid after 0 seconds, hold down 0, flushed after 0
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: system
  Routing for Networks:
    172.16.0.0/16
    192.168.3.0/24
    192.168.64.0/18
Routing Protocol is "bgp 100"
  IGP synchronization is disabled
  Automatic route summarization is disabled
  Default local-preference applied to incoming route is 100
  Redistributing: connected
  Neighbor(s):
    Address AddressFamily FiltIn FiltOut DistIn DistOut RouteMapIn RouteMapOut Weight
    192.168.101.1 unicast
Lab
• Lab - Routing
  • Configuring dead gateway detection
  • Configuring default static routes
  • Configuring policy routes