- 论坛徽章:
- 0
|
About redundant interfaces
You can combine two or more physical interfaces to provide link redundancy, to ensure that Internet services remain active if one physical interface fails.
You can set up this feature on any FortiGate unit that has two spare interfaces.
For example, if you have two Internet services connected to a FortiGate unit, T1 on Wan 1 and DSL on Wan 2, you can configure Wan 2 to take over Internet traffic if Wan 1 fails.
FortiGate firmware on models 800 and higher implements redundant interfaces, and the procedure to create redundant interfaces is different from models up to 500. See the
procedure for models 800 and above
.
Creating redundant interfaces in models up to 500
Creating redundant interfaces includes these steps:
- Creating new static routes
- Configuring a ping server on each interface
- Setting route preferences
- Creating a firewall policy
Creating new static routes
The redundant interfaces will use these static routes.
The distance value specifies the priority of every route going to the same destination. The route with the lower distance is added to the route table and used first. The second route will not be used until the first route fails. Thus, the route using the primary interface must have a lower distance value, so that it will be used instead of the route using the secondary interface.
To create new static routes
Go to Router > Static.
Select Create New.
Enter the destination IP for the primary route.
Select the interface for the primary route.
Set a distance of 10.
select OK.
Enter the same destination IP for the secondary route.
Select the device for the secondary route.
Set a distance of 11.
Go to Router > Monitor to confirm the new routes.
Configuring a ping server
The FortiGate unit tests the connection through an interface by sending a ping to a reliable server. If the connection is active, the server will send a ping back to the FortiGate unit. If a ping test repeatedly fails, the FortiGate unit considers that connection to have failed, and will select an alternate connection. You can set the interval between pings and the number of times the ping test can fail before a connection is considered failed in Network Options.
To test a connection, a ping must be sent to a reliable server, usually a DNS server. The local gateway or a common website are not reliable enough to confirm a connection.
To configure a ping server
Go to System > Network > Interface.
Select the Edit icon for the devices using the two new static routes.
Enter an IP address for Ping Server.
Select Enable for Ping Server.
Verifying and setting the route preference
You can set up multiple routes to a destination in the network. The FortiGate unit uses the best route for each destination, specified by the lowest priority value.
To verify the route preference
Open the Command Line Interface (CLI).
Log in to the FortiGate unit.
To verify the route preferences, enter the following:
config router static
show
The main route should have a lower priority value than the secondary route. If this is not the case, you can set priority values manually.
To set the route preference
-->
To set the route preference in the CLI, enter the following:
config router static
edit 2
set device
set gateway
next
edit 2
set device
set gateway
end
Creating a firewall policy
You must define a firewall policy for the new route from your primary device to the secondary device to function.
To create a firewall policy
Go to Firewall > Policy.
Select Create New
Select the primary interface for Source
Select the secondary interface for Destination.
Select the IP address of the primary interface for Source.
Select the IP address of the secondary interface for Destination.
Leave other options at the default settings.
Select OK.
Creating redundant interfaces for FortiGate-800 and higher
In models 800 and above, adding redundant interfaces is a one step process. The FortiGate firmware implements redundant interfaces.
To create redundant interfaces
Go to System > Network > Interface.
Select Create New
Enter a name for the redundant interface.
The interface name must not be the same as any other interface, zone or VDOM.
Select Redundant Interface for Type.
Select an interface included in the redundant interface from Available Interfaces.
Select the right arrow button to move the interface to the Selected Interface list.
Repeat the selection procedure for all interfaces you want to include in the redundant interface.
Enter the destination IP for the redundant interfaces in IP/Netmask.
Enter an IP address for Ping Server.
Select Enable for Ping Server.
Configure other interface options as required.
Select OK.
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/18307/showart_155096.html |
|
免费注册
发表于 2006-08-14 09:26