混合场景有两个问题需要考虑和解决:
1.路由问题
上互联网的流量需要走默认路由,而VPN出口有时候只可以访问总部的内网资源,需要把这些流量路由从SD-WAN接口组里分离开来,这是一个比较难处理的点。
解决办法1:写明细路由可以解决,写明细的默认路由和明细的VPN流量,需要SD-WAN调度的流量全部通过SD-WAN规则去匹配然后根据算法选择出接口。
解决办法2:VPN的部分选择使用写明细路由,上互联网的默认路由可以利用SD-WAN接口成员组中的接口下配置“priority”属性,将VPN接口的属性调整为100,这样SD-WAN的默认路由将不会将流量转发到VPN隧道上去。将路由分离开来,然后再用SD-WAN规则去匹配相应的流量进行调度。(下面会演示这一种方式的SD-WAN部署)
2.策略问题
上互联网的策略需要做SNAT,而VPN的流量大部分场景下不需要做NAT,策略也需要将这两种流量区分开来,这是例外一个需要解决的点。
解决办法:需要定义内网的IP地址对象,通过策略明细的匹配出VPN的流量,并不做NAT,将此策略放置于最前面,优先继续匹配处理,而上互联网的策略则至于SD-WAN的最后面,优先处理VPN流量不做NAT,而上互联网的流量则最后匹配做SNAT,这样的方式将二者分离开来。
拓扑图:
分支在上一个章节“VPN&MPLS场景”上增加了一个PPPOE的互联网出口,互联网为双出口、VPN1、VPN2、MPLS,五个出接口全部加入到SD-WAN接口成员里面:
分支FGT增加PPPOE的配置:
config system pppoe-interface
edit "PPPOE1_DR_PENG"
set device "port14"
set username "fortinet"
set password ENC Nb3O1NZBYdGDweF7VzMNabvbztxChaggTKXNMb2m5aCPQ6/H3H6d+XbvPOkh9NUJ0c8nHJ0zxV9hKsGwoJe/kox2RFIO0fl/DxQFN3KtsoRgR0z2K/mnWj5l2BmwHUtZc7zafi56FtqsOZn87pEhdn/g2J9ctGY/jGX9gnZwyFDHOa3PACftjg6Muo/NZl0hUbCxeA==
next
end
config system interface
edit "PPPOE1_DR_PENG"
set vdom "root"
set mode pppoe
set allowaccess ping
set type tunnel
set alias " PPPOE1_DR_PENG"
set estimated-upstream-bandwidth 102400
set estimated-downstream-bandwidth 102400
set role wan
set interface "port14"
next
end
将WAN1和PPPOE接口加入到SD-WAN接口成员组中:
WAN1加入到SD-WAN成员组之前先删除掉WAN1的相关路由/策略的配置:
命令行调整 VPN1/VPN2/VPN3接口的路由优先级:
FGT100E_Master # config system virtual-wan-link
FGT100E_Master (virtual-wan-link) # config members
FGT100E_Master (members) # show
config members
edit 1
set interface "VPN1"
set gateway 10.255.1.2
next
edit 2
set interface "VPN2"
set gateway 10.255.2.2
set weight 2
next
edit 3
set interface "port13"
set gateway 192.168.254.1
set weight 3
next
edit 4
set interface "wan1"
set gateway 202.100.1.192
next
edit 5
set interface "PPPOE1_DR_PENG"
next
end
FGT100E_Master (members) # edit 1
FGT100E_Master (1) # set priority 100
FGT100E_Master (1) # next
FGT100E_Master (members) # edit 2
FGT100E_Master (2) # set priority 100
FGT100E_Master (2) # edit 3
FGT100E_Master (2) # next
FGT100E_Master (members) # edit 3
FGT100E_Master (3) # set priority 100
FGT100E_Master (3) # next
FGT100E_Master (members) # show
config members
edit 1
set interface "VPN1"
set gateway 10.255.1.2
set priority 100
next
edit 2
set interface "VPN2"
set gateway 10.255.2.2
set weight 2
set priority 100
next
edit 3
set interface "port13"
set gateway 192.168.254.1
set weight 3
set priority 100
next
edit 4
set interface "wan1"
set gateway 202.100.1.192
next
edit 5
set interface "PPPOE1_DR_PENG"
next
end
调整路由配置:
删除掉之前配置的去往总部VPN网段的明细SD-WAN路由:
添加去往互联网的默认路由指向SD-WAN出接口:
命令行查看实际生效情况:
FGT100E_Master # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [1/0] via 114.100.1.196, PPPOE1_DR_PENG // 实际生效
[1/0] via 202.100.1.192, wan1 // 实际生效
[1/0] via 192.168.254.1, port13, [100/0] // 优先级为100,仅仅存在于路由表中而已,不用于转发去往互联网的数据
[1/0] via 10.255.1.2, VPN1, [100/0] // 优先级为100,仅仅存在于路由表中而已,不用于转发去往互联网的数据
[1/0] via 10.255.2.2, VPN2, [100/0] // 优先级为100,仅仅存在于路由表中而已,不用于转发去往互联网的数据
C 10.255.1.1/32 is directly connected, VPN1
C 10.255.1.2/32 is directly connected, VPN1
C 10.255.2.1/32 is directly connected, VPN2
C 10.255.2.2/32 is directly connected, VPN2
C 114.100.1.196/32 is directly connected, PPPOE1_DR_PENG
C 114.100.1.210/32 is directly connected, PPPOE1_DR_PENG
C 192.168.10.0/24 is directly connected, port1
C 192.168.254.0/24 is directly connected, port13
S 192.168.255.0/24 [10/0] via 192.168.254.1, port13
C 202.100.1.0/24 is directly connected, wan1
最终FGT本地路由表:
FGT100E_Master # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [1/0] via 114.100.1.196, PPPOE1_DR_PENG // 去往互联网的负载均衡路由
[1/0] via 202.100.1.192, wan1
[1/0] via 192.168.254.1, port13, [100/0] // 实际不转发去互联网的流量
[1/0] via 10.255.1.2, VPN1, [100/0] // 实际不转发去互联网的流量
[1/0] via 10.255.2.2, VPN2, [100/0] // 实际不转发去互联网的流量
C 10.255.1.1/32 is directly connected, VPN1
C 10.255.1.2/32 is directly connected, VPN1
C 10.255.2.1/32 is directly connected, VPN2
C 10.255.2.2/32 is directly connected, VPN2
C 114.100.1.196/32 is directly connected, PPPOE1_DR_PENG
C 114.100.1.210/32 is directly connected, PPPOE1_DR_PENG
S 172.16.10.0/24 [10/0] via 192.168.254.1, port13 // 去往VPN业务网段的负载均衡路由
[10/0] via 10.255.1.2, VPN1
[10/0] via 10.255.2.2, VPN2
C 192.168.10.0/24 is directly connected, port1
C 192.168.254.0/24 is directly connected, port13
S 192.168.255.0/24 [10/0] via 192.168.254.1, port13
C 202.100.1.0/24 is directly connected, wan1
路由的部分已经解决。
现在来处理策略的部分,去往VPN的流量是不需要做SNAT的,而去互联网的流量是需要做SNAT的。
先添加IP地址对象,定义分支本地的IP地址网段和总部服务器IP地址网段:
先配置VPN业务网段的策略,放置于最前面:
策略问题也顺序解决!
配置SD-WAN健康检查:
一个去往总部服务器的 VPN1/VPN2/MPLS接口的健康检查。
另外一个是去往互联网的WAN1/PPPOE接口的健康检查。
通过SD-WAN检查检测可以知道各个出口的具体质量情况。
接下来就是按照各自的业务需求配置SD-WAN规则了:
需求1:去往总部网段的服务器 Server 172.16.10.200 UDP 9090业务需要满足SLA目标 延迟200ms、丢包1%,同时需要按照cost优先走MPLS(Port13)、VPN2、VPN1这样的出口顺序。
按照需求我们选择:Lowest Cost(SLA)方式进行SD-WAN负载
调整VPN1/VPN2/MPLS的接口Cost值,MPLS cost 为 100、VPN2 cost为200、VPN3 cost的为300
这样Lowest Cost(SLA)将会按照接口cost的顺序 优先选择MPLS(port13)、VPN1、VPN2进行选择,同时都需要满足SLA目标值。
查看SD-WAN规则选择结果:
FGT100E_Master # diagnose sys virtual-wan-link member
Member(1): interface: VPN1, gateway: 10.255.1.2, priority: 100, weight: 0
Member(2): interface: VPN2, gateway: 10.255.2.2, priority: 100, weight: 0
Member(3): interface: port13, gateway: 192.168.254.1, priority: 100, weight: 0
Member(4): interface: wan1, gateway: 202.100.1.192, priority: 0, weight: 0
Member(5): interface: PPPOE1_DR_PENG, gateway: 114.100.1.196, priority: 0, weight: 0
FGT100E_Master # diagnose sys virtual-wan-link health-check
Health Check(HUB_Server_Check):
Seq(3): state(alive), packet-loss(0.000%) latency(30.833), jitter(0.098) sla_map=0x1
Seq(1): state(alive), packet-loss(0.000%) latency(40.810), jitter(0.086) sla_map=0x1
Seq(2): state(alive), packet-loss(0.000%) latency(10.698), jitter(0.089) sla_map=0x1
Health Check(Internet_Check_8.8.8.8):
Seq(5): state(alive), packet-loss(0.000%) latency(61.882), jitter(0.667) sla_map=0x1
Seq(4): state(alive), packet-loss(0.000%) latency(71.941), jitter(0.927) sla_map=0x1
FGT100E_Master # diagnose sys virtual-wan-link service 2
Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(17: 9090->9090), Mode(sla)
Service role: standalone
Member sub interface:
Members:
1: Seq_num(3), alive, sla(0x1), cfg_order(0), cost(100), selected // 优选择MPLS出口(port13)
2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(200), selected
3: Seq_num(1), alive, sla(0x1), cfg_order(2), cost(300), selected
Src address:
192.168.10.0-192.168.10.255
Dst address:
172.16.10.200-172.16.10.200
FGT100E_Master # diagnose firewall proute list
id=2133524482 vwl_service=2(TO_Server_10_200_UDP_9090) vwl_mbr_seq=3 2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=17 sport=0:65535 iif=0 dport=9090 oif=23 oif=42 oif=41
source(1): 192.168.10.0-192.168.10.255
destination(1): 172.16.10.200-172.16.10.200
结果验证:
制造MPLS接口 延迟为250ms超过SLA目标值200ms,查看SD-WAN规则出口的切换:
FGT100E_Master # diagnose sys virtual-wan-link member
Member(1): interface: VPN1, gateway: 10.255.1.2, priority: 100, weight: 0
Member(2): interface: VPN2, gateway: 10.255.2.2, priority: 100, weight: 0
Member(3): interface: port13, gateway: 192.168.254.1, priority: 100, weight: 0
Member(4): interface: wan1, gateway: 202.100.1.192, priority: 0, weight: 0
Member(5): interface: PPPOE1_DR_PENG, gateway: 114.100.1.196, priority: 0, weight: 0
FGT100E_Master # diagnose sys virtual-wan-link health-check
Health Check(HUB_Server_Check):
Seq(3): state(alive), packet-loss(0.000%) latency(250.825), jitter(0.099) sla_map=0x0 // 超出SLA目标值
Seq(1): state(alive), packet-loss(0.000%) latency(40.827), jitter(0.078) sla_map=0x1
Seq(2): state(alive), packet-loss(0.000%) latency(10.638), jitter(0.097) sla_map=0x1
Health Check(Internet_Check_8.8.8.8):
Seq(5): state(alive), packet-loss(0.000%) latency(62.132), jitter(0.508) sla_map=0x1
Seq(4): state(alive), packet-loss(0.000%) latency(72.056), jitter(0.510) sla_map=0x1
FGT100E_Master # diagnose sys virtual-wan-link service 2
Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(17: 9090->9090), Mode(sla)
Service role: standalone
Member sub interface:
Members:
1: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(200), selected // VPN2作为优选出口,因为VPN2符合SLA目标,同时VPN2的cost比VPN2的cost值要小
2: Seq_num(1), alive, sla(0x1), cfg_order(2), cost(300), selected
3: Seq_num(3), alive, sla(0x0), cfg_order(0), cost(100), selected
Src address:
192.168.10.0-192.168.10.255
Dst address:
172.16.10.200-172.16.10.200
FGT100E_Master # diagnose firewall proute list
id=2133524482 vwl_service=2(TO_Server_10_200_UDP_9090) vwl_mbr_seq=2 1 3 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=17 sport=0:65535 iif=0 dport=9090 oif=42 oif=41 oif=23
source(1): 192.168.10.0-192.168.10.255
destination(1): 172.16.10.200-172.16.10.200
查看相关流量的出接口变化:
需求2:Microsoft-Office365的业务需要强制走WAN1出去,其他去往互联网的流量进行默认的源IP负载均衡即可。
按照需求我们需要选择“Manual(手动选路)”来强制Microsoft-Office365走固定IP的出口WAN1
SD-WAN规则调用了Office相关的应用程序和Internet服务注意事项:
由于我的SD-WAN规则里面选择了Office相关的应用程序,这样基于应用的SD-WAN规则(策略路由)要生效的话需要满足一些条件:
第一步:应用程序是需要先通过内网用户通过使用Office相关的应用程序,然后FGT进行应用识别的,因此策略里面一定要开启APP Control才可以,需要识别的更好甚至需要开启SSL深度检测:
第二步:识别之后将会学习到相应的Office相关的应用程序的IP地址,将会形成一个动态的Office相关的应用程序IP地址数据库,最终才会将这个学习到的IP数据库加入到SD-WAN规则(策略路由)里面,因此这需要有一个学习的过程,SD-WAN中的应用程序的调用不会立即生效,因此在没有成功学习之前,SKPYE的流量会走到其他线路上去,FGT会去学习这些识别出来的应用程序的IP地址,这并非问题,而是SD-WAN调用应用的工作逻辑就是这样,学习完毕之后,新发起的流量才会匹配到SD-WAN规则(策略路由),我们可以通过命令行查看到学习的应用程序IP数据库信息:
FGT100E_Master # diagnose sys virtual-wan-link internet-service-app-ctrl-list // 应用程序的IP数据库,动态学习的,学习完毕,应用程序才可以被SD-WAN规则所调用,这需要一定的时间生成这个应用程序的数据库
Microsoft.Office.365.Portal(41468 4294837274): 13.107.6.163 6 443 Thu Oct 31 22:20:44 2019
Microsoft.Office.365.Portal(41468 4294837274): 40.100.155.18 6 443 Thu Oct 31 22:20:41 2019
Microsoft.Office.365.Portal(41468 4294837274): 104.76.0.106 6 443 Thu Oct 31 22:22:24 2019
Microsoft.Outlook.Office.365(45553 4294837289): 13.107.18.11 6 443 Thu Oct 31 22:20:42 2019
Microsoft.Outlook.Office.365(45553 4294837289): 40.100.54.18 6 443 Thu Oct 31 22:20:41 2019
如果需要学习将到的Office相关的应用程序的数据库立马完全生效,旧的会话是会保持原有出口的,想要这些旧的会话立即生效需要清除旧的会话和路由缓存信息,而新建的会话则不需要此操作,具体命令行:
FGT100E_Master # diagnose sys session filter src 192.168.10.100
FGT100E_Master # diagnose sys session clear //清除测试机器的会话,让其重新匹配新的SD-WAN规则(有Office相关的应用程序的IP数据库更新)
FGT100E_Master # diagnose ip rtcache flush // 清除路由缓存
而Internet 服务数据库,就相当于是一个在Fortiguard已经学习好了的IP数据库,通过FortiGuard自动更新到FGT本地,无需FGT学习,可以直接被SD-WAN规则(策略路由)调用。
业务测试结果:
其他互联网将会按照默认路由进行源IP的负载均衡处理。
FGT100E_Master # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [1/0] via 114.100.1.196, PPPOE1_DR_PENG
[1/0] via 202.100.1.192, wan1
[1/0] via 192.168.254.1, port13, [100/0]
[1/0] via 10.255.1.2, VPN1, [100/0]
[1/0] via 10.255.2.2, VPN2, [100/0]
C 10.255.1.1/32 is directly connected, VPN1
C 10.255.1.2/32 is directly connected, VPN1
C 10.255.2.1/32 is directly connected, VPN2
C 10.255.2.2/32 is directly connected, VPN2
C 114.100.1.196/32 is directly connected, PPPOE1_DR_PENG
C 114.100.1.210/32 is directly connected, PPPOE1_DR_PENG
S 172.16.10.0/24 [10/0] via 192.168.254.1, port13
[10/0] via 10.255.1.2, VPN1
[10/0] via 10.255.2.2, VPN2
C 192.168.10.0/24 is directly connected, port1
C 192.168.254.0/24 is directly connected, port13
S 192.168.255.0/24 [10/0] via 192.168.254.1, port13
C 202.100.1.0/24 is directly connected, wan1
