FortiOS 6.4.6 - SD-WAN - Route-Tag Overview

Captions
Okay, got my Fortinet background and everything. It's going to be funny, because this is not a Fortinet-sanctioned event, but I'll get more into that in a second. Okay, so let me just make sure I've got everything lined up the way I need it. Looks good to me. If someone doesn't mind, can y'all put in the chat whether or not y'all can see my screen, or give me an audible cue to let me know that my screen is visible? I'm going to look at the chat and see. Okay, the chat is saying yes, it's viewable. All right, awesome.

Okay, so let's get right into it. First off, I want to say thank you to each and every one of you for joining. Again, as you come in, please place yourself on mute. If you want to unmute, that's all good, but I just want to make sure I can get through this relatively quickly. So, myself: my name is Jonathan. I am known as Afroman Says on Reddit, also known as Historian Tech on my own blog, and lastly, to my friends I'm known as JT. So unless you're a bully from elementary school, call me JT. At any rate, I'm a Fortinet employee, a sales engineer currently out of North Carolina. I do hold the NSE 8 credential, and I've been a mod of r/fortinet for a minute. I don't know how long y'all have been a part of the community; if you're part of the Reddit community, great, and if you're not, I encourage you to join. Long story short, I play with a lot of Fortinet stuff.

The most important thing I guess I can say today is that this is not a Fortinet-sanctioned event. So if you get some information and it doesn't work out as well as you thought, please don't go and call my boss and get me fired. All that being said, even though this is not a Fortinet-sanctioned event, quite commonly Fortinet employees are out on the social media sites, and just the medium in general, trying to share as much knowledge as we can about the platform, something we love. That's our sales organization, our technical support organization, our professional services organization, and many parts of our other organizations. We like to be as open-book as possible, because we feel like the more people understand the product and see the value of it, the more adoption it's going to bring. So hopefully this is going to result in some of that.

All that being said, shout out to my homie Ultimate, who's a guy I like to call out in particular because I know how much he does and the tireless hours he works to make sure that people on social media get a response. So tip of the cap to you, sir; keep fighting the good fight. But not only Ultimate, all my other Fortinet colleagues under their various pseudonyms: I appreciate everything y'all are doing. We're doing a great job getting the word out.

Now, all that being said, enough about Fortinet. I want to give a big shout out to my man James G on Reddit. Hopefully you're on here, because if you're not, this is kind of awkward. All of this started because my man had enough confidence to say "I don't know." Right? He had enough confidence to say, "Hey, I've got this thing coming up in front of me and I need some help." I think that takes a lot of boldness, especially on social media today, when a lot of people will try to rake you over the coals for saying "I don't know" or "I need help." So shout out to you, man. Hopefully this is useful, and please feel free to keep asking those questions. I'm going to try to answer them as much as I can, as well as my colleagues.

Another thing to point out, to everyone else: if you have questions and things like that, I know Fortinet has technical support, you've got your sales and account teams, you've got professional services organizations, but please reach out to these forums. I think the moderators of r/fortinet have worked very hard and tirelessly to make sure that it's a welcoming environment, right? Like, there are "no stupid questions." I say that in quotation marks; I mean, there are some pretty dumb questions, but no one knows everything, right? Everyone starts from somewhere, so we try to keep that in mind when people ask very elementary questions, I guess you can call them that. So feel free: come to the Discord channel, which is also part of r/fortinet (you can see how to get out there). Use your resources, some of Fortinet's resources, the Fuse community and all that stuff. Use them. There are people out here who love and are very passionate about this product and are just happy to share information.

That being said, today I'm going to focus specifically on an ask from James G. Oh, James G, it's me. One of the things he mentioned in his Reddit post was, "I've got some questions about this route-tag feature in the SD-WAN." He did also say he wanted some more information about BGP in general. Unfortunately, James, I don't have enough time to go through everything from SD-WAN and BGP, but what I'm going to try to do is cover a lot of the basics. I'm going to give a brief overview, if you will, just to whet your appetite, and then maybe a little bit later we can set up another deeper dive to break down SD-WAN.

Quick plug about SD-WAN: I wrote one of the first guides for SD-WAN for Fortinet, back when it was strongly being developed in its early, early days. I'm not sure what that guide has turned into, but I am in the process of trying to work on guide version 2.0, so hopefully in the next year or so you'll see that. Hopefully sooner than a year, but at this rate it's probably going to take that. That being said, I'll try to cover as much detail as possible, then I'm going to really focus on this route tag, and then at the end, if we have more time, I will try to focus
on the general stuff.

So, the ground rules: you don't need to be on camera. If you do want to be on camera, cool. I'm going to be on camera, but if you don't, I understand; it might be lunchtime, or it might be evening or early in the morning, not sure, so it's all good. If you do have questions, please feel free to put them in the chat. I'm going to try my best to watch out for the blinking light. If I see it, I'll try to answer it right as it comes up; if I don't see it and it's still there, I will answer it at the end. I'm going to try not to let people off mute, just because I've got a feeling this thing's going to go down to the wire, but we'll see. Also, guys, this is the first time I've done this, so please expect some hang-ups and hiccups, if you will. This is very off the cuff, not formal at all. It's supposed to be more of a talk rather than a presentation, and a demo. So with that being said, let's get to it.

All right, so right now you can see my screen, and the first thing on the screen is a network topology. What I want to do is level set with everybody, to give everyone a glimpse of the environment that I'm going to be demonstrating and working out of. You can see all the way here to the left I have a Branch01 FortiGate. This is actually a physical 101F that's in my 24U lab right over there. Then you also see this HQ01; this is a virtual-machine FortiGate running FortiOS 7.0. Don't do it in production, but in a lab environment, all good. And then lastly I have Datacenter01, which is also running as a VM, running FortiOS 6.4.6, and that's going to serve as the hub of my hub-and-spoke SD-WAN deployment. Branch01 and HQ01, those are my spokes; Datacenter01, that's my hub. Okay.

Now, you can kind of ignore this 81F at the end; that's just my home gateway FortiGate. The real meat and potatoes come down to these routers that I have in this kind of intermediate layer between my FortiGates and my actual 81F. This is serving (hopefully you can see my cursor) as my internet layer, if you will. So it's not very complicated. I just have each of the FortiGates on their own networks, and these guys are running eBGP between them, hence you can see the different AS numbers. So they're exchanging routes all happily, and the FortiGates can basically get to their internet addresses through these routers. It's not a very complicated lab environment, but it will kind of simulate most use cases for what you're going to see when you're actually deploying out on the internets. I said that with an S.

Now, one thing that you don't see on the lab environment (and I know I keep looking at the camera, but I've got a dual-monitor setup here) is that I do have a virtual machine called WANbridge. What it does is it allows me to set up a transparent bridge between my FortiGate and my router so that I can do network congestion, increase latency, and introduce packet loss on the link. So if I've got enough time at the end, I'm going to do a demo of SD-WAN using the route-tag feature, so y'all can see that it works, and I'm going to be using that tool, which y'all will see how I configure. So that is my lab.

Like I said, if you've got any questions... let me just check to see if there are any questions. Okay, got questions, cool. Recording: yes, I'm going to post a recording on Reddit, and maybe my blog and Discord, once it's all done. It's being recorded via Zoom Cloud, so I should just be able to share the link; that should be good. Reason to use eBGP as an IGP: so I'm not using eBGP as an IGP, I'm actually using iBGP as an IGP, and that's going to happen between my FortiGates. The eBGP portion is actually serving as an exterior gateway protocol, and that's why I'm using eBGP on the internet, because nine times out of ten, if you're going to simulate an internet connection, the routers that are on the internet are using eBGP to talk. So that's what I'm using there. But great questions; please keep putting them in the chat as they come in.

Now let's talk about SD-WAN in general. Before I actually start talking about route tags and going into the details about that, I'm going to take a step back and just give you a brief synopsis of SD-WAN. SD-WAN is essentially a way to introduce intelligent routing into your network. Back in the day (and this is really not too far gone), if you wanted low-latency, high-quality-of-service links, you had to go with MPLS or some kind of dedicated circuit. MPLS is expensive; it costs a ton of money, it's sometimes hard to reach or hard to get in a lot of different places, there are a lot of downfalls to getting it, and you don't get a lot of bandwidth typically for the amount of money you pay. However, there's typically an abundance of commodity circuits now. Commodity internet is going to be things like your Spectrums, your AT&Ts, your Verizons, CenturyLink (I'm not endorsing any of these, by the way, I'm just saying these are the common ones that are out there), Comcast, etc. These are US-based; if you're in other countries I'm sure you'll have your own local providers. While if you're in a rural setting they might be harder to come by, in most metropolitan city areas they're relatively prevalent across the board. So a lot of times you can say, "Hey, I want to get internet access," and they can bring you online within a week, whereas if you're trying to bring MPLS online, sometimes it can take months and maybe even years, depending on where the infrastructure is and demand.

That being said, MPLS and those dedicated circuits provide a certain layer of benefit, because they're dedicated links: you know how much bandwidth
you're going to get, and you have a typical SLA on the amount of latency that you're going to get. So if you have critical applications such as voice or video, you typically want to place that on those links, because you know that's going to be a great user experience. Well, commodity internet, while they don't necessarily guarantee things like latency or quality of service, they do provide a pretty good SLA around uptime. So nine times out of ten a commodity circuit could potentially meet your needs when it comes to some of your critical applications: voice, video, maybe if you have some cloud-provider applications and you want to make sure it takes a certain path. Internet can typically provide a great way to access those items. The problem is that, again, they don't necessarily have the same level of SLAs associated with an MPLS circuit. So somebody runs a backhoe through a fiber and cuts your commodity internet, you might be down for a few days.

To combat that, a lot of the vendors kind of got smart and said, "Hey, what if we took multiple commodity internet circuits and basically bonded them into a virtualized WAN circuit, and we put some intelligence on the platform so that it can pick and choose the best circuit based on some network criteria?" And hence SD-WAN was born. So that is a quick summary about SD-WAN.

As far as setting up on the FortiGate, I guess the main difference between FortiGate SD-WAN deployment versus some of the other big names or well-known players is that Fortinet SD-WAN is not controller-based. What I mean by that is that when you look at some of the other pure-play SD-WAN providers, they have a cloud management infrastructure, and essentially that cloud management infrastructure is controlling the different endpoints and saying, "Okay, when this set of link characteristics or criteria is met, you start using these links." Fortinet's a little different, in that the decisions are actually made by the initiating side. So there's no cloud controller that's going down to the FortiGate to tell it, "Hey, you need to switch over to this link." The FortiGate can be pretty autonomous in that sense. If it does lose connectivity to the management, via FortiManager or any of the FortiGate Cloud management utilities, you can still go to the local UI of the FortiGate, make changes, and it can still perform its SD-WAN based on the local policy that's set.

That being said, that does sometimes pose challenges in the scenario where you have a hub-and-spoke model. Nine times out of ten, traffic is going to be initiated from the spoke going up to the hub, so SD-WAN works fine. When you want to initiate traffic from the hub going back to the spoke (this might mean, like, if you're trying to monitor some applications or something like that behind the spoke), you're typically going to run into some challenges. But Fortinet does have what I consider workarounds to get around that: you can either do SD-WAN from the hub going back to the spokes, and/or you can use some features within the spoke to basically change the routes that are preferable on the hub side via BGP. That's out of scope for what I'm talking about today, but just know that those capabilities are there.

That being said, when you are getting ready to set up BGP on a Fortinet device, there are three main things that you've got to worry about. Number one is plumbing, number two is routing, and number three is policies. I'm not going to go through and actually set up everything from scratch, but I'm going to show you the different components of what I'm talking about. The first component is the plumbing, which is basically the network connectivity between your sites that are going to be working over SD-WAN. So let me check before I go into this if I've got any new questions. All right, awesome.

So, plumbing. With SD-WAN, like I was describing when going over the purpose of SD-WAN, if you've got one interface, there's not really a lot of benefit that SD-WAN's going to give you. Now, there is some benefit: if you turn on SD-WAN on a FortiGate and you've only got one interface, at least you have the ability to monitor and see the network characteristics of the WAN circuit the FortiGate is using. But in most cases, when you deploy SD-WAN you need two or more WAN interfaces to be able to do intelligent routing over. So in this scenario, I have two different VPNs terminating to my hub FortiGate. Now, if I go back and look at my hub FortiGate, which is this Datacenter, you will see I have two VPNs that are in dial-up mode that will answer those VPN connections from each of my spokes. Again, I'm not going to go into the details, but I'm just going to give you the high level.

Once you do have that plumbing set up, so you've got your internet connectivity so you can route between the two FortiGates, then you've got your VPN so that you can establish an overlay network on top of that internet connectivity. The last portion of it is to set up... well, I'm not going to talk about ADVPN; I'm going to skip ADVPN for now. Just know you've got to have two VPN interfaces, okay?

Once you've got the VPN interfaces established, the next thing you've got to cover is the routing portion. This is going to be where your BGP comes in. Now, in this scenario, in FortiOS 6.4.6, most of this has to be done from the GUI... I'm sorry, from the CLI. So a lot of people are going to be like, "Boo, I'm not trying to hear that; when are we going to bring it into the GUI?" Well, by no means is this an endorsement, so like I said, if you're in the lab environment, cool; if you're in
production, don't do this. A lot of this functionality has been brought into the GUI in FortiOS 7.0. So shout out to my man Jordan Thompson from the Fortinet development team; I know that you were listening to folks on Reddit, you heard them loud and clear, took their advice and recommendations, and put them in the product. Thank you so much for doing that. But since we're below FortiOS 7, I'm just going to show you that everything on the FortiGate side, on the spoke side, is handled through the CLI, and it's a baseline BGP configuration. When I say baseline, I mean baseline if you know what you're doing with SD-WAN; otherwise, some of these things you have to wait for the GUI to come out.

The last thing you want to do, once you have your plumbing in place and your routing in place, is set up the policies. The first part of setting up the policies is defining your SD-WAN zones. This is something that was new, I think introduced with FortiOS either 6.4.1 or 6.4.2, but essentially what you have to do is take the interfaces that are going to be participating in SD-WAN, create an SD-WAN zone, and throw them in there. In this case you can see I have two different zones: I have SD-Internet, which takes my underlay, my physical interfaces that allow me to connect to the internet, and then I have my SD-VPN, which is my overlay, which allows me to connect over my underlay to get to my datacenter to access those resources.

From there, you've got to build the policy to actually set up performance SLAs (service level agreements), so that the FortiGate can monitor over the corresponding underlay and the corresponding overlay to see how that network is performing. In this scenario, I actually built my SLAs to go over my VPN connections, and I'm actually hitting a loopback interface right here, 10.71.223.1, from my spokes. The reason why I chose loopback was because, one, it doesn't go down, which is very important, and two, it's something that is separate from the other networks. A lot of times you want to make sure the traffic can get to the hub, and from that point it's up to the hub to decide the best path to get it wherever it needs to go. There are some other scenarios where you don't necessarily want to choose the loopback, but 99% of the time you want to choose loopback.

The last part is setting up the SD-WAN rules, which I will start to delve into a little bit deeper when I start talking about the route-tag feature, but I just want to show that that is the last part. This actually tells the SD-WAN how to make intelligent decisions based on some predefined criteria, whether that be latency, jitter, packet loss, bandwidth, or some other custom metric, if you will. And the last part, of course: the FortiGate next-generation firewall can't do anything without a firewall rule. You must make sure that you have the firewall rules in place. As you can see here, I have this "allow data to datacenter" rule from my Taurean Code VLAN over SD-WAN. When I get towards what I call the demonstration part at the end of SD-WAN, we'll see how that all comes together. So that is the basic setup of SD-WAN.

Are there any questions about that? Man, that's a good question. All right, so Rowan (Rowan or Rowan, sorry, I'm not sure if I'm pronouncing your name correctly), I'm going to get back to that question towards the tail end. Keep posting them in there as they come, and I will make sure to answer that question.

All right, so let's get to what we're talking about today: route tags. You might ask, "Okay, when I go in and I create an SD-WAN rule today, Jonathan, the way I do it now is I go in and I say, all right, I'm going to choose this source, which might be the network that's behind the FortiGate, going to this destination, which is going to be the network on the other side of the SD-WAN, and I hit OK, and it just works. So why in the heck do I even need a route tag?" Well, let me tell you why. Typically an SD-WAN deployment... I would say probably nine times out of ten you could probably get away with using static routes. Not nine times out of ten, sorry, four times out of ten you could probably get away with using static routes and having a very statically defined SD-WAN topology. So things may not be changing dynamically, or you may not be growing new sites. If you have a very "set it and forget it" type network, then using static routes and network objects that are static is perfectly fine. I'd say 73.2% of the time you're going to have people who have dynamic environments. To scale to the degree you would need to keep up with a dynamic environment, trying to manage all that with static routes and going in and making changes at the FortiManager, I think, is going to outweigh the benefit of installing or deploying SD-WAN. So to help automate, and to essentially make the system scale itself, you can use things like BGP as your routing protocol and use things like route tags to dynamically learn new networks and perform some level of SD-WAN functionality against them without having to go in and manually make a change to a policy.

So for example, let's say you have 10 networks at your hub today, and of these 10 networks, let's say two of them are critical and the other eight are just your normal "I just want to load-balance, choose the maximum-bandwidth setting for accessing those networks over SD-WAN." Let's say you add a new critical network. Say, for instance, you've got your VoIP, you've got your video cameras, and now you have some other new network that requires ultra-low latency or best-path selection. Well, if you don't have route
tags, what you would have to do today is essentially go into the FortiGate hub, introduce that network into BGP (or if you're using a static route, you would have to statically assign that), then you have to actually go in and touch your rule to add that network in there. Now, again, if you're only making a change once a year, you're probably not going to get a benefit from that. But I've seen some cases where customers have very dynamic networks: networks are spinning up, networks are spinning down, sometimes the FortiGate is learning those new networks from other upstream routers, so its routing table is going to constantly be changing. So what the FortiGate can do is say, "Okay, well, rather than you having to add that network, I'm going to tag it with a particular community string." Community strings are a standard in BGP that basically allows you to apply a label to a route that's being learned in BGP. So I can attach that label to a route going to my downstream spokes, and I can tell my spokes, "Hey, whenever you see this community string, apply this route tag to it," and this route tag can correlate to a specific rule within the SD-WAN policy. So that's probably the main use case.

Another use case is, let's say, for instance, you have non-contiguous networks at your hub. Maybe you've got a 10 network here, a 172 network there. A lot of times people say, "Well, I can just create an address object that is contiguous, that will encompass all of the networks that I want to encompass," and that's very well possible and fine. But if you have non-contiguous networks with varying subnet masks (maybe a /23 here, a /27 there, a /29 here), some of that can start to become unwieldy to manage via network objects. So instead what you can do is tag them via BGP and then, based on that tag, again create an SD-WAN rule that can perform whatever predetermined SD-WAN strategy for handling that traffic. Okay, so any questions about that before I keep going? All right, awesome, let's keep it moving.

So let's talk about the configuration of this. The majority of the configuration for this... oh, my hub closed, so let me bring my hub back up. The majority of the configuration for this is going to happen at the spoke side, but there is some configuration you have to do from the hub side. The first thing I want to show is that at the hub, you can see I have a route map that's basically tagging certain routes the hub is sending down to the spokes. If I go in and look at this actual route map, you'll see I have a rule that basically says any route, because I didn't specify criteria for match. So basically any route that this hub is sending out to the spokes, tag it with this community string of 64550:2000. Now, I'm not going to give you a dissertation about community strings, but in a nutshell, it's a 32-bit number which is commonly seen as two 16-bit numbers separated with a colon in between. From what I read, generally speaking, the first 16-bit number is typically the AS that is representative of the router that is actually sending the stuff out, and the second 16-bit number is a label. So that's kind of a user-defined label; in this scenario I just chose 2000 arbitrarily. You can choose anything that's a 16-bit number, which is 2^16... I can't do the math right now, but it's a large number.

That being said, once you have the route map defined, you simply apply it to the BGP neighbor. In this scenario, since it's at the hub, I'm applying it to my spokes. I'm using a dynamic BGP neighbor group so I don't have to define each of the neighbors individually; you can apply it to them, and that is essentially all you have to do. If you want to confirm it (not summary, it's neighbor), you can see here that this community attribute is being sent from my hub down to my neighbor spokes. Alternatively, I think there's also the "get router info bgp community"... yeah, I'm not sure if this is actually right, but this is the correct label or community string that I'm sending. So that's pretty much all you have to do from the hub side.

Now note, once you make that change, those may not actually reflect on the spoke until you actually clear the BGP peer. For whatever reason, even though I have soft reconfiguration inbound enabled on both sides, I wasn't able to get that community string to start showing up on my spoke side until I actually cleared the BGP, but I'll show you that in a second. All that being said, that's pretty much it from the hub side; very straightforward.

Now, from the branch side, what you'll see if I go to my "show router bgp" is that I do have a route map in, which is telling my branch side that any of the routes learned from this peer, which is my hub, perform this route map to do whatever criteria I specify. So if I go and look at "show router route-map" and then do the rm-tag-in, you'll see that I have a route map specifically tailored to matching the inbound communities. If you've got multiple inbound communities, you can set multiple rules to match based on that. By the way, on the hub side, if you had multiple communities you wanted to send out, you would just create multiple rules, and then you have to match the prefix, because you've got to tie the prefix to a rule. That being said, this inbound communities list: I'm going to show you the contents of that community list, and you can see here all it's doing is it has a rule to match anything that has the community string 64550:2000, which is coming from my hub FortiGate.

The big kicker in this is that in the route map itself, when you match that particular community, you want to set the route-tag attribute, because that is what tells the spoke side, or the client-side FortiGate, "Hey, these
networks are associated with these route tags so when you reference a route tag an sd-wan rule is going to know to match it to these networks this is not to be confused because i was setting this up yesterday i was like why is this working this is not to be confused with the [Music] attribute set tag this is something completely different and if you set this you're gonna be in for a bad time okay i mean sorry if you set this with the intent to use it as a route tag with the sd-wan you're gonna be in for a bad time otherwise it probably works it's fine for whatever intent it is um but please make sure you use the set route tag again this is well documented and defined in the fortinet handbook so if you just follow the instructions there you'll be well on your way but just want to call that out because you know your boy got lost for a little bit that being said once you have those route tags defined and by the way when i was talking about clearing the bgp um what i did was i did this clear ip and then you could go in and specify the neighbor so that way if you have other neighbors defined on your spoke and you don't want to impact them but you do want to clear the bgp sessions that are going to your upstream um hub you can pop in the ip address of the hub and it'll actually clear those and leave the other ones intact so uh just kind of a pro tip um for you but that being said uh once those are all properly uh done uh you can see here my bgp summaries established and then i can go get router info bgp community and bam now i see all of the routes that have a community associated with it now what's not useful of this is that if i had multiple communities i couldn't see which of these routes belong to the community so instead what you got to do is use this community info and what this will tell you is all of the different communities that the fortigate has learned so now i can go and take that go back into community paste that in there and now it will show me all the 
routes associated with this community. So if I did have a different community, like maybe 64550:… and 64550:1000, I could pop those in and it would show me just the routes associated with the different communities. So again, a pro tip, something I ran into while trying to get ready for this, but all in all it works just fine.

Now once you have your communities coming into your FortiGate and the routes are being properly tagged... well, let me take a step back. So one thing I want you to notice too, because I have that route tag now, this route tag here is populated to show you that not only did I get the communities in, but I've actually applied the proper route tag to those routes. So that's another useful tidbit of this bgp community command, is that it will show you a route tag. When we get to the debug session very shortly I'll talk about some other commands you can use, but for now, once you have that set up, you can go in and actually create your SD-WAN rule, which allows you to reference the route tag rather than referencing a source and a destination address, right? So now this actually takes the place of that, because it's saying any of the routes that I am dynamically learning via BGP, I'm going to apply this particular SD-WAN strategy to. Now, when you initially configure that, it has to be done through the CLI on the FortiGate; unfortunately it is not available as a selection criterion as part of the rules, as you can see when I'm creating a new rule. However, once it has been set through the CLI, you can see that it is now modifiable from the GUI, and if I wanted to change it to 1500 or maybe 2500 or whatever I want to set it to, I can set it to that. And then of course all the other criteria: if you want to say only apply this to a specific source, you can do that as well. Now note that once you do set criteria for the destination, you cannot use it as an AND to both the
internet services and/or the application. So these are considered a... once you set it, that's the only criteria that you can use for matching. But nine times out of ten, if you have control over your networks and you know what your networks are correlating to, like for instance if it's dealing with VoIP, you're typically going to have only a VoIP network where your phones and PBXs and all that stuff live; you can do the matching based on that network and then have that dynamically updated via this route tag.

So once you have the route tag set, you choose your strategy. In this scenario I'm going to choose best quality, but of course if you're familiar with our SD-WAN solution, you know you can choose manual, which will allow you to manually assign your interfaces; lowest cost, which will allow you to assign a cost to each interface to say okay, I'm gonna use this one first and only if it comes out of the SLA start using the higher cost interface; and of course maximum bandwidth, which allows you to round-robin your sessions across all of the interfaces, or interfaces within a particular SD-WAN zone. So you can see here I'm going back to best quality, I'm using vpn dc 1-1 and vpn dc22, and my measured SLA is going to be across my VPN tunnel to get to my loopback interface on my hub FortiGate, and lastly is the quality criteria; in this scenario I'm going to use latency, but like I was saying earlier you have a lot of different criteria you can use to decide which is the best path to take. So all that being said, as you can see it's active, it's working right now, I have vpn dc 1-1 being selected as my best path, and if I look at the SLA you're going to see that the latency is a tad bit higher on vpn dc 1-1. The reason why I selected it is because in the best path criteria match there's something called a link cost threshold that you can set, and why am I telling you when I can show you: the link cost threshold
is something that you can set so that the interfaces aren't ping-ponging back and forth to each other. So what the FortiGate will do is it will look at the order of how you have the interfaces defined here, so I have vpn 1 and vpn 2, and then it'll say, as long as the latency of vpn 1 is not 50% more than the latency of vpn 2, still use vpn 1. So in this scenario, when I get to my test scenario, what I'm going to do is I'm going to show you all, well, if I've got time I will show you how that all works: like if I've got my latency on both of them at 25 and then I bump the latency on vpn 1, it's still not going to change, but when I bump it up to 40, because, you know, 25, half of that is 12.5, 12.5 plus 25 is 37.5, 40 is over 37.5, it will actually fail over to vpn 2. So sorry, I had to do some math. Hilarious. All right, I don't know, somebody went off on me, let me see if I can catch him so I can... bam, got you.

All right, so all that being said, let's see some of the debugs. Right, so again it's all working; you can see that the route tag's in effect, it's choosing latency as a criteria. If I look at what I can do to debug this, I've got a few options. The first option is what I've shown you from BGP, right, get router info bgp community will show you the route tags matching to specific networks. The second option is this route, SD-WAN: diagnose sys sdwan, and then you can look at this route-tag-list. So what this will do is actually show you that with route tag 2000 I have these addresses associated with it. Now this breaks it out into the type of prefix, so I've got some /24s here and I've got a /32, because I'm tagging basically every route I'm learning from the hub down to the spoke. Okay, you also have this command route tag flush, so if you want to manually kick off a flush and have it clear this out and re-learn everything that's there. But in my experience it typically allows you to, what's the word I'm looking for,
typically it allows you to update dynamically, right, so that typically works very well. Another command that you have is this sdwan service, bam, this will also tell you the route tag as well. It does not actually tell you the tag number that's matching, but it will tell you that these are the routes that are matching. Right, so in a nutshell, those are the commands that you're going to use to kind of troubleshoot it, to make sure that you do all the steps right and that you're following all the steps and everything's working. So if you run into problems, that's typically what you've got to do to see if it's working properly. So as far as I know there's not a lot of support for it in the GUI today, but just keep dropping your enhancement requests to your local account teams, or on Reddit, where our studious employees are constantly taking that information and feeding it back up, and hopefully we'll get some support added in the future.

All right, that being said, I'm going to take a quick breather to see if I can go back and answer some questions, then I'll do my SD-WAN demo, and then I'm going to wrap this up.

So: in your opinion, are there any major benefits to using SD-WAN in an active/passive WAN setup, in contrast to the pre-SD-WAN era where you configure a link monitor? Absolutely. I think the benefit that SD-WAN gives you, even if you're doing active/passive WAN, is the ability to monitor your links. I know that the link monitor will also monitor for jitter, latency and packet loss, but there was really no GUI-designed way to render that information, I'm not even sure if it recorded it in a log file, while SD-WAN allows you to get a visual representation of how your links are doing; also you can record it in a log file, so if you want to send it to a third-party server or your FortiAnalyzer you can make charts and graphs and provide that to your ISP to say hey look, this is how
great my service has been, or look how crappy my service has been, get on your job.

In my experience so far SD-WAN sometimes complicates the routing due to the hashing algorithm or the self-originating traffic. So, I mean, yeah, there's always gonna be some pros and cons to using SD-WAN. I do think the pros outweigh the cons, but typically there is a way to make it do what you want it to do. If you're running into any particular problems or questions, please hit your local account team up, support, or hit these forums and see if somebody can help you out.

Also, in my geography bandwidth of 100 megabits is a commodity, not a luxury. Indeed, we are spoiled over here in the US where we have gig fiber links kind of mainstay in some of our major metros. That being said, if you're trying to look at that level of bandwidth on an MPLS circuit you're probably gonna pay way more money than you would pay if you're using commodity internet. When it comes to 5G, I know that a lot of wireless providers are starting to up their data caps because their networks just have more capacity to support those networks, so I think the way the trajectory is going, bandwidth hopefully is going to start to become a little bit more prevalent.

Another question: would you ever choose eBGP for hub and spoke SD-WAN? If you're just doing... I mean, sorry, if you're just doing SD-WAN and you don't have a use case for ADVPN, I mean there's no reason why you can't use eBGP, right? There might be a little bit more administrative overhead because you can't use things like the dynamic BGP groups, because if you're using eBGP each one of your spokes is gonna have a separate AS number. And there's some workarounds for that, like you can go into the actual neighbor within the FortiGate and say set my AS to this, whatever. But all that being said, yes, you can use it for
that. Would I recommend it? I think iBGP is the way to go just from a maintenance and management overhead standpoint; it allows you to pretty much do everything that you need to do from the iBGP standpoint. You could also set up a route reflector, so you have to do that when you're using ADVPN, so that routes from spoke A and routes from spoke B... spoke A can learn about the routes from spoke B through the hub, which is going to serve as the route reflector.

I get the feeling that initially everything was iBGP in the documentation, but now in example deployments I found they use eBGP. So I'm not sure which documents you're referring to; some of the old documentation, some that I've actually written, probably had eBGP because I didn't know any better at the time, which was a few years ago. Now that I am kind of in line with how the best practices are, I particularly recommend iBGP the whole way. I don't even recommend using OSPF or RIP, because those are supported in ADVPN as well; iBGP the whole way.

Something that has been unanswered for me for a long time: how do you configure rules from SLAs for a hub? Okay, that one we're going to take on a different call, because that's going to go way beyond the scope of what I have, but I have been playing around with that in my lab environment, and here you can see that I have a spoke-defined SLA within my hub. So essentially you have to create one of these for each of your spokes; you can put a loopback on each of your spokes, advertise it up to the hub, and then use that to go backwards. And then when you're using your SD-WAN rules, because SD-WAN is using routing, if you choose an SD-WAN rule that says use ADVPN 1 and ADVPN 2, it's only going to take the route that is available that's being advertised from the spoke. So again, way beyond the scope of what this call is going to be able to cover, and since I've got the last 10 minutes, post it up on Reddit or on Discord or
whatever way you can get to me, and then maybe I can set up another call a little bit later to kind of dive into that in a little bit more detail.

All right, with that being said, let's hop over to the fun part, the demonstration. So let me just log into these two machines; hopefully I can get this done in the next 10 minutes, and we'll see, maybe. And I hate that I get timed out, I really gotta change these timeout settings. All right, so what I'm going to do now is I'm going to hook up these WAN bridges, so let me just make sure that they're working. Minimize, move console. And for those who haven't seen Proxmox, this is an alternative to, like, VMware and all that; this is a great open source, free hypervisor, I strongly recommend it. So okay, they are working just fine, so all I need to do is put these guys in line with them. So I'm going to take my router 02, I'm going to bridge that to 610, and I'm going to take my router 03, bridge that to 620. Okay, so now what you're gonna see is the performance SLAs: before, I think these were down to like one or two milliseconds; now you can see they popped up to 19 and 10.
That's because once I add them into the WAN bridge it's going to start introducing latency naturally, because it has to go through another VM, but beyond that, because I also have it configured to start generating some traffic, so not traffic but some network congestion. So right now what I'm going to do is disable my SD-WAN rule, okay, so I'm going to set the status to disable so we know that SD-WAN isn't going, and what I'm going to do is start up a network stream from my branch to my hub. So on my hub side here I've got VLC running. I like this Super Mario time attack because, you know, Super Mario, who doesn't love Super Mario. I'm going to be streaming this over HTTP port 8080 and I'm going to turn off transcoding because I want it to be as raw as it can, take up as much bandwidth as it can. And no, I just wanted it to go. All right, well, it's never asked me that before, so let's try that one more time: stream, next, HTTP, add, next, and turn off transcoding, go, and go. All right, so while that is getting ready to get started there, I am going to see if I can connect to it, so I'm going to say open network stream 10... oops, this is 8080, play, see if I can get to it. And my stream is not going yet. This is always the best part, right, when you're doing something live. Okay, let's try this one more time: add this, this. I've literally done this thousands and thousands of times, and now this is going to be the day where it decides hey, I'm not doing it. All right, well, they always say the best laid plans, right? So what I'm gonna do is, this is a VM, I'm gonna go ahead and get this guy updated, or at least see if I can get it updated in a short amount of time. So I've got seven minutes; hopefully within the two minute mark I will be able to get this guy going. Let's try this update real quick and see what happens and see if we can get this thing going. But all that being said, since I'm waiting for this thing to upgrade, are there any questions, any other questions
about what has been seen so far, any questions about SD-WAN in general, while I'm waiting? You can feel free to take yourself off mute if you prefer asking a question rather than going on chat, so I'll be quiet for two minutes and then happy to fill in any questions. All right, well, I'm gonna say not everyone at once, so maybe someone's actually out there struggling to find the mute button. All right, awesome, awesome.

Does preserve-session-route enable apply to SD-WAN dynamic routing changes? Man, that's a good question. So I am not 100% sure, I would have to actually go and test that. My 38.9%-surety answer to that is yes, it will apply to a dynamic SD-WAN session, but to be quite honest I'm not a hundred percent sure, so sorry, I don't have a good answer for you on that one right now. What I will say is that I can go check it out a little bit later; you're welcome to either reach out to me through Reddit or hit me up on historiantech.com, and I can test it out in my free time and let you know. But as far as I know, yes, that will allow you to even take a dirty route, or a session that is marked as dirty, which is typically what happens when a route change happens on the FortiGate, and apply to that. But again, that's not a high level of confidence; usually I like to give above a 70 percent surety level, but in this scenario I'm not 100% sure, so I won't pretend to know.

All right, so what I'm going to do is go ahead and trust trusty old reboot, since this Windows server has been on for the past 100-plus days, and see if I can get it going this way. So I promise y'all, if it don't work by 12:57 I will go ahead and terminate it and potentially set this up to share with y'all at a later date, but I'm not going to go a minute over 1 p.m. So, well, I might go a minute over, but I try to be very cognizant of your time. All
right, let's try this one more time: stream, add Super Mario, stream, next, and... oh, I know what the problem is, haha, this needs to be changed to 8090. All right, sorry, so I have FortiClient EMS running on this machine and that uses 8080 by default, so that's why I couldn't stream it, because the port's in use. That being said, let's go ahead and get to the streaming: so open up network stream, change this to 8090, which is why I had that set, and play. All right, so as y'all can see, hopefully the stream is keeping up and y'all can see Super Mario, he's doing his thing, everything's happy. So I'm not watching Super Mario right now; imagine I'm on a voice call, a video call with some colleagues, maybe not across the pond but at least across the state, and we're having our web meeting. All right, so now I'm going to introduce, from the FortiGate side... before I introduce this, you can see here that my sessions are going great. If I look at my FortiView sessions, my VLC is going over vpn dc 1-1; you can see it's currently over VLC going to this host and it's being hardware accelerated, awesome, everything I expect to see. So now I'm going to go into my vpn 1-1 and I'm going to introduce some latency, and let's introduce some packet loss. All right, so you'll see from the video, boom, Mario's starting to struggle a little bit, it's not as fast. Wow, it actually is moving still pretty fast. All right, so let me actually go in and introduce maybe a little bit more, because that hardware acceleration is pretty resilient here, so let me go at 400 and I'm going to do, I think, 53% packet loss. All right, see if we can get Mario to struggle a little bit. Okay, so now Mario's gonna start struggling a little bit, you can see here we got a little gray sign, it's trying to download, packet loss going. You can go here and look at the SD-WAN: even though I have the rule off, my performance is still there, so you can see that the SD-WAN is seeing, hey,
something's not happy right now. But if I go and look at the session in Fortinet, on the FortiGate, sorry, I'm still taking this bad vpn 1-1, even though I've got a perfectly working vpn 1-2. So what I'm going to do here is go back, I'm gonna let you see this in real time; usually what I do is I stop it and start all over again, but ain't nobody got time for that. So I'm going to go ahead, hit this session, turn this bad boy on and let's see if it gets smart. So I go back and look at my display, oh okay, well, I guess I should have started it over again. So what I'm going to do is stop it on both sides, I'm going to resume the session, stop here. All right, got a minute, gotta get... minute to win it. Where was I at? Here, here, here: stream, add, boom, stream, fix HTTP, add 8090, next. All right, I'm just going to do the same test again so you can see it in action. Go back to this guy here, VLC, almost there, stream, sorry, open network stream, there we go, network stream is going, all right, working just fine. So I'm going to do the same test here: custom, 400, 2% packet loss, and we see it should be over on vpn 1-2, which it is. So I typically like to give a little bit more information and show that in more detail, but since I was coming up to the tail end of this, I wanted to make sure that you got to see it in action.

So with all that being said, it's one o'clock. Thank you all so much for your time, I really much so appreciate everyone who joined. Again, feel free to hit me up on Reddit, historiantech.com, as well as Discord, AfromanSays on Reddit and Discord, and lastly feel free to join r/fortinet and Discord so we can continue this conversation. Hope y'all have a great rest of y'all's day, thank y'all so much for your time, this recording will be posted shortly. Talk to you all later.
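The BGP-community-to-route-tag flow and the link-cost-threshold behaviour the talk walks through, modelled as an added Python example. This is not FortiOS code and not the presenter's own; it re-implements the logic the talk describes so you can see the pieces fit together. The prefixes, member names and latencies are constructed sample data, while community 64550:2000, route tag 2000 and the 50% threshold are the values the presenter used.

```python
"""Model of the BGP-community -> route-tag -> SD-WAN-rule flow from the talk.

Illustrative re-implementation in Python, not FortiOS code. Prefixes, member
names and latencies are constructed sample data; community 64550:2000, route
tag 2000 and the 50% link cost threshold are the values used in the talk.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class BgpRoute:
    prefix: str            # e.g. "10.10.10.0/24"
    communities: tuple     # e.g. ("64550:2000",)
    route_tag: int = 0     # 0 = no route tag applied yet


# Constructed sample: three prefixes advertised by the hub with the community
# its outbound route-map sets, plus one prefix from another peer carrying a
# different community that must stay untagged.
SAMPLE_ROUTES = (
    BgpRoute("10.10.10.0/24", ("64550:2000",)),
    BgpRoute("10.10.20.0/24", ("64550:2000",)),
    BgpRoute("10.255.0.1/32", ("64550:2000",)),   # hub loopback (/32, as in the talk)
    BgpRoute("192.168.1.0/24", ("64550:1000",)),  # different community, not tagged
)


def apply_inbound_route_map(routes, community_list, route_tag):
    """Emulates the spoke's inbound route-map: a rule that matches a
    community-list and does 'set route-tag <n>'. ('set tag' is a different
    attribute that SD-WAN rules do not look at, which is the trap the talk
    warns about.)"""
    wanted = set(community_list)
    tagged = []
    for r in routes:
        if wanted.intersection(r.communities):
            tagged.append(BgpRoute(r.prefix, r.communities, route_tag))
        else:
            tagged.append(r)
    return tagged


def route_tag_list(routes, tag):
    """What 'diagnose sys sdwan route-tag-list' summarises: the prefixes
    currently carrying a given route tag."""
    return sorted(r.prefix for r in routes if r.route_tag == tag)


def rule_matches_destination(dst_ip, routes, tag):
    """An SD-WAN rule configured with 'set route-tag <n>' applies to a
    destination only when it falls inside a prefix carrying that tag."""
    ip = ipaddress.ip_address(dst_ip)
    return any(
        ip in ipaddress.ip_network(r.prefix) for r in routes if r.route_tag == tag
    )


def select_best_quality(members, latency_ms, link_cost_threshold_pct=10):
    """Best-quality selection with the anti-flap rule the talk describes:
    members are walked in the order configured on the rule, and the current
    choice is only displaced by a later member whose latency it exceeds by
    more than link_cost_threshold_pct percent. With a 50% threshold and
    vpn 2 at 25 ms, vpn 1 keeps winning up to 37.5 ms and loses at 40 ms."""
    best = members[0]
    for candidate in members[1:]:
        limit = latency_ms[candidate] * (1 + link_cost_threshold_pct / 100.0)
        if latency_ms[best] > limit:
            best = candidate
    return best


if __name__ == "__main__":
    routes = apply_inbound_route_map(SAMPLE_ROUTES, ["64550:2000"], 2000)
    print("route-tag 2000:", route_tag_list(routes, 2000))
    print("10.10.20.7 matches rule:", rule_matches_destination("10.10.20.7", routes, 2000))
    members = ["vpn_dc1-1", "vpn_dc1-2"]
    for lat1 in (25, 37, 40):
        chosen = select_best_quality(members, {"vpn_dc1-1": lat1, "vpn_dc1-2": 25}, 50)
        print(f"vpn_dc1-1={lat1}ms vs vpn_dc1-2=25ms -> {chosen}")
```

Running it prints the tagged prefix list (the same information route-tag-list gives you on the box) and then shows best quality holding on vpn 1 at 25 ms and 37 ms but failing over at 40 ms, the 37.5 ms boundary the presenter worked out by hand. The untagged 192.168.1.0/24 route never matches the rule, which is the check to make if an SD-WAN rule is unexpectedly not catching traffic: confirm the prefix actually carries the tag before looking at the rule itself.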
Info
Channel: historiantech
Views: 620
Id: iE0NtoohFtg
Length: 61min 22sec (3682 seconds)
Published: Wed Jul 14 2021