SD-WAN Configuration on FortiGate: How to Split Traffic from 2 Networks/VLANs between WAN1 and WAN2

Captions
[Music] Hey, what's up guys, this is G here with KB Trainings. Welcome to this video where I'm going to show you how to configure SD-WAN on the FortiGate so that two different networks or two different VLANs can use two, or prefer two, different interfaces in our SD-WAN configuration. I'm still not home, as you can see, I'm still away from home, and those of you that follow me on Facebook or Instagram know exactly where I am. So if you are not, make sure you follow me on social media so we can connect and you can see the behind the scenes. It's also an easy way for you to connect with me. So if you like this video, I have a course on kbtronics.com about the CCNA 200-301. That course brings you from zero to engineer; it teaches you everything you have to know on network security and so on to be able to take and pass the CCNA exam, which is a very important certification that will help you start or boost your career in the tech industry. So the course is available on cabletrends.com; go there and check it out.

So here I have a switch and I have a FortiGate down here, and then I have a Check Point firewall. So the design that we're going to use looks like this. So I'm renting an Airbnb right now with some friends, so I have a home network which goes to the internet, and the home network has the 10.0.0.0/24 subnet. So to the home network I connected my D-Link switch, and then I can share the connectivity between the Check Point and the FortiGate. WAN1 goes directly to the switch, so it's in the same network as the home network, which is 10.0.0.0. So WAN2 goes to the Check Point, so there is some routing happening on the Check Point here, and WAN2 is in 20.0.0.0/24. So I have two uplinks going to the internet, and these two are going to be the members of our SD-WAN interface. And down here I have my MacBook where I'm recording this video, and I created two VLANs on the FortiGate: the VLAN 2 with 2.0.0.0/24 and a VLAN 3 with 3.0.0.0/24. So right now, because my device is connected to the port number two, it is part of the VLAN 2. Later, when I want to test my configuration, I'm going to move it from the port number two to the port number three so that it's part of the VLAN number three, or the network number three, and we're going to see the result. And here I have some pings going to Google; as you can see, right now it's failing. And here I have some traceroute that we're going to execute later on.

And these are the things that we're going to do today. So I just showed you the current configuration and the current goal. Actually, the goal is to make sure that the VLAN 2 prefers WAN1, so if WAN1 and WAN2 are active on the SD-WAN, VLAN 2 will go with WAN1 first and VLAN 3 will go with WAN2 first. And of course, if the VLAN 2 doesn't have WAN1 available, if WAN1 is down, the VLAN 2 is going to switch to WAN2, and if the VLAN 3 doesn't detect WAN2, or if WAN2 is down, the VLAN 3 is going to use WAN1.

So I showed you the design and what we're going to do today. Now we're going to go in the FortiGate and start our configuration. I'm going first to create an SD-WAN interface. So to create an SD-WAN interface we need to go under Network, SD-WAN, and click on New. I'm going to create a new zone and I will name it SD-WAN zone and click OK, or I can name it interface, it doesn't matter. So I need to add new members to that SD-WAN zone. I will do SD-WAN member, or new SD-WAN member, and therefore the first one is WAN1. I'm going to add it to SD-WAN zone, and I'm going to add the second member; it's going to be WAN2, and I will add it to SD-WAN zone and select OK. So now I have our two members inside here, but let me show you actually what it looks like in terms of network interfaces. So I showed you that I have the VLAN 2, which is linked to the port number two, and it has the subnet of two zeros, let's see, I mean 2.0.0.1. We have the VLAN 3 with 3.0.0.1. If we look at our laptop, so we have 2.0.0.2; we are in the VLAN 2 right now, and that's where we are trying to go to the internet, but we still cannot because we don't have all the configurations ready.

So we just added members to the SD-WAN. Now we're going to add rules, and the rules are the most important things, because from the rules SD-WAN will know how to treat those interfaces and the incoming, I mean the incoming traffic. If I go under SD-WAN and select SD-WAN Rules, there is one rule at the end here; this is implicit. So we need to add two new rules. The first one, we're going to name it VLAN 2 prefer WAN1. So here we're going to say if the traffic is coming from the VLAN 2 addresses, um, the users we don't really have to define, and going to the internet, so all, we are manually going to say that this traffic will prefer the interface WAN1, and then we will just select OK. So this is the first SD-WAN rule; we are saying that VLAN number two prefers WAN1. I'm going to add another rule, or I can just come here and duplicate the rule, I think I can, yeah, I come here and clone the rule and name it VLAN 3 prefer WAN2. All right, so from here I can say it's enabled and click on OK. So then come in here to modify it; I'll have to change the source address to VLAN 3 addresses, remove VLAN 2 and select OK. So we have this rule for the VLAN, no, no, I need to change the member, I mean the interface, to WAN2 so that we know that this VLAN prefers WAN2.

All right, so we're good here, and the next thing we need to do is to add an IPv4 policy for VLAN 2 and VLAN 3. So I need to go under Policy & Objects and then create new, um, [Music] VLAN 2 to internet. Incoming interface is VLAN 2, outgoing interface is SD-WAN zone, the source interface, I mean source address, we have addresses in the VLAN 2, destination is everything on the internet, services, all the services, and that's all we need, and I will select OK. So I can take this and copy it and also paste below, above or below, it doesn't matter. So I will come in the new policy and name it VLAN 3 to internet. All right, so the incoming interface is VLAN 3, outgoing is SD-WAN zone, the address is, I'm going to take VLAN 3 addresses, and everything stays the same, and I will click on OK.

We still are not able to ping because there is one more step that we need to do here: add a static route. So we go under Network and select Static Routes, and here we're going to add a new route. It's a default route, so goes to 0.0.0.0, and here we need to select the outgoing interface, which is the SD-WAN zone, and then OK. With this we should be able to ping now. Let's give it a moment. All right, so now we have the pings going out to the internet, and remember we are in the VLAN number two. Let's see what port we are using right now; that's where we're going to use the traceroute. Let's do a traceroute to the internet, I mean to Google, and see. So as you can see here, it's going to 2.0.0.1 and then goes to WAN1; this is WAN1, 10.0.0.1. This is a good thing because we know that the VLAN 2 is using WAN1. So let's come here and unplug the cable to WAN1 and see the behavior. We're going to lose some pings, of course, but we're going to be back. OK, we just lost the ping and now we are back on WAN2, which means that the computer, or the VLAN 2, is preferring WAN1 first. Let's do some traceroute. You can see that when we are leaving the device we are going to WAN2 and then to the internet. That's good, that's expected. So let's switch our device from, I'm going to return the cable on the WAN1.

So let's switch our device from the VLAN 2 to the VLAN 3. Let's see what happens; it should grab a new IP from the VLAN 3. Let's go under connected, yep, I have an IP from the VLAN 3. And why don't we have some pings? Here are my policies, OK, I don't know. So here I have access to the FortiGate with the VLAN 3. Let's go and check the policies: VLAN 3, SD-WAN, VLAN 3 addresses, oh, the policy was not enabled, that's why. So if I enable the policy, come here, yep, we are connected to the internet. So every time you make a copy of a policy, make sure you enable the policy, because it's not enabled by default. So now we can ping from the VLAN 3. Let's do a traceroute and see what WAN connection we are using. So as you can see, VLAN 3 is using WAN2 first; that's the SD-WAN rule, we are using WAN2 first. And I am going to unplug the WAN2 cable. Let's go back to our pings here. I'm going to unplug the WAN2 cable, and as you can see we lost the ping and now we are back online, and if I come here and do another traceroute you can see that we are using WAN1.

All right guys, this is what I wanted to demonstrate. This is a question I received on YouTube; I'm glad to respond to the question. I like those questions. If you have any question, leave it in a comment; I'd be glad to take my time to answer your questions. All right guys, if you liked the video, don't forget to like it on YouTube and share it with your friends. Also subscribe to the channel if you like some technical projects like this one here, and make sure you follow me on Facebook, Instagram and Twitter. And if you are studying for the Cisco CCNA 200-301, I have a course available on kbjoings.com to teach you all of this, to make you go from zero to engineer, to help you start or boost your career in the tech industry. Thank you guys, and I'll see you in the next video. Take care and bye.
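
The SD-WAN zone, members, rules and default route walked through in the captions, written as FortiOS CLI. This is an added example, not taken from the video; it assumes FortiOS 7.x syntax, interfaces named wan1 and wan2, a zone named sdwan-zone, address objects named "VLAN2 address" and "VLAN3 address", and WAN gateways learned by DHCP. Each rule lists only its preferred member, as configured in the video, so the failover shown there is handled by the implicit rule at the end of the list.

```fortios
# Added example. All object names below are assumed placeholders.
config system sdwan
    set status enable
    config zone
        edit "sdwan-zone"
        next
    end
    config members
        # Statically addressed WAN ports also need "set gateway <next-hop>".
        edit 1
            set interface "wan1"
            set zone "sdwan-zone"
        next
        edit 2
            set interface "wan2"
            set zone "sdwan-zone"
        next
    end
    config service
        # Rules are evaluated top-down; manual mode is the default.
        edit 1
            set name "VLAN2-prefer-WAN1"
            set src "VLAN2 address"
            set dst "all"
            set priority-members 1
        next
        edit 2
            set name "VLAN3-prefer-WAN2"
            set src "VLAN3 address"
            set dst "all"
            set priority-members 2
        next
    end
end
# Default route pointing at the zone rather than at a single WAN port.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "sdwan-zone"
    next
end
```

`diagnose sys sdwan service` lists each rule with the member it currently selects, which confirms the preference and the failover without waiting on a traceroute.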
Info
Channel: KBTrainings
Views: 13,151
Keywords: fortigate, fortinet, fortios, sd-wan, sdwan, sd-wan configuration, vlans, cisco, ccna, ccnp, ccie, sd-wan configuration in fortigate, sd-wan configuration step by step, sd-wan configuration guide, checkpoint, check point, quantum spark
Id: 2TeZUJh09JU
Length: 11min 22sec (682 seconds)
Published: Tue Jul 05 2022