Category Archives: FortiOS

Dynamic Routing Overview


This section provides an overview of dynamic routing and how it compares to static routing. For details on the individual dynamic routing protocols, see the following chapters.

The following topics are included in this section:

  • What is dynamic routing?
  • Comparison of dynamic routing protocols
  • Choosing a routing protocol
  • Dynamic routing terminology
  • IPv6 in dynamic routing


What is dynamic routing?

Dynamic routing uses a dynamic routing protocol to automatically select the best route to put into the routing table. So instead of manually entering static routes in the routing table, dynamic routing automatically receives routing updates, and dynamically decides which routes are best to go into the routing table. It's this intelligent and hands-off approach that makes dynamic routing so useful.

Dynamic routing protocols vary in many ways and this is reflected in the various administrative distances assigned to routes learned from dynamic routing. These variations take into account differences in reliability, speed of convergence, and other similar factors. For more information on these administrative distances, see Advanced Static Routing on page 256.

This section includes:

  • Comparing static and dynamic routing
  • Dynamic routing protocols
  • Minimum configuration for dynamic routing

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Static routing example


This is an example of a typical small network configuration that uses only static routing.

This network is in a dentist office that includes a number of dentists, assistants, and office staff. The size of the office is not expected to grow significantly in the near future, and the network usage is very stable—there are no new applications being added to the network.

 

The users on the network are:

  • Admin staff – access to local patient records, and perform online billing
  • Dentists – access and update local patient records, research online from desk
  • Assistants – access and update local patient records in exam rooms

The distinction here is mainly that only the admin staff and dentist’s office need access to the Internet—all the other traffic is local and doesn’t need to leave the local network. Routing is only required for the outbound traffic, and the computers that have valid outbound traffic.

Configuring routing only on computers that need it acts as an additional layer of security by helping prevent malicious traffic from leaving the network.

This section includes the following topics:

  • Network layout and assumptions
  • General configuration steps
  • Configure FortiGate unit
  • Configure Admin PC and Dentist PCs
  • Testing network configuration

Network layout and assumptions

The computers on the network are admin staff computers, dentist office computers, and dental exam room computers. While there are other devices on the local network such as printers, they do not need Internet access or any routing.

This networked office equipment includes 1 admin staff PC, 3 dentist PCs, and 5 exam room PCs. There is also a network printer and a router on the network.

Assumptions about these computers, and network include:

  • The FortiGate unit is a model with interfaces labeled port1 and port2.
  • The FortiGate unit has been installed and is configured in NAT/Route mode.
  • VDOMs are not enabled.
  • The computers on the network are running MS Windows software.
  • Any hubs required in the network are not shown in the network diagram.
  • The network administrator has access to the ISP IP addresses, and is the super_admin administrator on the FortiGate unit.

 

Static routing example device names, IP addresses, and level of access

  Device Name(s)   IP address         Need external access?
  Router           192.168.10.1       YES
  Admin            192.168.10.11      YES
  Dentist1-3       192.168.10.21-23   YES
  Exam1-5          192.168.10.31-35   NO
  Printer          192.168.10.41      NO



Transparent mode static routing


FortiOS operating modes allow you to change the configuration of your FortiGate unit depending on the role it needs to fill in your network.

NAT/Route operating mode is the standard mode where all interfaces are accessed individually, and traffic can be routed between ports to travel from one network to another.

In transparent operating mode, all physical interfaces act like one interface. The FortiGate unit essentially becomes a bridge — traffic coming in over any interface is broadcast back out over all the interfaces on the FortiGate unit.

In transparent mode, there is no entry for routing at the main level of the menu on the web-based manager display as there is in NAT/Route mode. Routing is instead accessed through the network menu option.

To view the routing table in transparent mode, go to System > Network > Routing Table.

When viewing or creating a static route entry in transparent mode there are only three fields available.

Destination IP / Mask   The destination of the traffic being routed. The first entry is attempted first for a match, then the next, and so on until a match is found or the last entry is reached. If no match is found, the traffic will not be routed. Use 0.0.0.0 to match all traffic destinations. This is the default route.

Gateway                 Specifies the next hop for the traffic. Generally the gateway is the address of a router on the edge of your network.

Priority                The priority is used if there is more than one match for a route. This allows multiple routes to be used, with one preferred. If the preferred route is unavailable the other routes can be used instead. The valid range of priority is 0 to 4 294 967 295. If more than one route matches and they have the same priority it becomes an ECMP situation and traffic is shared among those routes. See Transparent mode static routing on page 275.

When configuring routing on a FortiGate unit in transparent mode, remember that all interfaces must be connected to the same subnet. That means all traffic will be coming from and leaving on the same subnet. This is important because it limits your static routing options to only the gateways attached to this subnet. For example, if you only have one router connecting your network to the Internet then all static routing on the FortiGate unit will use that gateway. For this reason static routing on FortiGate units in transparent mode may be a bit different, but it is not as complex as routing in NAT/Route mode.



Moving a policy route


A routing policy is added to the bottom of the routing table when it is created. If you prefer to use one policy over another, you may want to move it to a different location in the routing policy table.

The option to use one of two routes arises when both routes match, for example 172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these routes are in the policy table, both can match a route to 172.20.120.112, but you consider the second one the better match. In that case the best-match route should be positioned before the other route in the policy table.

To change the position of a policy route in the table, go to Router > Static > Policy Routes and select Move To for the policy route you want to move.

Before/After      Select Before to place the selected policy route before the indicated route. Select After to place it following the indicated route.

Policy route ID   Enter the Policy route ID of the route in the Policy route table to move the selected route before or after.

 



Policy routing


Policy routing enables you to redirect traffic away from a static route. This can be useful if you want to route certain types of network traffic differently. You can use incoming traffic’s protocol, source address or interface, destination address, or port number to determine where to send the traffic. For example, generally network traffic would go to the router of a subnet, but you might want to direct SMTP or POP3 traffic directly to the mail server on that subnet.

If you have configured the FortiGate unit with routing policies and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (a minimum of the IP address of the next-hop router and the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table.

Most policy settings are optional, and a matching policy alone might not provide enough information for forwarding the packet. In fact, the FortiGate unit almost always requires a matching route in the routing table in order to use a policy route: it refers to the routing table in an attempt to match the information in the packet header with a route there.

Policy route options define which attributes of an incoming packet cause policy routing to occur. If the attributes of a packet match all the specified conditions, the FortiGate unit routes the packet through the specified interface to the specified gateway.
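To make the matching order concrete, here is an added Python model of the lookup described above; it is not FortiOS code, and the interface names, gateways and addresses in it are constructed. It walks the policy list top to bottom, treats a policy without a next hop and forwarding interface as unable to forward on its own, falls back to a longest-prefix lookup in the routing table, and includes the Move To reordering from the previous section so you can see the 172.20.0.0/16 versus 172.20.120.0/24 case change its result once the more specific policy is moved up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass
class PolicyRoute:
    """One row of the Policy Route table; a field left as None matches anything."""
    id: int
    incoming: Optional[str] = None           # interface the packet arrived on
    protocol: Optional[int] = None           # IP protocol number (6 = TCP, 17 = UDP)
    src: Optional[IPNet] = None
    dst: Optional[IPNet] = None
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range
    outgoing: Optional[str] = None           # forwarding interface
    gateway: Optional[str] = None            # next-hop router

    def matches(self, pkt: dict) -> bool:
        if self.incoming is not None and pkt["in"] != self.incoming:
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if not lo <= pkt.get("dport", -1) <= hi:
                return False
        return True

    def can_forward(self) -> bool:
        # The minimum the page names for forwarding on the policy alone: next hop and interface.
        return self.outgoing is not None and self.gateway is not None


def table_lookup(routes: List[Tuple[IPNet, str, str]], dst: str):
    """Routing-table fallback: longest-prefix match over (network, gateway, device)."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def forward(policies: List[PolicyRoute], routes, pkt: dict):
    """Walk the policy list top to bottom; first match wins. Otherwise use the routing table."""
    for p in policies:
        if p.matches(pkt):
            if p.can_forward():
                return ("policy", p.id, p.outgoing, p.gateway)
            break  # matched, but the policy lacks next hop/interface: consult the routing table
    r = table_lookup(routes, pkt["dst"])
    if r is None:
        return ("unroutable", None, None, None)
    return ("table", str(r[0]), r[2], r[1])


def move_policy(policies: List[PolicyRoute], move_id: int, ref_id: int, before: bool = True):
    """'Move To' semantics: place policy move_id before (or after) policy ref_id."""
    moving = next(p for p in policies if p.id == move_id)
    rest = [p for p in policies if p.id != move_id]
    idx = next(i for i, p in enumerate(rest) if p.id == ref_id)
    rest.insert(idx if before else idx + 1, moving)
    return rest


def demo() -> dict:
    # Constructed policy table and routes; interfaces, gateways and addresses are made up.
    policies = [
        PolicyRoute(1, dst=IPNet("172.20.0.0/16"), outgoing="port2", gateway="10.0.2.1"),
        PolicyRoute(2, dst=IPNet("172.20.120.0/24"), outgoing="port3", gateway="10.0.3.1"),
        PolicyRoute(3, protocol=6, dport=(25, 25), outgoing="port1", gateway="192.168.10.50"),
        PolicyRoute(4, incoming="port1", dst=IPNet("10.99.0.0/16")),  # no next hop, no interface
    ]
    routes = [
        (IPNet("0.0.0.0/0"), "192.168.10.1", "port2"),   # default route
        (IPNet("10.99.0.0/16"), "10.99.0.254", "port4"),
    ]
    web = {"in": "port1", "proto": 6, "src": "192.168.10.11", "dst": "172.20.120.112", "dport": 443}
    smtp = {"in": "port1", "proto": 6, "src": "192.168.10.11", "dst": "198.51.100.7", "dport": 25}
    dns = {"in": "port1", "proto": 17, "src": "192.168.10.11", "dst": "10.99.1.1", "dport": 53}
    other = {"in": "port1", "proto": 6, "src": "192.168.10.11", "dst": "203.0.113.9", "dport": 80}
    reordered = move_policy(policies, move_id=2, ref_id=1, before=True)
    return {
        "web_before_move": forward(policies, routes, web),   # the /16 policy wins by position
        "web_after_move": forward(reordered, routes, web),   # the /24 policy now sits first
        "smtp": forward(policies, routes, smtp),             # TCP/25 steered to the mail server
        "dns_fallback": forward(policies, routes, dns),      # incomplete policy, routing table used
        "no_policy": forward(policies, routes, other),       # nothing matches, default route
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `dns_fallback` case is the one worth checking on a real unit: a policy that matches on incoming interface and destination but names no gateway or outgoing interface forwards nothing by itself, so the routing table decides, exactly as the text says.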

To view policy routes go to Router > Static > Policy Routes.

Create New      Add a policy route. See Adding a policy route on page 272.

Edit            Edit the selected policy route.

Delete          Delete the selected policy route.

Move To         Move the selected policy route. Enter the new position and select OK. For more information, see Moving a policy route on page 274.

#               The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table.

Incoming        The interfaces on which packets subjected to route policies are received.

Outgoing        The interfaces through which policy routed packets are routed.

Source          The IP source addresses and network masks that cause policy routing to occur.

Destination     The IP destination addresses and network masks that cause policy routing to occur.



Static routing tips


When your network goes beyond basic static routing, here are some tips to help you plan and manage your static routing.

 

Always configure a default route

The first thing configured on a router on your network should be the default route. And where possible the default routes should point to either one or very few gateways. This makes it easier to locate and correct problems in the network. By comparison, if one router uses a second router as its gateway which uses a fourth for its gateway and so on, one failure in that chain will appear as an outage for all the devices downstream. By using one or very few addresses as gateways, if there is an outage on the network it will either be very localized or network-wide — either is easy to troubleshoot.

 

Have an updated network plan

A network plan lists different subnets, user groups, and different servers. Essentially it puts all your resources on the network, and shows how the parts of your network are connected. Keeping your plan updated will also help you troubleshoot problems more quickly when they arise.

A network plan helps your static routing by eliminating potential bottlenecks, and helping troubleshoot any routing problems that come up. Also you can use it to plan for the future and act on any changes to your needs or resources more quickly.

 

Plan for expansion

No network remains the same size. At some time, all networks grow. If you take future growth into account, there will be less disruption to your existing network when that growth happens. For example, allocating a block of addresses for servers can easily prevent having to re-assign IP addresses to multiple servers when a new server is added.

With static routing, if you group parts of your network properly you can easily use network masks to address each part of your network separately. This will reduce the amount of administration required both to maintain the routing, and to troubleshoot any problems.

 

Configure as much security as possible

Securing your network through static routing methods is a good low-level way to defend both your important information and your network bandwidth.

  • Implementing NAT to obscure your IP addresses is an excellent first step.
  • Implement black hole routing to hide which IP addresses are or are not in use on your local network.
  • Configure and use access control lists (ACLs) to help ensure that only valid users are using the network.

All three features limit access to the people who should be using your network, and obscure your network information from the outside world and potential hackers.

 



Troubleshooting static routing


When there are problems with your network that you believe to be static routing related, there are a few basic tools available to locate the problem.

These tools include:

  • Ping
  • Traceroute
  • Examine routing table contents

Ping

Beyond the basic connectivity information, ping can tell you the amount of packet loss (if any), how long it takes the packet to make the round trip, and the variation in that time from packet to packet.

If there is no packet loss detected, your basic network connectivity is OK. If there is some packet loss detected, you should investigate:

  • Possible ECMP, split horizon, network loops
  • Cabling to ensure no loose connections

If there is total packet loss, you should investigate:

  • Hardware – ensure cabling is correct, and all equipment between the two locations is accounted for
  • Addresses and routes – ensure all IP addresses and routing information along the route is configured as expected
  • Firewalls – ensure all firewalls are set to allow PING to pass through
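As an added example that is not part of the page, the following Python parses constructed Linux/macOS-style ping output and sorts the result into the three cases above, reporting loss, round-trip min/avg/max and jitter (the packet-to-packet variation the text mentions). The sample output and addresses are made up; the parser does not handle Windows ping's "Reply from ..." line format.

```python
import re
import statistics
from typing import Dict, List, Optional

# One echo-reply line in Linux/macOS ping output.
REPLY_RE = re.compile(r"icmp_seq=(\d+)\b.*?\btime=([\d.]+) ?ms")
# The trailing statistics line, used to learn how many requests were sent.
SUMMARY_RE = re.compile(r"(\d+) packets transmitted")


def parse_ping(output: str, sent: Optional[int] = None) -> Dict[str, object]:
    """Extract loss, round-trip times and jitter from ping output.

    `sent` may be given explicitly (e.g. 4 for Windows' default); the summary
    line overrides it when present, and the highest sequence seen is the last resort.
    """
    rtts: List[float] = []
    seen = set()
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seen.add(int(m.group(1)))
            rtts.append(float(m.group(2)))
        s = SUMMARY_RE.search(line)
        if s:
            sent = int(s.group(1))
    if sent is None:
        sent = max(seen) if seen else 0
    received = len(seen)
    lost = sent - received
    # Jitter here is the mean absolute difference between successive round trips.
    diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    jitter = statistics.mean(diffs) if diffs else 0.0
    return {
        "sent": sent,
        "received": received,
        "lost": lost,
        "loss_pct": round(100.0 * lost / sent, 1) if sent else 0.0,
        "rtt_min": min(rtts) if rtts else None,
        "rtt_avg": round(statistics.mean(rtts), 3) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
        "jitter": round(jitter, 3),
    }


def triage(stats: Dict[str, object]):
    """Map the numbers onto the three cases in the text and what to check in each."""
    if stats["sent"] and stats["received"] == 0:
        return ("total loss", ["hardware and cabling between the two points",
                               "IP addresses and routes along the path",
                               "firewalls permitting ICMP echo through"])
    if stats["lost"] > 0:
        return ("partial loss", ["possible ECMP, split horizon, network loops",
                                 "loose cabling"])
    return ("ok", [])


# Constructed output: four requests, reply 3 missing, one noticeably slow reply.
SAMPLE_PARTIAL = """\
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=64 time=1.210 ms

--- 192.168.10.1 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3052ms
"""

# Constructed output: nothing came back at all.
SAMPLE_TOTAL = """\
PING 192.168.10.41 (192.168.10.41) 56(84) bytes of data.

--- 192.168.10.41 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3071ms
"""


if __name__ == "__main__":
    for sample in (SAMPLE_PARTIAL, SAMPLE_TOTAL):
        stats = parse_ping(sample)
        print(stats, triage(stats))
```

Feeding it real output (`ping -c 4 <gateway> | python3 this_script.py` after adding a `sys.stdin.read()` call) gives you the same three-way decision the text describes without reading the numbers by eye; a high jitter value with no loss is the usual hint that an ECMP split or a loop is in play before packets start disappearing.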

To ping from a Windows PC

1. Go to a DOS prompt. Typically you go to Start > Run, enter cmd and select OK.

2. Enter ping 11.101.100 to ping the default internal interface of the FortiGate unit with four packets.

 

To ping from an Apple computer

1. Open the Terminal.

2. Enter ping 11.101.100.

3. If the ping fails, it will stop after a set number of attempts. If it succeeds, it will continue to ping repeatedly. Press Control+C to end the attempt and see gathered data.

To ping from a Linux PC

1. Go to a command line prompt.

2. Enter “/bin/etc/ping 11.101.101”.

 

Traceroute

Where ping will only tell you if it reached its destination and came back successfully, traceroute will show each step of its journey to its destination and how long each step takes. If ping finds an outage between two points, traceroute can be used to locate exactly where the problem is.

 

To use traceroute on a Windows PC

1. Go to a DOS prompt. Typically you go to Start > Run, enter “cmd” and select OK.

2. Enter “tracert com” to trace the route from the PC to the Fortinet website.

To use traceroute from an Apple computer

1. Open the Terminal.

2. Enter traceroute com.

3. The terminal will list the number of steps made. Upon reaching the destination, it will list three asterisks per line. Press Control+C to end the attempt.

 

To use traceroute on a Linux PC

1. Go to a command line prompt.

2. Enter “/bin/etc/traceroute com”.

The Linux traceroute output is very similar to the MS Windows traceroute output.

 

Examine routing table contents

The first place to look for information is the routing table.

The routing table is where all the currently used routes are stored for both static and dynamic protocols. If a route is in the routing table, it saves the time and resources of a lookup. If a route isn’t used for a while and a new route needs to be added, the oldest least used route is bumped if the routing table is full. This ensures the most recently used routes stay in the table. Note that if your FortiGate unit is in Transparent mode, you are unable to perform this step.

If the FortiGate is running in NAT mode, verify that all desired routes are in the routing table: local subnets, default routes, specific static routes, and dynamic routing protocols.

To check the routing table in the web-based manager, use the Routing Monitor — go to Router > Monitor > Routing Monitor. In the CLI, use the command get router info routing-table all.



Route priority


After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. Priority is a Fortinet value that may or may not be present in other brands of routers.

You can configure the priority field through the CLI or the web-based manager. Priority values can range from 0 to 4 294 967 295. The route with the lowest value in the priority field is considered the best route. It is also the primary route.

To change the priority of a route – web-based manager

1. Go to Router > Static > Static Routes.

2. Select the route entry, and select Edit.

3. Select Advanced.

4. Enter the Priority value.

5. Select OK.

 

To change the priority of a route – CLI

The following commands change the priority to 5 for a route to the address 10.10.10.1 on the port1 interface.

    config router static
        edit 1
            set device port1
            set gateway 10.10.10.10
            set dst 10.10.10.1
            set priority 5
        end

If there are other routes set to priority 10, the route set to priority 5 will be preferred. If there are routes set to priorities less than 5, those other routes will be preferred instead.

In summary, because you can use the CLI to specify which sequence numbers or priority field settings to use when defining static routes, you can prioritize routes to the same destination according to their priority field settings. For a static route to be the preferred route, you must create the route using the config router static CLI command and specify a low priority for the route. If two routes have the same administrative distance and the same priority, then they are equal cost multipath (ECMP) routes.

Since this means there is more than one route to the same destination, it can be confusing which route or routes to install and use. However, if you have enabled load balancing with ECMP routes, then different sessions will resolve this problem by using different routes to the same address.
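The selection order described in this section and in the transparent-mode Priority field (administrative distance decides what enters the routing table, then the lowest priority wins, and ties become ECMP) is shown below as an added Python model; it is not FortiOS code. The routes reuse the 10.10.10.1 destination from the CLI example above, the remaining gateways and interfaces are constructed, the default administrative distance of 10 is an assumption, and `pick_ecmp` is a deliberately simple stand-in for spreading sessions across equal routes, not the FortiGate's load-balancing algorithm.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class StaticRoute:
    seq: int            # sequence number, as in "edit 1" under config router static
    dst: str            # destination prefix, e.g. "10.10.10.1/32"
    gateway: str
    device: str
    distance: int = 10  # assumption: 10 stands in for the default administrative distance
    priority: int = 0   # lower value wins; valid range 0 to 4294967295


def install(routes: List[StaticRoute]) -> List[StaticRoute]:
    """Step 1: per destination prefix, only the lowest administrative distance reaches the table."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.dst, []).append(r)
    table = []
    for group in by_prefix.values():
        best = min(r.distance for r in group)
        table.extend(r for r in group if r.distance == best)
    return table


def lookup(routes: List[StaticRoute], dst_ip: str) -> List[StaticRoute]:
    """Step 2: longest-prefix match, then lowest priority. More than one result means ECMP."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in install(routes) if ip in ipaddress.ip_network(r.dst)]
    if not hits:
        return []
    longest = max(ipaddress.ip_network(r.dst).prefixlen for r in hits)
    hits = [r for r in hits if ipaddress.ip_network(r.dst).prefixlen == longest]
    best = min(r.priority for r in hits)
    return [r for r in hits if r.priority == best]


def pick_ecmp(ecmp: List[StaticRoute], src_ip: str) -> StaticRoute:
    """Simplified per-session spread: a stable choice keyed on the source address.

    Illustration only; this is not the FortiGate's ECMP algorithm.
    """
    return ecmp[int(ipaddress.ip_address(src_ip)) % len(ecmp)]


# Constructed routes; 10.10.10.1 and 10.10.10.10 echo the page's CLI example, the rest are made up.
ROUTES = [
    StaticRoute(1, "10.10.10.1/32", "10.10.10.10", "port1", priority=5),
    StaticRoute(2, "10.10.10.1/32", "10.10.20.10", "port2", priority=10),   # loses on priority
    StaticRoute(3, "10.10.10.1/32", "10.10.30.10", "port3", priority=5, distance=20),  # never installed
    StaticRoute(4, "0.0.0.0/0", "192.168.10.1", "port2"),                   # default route
]


def selected_seqs(routes: List[StaticRoute], dst_ip: str) -> List[int]:
    """Sequence numbers of the route(s) that would carry traffic to dst_ip."""
    return [r.seq for r in lookup(routes, dst_ip)]


if __name__ == "__main__":
    print("10.10.10.1 ->", selected_seqs(ROUTES, "10.10.10.1"))          # [1]
    print("203.0.113.9 ->", selected_seqs(ROUTES, "203.0.113.9"))        # [4], the default route
    twin = ROUTES + [StaticRoute(5, "10.10.10.1/32", "10.10.40.10", "port4", priority=5)]
    print("with a priority-5 twin ->", selected_seqs(twin, "10.10.10.1"))  # [1, 5], ECMP
    for src in ("192.168.10.11", "192.168.10.12"):
        print(src, "uses seq", pick_ecmp(lookup(twin, "10.10.10.1"), src).seq)
```

Route 3 is the case that catches people: its priority of 5 ties the preferred route, but it never gets a say because its higher administrative distance keeps it out of the routing table in step 1. Adding route 5 with the same distance and priority as route 1 is what produces the ECMP pair the text describes.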

