Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kamalsingh
New Contributor

How can I separate customer traffic via VLANs in a single VDOM, and separate the VPN tunnels too?

Hello Friends,

 

I am Kamal, in need of one piece of advice.

 

I have 2 customers and one FortiGate 201 model (working in HA).

The request is: traffic comes from the LAN switches (which have 2 VLANs for the customers) and then arrives at FortiGate port 4 on both HA FortiGates.

 

Here I want to separate the traffic of both customers at the FortiGate level.

 

On the WAN side I have 2 ISPs, and both customers want to use both ISPs' bandwidth with the SD-WAN weight algorithm at 50/50 %.

 

How can we use the VLAN concept here to separate customer traffic, and also separate the tunnels with the SD-WAN concept?

 

Thanks

Kamal Singh

 

emnoc
Esteemed Contributor III

1st, good diagram.

 

Are you running each customer in a VDOM, or just using VLANs and IPsec between site1 and site2? In your case I would use the IPsec VPN tunnels to control the traffic, and have the policy that allows the traffic from the local and remote subnets for vlan2 and vlan3.

 

It looks like you have that done, judging by the diagram? For routing you can control which tunnel carries that traffic, and if you need redundancy via the MetroE and the 2nd ISP, just adjust the metric with two routes.

 

If you dump your subnet numbers and phase2 settings, I could draft it out better.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

kamalsingh

Hello Ken,

 

Thanks a lot for having a look into this.

 

You are right, I am using VLANs instead of VDOMs to separate the customer traffic; please advise whether that is fine.

 

As it is a single VDOM, I am using the ports like below:

 

Devices are in HA:

Port 4 is for LAN purposes (carrying the 2 VLANs)

Then port1 (primary Metro link), port2 (secondary ISP)

Tunnels: I will create a total of 4 tunnels:

2 for the first customer with both ISPs, as shown in green in the Visio diagram

2 for the second customer with both ISPs, as shown by the red line in the Visio diagram.

 

SD-WAN: I will make a policy like:

Source vlan2: destination tun1, tun3 --- green tunnels

Source vlan3: destination tun2, tun4 --- red tunnels

 

I would request you to help me with the config; yes, it would be great if you could draft the config for me.

 

Vlan2: 10.99.2.0/24  ---

Vlan3: 10.99.3.0/24 --

ISP IP: 

Primary metro link: 1.1.1.1/30 ------- 1.1.1.2/30

Secondary ISP: 200.200.200.1/30 ------ 200.200.200.2/30

Tunnel:

1st: Subnet: 10.10.10.0/30  -- 10.10.10.1/30 --- other end 10.10.10.2/30

2nd: Subnet: 10.10.10.4/30  -- 10.10.10.5/30 --- other end 10.10.10.6/30

3rd: Subnet: 10.10.10.8/30  -- 10.10.10.9/30 --- other end 10.10.10.10/30

4th: Subnet: 10.10.10.12/30  -- 10.10.10.13/30 --- other end 10.10.10.24/30

 

I would be so thankful to you.

 

Thanks

Kamal
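As an added example (my own draft, not Kamal's, Ken's or Fortinet's config), here is one FortiGate side of the VLAN and tunnel layout described in the post above, in FortiOS CLI. The VLAN IDs, LAN subnets, WAN addresses and tunnel /30s are the ones from the post; everything else is assumed: FortiOS 7.x CLI syntax, .1 as the gateway on each VLAN, IKEv2 with placeholder pre-shared keys, REMOTE_A_SUBNET / REMOTE_B_SUBNET as the far-side LAN subnets the thread never gives, and 10.10.10.14 as the far end of the fourth tunnel (the post's 10.10.10.24 lies outside 10.10.10.12/30). Tunnel numbering follows the post: tun1 and tun3 carry customer A (vlan2), tun2 and tun4 carry customer B (vlan3). Because two tunnels share the same port and the same remote gateway, each phase1 is given its own IKE identity (localid / peerid); that is how FortiOS tells two phase1 entries to the same peer apart, stated here from memory, so verify it on your firmware version.

```fortios
# Added example, not from the thread. Placeholders: REMOTE_A_SUBNET/MASK,
# REMOTE_B_SUBNET/MASK (far-side LANs), CHANGE-ME-* (pre-shared keys).
config system interface
    edit "vlan2"
        set interface "port4"
        set vlanid 2
        set ip 10.99.2.1 255.255.255.0
    next
    edit "vlan3"
        set interface "port4"
        set vlanid 3
        set ip 10.99.3.1 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "tun1"
        set interface "port1"
        set ike-version 2
        set remote-gw 1.1.1.2
        set localid "siteA-custA-isp1"
        set peertype one
        set peerid "siteB-custA-isp1"
        set proposal aes256-sha256
        set psksecret "CHANGE-ME-A1"
    next
    edit "tun2"
        set interface "port1"
        set ike-version 2
        set remote-gw 1.1.1.2
        set localid "siteA-custB-isp1"
        set peertype one
        set peerid "siteB-custB-isp1"
        set proposal aes256-sha256
        set psksecret "CHANGE-ME-B1"
    next
    edit "tun3"
        set interface "port2"
        set ike-version 2
        set remote-gw 200.200.200.2
        set localid "siteA-custA-isp2"
        set peertype one
        set peerid "siteB-custA-isp2"
        set proposal aes256-sha256
        set psksecret "CHANGE-ME-A2"
    next
    edit "tun4"
        set interface "port2"
        set ike-version 2
        set remote-gw 200.200.200.2
        set localid "siteA-custB-isp2"
        set peertype one
        set peerid "siteB-custB-isp2"
        set proposal aes256-sha256
        set psksecret "CHANGE-ME-B2"
    next
end
config vpn ipsec phase2-interface
    edit "tun1-p2"
        set phase1name "tun1"
        set proposal aes256-sha256
        set src-subnet 10.99.2.0 255.255.255.0
        set dst-subnet REMOTE_A_SUBNET REMOTE_A_MASK
    next
    edit "tun2-p2"
        set phase1name "tun2"
        set proposal aes256-sha256
        set src-subnet 10.99.3.0 255.255.255.0
        set dst-subnet REMOTE_B_SUBNET REMOTE_B_MASK
    next
    edit "tun3-p2"
        set phase1name "tun3"
        set proposal aes256-sha256
        set src-subnet 10.99.2.0 255.255.255.0
        set dst-subnet REMOTE_A_SUBNET REMOTE_A_MASK
    next
    edit "tun4-p2"
        set phase1name "tun4"
        set proposal aes256-sha256
        set src-subnet 10.99.3.0 255.255.255.0
        set dst-subnet REMOTE_B_SUBNET REMOTE_B_MASK
    next
end
# Tunnel interface addressing from the post's /30s (fourth far end assumed .14).
config system interface
    edit "tun1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.252
    next
    edit "tun2"
        set ip 10.10.10.5 255.255.255.255
        set remote-ip 10.10.10.6 255.255.255.252
    next
    edit "tun3"
        set ip 10.10.10.9 255.255.255.255
        set remote-ip 10.10.10.10 255.255.255.252
    next
    edit "tun4"
        set ip 10.10.10.13 255.255.255.255
        set remote-ip 10.10.10.14 255.255.255.252
    next
end
```

The phase2 selectors are deliberately narrow: a customer-A tunnel only has an SA for 10.99.2.0/24, so even a mistaken policy could not carry vlan3 traffic through it, the selector simply would not match. After the far side is configured as the mirror image, `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` show whether each of the four SAs came up over the intended port.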

 

sw2090
Honored Contributor

Hi Kamal,

 

So this means you have a FGT HA Cluster on each side?

Each cluster has two WAN links and on each WAN link a P2P IPsec tunnel to the other side?

Do I understand this right?

 

If so, that would mean the traffic is always separated. Behind the FortiGates the VLAN does separate it (at least if there is no port in both VLANs somewhere there), and on the FGT that's default behaviour even without VLANs, since all traffic that does not match an explicit policy by default always matches policy #0 (implicit deny) and will be dropped by the FGT. So as long as you don't have policies on your FGTs that allow traffic from vlan2 to vlan3 or/and vice versa, they won't see each other on the FGT. And behind the FGT your VLAN setup takes care of this.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
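To put sw2090's point and Kamal's SD-WAN plan (vlan2 to tun1/tun3, vlan3 to tun2/tun4, 50/50 by weight) into one place, here is an added example of the steering and policy side; it is my own draft, not from the thread or Fortinet, and it assumes the tunnel names tun1..tun4 (tun1/tun3 customer A over port1/port2, tun2/tun4 customer B) already exist as route-based tunnels. Also assumed: FortiOS 7.x CLI syntax, that a rule in `load-balance` mode distributes sessions according to the SD-WAN `load-balance-mode`, the address-object, zone and rule names, and REMOTE_A_SUBNET / REMOTE_B_SUBNET placeholders for the far-side subnets the thread does not give.

```fortios
# Added example, not from the thread. Placeholders: REMOTE_A/B_SUBNET and _MASK.
config firewall address
    edit "vlan2-net"
        set subnet 10.99.2.0 255.255.255.0
    next
    edit "vlan3-net"
        set subnet 10.99.3.0 255.255.255.0
    next
    edit "remote-A"
        set subnet REMOTE_A_SUBNET REMOTE_A_MASK
    next
    edit "remote-B"
        set subnet REMOTE_B_SUBNET REMOTE_B_MASK
    next
end
# One zone per customer: anything referencing "sdwan-A" can only pick tun1 or tun3.
config system sdwan
    set status enable
    set load-balance-mode weight-based
    config zone
        edit "sdwan-A"
        next
        edit "sdwan-B"
        next
    end
    config members
        edit 1
            set interface "tun1"
            set zone "sdwan-A"
            set weight 50
        next
        edit 2
            set interface "tun2"
            set zone "sdwan-B"
            set weight 50
        next
        edit 3
            set interface "tun3"
            set zone "sdwan-A"
            set weight 50
        next
        edit 4
            set interface "tun4"
            set zone "sdwan-B"
            set weight 50
        next
    end
    config service
        edit 1
            set mode load-balance
            set src "vlan2-net"
            set dst "remote-A"
            set priority-members 1 3
        next
        edit 2
            set mode load-balance
            set src "vlan3-net"
            set dst "remote-B"
            set priority-members 2 4
        next
    end
end
# Routes to the far-side subnets via the zones, so the rules have a route to steer.
config router static
    edit 1
        set dst REMOTE_A_SUBNET REMOTE_A_MASK
        set sdwan-zone "sdwan-A"
    next
    edit 2
        set dst REMOTE_B_SUBNET REMOTE_B_MASK
        set sdwan-zone "sdwan-B"
    next
end
# No policy names vlan2 and vlan3 together, so inter-customer traffic hits implicit deny.
config firewall policy
    edit 1
        set name "custA-out"
        set srcintf "vlan2"
        set dstintf "sdwan-A"
        set srcaddr "vlan2-net"
        set dstaddr "remote-A"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "custB-out"
        set srcintf "vlan3"
        set dstintf "sdwan-B"
        set srcaddr "vlan3-net"
        set dstaddr "remote-B"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

If the remote sites also initiate sessions, add the mirror-image policies (sdwan-A to vlan2 and sdwan-B to vlan3) in the same shape; still nothing between vlan2 and vlan3. The separation then rests on three independent layers, any one of which would stop a cross-customer packet: the per-customer zone limits which tunnels a policy can use, the policy set has no vlan2/vlan3 pair so policy 0 drops it, and the phase2 selectors would not carry the other customer's subnet anyway. `diagnose sys sdwan service` shows the live member selection per rule, and `diagnose sys sdwan member` the weights, which is the quickest check that the 50/50 split is actually in effect.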
