Traffic Diversion Using A Single Divert-From And Inject-To Router And A Switch - Fortinet FortiDDoS Installation Manual

Configuration Options

Traffic diversion using a single divert-from and inject-to router and a switch

FortiDDoS v3.2 Installation Guide
28-320-183686-20130401
http://docs.fortinet.com/
Refer to Figure 19. A single router acts as both the Divert-from and the Inject-to router. A very simple deployment is explained in Figure 19. This involves Layer 2 forwarding through the FortiDDoS device.
One interface on the Internet side of the router is used to divert the traffic destined for the attacked destination. This traffic passes through a switch to the FortiDDoS device and is then forwarded, through the same switch, to the Inject-to interface on the same router.
To keep the traffic symmetric, so that both the incoming and the outgoing traffic of the attacked destination pass through the FortiDDoS device, the LAN interface of the router is used to divert the traffic coming from the attacked destination. This traffic likewise passes through the switch to the FortiDDoS device and is then forwarded, through the same switch, to the Inject-to interface on the same router.
A static route for the addresses of the attacked customer network is added on the router. Because it has the longest matching prefix, this route is selected first, so all traffic to the attacked customer network is diverted from the router to the L3 switch through the FortiDDoS device network rather than going straight from the router to the distribution switch.
The return path for traffic should preferably also be via the FortiDDoS appliance. The solution still works if traffic passes through the FortiDDoS appliance in only one direction, but bidirectional traffic lets the FortiDDoS device track the state of connections.
To ensure that the return traffic passes through the FortiDDoS device, use Policy Based Routing (PBR), which is available in most routers. PBR selects the next-hop address based on the source address of the packets and the interface on which they arrive, instead of on the destination address alone.
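The following is an added example, not code from the Fortinet guide, that models the two router decisions described above: the longest-prefix-match lookup that makes the more specific static route win over the customer aggregate, and the PBR rule on the LAN interface that catches the attacked customer's return traffic by source address. The prefixes (203.0.113.0/24 as the attacked customer, 203.0.112.0/22 as the provider aggregate), interface names and next-hop labels are constructed for illustration. One point the page does not spell out is how cleaned traffic re-entering on the Inject-to interface avoids matching the diversion route again; the model assumes a PBR rule on that interface, and also shows the forwarding loop that results when it is missing.

```python
"""Forwarding-decision model for a single divert-from / inject-to router.

Added example, not code from the Fortinet guide. Topology, prefixes,
interface names and next-hop labels are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network

# Constructed addressing (assumed, not from the guide).
CUSTOMER_AGGREGATE = ipaddress.ip_network("203.0.112.0/22")  # all customers
ATTACKED_PREFIX = ipaddress.ip_network("203.0.113.0/24")     # customer under attack
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

# Next hops as seen from the router (labels rather than real addresses).
TO_UPSTREAM = "upstream"                # towards the Internet
TO_DISTRIBUTION = "distribution"        # straight to the distribution switch
TO_FORTIDDOS = "fortiddos-via-switch"   # divert path through the switch


@dataclass
class PbrRule:
    """Policy-based routing rule bound to an ingress interface."""
    next_hop: str
    src: Optional[Net] = None   # match on source prefix (None = any)
    dst: Optional[Net] = None   # match on destination prefix (None = any)

    def matches(self, src, dst):
        return (self.src is None or src in self.src) and \
               (self.dst is None or dst in self.dst)


@dataclass
class Router:
    fib: Dict[Net, str] = field(default_factory=dict)
    pbr: Dict[str, List[PbrRule]] = field(default_factory=dict)

    def lpm(self, dst):
        """Longest-prefix match over the static routes: most specific wins."""
        best = None
        for net, nh in self.fib.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else "drop"

    def forward(self, ingress, src, dst):
        """PBR on the ingress interface is consulted before the FIB lookup."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.pbr.get(ingress, []):
            if rule.matches(src, dst):
                return rule.next_hop
        return self.lpm(dst)


def baseline_router():
    """Normal state: customer traffic goes straight to the distribution switch."""
    return Router(fib={CUSTOMER_AGGREGATE: TO_DISTRIBUTION, DEFAULT_ROUTE: TO_UPSTREAM})


def diverting_router(inject_pbr=True):
    """Router state while ATTACKED_PREFIX is under attack."""
    r = baseline_router()
    # 1. Static route for the attacked prefix. Its /24 is longer than the /22
    #    aggregate, so longest-prefix match selects it and traffic is diverted.
    r.fib[ATTACKED_PREFIX] = TO_FORTIDDOS
    # 2. PBR on the LAN interface: the customer's outbound traffic is matched by
    #    source address and also sent through FortiDDoS, keeping flows symmetric.
    r.pbr["lan"] = [PbrRule(next_hop=TO_FORTIDDOS, src=ATTACKED_PREFIX)]
    # 3. Assumption (not stated on the page): cleaned traffic re-entering on the
    #    inject-to interface must bypass the diversion route or it loops back to
    #    FortiDDoS. A PBR rule on that interface sends it to the distribution switch.
    if inject_pbr:
        r.pbr["inject"] = [PbrRule(next_hop=TO_DISTRIBUTION, dst=ATTACKED_PREFIX)]
    return r


def trace(router, ingress, src, dst, max_hops=5):
    """List the next hops a packet takes until it leaves the router for good.

    Whenever the router sends the packet to FortiDDoS, it comes back in on the
    inject-to interface and is routed again; a capped hop count exposes loops.
    """
    hops = []
    while len(hops) < max_hops:
        nh = router.forward(ingress, src, dst)
        hops.append(nh)
        if nh != TO_FORTIDDOS:
            break
        ingress = "inject"
    return hops


if __name__ == "__main__":
    r = diverting_router()
    print("attack packet  :", trace(r, "internet", "198.51.100.7", "203.0.113.10"))
    print("return packet  :", trace(r, "lan", "203.0.113.10", "198.51.100.7"))
    print("other customer :", trace(r, "internet", "198.51.100.7", "203.0.114.5"))
    print("no inject PBR  :", trace(diverting_router(False), "internet", "198.51.100.7", "203.0.113.10"))
```

Only the attacked /24 changes path; traffic for the other customer inside the /22 still takes the direct route to the distribution switch, which is exactly what the longest-match behaviour buys. The last trace shows why step 3 matters: without something that stops re-injected traffic from matching the diversion route, the packet bounces between the router and FortiDDoS until its TTL expires.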
Figure 19: Traffic diversion using a single divert-from and inject-to router and a FortiDDoS unit
Using traffic diversion in service provider environment