Appendix C: Switch and Router Configuration
 
Switch configuration for load balancing
The following example load balancing configuration is for the FortiSwitch 248-B DPS Ethernet switch.
It configures two trunk groups with eight ports per trunk. Trunk 10 is used for Internet traffic and trunk 11 is used for server-side traffic.
Use the load-balance-hash command to specify src-dst-ip-ipports as the hash distribution algorithm (hash mode) applied to all trunk groups. This mode hashes a 4-tuple (source IP address, destination IP address, source L4 port, and destination L4 port), which ensures that all packets belonging to a session pass through the same port pair on the FortiDDoS appliance in both directions.
(clientSide-84.82) #show run
!Current Configuration:
!
!System Description "FortiSwitch-248B-DPS 48x1G & 4x10G"
!System Software Version "5.2.0.2.4"
 
serviceport ip 192.168.22.98 255.255.255.0 0.0.0.0
vlan database
vlan name 10 "egress"
vlan name 11 "ingress"
exit
 
port-channel "egress" 1
interface 0/1
channel-group 1/1
exit
interface 0/3
channel-group 1/1
exit
interface 0/5
channel-group 1/1
exit
interface 0/7
channel-group 1/1
exit
interface 0/9
channel-group 1/1
exit
interface 0/11
channel-group 1/1
exit
interface 0/13
channel-group 1/1
exit
interface 0/15
channel-group 1/1
exit
port-channel "ingress" 2
interface 0/2
channel-group 1/2
exit
interface 0/4
channel-group 1/2
exit
interface 0/6
channel-group 1/2
exit
interface 0/8
channel-group 1/2
exit
interface 0/10
channel-group 1/2
exit
interface 0/12
channel-group 1/2
exit
interface 0/14
channel-group 1/2
exit
interface 0/16
channel-group 1/2
exit
 
mac-addr-table aging-time 60000
 
interface 0/1
no cdp run
switchport allowed vlan add 10
exit
 
interface 0/2
no cdp run
exit
interface 0/3
no cdp run
exit
 
interface 0/4
no cdp run
exit
 
interface 0/5
no cdp run
exit
 
interface 0/6
no cdp run
exit
 
interface 0/7
no cdp run
exit
 
interface 0/8
no cdp run
exit
 
interface 0/9
no cdp run
exit
 
interface 0/10
no cdp run
exit
 
interface 0/11
no cdp run
exit
 
interface 0/12
no cdp run
exit
 
interface 0/13
no cdp run
exit
 
interface 0/14
no cdp run
exit
 
interface 0/15
no cdp run
exit
 
interface 0/16
no cdp run
exit
 
interface 0/17
no cdp run
switchport allowed vlan add 10
switchport native vlan 10
exit
 
interface 0/18
no cdp run
switchport allowed vlan add 11
switchport native vlan 11
exit
 
interface 0/49
no cdp run
switchport allowed vlan add 10
switchport native vlan 10
exit
 
interface 0/50
no cdp run
switchport allowed vlan add 11
switchport native vlan 11
exit
 
interface 1/1
staticcapability
switchport allowed vlan add 10
switchport native vlan 10
lacp collector max-delay 0
exit
 
interface 1/2
staticcapability
switchport allowed vlan add 11
switchport native vlan 11
lacp collector max-delay 0
exit
 
interface 1/3
staticcapability
switchport allowed vlan add 10
switchport tagging 10
lacp collector max-delay 0
exit
 
interface 1/4
staticcapability
switchport allowed vlan add 11
switchport tagging 11
lacp collector max-delay 0
exit
 
router rip
exit
router ospf
exit
exit
 
(clientSide-84.82) #
(clientSide-84.82) #show load-balance
Hash Mode: src-dst-ip-ipport
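
The session-affinity property of the 4-tuple hash mode described above, as an added example that is not part of the original documentation or the FortiSwitch software: it checks that a request and its reply select the same trunk member index, and contrasts this with a source-IP-only hash. Assumptions: CRC-32 over the sorted endpoints stands in for the switch's actual hash, member i of trunk 1/1 and member i of trunk 1/2 are cabled to the same FortiDDoS port pair, and the sample sessions are constructed.

```python
import ipaddress
import zlib

# Trunk members copied from the port-channel definitions in the configuration above.
EGRESS = ["0/1", "0/3", "0/5", "0/7", "0/9", "0/11", "0/13", "0/15"]    # channel-group 1/1
INGRESS = ["0/2", "0/4", "0/6", "0/8", "0/10", "0/12", "0/14", "0/16"]  # channel-group 1/2


def four_tuple_index(src_ip, src_port, dst_ip, dst_port, members=8):
    """Direction-independent member index computed from the 4-tuple.

    Assumption: CRC-32 over the sorted endpoints is a stand-in for the
    switch's hardware hash; only the symmetry property matters here.
    """
    ends = sorted([(int(ipaddress.ip_address(src_ip)), src_port),
                   (int(ipaddress.ip_address(dst_ip)), dst_port)])
    key = b"".join(ip.to_bytes(16, "big") + port.to_bytes(2, "big") for ip, port in ends)
    return zlib.crc32(key) % members


def src_ip_index(src_ip, members=8):
    """Source-IP-only hash, shown for contrast: its result depends on direction."""
    return zlib.crc32(ipaddress.ip_address(src_ip).packed) % members


def session_paths(client, cport, server, sport):
    """Per hash mode: (member for request, member for reply, same index?)."""
    fwd = four_tuple_index(client, cport, server, sport)  # client -> server, onto trunk 1/1
    rev = four_tuple_index(server, sport, client, cport)  # server -> client, onto trunk 1/2
    s_fwd, s_rev = src_ip_index(client), src_ip_index(server)
    return {
        "4-tuple": (EGRESS[fwd], INGRESS[rev], fwd == rev),
        "src-ip": (EGRESS[s_fwd], INGRESS[s_rev], s_fwd == s_rev),
    }


def count_split_sessions(sessions, mode):
    """Number of sessions whose two directions use different member indexes."""
    return sum(1 for s in sessions if not session_paths(*s)[mode][2])


# Constructed sample sessions (documentation address ranges), not captured traffic.
SESSIONS = [(f"198.51.100.{i}", 40000 + i, "203.0.113.10", 443) for i in range(1, 201)]

if __name__ == "__main__":
    for mode in ("4-tuple", "src-ip"):
        print(mode, "split sessions:", count_split_sessions(SESSIONS, mode), "of", len(SESSIONS))
```

A session counted as split would have its request and reply inspected on different appliance port pairs, which is the condition the 4-tuple hash mode avoids.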