Linking VDOMs for inter-VDOM routing

VDOM links allow VDOMs to communicate internally without using additional physical interfaces.

Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual interfaces that connect VDOMs. A VDOM link contains a pair of interfaces, each one connected to a VDOM and forming either end of the inter-VDOM connection.

When VDOMs are configured on your FortiADC unit, configuring inter-VDOM routing and VDOM links is like creating a VLAN interface. VDOM links can be managed in either the CLI or in the network interface list in the GUI.

Inter-VDOM routing is only available for these classic scenarios: static route, PBR, L4 SLB, L7 SLB and NAT. It is currently not supported in IPv6 related configurations.

To create and configure a VDOM-link pair in the GUI:
  1. Go to Network > Interface.
  2. Scroll to the Vdom Link section.
  3. Click Create New.
  4. Configure the following interface settings for each VDOM in the link:
     Virtual Domain: Select the VDOM to link for inter-VDOM routing.
     IPv4/Netmask: Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted. Note: The IP address cannot be 0.0.0.0/0.
     Allow Access: Allow inbound service traffic. Select from the following options:
       • HTTPS — Enables secure connections to the web UI. We recommend this option instead of HTTP.
       • Ping — Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiADC will reply with ICMP type 0 (ECHO_RESPONSE or “ping”).
       • SSH — Enables SSH connections to the CLI. We recommend this option instead of Telnet.
       • SNMP — Enables SNMP queries to this network interface.
       • HTTP — Enables connections to the web UI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
       • Telnet — Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
     Status: The Status is not the detected physical link status; it is the administrative status (UP/Down) that indicates whether you permit the network interface to receive and/or transmit packets.
  5. Click Save.

By default, VDOM links created in the GUI are ethernet links. The link type can't be changed after it has been created. To set a VDOM link type to point-to-point (ppp), it needs to be created in the CLI.

To create a VDOM-link pair in the CLI:

config global
  config system vdom-link
    edit <vdom-link-name>
      set type {ethernet|ppp}
    next
  end
end

Using this command will automatically create a VDOM-link pair in the system interface. However, by default, these VDOM links will not be assigned an IP address or allowaccess options, so you would not be able to route traffic between the VDOM links until these settings are configured in the system interface.

To configure the interface settings for the VDOM-link pair in the CLI:

config system interface
  edit <vdom-link-name0>
    set type vdom-link
    set vdom <vdom-name>
    set ip <ip&netmask>
    set allowaccess {http https ping snmp ssh telnet}
  next
  edit <vdom-link-name1>
    set type vdom-link
    set vdom <vdom-name>
    set ip <ip&netmask>
    set allowaccess {http https ping snmp ssh telnet}
  next
end

To delete a VDOM link in the GUI:
  1. Go to Network > Interface.
  2. Select a VDOM Link and click Delete.

To delete a VDOM link in the CLI:

config global
  config system vdom-link
    delete <vdom-link-name>
  end
end

Test the configuration

When the inter-VDOM routing has been configured, test the configuration to confirm proper operation. Testing connectivity ensures that physical networking connections and FortiADC unit interface configurations are properly configured.

The easiest way to test connectivity is to use the ping and traceroute commands to confirm the connectivity of different routes on the network.

Example

This example shows how to configure a FortiADC unit to use inter-VDOM routing for a static route scenario.

There are two departments of a company, Accounting and Sales, that need to connect to one FortiADC unit, and the company uses a single ISP to connect to the Internet. To achieve this, two separate pairs of VDOM-links will need to be created and configured to link the traffic between VDOM 1 (Accounting) and the Management VDOM (root), and between VDOM 2 (Sales) and the Management VDOM (root).

This example includes the following general steps. We recommend following the steps in the order below.

1) Create the VDOM-link pairs in the system interface

Create the two sets of VDOM-link pairs in the system interface: VDOM 1 to the Management VDOM (Accounting-root) and VDOM 2 to the Management VDOM (Sales-root).

To create the Accounting to root VDOM-link pair:

config global
  config system vdom-link
    edit Accounting-root
      set type ethernet
    next
  end
end

This will automatically create the pair of VDOM-link interfaces named Accounting-root0 and Accounting-root1 in the system interface. These interfaces are created with default interface settings, so they will need to be edited to enable the routing between VDOM 1 (Accounting) and the Management VDOM (root).

To create the Sales to root VDOM-link pair:

config global
  config system vdom-link
    edit Sales-root
      set type ethernet
    next
  end
end

This will automatically create the pair of VDOM-link interfaces named Sales-root0 and Sales-root1 in the system interface. These interfaces are created with default interface settings, so they will need to be edited to enable the routing between VDOM 2 (Sales) and the Management VDOM (root).

2) Configure the VDOM-link pairs in the system interface

In the system interface, edit and configure the two sets of VDOM-link pairs created through config system vdom-link to enable the inter-VDOM routing between VDOM 1 (Accounting) and the Management VDOM (root), and VDOM 2 (Sales) and the Management VDOM (root).

To configure the interface settings for the Accounting-root VDOM-link pair:

config system interface
  edit Accounting-root0
    set type vdom-link
    set vdom Accounting
    set ip 111.111.111.2/24
    set allowaccess https ping ssh
  next
  edit Accounting-root1
    set type vdom-link
    set vdom root
    set ip 111.111.111.1/24
    set allowaccess https ping ssh
  next
end

To configure the interface settings for the Sales-root VDOM-link pair:

config system interface
  edit Sales-root0
    set type vdom-link
    set vdom Sales
    set ip 122.122.122.2/24
    set allowaccess https ping ssh
  next
  edit Sales-root1
    set type vdom-link
    set vdom root
    set ip 122.122.122.1/24
    set allowaccess https ping ssh
  next
end

3) Configure the static routes

Configure the static routes so that traffic flows in both directions over each inter-VDOM link. For each VDOM-link pair, add a route in the Management VDOM (root) whose destination is the internal VDOM's network and whose gateway is the IP address of the far end of the link (the interface that belongs to the internal VDOM). Then add a route in the internal VDOM whose gateway is the root end of the link, so that return traffic is sent back across the same link.

Configuring the static route for the Accounting-root VDOM-link pair

For the Accounting-root VDOM-link pair, set the destination for the Management VDOM (root) as the Internal VDOM 1 (Accounting) network, and set the gateway routing IP address to point to VDOM 1 (Accounting). Then set the gateway routing IP address for VDOM 1 (Accounting) to point to the Management VDOM (root).

To route the Management VDOM (root):

config router static
  edit 1
    set destination 20.24.2.0/24
    set gateway 111.111.111.2
  next
end

To route the VDOM 1 (Accounting):

config router static
  edit 2
    set gateway 111.111.111.1
  next
end

Configuring the static route for the Sales-root VDOM-link pair

For the Sales-root VDOM-link pair, set the destination for the Management VDOM (root) as the Internal VDOM 2 (Sales) network, and set the gateway routing IP address to point to VDOM 2 (Sales). Then set the gateway routing IP address for VDOM 2 (Sales) to point to the Management VDOM (root).

To route the Management VDOM (root):

config router static
  edit 3
    set destination 20.24.3.0/24
    set gateway 122.122.122.2
  next
end

To route the VDOM 2 (Sales):

config router static
  edit 4
    set gateway 122.122.122.1
  next
end
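As an added consistency check (not part of the handbook and not FortiADC code), the following Python reviews a VDOM-link pair and its static routes against the rules stated above: CIDR-only masks, no 0.0.0.0/0, both link ends on one subnet, cleartext management services flagged, and each VDOM's gateway pointing at the far end of the link. The dictionary layout and the sample data, which mirrors the Accounting-root example, are assumptions.

```python
import ipaddress
from copy import deepcopy

CLEARTEXT_MGMT = {"http", "telnet"}  # the handbook recommends these only on trusted private networks

def parse_cidr(ip_text):
    """IPv4/Netmask field rules: CIDR prefix length only, and not 0.0.0.0/0."""
    if "/" not in ip_text or not ip_text.rpartition("/")[2].isdigit():
        raise ValueError(f"{ip_text}: netmask must be a CIDR prefix length, not a dotted quad")
    if ip_text == "0.0.0.0/0":
        raise ValueError("IP address cannot be 0.0.0.0/0")
    return ipaddress.IPv4Interface(ip_text)

def check_vdom_link(link):
    """Return findings for one VDOM-link pair and its static routes; [] means consistent."""
    findings, ends = [], {}
    for name, end in link["interfaces"].items():
        try:
            ends[name] = (end["vdom"], parse_cidr(end["ip"]))
        except ValueError as err:
            findings.append(f"{name}: {err}")
            continue
        weak = set(end["allowaccess"]) & CLEARTEXT_MGMT
        if weak:
            findings.append(f"{name}: cleartext management {sorted(weak)} enabled")
    if len(ends) == 2 and len({iface.network for _v, iface in ends.values()}) != 1:
        findings.append("link ends are on different subnets")
    for route in link["routes"]:
        # the next hop must be the far end of the link: the interface owned by the other VDOM
        far = [iface for vdom, iface in ends.values() if vdom != route["vdom"]]
        if len(far) != 1 or str(far[0].ip) != route["gateway"]:
            findings.append(f"{route['vdom']}: gateway {route['gateway']} is not the far end of the link")
    return findings

ACCOUNTING_ROOT = {  # constructed sample mirroring the handbook's Accounting-root example, not device output
    "interfaces": {
        "Accounting-root0": {"vdom": "Accounting", "ip": "111.111.111.2/24", "allowaccess": ["https", "ping", "ssh"]},
        "Accounting-root1": {"vdom": "root", "ip": "111.111.111.1/24", "allowaccess": ["https", "ping", "ssh"]},
    },
    "routes": [
        {"vdom": "root", "destination": "20.24.2.0/24", "gateway": "111.111.111.2"},
        {"vdom": "Accounting", "gateway": "111.111.111.1"},  # default route back towards root
    ],
}

def broken_example():
    """Same pair with a dotted-quad mask and root's gateway aimed at root's own end of the link."""
    bad = deepcopy(ACCOUNTING_ROOT)
    bad["interfaces"]["Accounting-root0"]["ip"] = "111.111.111.2/255.255.255.0"
    bad["routes"][0]["gateway"] = "111.111.111.1"
    return check_vdom_link(bad)
```

Run check_vdom_link() on the Sales-root pair the same way; a non-empty list is the misconfiguration to fix before testing with ping and traceroute.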