Inter-VDOM routing
Inter-VDOM routing allows two VDOMs on the same FortiGate to communicate internally. Traffic between VDOMs flows through an inter-VDOM link, which contains a pair of virtual interfaces, one on each VDOM.
Note: Inter-VDOM routing isn't supported when both VDOMs use transparent mode.
Types of inter-VDOM links
The virtual interfaces in an inter-VDOM link don't require IP addresses by default, because the interfaces are internal connections that can be referred to by name in firewall policies and other system references. However, some network configurations require assigned IP addresses for the virtual interfaces.
There are three types of inter-VDOM link, depending on whether or not the virtual interfaces have assigned IP addresses:
- Unnumbered - neither interface has an IP address
- Half numbered - only one of the interfaces has an IP address
- Full numbered - both interfaces have an IP address
Static routing
You can use unnumbered inter-VDOM links in static routing by naming the virtual interface in the route and using 0.0.0.0 for the gateway. Running traceroute will not show the interface in the list of hops, but you can see the interface during packet sniffing, which is useful for troubleshooting. If NAT is applied to internal traffic, IP addresses might be required.
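The following is an added worked example of static routing over an unnumbered link; it is not configuration from the Fortinet page. The VDOM names internal and dmz, the link name vlink, the port names and all addresses are assumed values, and the # lines are annotations.

```fortios
# Added example: route 10.20.0.0/24 (behind VDOM "dmz") from VDOM "internal"
# over an unnumbered inter-VDOM link named "vlink". VDOM, link and port names
# and all addresses are assumed values, not taken from the page.
config global
    config system vdom-link
        edit "vlink"
        next
    end
    config system interface
        # No "set ip" on either side: the link stays unnumbered.
        edit "vlink0"
            set vdom "internal"
        next
        edit "vlink1"
            set vdom "dmz"
        next
    end
end

config vdom
    edit internal
        # The static route names the virtual interface and uses 0.0.0.0 as gateway.
        config router static
            edit 10
                set dst 10.20.0.0 255.255.255.0
                set gateway 0.0.0.0
                set device "vlink0"
            next
        end
        # A policy is still required for traffic to enter the link from this VDOM.
        # NAT stays disabled: an unnumbered interface has no address to translate to.
        config firewall policy
            edit 100
                set name "lan-to-dmz"
                set srcintf "port2"
                set dstintf "vlink0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
    edit dmz
        # Return route for the internal network through the other end of the link.
        config router static
            edit 10
                set dst 192.168.10.0 255.255.255.0
                set gateway 0.0.0.0
                set device "vlink1"
            next
        end
        # Matching policy on the receiving VDOM, from the link to the DMZ port.
        config firewall policy
            edit 100
                set name "vlink-to-dmz"
                set srcintf "vlink1"
                set dstintf "port3"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

To confirm that traffic actually crosses the link, run the packet sniffer in the internal VDOM context against the virtual interface, for example `diagnose sniffer packet vlink0 'host 10.20.0.5' 4 10`; the packets appear there even though a traceroute from a host lists no hop for the link. In a production policy, replace the "all" address objects and the "ALL" service with the specific networks and services that are meant to cross the VDOM boundary.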
Dynamic routing
Note: Dynamic routing using inter-VDOM links must be point to point.
In dynamic routing, the types of inter-VDOM link you can use depend on the routing protocol, as shown below. In general, you should use numbered inter-VDOM links for dynamic routing.
| Routing protocol | Unnumbered | Half numbered | Full numbered |
|---|---|---|---|
| BGP | No | No | Yes |
| OSPF | Yes, but not recommended | Yes, but not recommended | Yes |
| RIP | Yes, but not recommended | Yes, but not recommended | Yes |
| Multicast | Yes, but the virtual interfaces are unable to become RP candidates | Yes, but the virtual interface without an IP address is unable to become an RP candidate | Yes |
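As an added example of the BGP row above (not configuration from the Fortinet page), the following sets up an eBGP session between two VDOMs over a full numbered inter-VDOM link, since BGP requires an IP address on both virtual interfaces. The VDOM names vdomA and vdomB, the link name bgplink, the AS numbers and all addresses are assumed values, and the # lines are annotations.

```fortios
# Added example: eBGP between VDOM "vdomA" (AS 65001) and VDOM "vdomB" (AS 65002)
# over a full numbered inter-VDOM link "bgplink". Names, AS numbers and
# addresses are assumed values, not taken from the page.
config global
    config system vdom-link
        edit "bgplink"
        next
    end
    config system interface
        # Both ends carry an address: a /30 makes the link point to point.
        edit "bgplink0"
            set vdom "vdomA"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "bgplink1"
            set vdom "vdomB"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

config vdom
    edit vdomA
        config router bgp
            set as 65001
            set router-id 10.255.0.1
            # The peer is the address on the other end of the link.
            config neighbor
                edit "10.255.0.2"
                    set remote-as 65002
                next
            end
            # Advertise this VDOM's local network to the peer.
            config network
                edit 1
                    set prefix 192.168.10.0 255.255.255.0
                next
            end
        end
    next
    edit vdomB
        config router bgp
            set as 65002
            set router-id 10.255.0.2
            config neighbor
                edit "10.255.0.1"
                    set remote-as 65001
                next
            end
            config network
                edit 1
                    set prefix 192.168.20.0 255.255.255.0
                next
            end
        end
    next
end
```

Inside each VDOM, `get router info bgp summary` shows whether the neighbor has reached the Established state and how many prefixes were received. The BGP session itself terminates on the FortiGate, but the user traffic that follows the learned routes still needs firewall policies between bgplink0 or bgplink1 and the LAN-facing ports of each VDOM.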
HA virtual clusters
Inter-VDOM links can be used to extend FortiGate high availability (HA) and provide failover protection and load balancing for a FortiGate operating with VDOMs. An HA cluster that includes VDOMs is known as a virtual cluster, or vcluster.
Virtual clusters can operate in active-passive or active-active HA mode for clusters of up to four FortiGates. Active-passive virtual clustering includes VDOM partitioning to distribute traffic for different VDOMs between the primary and backup FortiGates.
Creating inter-VDOM links
Note: Inter-VDOM links are a global setting and you must use a global administrator account to create them.
The process to create an inter-VDOM link depends on the operation mode of the VDOMs.
NAT-to-NAT routing
If both VDOMs use NAT mode, you can create an inter-VDOM link using either the GUI or CLI.
To configure an inter-VDOM link - GUI:
- Go to Global > Network > Interfaces.
- Select Create New > VDOM link.
- Assign a Name to the link. This name is also used for the two virtual interfaces, with a 0 or 1 appended to the end.
- Under Interface 0, set the Virtual Domain and, if required, set an IP/Netmask.
- Under Interface 1, set the Virtual Domain and, if required, set an IP/Netmask.
- Select OK.
To configure an inter-VDOM link - CLI:
config global
    config system vdom-link
        edit <name>
    end
    config system interface
        edit <name>0
            set vdom <VDOM>
            set ip <address> <netmask>
        next
        edit <name>1
            set vdom <VDOM>
            set ip <address> <netmask>
        next
    end
end
To confirm that the inter-VDOM link was created, go to Network > Interfaces and locate the inter-VDOM link. Expand the link to view the virtual interfaces.
After you create the inter-VDOM link, configure firewall policies and other settings to allow traffic to flow between the two VDOMs.
NAT-to-transparent routing
You must use the CLI to create inter-VDOM links between a VDOM in NAT mode and a VDOM in transparent mode, because the inter-VDOM link type must be changed to ethernet. This configuration also requires a half numbered inter-VDOM link, with an IP address assigned to the virtual interface on the NAT VDOM. The virtual interface on the transparent VDOM doesn't have an IP address.
To configure a NAT-to-transparent VDOM link:
config global
    config system vdom-link
        edit <name>
            set type ethernet
    end
    config system interface
        edit <name>0
            set vdom <NAT_VDOM>
            set ip <address> <netmask>
        next
        edit <name>1
            set vdom <transparent_VDOM>
        next
    end
end
To confirm that the inter-VDOM link was created, go to Network > Interfaces and locate the inter-VDOM link. Expand the link to view the virtual interfaces.
After you create the inter-VDOM link, configure firewall policies and other settings to allow traffic to flow between the two VDOMs.
Deleting VDOM links
Note: Before deleting the VDOM link, ensure all policies, firewalls, and other configurations that include the VDOM link are deleted, removed, or changed to no longer include the VDOM link.
When you delete the VDOM link, you also delete the virtual interfaces. You can't delete the virtual interfaces individually.
To remove a VDOM link - GUI:
- Go to Global > Network > Interfaces.
- Select the VDOM link.
- Select Delete.
- When prompted, select OK.
To remove a VDOM link - CLI:
config global
    config system vdom-link
        delete <name>
    end
end