Handbook

6.0.0

Inter-VDOM routing

Inter-VDOM routing allows two VDOMs on the same FortiGate to communicate internally. Traffic between VDOMs flows through an inter-VDOM link, which contains a pair of virtual interfaces, one on each VDOM.

Note: Inter-VDOM routing isn't supported when both VDOMs use transparent mode.

Types of inter-VDOM links

The virtual interfaces in an inter-VDOM link don't require IP addresses by default, because the interfaces are internal connections that can be referred to by name in firewall policies and other system references. However, some network configurations require assigned IP addresses for the virtual interfaces.

There are three types of inter-VDOM link, depending on whether or not the virtual interfaces have assigned IP addresses:

  • Unnumbered - neither interface has an IP address
  • Half numbered - only one of the interfaces has an IP address
  • Full numbered - both interfaces have an IP address

Static routing

You can use unnumbered inter-VDOM links in static routing by naming the link interface as the route's device and using 0.0.0.0 for the gateway. Running traceroute will not show the interface in the list of hops, but you can see the interface during packet sniffing, which is useful for troubleshooting. If NAT is applied to internal traffic, however, the virtual interfaces might require IP addresses.
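The following is an added example of the static-routing case above; it is not from the Fortinet handbook. It assumes two NAT-mode VDOMs named root and dmz, an unnumbered link named root2dmz, and the subnets 10.10.0.0/24 (root side) and 10.20.0.0/24 (dmz side). The static route in each VDOM names the link interface as the device and uses 0.0.0.0 as the gateway, because the interface has no IP address of its own.

```text
# Added example, not from the Fortinet handbook. VDOM names, link name and
# subnets are assumed. Create the unnumbered link from the global context.
config global
    config system vdom-link
        edit "root2dmz"
        next
    end
    config system interface
        edit "root2dmz0"
            set vdom "root"
        next
        edit "root2dmz1"
            set vdom "dmz"
        next
    end
end
# Static routes: the link interface is the device, the gateway is 0.0.0.0.
config vdom
    edit "root"
        config router static
            edit 0
                set dst 10.20.0.0 255.255.255.0
                set device "root2dmz0"
                set gateway 0.0.0.0
            next
        end
    next
    edit "dmz"
        config router static
            edit 0
                set dst 10.10.0.0 255.255.255.0
                set device "root2dmz1"
                set gateway 0.0.0.0
            next
        end
    next
end
# Verification from inside the root VDOM: the route is installed, and the
# link interface is visible to the sniffer even though traceroute never
# lists it as a hop. Verbosity level 4 prints the interface name per packet.
config vdom
    edit "root"
        get router info routing-table static
        diagnose sniffer packet root2dmz0 'host 10.20.0.10' 4
    next
end
```

Traffic still needs a firewall policy in each VDOM (root from its LAN interface to root2dmz0, and dmz from root2dmz1 to its own interface); without both, the route is installed but packets are dropped at the policy check.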

Dynamic routing

Note: Dynamic routing using inter-VDOM links must be point-to-point.

In dynamic routing, the types of inter-VDOM link you can use depend on the routing protocol, as shown below. In general, you should use numbered inter-VDOM links for dynamic routing.

Routing protocol | Unnumbered                                                        | Half numbered                                                                           | Full numbered
BGP              | No                                                                | No                                                                                      | Yes
OSPF             | Yes, but not recommended                                          | Yes, but not recommended                                                                | Yes
RIP              | Yes, but not recommended                                          | Yes, but not recommended                                                                | Yes
Multicast        | Yes, but the virtual interfaces are unable to become RP candidates | Yes, but the virtual interface without an IP address is unable to become an RP candidate | Yes

HA virtual clusters

Inter-VDOM links can be used to extend FortiGate high availability (HA) and provide failover protection and load balancing for a FortiGate operating with VDOMs. An HA cluster that includes VDOMs is known as a virtual cluster, or vcluster.

Virtual clusters can operate in active-passive or active-active HA mode for clusters of up to four FortiGates. Active-passive virtual clustering includes VDOM partitioning to distribute traffic for different VDOMs between the primary and backup FortiGates.

For more information about virtual clusters, see Virtual clustering.

Creating inter-VDOM links

Note: Inter-VDOM links are a global setting and you must use a global administrator account to create them.

The process to create an inter-VDOM link depends on the operation mode of the VDOMs.

NAT-to-NAT routing

If both VDOMs use NAT mode, you can create an inter-VDOM link using either the GUI or CLI.

To configure an inter-VDOM link - GUI:
  1. Go to Global > Network > Interfaces.
  2. Select Create New > VDOM link.
  3. Assign a Name to the link. This name is also used for the two virtual interfaces, with a 0 or 1 appended to the end.
  4. Under Interface 0, set the Virtual Domain and, if required, set an IP/Netmask.
  5. Under Interface 1, set the Virtual Domain and, if required, set an IP/Netmask.
  6. Select OK.
To configure an inter-VDOM link - CLI (the two virtual interfaces are named after the link, with 0 and 1 appended):

config global
    config system vdom-link
        edit <name>
        next
    end
    config system interface
        edit <name>0
            set vdom <VDOM>
            set ip <address> <netmask>
        next
        edit <name>1
            set vdom <VDOM>
            set ip <address> <netmask>
        next
    end
end

To confirm that the inter-VDOM link was created, go to Network > Interfaces and locate the inter-VDOM link. Expand the link to view the virtual interfaces.

After you create the inter-VDOM link, configure firewall policies and other settings to allow traffic to flow between the two VDOMs.
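The following is an added worked example of a full numbered NAT-to-NAT link together with the firewall policies the paragraph above calls for; it is not from the Fortinet handbook. It assumes VDOMs named root and dmz, a link named root2dmz addressed from 10.255.0.0/30, a LAN on port1 in root, a DMZ host 10.20.0.10 behind port2 in dmz, and the subnets 10.10.0.0/24 and 10.20.0.0/24. Because each VDOM enforces its own policy, the same flow has to be permitted once on each side of the link, and the policies are scoped to one destination host and one service rather than "all".

```text
# Added example, not from the Fortinet handbook. VDOM names, interface
# names, the link name and all addresses are assumed.
config global
    config system vdom-link
        edit "root2dmz"
        next
    end
    config system interface
        edit "root2dmz0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "root2dmz1"
            set vdom "dmz"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end
# Each VDOM reaches the far side through the peer's link address.
config vdom
    edit "root"
        config router static
            edit 0
                set dst 10.20.0.0 255.255.255.0
                set device "root2dmz0"
                set gateway 10.255.0.2
            next
        end
        # Outbound leg in root: LAN clients to one DMZ host, HTTPS only.
        config firewall address
            edit "dmz-web"
                set subnet 10.20.0.10 255.255.255.255
            next
        end
        config firewall policy
            edit 0
                set name "lan-to-dmz-web"
                set srcintf "port1"
                set dstintf "root2dmz0"
                set srcaddr "all"
                set dstaddr "dmz-web"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
        end
    next
    edit "dmz"
        config router static
            edit 0
                set dst 10.10.0.0 255.255.255.0
                set device "root2dmz1"
                set gateway 10.255.0.1
            next
        end
        # Inbound leg in dmz: the same flow must be allowed again here, from
        # the link interface to port2. No dmz-to-root policy is created, so
        # the DMZ cannot initiate sessions back toward the LAN.
        config firewall address
            edit "dmz-web"
                set subnet 10.20.0.10 255.255.255.255
            next
        end
        config firewall policy
            edit 0
                set name "link-to-dmz-web"
                set srcintf "root2dmz1"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "dmz-web"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
        end
    next
end
```

The address object is defined separately in each VDOM because firewall objects are per-VDOM, not global. Return traffic for the permitted sessions is handled by the session table, so the absence of a dmz-to-root policy only blocks sessions the DMZ initiates.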

NAT-to-transparent routing

You must use the CLI to create inter-VDOM links between a VDOM in NAT mode and a VDOM in transparent mode, because the inter-VDOM link type must be changed to ethernet. This configuration also requires a half numbered inter-VDOM link, with an IP address assigned to the virtual interface on the NAT VDOM. The virtual interface on the transparent VDOM doesn't have an IP address.

To configure a NAT-to-transparent VDOM link (only the NAT-side interface, <name>0 here, receives an IP address):

config global
    config system vdom-link
        edit <name>
            set type ethernet
        next
    end
    config system interface
        edit <name>0
            set vdom <NAT_VDOM>
            set ip <address> <netmask>
        next
        edit <name>1
            set vdom <transparent_VDOM>
        next
    end
end

To confirm that the inter-VDOM link was created, go to Network > Interfaces and locate the inter-VDOM link. Expand the link to view the virtual interfaces.

After you create the inter-VDOM link, configure firewall policies and other settings to allow traffic to flow between the two VDOMs.

Deleting VDOM links

Note: Before deleting the VDOM link, ensure all policies, firewalls, and other configurations that include the VDOM link are deleted, removed, or changed to no longer include the VDOM link.

When you delete the VDOM link, you also delete the virtual interfaces. You can't delete the virtual interfaces individually.

To remove a VDOM link - GUI:
  1. Go to Global > Network > Interfaces.
  2. Select the VDOM link.
  3. Select Delete.
  4. When prompted, select OK.
To remove a VDOM link - CLI:

config global
    config system vdom-link
        delete <name>
    end
end
