
Administration Guide

Route leaking between VRFs

Route leaking allows you to configure communication between VRFs. If route leaking is not configured, then the VRFs are isolated. This example shows route leaking with BGP using virtual inter-VDOM links.

In this example, a hub FortiGate forms BGP neighbors with two branches. It learns the networks 192.168.101.0/24 and 192.168.102.0/24 from the neighbors and separates them into VRF 10 and VRF 20.

To leak the learned routes to each other, an inter-VDOM link (IVL) is formed. An IVL normally bridges two VDOMs, but in this case the links reside on the same VDOM and are used to bridge the two VRFs. NPU links could also be used on models that support it to deliver better performance.

VRF 10 has a leaked route to 192.168.102.0/24 via IVL link-10-20-0, and VRF 20 has a leaked route to 192.168.101.0/24 via IVL link-10-20-1.

To configure route leaking:
  1. Configure inter-VDOM links:

    config global
        config system vdom-link
            edit link-10-20-
            next
        end
        config system interface
            edit link-10-20-0
                set vdom "root"
                set vrf 10
                set ip 10.1.1.1/30
            next
            edit link-10-20-1
                set vdom "root"
                set vrf 20
                set ip 10.1.1.2/30
            next
        end
    end
  2. Create prefix lists:

    These objects define the subnet and mask that are leaked; only prefixes matched by a list are imported into the other VRF.

    config router prefix-list
        edit VRF10_Route
            config rule
                edit 1
                    set prefix 192.168.101.0 255.255.255.0
                next
            end
        next
        edit VRF20_Route
            config rule
                edit 1
                    set prefix 192.168.102.0 255.255.255.0
                next
            end
        next
    end
  3. Create the route map:

    The route map can be used to group one or more prefix lists.

    config router route-map
        edit "Leak_from_VRF10_to_VRF20"
            config rule
                edit 1
                    set match-ip-address "VRF10_Route"
                next
            end
        next
        edit "Leak_from_VRF20_to_VRF10"
            config rule
                edit 1
                    set match-ip-address "VRF20_Route"
                next
            end
        next
    end
  4. Configure the VRF leak in BGP, specifying a source VRF, a destination VRF, and the route map to use:

    config router bgp
        config vrf-leak
            edit "10"
                config target
                    edit "20"
                        set route-map "Leak_from_VRF10_to_VRF20"
                        set interface "link-10-20-0"
                    next
                end
            next
            edit "20"
                config target
                    edit "10"
                        set route-map "Leak_from_VRF20_to_VRF10"
                        set interface "link-10-20-1"
                    next
                end
            next
        end
    end
  5. Create policies to allow traffic between the VRFs.

    Leaking a route only makes it reachable. Without a firewall policy permitting traffic between the VRFs over the IVL interfaces, the VRFs remain isolated.
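The following is an added example, not from this guide or FortiOS itself: a small Python auditor that parses FortiOS-style CLI text (assumed to use only the config/edit/set/next/end nesting shown above) and flags any BGP vrf-leak target that is not pinned to a prefix list through its route map, since such a target would import every route of the source VRF rather than the one subnet intended. The sample configuration is constructed from the steps above plus one deliberately incomplete target.

```python
# Added example, not from the Fortinet guide: a small auditor for the
# FortiOS-style CLI above. It parses config/edit/set/next/end nesting and
# flags any BGP vrf-leak target that is not pinned to a prefix list through
# its route map, i.e. a leak that would import every route of the source VRF.
def parse_fortios(text):
    """config/edit open a nested dict, set stores a value, next/end close it."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        kw, _, rest = raw.strip().partition(" ")
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(rest.strip().strip('"'), {})
        elif kw == "set":
            key, _, val = rest.partition(" ")
            cur[key] = val.strip().strip('"')
        elif kw in ("next", "end"):
            cur = stack.pop()
    return root

def audit_vrf_leaks(cfg):
    """Return ({(src_vrf, dst_vrf): [leaked prefixes]}, [findings])."""
    plists, rmaps = cfg.get("router prefix-list", {}), cfg.get("router route-map", {})
    leaks, findings = {}, []
    for src, node in cfg.get("router bgp", {}).get("vrf-leak", {}).items():
        for dst, target in node.get("target", {}).items():
            rm = target.get("route-map")
            lists = [r.get("match-ip-address")
                     for r in rmaps.get(rm, {}).get("rule", {}).values()]
            prefixes = [pr["prefix"] for name in lists
                        for pr in plists.get(name, {}).get("rule", {}).values()
                        if "prefix" in pr]
            if not prefixes:  # no route-map, unknown map/list, or a match-all rule
                findings.append(f"VRF {src} -> VRF {dst}: leak not limited by a prefix list (route-map={rm})")
            leaks[(src, dst)] = prefixes
    return leaks, findings

# Constructed sample: the prefix list, route map and VRF 10 -> VRF 20 leak from
# the guide, plus a VRF 20 -> VRF 10 target whose route-map was forgotten.
SAMPLE = (
    "config router prefix-list\nedit VRF10_Route\nconfig rule\nedit 1\n"
    "set prefix 192.168.101.0 255.255.255.0\nnext\nend\nnext\nend\n"
    "config router route-map\nedit \"Leak_from_VRF10_to_VRF20\"\nconfig rule\nedit 1\n"
    "set match-ip-address \"VRF10_Route\"\nnext\nend\nnext\nend\n"
    "config router bgp\nconfig vrf-leak\nedit \"10\"\nconfig target\nedit \"20\"\n"
    "set route-map \"Leak_from_VRF10_to_VRF20\"\nset interface \"link-10-20-0\"\nnext\nend\nnext\n"
    "edit \"20\"\nconfig target\nedit \"10\"\nset interface \"link-10-20-1\"\nnext\nend\nnext\nend\nend\n"
)

if __name__ == "__main__":
    print(audit_vrf_leaks(parse_fortios(SAMPLE)))
```

Running it reports the VRF 10 -> VRF 20 leak as limited to 192.168.101.0/24 and flags the VRF 20 -> VRF 10 target as unrestricted.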
