Route leaking between multiple VRFs

In this example, route leaking between three VRFs in a star topology is configured. This allows the solution to scale to more VRFs without building full-mesh, one-to-one connections between each pair of VRFs. VLAN subinterfaces are created on VDOM links to connect each VRF to the central VRF, allowing routes to be leaked from a VRF to the central VRF, and from there to the other VRFs. Static routes are used for route leaking in this example.

For instructions on creating route leaking between two VRFs, see Route leaking between VRFs with BGP.

Physical topology:

Logical topology:

In this example, a specific route is leaked from each of the VRFs to each of the other VRFs. VLAN subinterfaces are created based on VDOM links to connect each VRF to the core VRF router.

Multi VDOM mode is enabled so that NP VDOM links can be used. The setup could be configured without enabling multi VDOM mode by manually creating non-NP VDOM links, but this is not recommended, as those links are not offloaded to the NPU.

After VDOMs are enabled, all of the configuration is done in the root VDOM.
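The star layout depends on every spoke VRF having exactly one VLAN subinterface pair: the spoke side on npu0_vlink0 in the spoke's own VRF, the core side on npu0_vlink1 in the core VRF (31 in this example), and both addresses on one shared /30. The following Python check is an added example, not FortiOS code and not part of this page: it parses a constructed `show system interface` excerpt in the page's own format and reports pairs that break those invariants (a missing peer, a side in the wrong VRF, or addresses that do not share one /30), so a configuration can be audited before routes are leaked over it.

```python
import ipaddress

# Constructed excerpt in the page's `show system interface` format: one correct
# VLAN pair, spoke side (VRF 10) on npu0_vlink0 and core side (VRF 31) on npu0_vlink1.
SAMPLE = """\
edit "vlink0_Vlan_10"
    set vrf 10
    set ip 10.1.1.1 255.255.255.252
    set interface "npu0_vlink0"
    set vlanid 10
next
edit "vlink1_Vlan_10"
    set vrf 31
    set ip 10.1.1.2 255.255.255.252
    set interface "npu0_vlink1"
    set vlanid 10
next
"""
# Constructed misconfiguration: the core-side subinterface left in VRF 10, so no
# route can be leaked into VRF 31 over this link.
BROKEN = SAMPLE.replace("set vrf 31", "set vrf 10")

def parse_interfaces(text):
    """Read the edit/set blocks of a FortiOS interface dump into {name: {key: value}}."""
    ifaces, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("edit "):
            cur = ifaces.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and cur is not None:
            _, key, val = line.split(None, 2)
            cur[key] = val.replace('"', "")
    return ifaces

def check_leak_links(ifaces, core_vrf="31"):
    """Findings for VLAN pairs that break the star-topology invariants (empty = consistent)."""
    pairs, findings = {}, []
    for i in ifaces.values():
        if "vlanid" in i:
            pairs.setdefault(i["vlanid"], {})[i["interface"]] = i
    for vlan, sides in sorted(pairs.items()):
        spoke, core = sides.get("npu0_vlink0"), sides.get("npu0_vlink1")
        if not (spoke and core):
            findings.append(f"vlan {vlan}: no peer subinterface on the other VDOM link")
            continue
        if core["vrf"] != core_vrf or spoke["vrf"] == core_vrf:
            findings.append(f"vlan {vlan}: vrf {spoke['vrf']}/{core['vrf']}, expected spoke/{core_vrf}")
        nets = {ipaddress.ip_interface(i["ip"].replace(" ", "/")).network for i in (spoke, core)}
        if len(nets) != 1 or nets.pop().prefixlen != 30:
            findings.append(f"vlan {vlan}: both sides must share one /30 point-to-point subnet")
    return findings
```

Feed `parse_interfaces` the full `show system interface` output of a unit to audit every VLAN pair at once; interfaces without a `vlanid` are ignored.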

To configure the FortiGate:
  1. Enable multi VDOM mode:

    config system global
        set vdom-mode multi-vdom
    end

    If the FortiGate has an NP, the NP VDOM links are created when multi VDOM mode is enabled:

    # show system interface
    config system interface
        ...
        edit "npu0_vlink0"
            set vdom "root"
            set type physical
        next
        edit "npu0_vlink1"
            set vdom "root"
            set type physical
        next
        ...
    end

    If multi VDOM mode is not used, the VDOM links can be manually created:

    config system vdom-link
        edit <name of vdlink>
        next
    end
  2. Allow interface subnets to use overlapping IP addresses:

    config vdom
        edit root
            config system settings
                set allow-subnet-overlap enable
            end
        next
    end
  3. Configure the interconnecting VLAN subinterfaces between the VRFs, based on the VDOM links:

    config system interface
        edit "vlink0_Vlan_10"
            set vdom "root"
            set vrf 10
            set ip 10.1.1.1 255.255.255.252
            set allowaccess ping https ssh http
            set alias "vlink0_Vlan_10"
            set role lan
            set interface "npu0_vlink0"
            set vlanid 10
        next
        edit "vlink1_Vlan_10"
            set vdom "root"
            set vrf 31
            set ip 10.1.1.2 255.255.255.252
            set allowaccess ping https ssh http
            set alias "vlink1_Vlan_10"
            set role lan
            set interface "npu0_vlink1"
            set vlanid 10
        next
        edit "vlink0_Vlan_11"
            set vdom "root"
            set vrf 11
            set ip 11.1.1.1 255.255.255.252
            set allowaccess ping https ssh http
            set alias "vlink0_Vlan_11"
            set role lan
            set interface "npu0_vlink0"
            set vlanid 11
        next
        edit "vlink1_Vlan_11"
            set vdom "root"
            set vrf 31
            set ip 11.1.1.2 255.255.255.252
            set allowaccess ping https ssh http
            set alias "vlink1_Vlan_11"
            set role lan
            set interface "npu0_vlink1"
            set vlanid 11
        next
        edit "vlink0_Vlan_12"
            set vdom "root"
            set vrf 12
            set ip 12.1.1.1 255.255.255.252
            set allowaccess ping