Route leaking between VRFs with BGP
Route leaking allows you to configure communication between VRFs. If route leaking is not configured, then the VRFs are isolated. This example shows route leaking with BGP using virtual inter-VDOM links.
In this example, a hub FortiGate forms BGP neighbors with two branches. It learns the networks 192.168.101.0/24 and 192.168.102.0/24 from the neighbors and separates them into VRF 10 and VRF 20.
To leak the learned routes to each other, an inter-VDOM link (IVL) is formed. An IVL normally bridges two VDOMs, but in this case the links reside on the same VDOM and are used to bridge the two VRFs. NPU links could also be used on models that support it to deliver better performance.
VRF 10 has a leaked route to 192.168.102.0/24 on IVL link-10-20-0, and VRF 20 has a leaked route to 192.168.101.0/24 on IVL link-10-20-1,
To configure route leaking:
-
Allow interface subnets to use overlapping IP addresses:
config system settings set allow-subnet-overlap enable end
-
Configure the inter-VDOM links:
config system vdom-link edit link-10-20- next end
-
Configure the interface settings:
config system interface edit link-10-20-0 set vdom "root" set vrf 10 set ip 10.1.1.1/30 next edit link-10-20-1 set vdom "root" set vrf 20 set ip 10.1.1.2/30 next end
-
Create the prefix lists:
These objects define the subnet and mask that are leaked.
config router prefix-list edit VRF10_Route config rule edit 1 set prefix 192.168.101.0 255.255.255.0 next end next edit VRF20_Route config rule edit 1 set prefix 192.168.102.0 255.255.255.0 next end next end
-
Create the route map:
The route map can be used to group one or more prefix lists.
config router route-map edit "Leak_from_VRF10_to_VRF20" config rule edit 1 set match-ip-address "VRF10_Route" next end next edit "Leak_from_VRF20_to_VRF10" config rule edit 1 set match-ip-address "VRF20_Route" next end next end
-
Configure the VRF leak in BGP, specifying a source VRF, destination VRF, an the route map to use:
config router bgp config vrf-leak edit "10" config target edit "20" set route-map "Leak_from_VRF10_to_VRF20" set interface "link-10-20-0" next end next edit "20" config target edit "10" set route-map "Leak_from_VRF20_to_VRF10" set interface "link-10-20-1" next end next end end
-
Create policies to allow traffic between the VRFs.
Without a policy permitting traffic on the route between the VRFs, the VRFs are still isolated.