
New Features

Add VDOM support for NSX-T 6.4.3

By configuring the service chain and service index, NSX-T east-west traffic can be redirected to a designated FortiGate VDOM.

The following commands have been added:

config nsxt setting
    set liveness {enable | disable}
    set service <service name>
end
config nsxt service-chain
    edit <ID>
        set name <chain name>
        config service-index
            edit <forward index>
                set reverse-index <integer>
                set name <index name>
                set vd <VDOM>
            next
        end
    next
end

Where:

reverse-index <integer>

Reverse index value (1 - 255, default = 1).

Note

After upgrading, the nsxt setting and nsxt service-chain are automatically configured and redirect traffic to the root VDOM.

To redirect traffic from the root to the vd1 VDOM:
  1. Enable liveness detection:
    (global) # config nsxt setting
        set liveness enable
    end
  2. Configure the service chain and service index:
    (global) # config nsxt service-chain
        edit 1
            config service-index
                edit 1
                    set vd "vd1"
                next
            end
        next
    end
  3. Configure the GENEVE interface linked with port2:
    (vd1) # config system geneve
        edit "vd1-int"
            set interface "port2"
            set vni 1
            set remote-ip 10.0.0.1
        next
        edit "vd1-ext"
            set interface "port2"
            set vni 2
            set remote-ip 10.0.0.1
        next
    end
  4. Configure the GENEVE interface as a virtual wire pair:
    (vd1) # config system virtual-wire-pair
        edit "1"
            set member "vd1-int" "vd1-ext"
        next
    end
  5. Configure the firewall policy:
    (vd1) # config firewall policy
        edit 1
            set srcintf "vd1-int" "vd1-ext"
            set dstintf "vd1-int" "vd1-ext"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set ssl-ssh-profile "certificate-inspection"
            set logtraffic all
            set capture-packet enable
            set auto-asic-offload disable
        next
    end
  6. Verify the traffic:
    (vd1) # diagnose sniffer packet any icmp 4
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[icmp]
    1.088228 vd1-int in 172.16.10.92 -> 172.16.20.94: icmp: echo request
    1.088244 vd1-ext out 172.16.10.92 -> 172.16.20.94: icmp: echo request
    1.088618 vd1-ext in 172.16.10.92 -> 172.16.20.94: icmp: echo request
    1.088626 vd1-int out 172.16.10.92 -> 172.16.20.94: icmp: echo request
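Step 6 leaves the operator to read the sniffer output by eye. The following script is an added example, not Fortinet code, that parses `diagnose sniffer packet` lines in the format shown above and checks that every packet entering one member of the virtual wire pair leaves on the other member, which is what a correctly redirected and permitted flow looks like. The function names, the `members` parameter and both sample captures are constructed for this illustration; the second sample models the failure mode where a packet arrives on `vd1-int` but never egresses (for example, when the policy in step 5 is missing or denies the traffic).

```python
import re

# Constructed sample: the four sniffer lines from step 6 of the procedure.
HEALTHY_CAPTURE = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[icmp]
1.088228 vd1-int in 172.16.10.92 -> 172.16.20.94: icmp: echo request
1.088244 vd1-ext out 172.16.10.92 -> 172.16.20.94: icmp: echo request
1.088618 vd1-ext in 172.16.10.92 -> 172.16.20.94: icmp: echo request
1.088626 vd1-int out 172.16.10.92 -> 172.16.20.94: icmp: echo request
"""

# Constructed sample of a broken deployment: ingress is seen, egress never is.
DROPPED_CAPTURE = """\
interfaces=[any]
filters=[icmp]
1.200000 vd1-int in 172.16.10.92 -> 172.16.20.94: icmp: echo request
1.300000 vd1-int in 172.16.10.92 -> 172.16.20.94: icmp: echo request
"""

# Matches one packet line: "<ts> <iface> <in|out> <src> -> <dst>: <proto>: <info>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+(?P<proto>\w+):\s*(?P<info>.*)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; sniffer header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["ts"] = float(pkt["ts"])
            packets.append(pkt)
    return packets


def interface_path(packets):
    """The (interface, direction) sequence in capture order, e.g. for a report."""
    return [(p["iface"], p["dir"]) for p in packets]


def check_wire_pair(packets, members):
    """Verify that each ingress on one member is followed by an egress on the
    other member. Returns (ok, list_of_problem_strings)."""
    first, second = members
    peer = {first: second, second: first}
    problems = []
    pending = None  # the ingress packet still waiting for its egress
    for p in packets:
        if p["iface"] not in peer:
            problems.append(f"{p['ts']:.6f}: unexpected interface {p['iface']}")
            continue
        if p["dir"] == "in":
            if pending is not None:
                problems.append(
                    f"{pending['ts']:.6f}: entered {pending['iface']} but never left")
            pending = p
        else:
            if pending is None:
                problems.append(
                    f"{p['ts']:.6f}: left {p['iface']} with no matching ingress")
            elif p["iface"] != peer[pending["iface"]]:
                problems.append(
                    f"{p['ts']:.6f}: entered {pending['iface']} but left "
                    f"{p['iface']} instead of {peer[pending['iface']]}")
            pending = None
    if pending is not None:
        problems.append(f"{pending['ts']:.6f}: entered {pending['iface']} but never left")
    return (not problems), problems


if __name__ == "__main__":
    for label, capture in (("healthy", HEALTHY_CAPTURE), ("dropped", DROPPED_CAPTURE)):
        pkts = parse_sniffer(capture)
        ok, problems = check_wire_pair(pkts, ("vd1-int", "vd1-ext"))
        print(label, "path:", interface_path(pkts))
        print(label, "ok" if ok else "problems: " + "; ".join(problems))
```

In the healthy capture the same echo request is seen twice, once in each direction across the pair, and every ingress has a matching egress, so the check passes. The dropped sample reports both ingress events as having never left, which points the operator back at the firewall policy in step 5 or at the service-index binding in step 2 rather than at the GENEVE configuration.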
