Cloud-hosted workloads require customer traffic isolation and separate routing at the logical level while sharing common hardware. With Virtual Routing and Forwarding (VRF), multiple routing tables can be configured within the same router. VRFs divide the Layer 3 routing function, including routes, tables, and interfaces, into separate instances. Packet forwarding takes place only between interfaces within the same VRF.
In today's topic we will learn how to configure route leaking between Virtual Routing and Forwarding instances (VRFs) on FortiGate using the command line interface (CLI).
What is VRF on FortiGate?
Virtual Routing and Forwarding (VRF) provides virtual router functionality on top of a physical router. Each VRF operates in isolation and maintains its own routing table, configuration, and interfaces, and is unaware that the others exist. FortiGate acts as the guardian that facilitates communication between these isolated VRFs: it is able to handle these sensitive connections and protects the path between them.
Configuring Route Leaking Between VRFs on the FortiGate CLI
Routes from a VRF table can be leaked into the global routing table to allow traffic to flow between VRFs. This scenario requires a BGP neighbor to be enabled and configured.
1. Configure VDOM mode
Step 1:
Set the FortiGate to multi-VDOM mode in order to create two inter-VDOM links and assign them to separate VRFs. Multi-VDOM mode creates another virtual firewall on the same physical box. The created inter-VDOM links will reside in the root VDOM.
    config system global
        set vdom-mode multi-vdom
    end
2. Subnet overlap
Step 2:
By default, FortiGate does not allow duplicate or overlapping networks to be configured in the same VDOM. The two inter-VDOM links must be on the same subnet, so this restriction is lifted for the root VDOM.
    config vdom
        edit root
            config system settings
                set allow-subnet-overlap enable
            end
        next
    end
3. Creating the inter-VDOM links
Step 3:
Configure two inter-VDOM links on the same subnet. The links are mapped to their respective VRFs using set vrf <id>.
    config vdom
        edit root
            config system interface
                edit "npu1_vlink0"
                    set vdom "root"
                    set vrf 2
                    # 10.300.0.0/24 as shown here is not a valid IPv4 range (octet 300); use a valid /24 shared by both links
                    set ip 10.300.0.1 255.255.255.0
                    set allowaccess ping ssh snmp http https
                    set type physical
                    set snmp-index 11
                next
                edit "npu1_vlink1"
                    set vdom "root"
                    set vrf 3
                    set ip 10.300.0.2 255.255.255.0
                    set allowaccess ping ssh snmp telnet http https
                    set type physical
                    set snmp-index 15
                next
            end
        next
    end
Add physical or virtual interfaces to the respective VRFs using the following commands.
    config system interface
        edit "WAN12"
            set vdom "root"
            set vrf 2
            set ip XXXX 255.255.255.252
        next
        edit "Vlan200"
            set vdom "root"
            set vrf 3
            set ip 10.200.0.254 255.255.255.0
        next
    end
WAN12 is added to VRF 2 so that the route configured there leaks from VRF 2 into VRF 3, allowing VLAN 200 to reach the Internet.
4. Creating the prefix list
Create a prefix list of the routes you plan to leak. Here we will leak the default route and the source subnet 10.200.0.0/24 between VRF 3 and VRF 2.
    config router prefix-list
        edit "1"
            config rule
                edit 1
                    set prefix 0.0.0.0 0.0.0.0
                    unset ge
                    unset le
                next
            end
        next
        edit "2"
            config rule
                edit 1
                    set prefix 10.200.0.0 255.255.255.0
                    unset ge
                    unset le
                next
            end
        next
    end
5. Creating the route map
The route map identifies the subnet used in the VRF leak; it is matched against the prefix list.
    config router route-map
        edit "VRF2Routes"
            config rule
                edit 1
                    set match-ip-address "1"
                    unset set-ip-nexthop
                    unset set-ip6-nexthop
                    unset set-ip6-nexthop-local
                    unset set-originator-id
                next
            end
        next
        edit "VRF3Routes"
            config rule
                edit 1
                    set match-ip-address "2"
                    unset set-ip-nexthop
                    unset set-ip6-nexthop
                    unset set-ip6-nexthop-local
                    unset set-originator-id
                next
            end
        next
    end
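To make the prefix-list and route-map behaviour of steps 4 and 5 concrete, here is an added Python example (written for this page, not code from the page or from Fortinet) that models which routes each route map admits into the other VRF. The prefix lists, route maps and the two routing tables are constructed sample data in the shape of the objects above; the ge/le semantics are modelled as an assumption, namely that with both unset only the exact prefix length matches. It also goes beyond the guide by showing what a loose rule (0.0.0.0/0 with le 32) would do: it admits every route, not just the default, which is why the prefix list should stay as narrow as the leak requires.

```python
import ipaddress

# Constructed sample data in the shape of the guide's 'config router prefix-list' and
# 'config router route-map' objects (not read from a device): prefix list "1" holds the
# default route, prefix list "2" holds 10.200.0.0/24, and each route map matches one list.
PREFIX_LISTS = {
    "1": [{"prefix": "0.0.0.0/0", "ge": None, "le": None}],
    "2": [{"prefix": "10.200.0.0/24", "ge": None, "le": None}],
}
ROUTE_MAPS = {
    "VRF2Routes": [{"match_ip_address": "1"}],
    "VRF3Routes": [{"match_ip_address": "2"}],
}


def prefix_entry_matches(entry, route):
    """Prefix-list rule semantics as modelled here (an assumption about FortiOS, not
    quoted from its documentation): the candidate route must lie inside the rule's
    prefix and its length must satisfy ge/le. With ge and le both unset (the guide's
    'unset ge' / 'unset le') only the exact prefix length matches."""
    net = ipaddress.ip_network(entry["prefix"])
    cand = ipaddress.ip_network(route)
    if cand.version != net.version or not cand.subnet_of(net):
        return False
    lo = net.prefixlen if entry["ge"] is None else entry["ge"]
    if entry["le"] is not None:
        hi = entry["le"]
    else:
        hi = net.prefixlen if entry["ge"] is None else net.max_prefixlen
    return lo <= cand.prefixlen <= hi


def prefix_list_permits(name, route):
    """First matching rule decides; rules default to permit; no match means deny."""
    for entry in PREFIX_LISTS[name]:
        if prefix_entry_matches(entry, route):
            return entry.get("action", "permit") == "permit"
    return False


def route_map_permits(name, route):
    """A route-map rule permits a route when the prefix list it references permits it."""
    for rule in ROUTE_MAPS[name]:
        if prefix_list_permits(rule["match_ip_address"], route):
            return rule.get("action", "permit") == "permit"
    return False


def leaked_routes(route_map, table):
    """Routes from 'table' that the given route map would admit into the other VRF."""
    return [r for r in table if route_map_permits(route_map, r)]


# Constructed routing tables for the two VRFs of the guide (sample values).
VRF2_TABLE = ["0.0.0.0/0", "10.0.0.0/30", "172.16.5.0/24"]
VRF3_TABLE = ["10.200.0.0/24", "10.200.0.0/25", "10.200.1.0/24"]

if __name__ == "__main__":
    print("VRF2 -> VRF3:", leaked_routes("VRF2Routes", VRF2_TABLE))  # ['0.0.0.0/0']
    print("VRF3 -> VRF2:", leaked_routes("VRF3Routes", VRF3_TABLE))  # ['10.200.0.0/24']
    # A loose rule (0.0.0.0/0 le 32) admits every route, not only the default.
    loose = {"prefix": "0.0.0.0/0", "ge": None, "le": 32}
    print("loose rule leaks all:", all(prefix_entry_matches(loose, r) for r in VRF2_TABLE))  # True
```

Only the exact prefixes named in the lists cross between VRFs; the more specific 10.200.0.0/25 and the neighbouring 10.200.1.0/24 stay inside VRF 3, and the non-default routes of VRF 2 stay where they are.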
6. Configuring the route leak
The BGP neighbor is reached through the DMZ interface, which is specified in the neighbor configuration with the set update-source command. A neighbor, any neighbor, is required for VRF leaking to work.
    config router bgp
        set as 65533
        set router-id 2.2.2.2
        config neighbor
            edit "198.168.2.254"
                set remote-as 65534
                set update-source "DMZ"
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
            set status enable
        end
        config redistribute "isis"
        end
        config redistribute6 "connected"
        end
        config redistribute6 "rip"
        end
        config redistribute6 "ospf"
        end
        config redistribute6 "static"
        end
        config redistribute6 "isis"
        end
        config vrf-leak
            edit "2"
                config target
                    edit "1"
                        set route-map "VRF3Routes"
                        set interface "npu1_vlink1"
                    next
                end
            next
            edit "1"
                config target
                    edit "2"
                        set route-map "VRF2Routes"
                        set interface "npu1_vlink0"
                    next
                end
            next
        end
    end
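A leak that is mis-wired does not raise an alarm; traffic simply never arrives, or arrives from a VRF it should not. As an added consistency check for steps 2, 3 and 6 (example code written for this page, not a Fortinet tool and not part of the original guide), the following Python parses a FortiOS-style CLI script and reports an invalid interface address, two links on one subnet without allow-subnet-overlap, a vrf-leak target that references an undefined route map, prefix list or interface, and an interface that sits in the source VRF instead of the target. The embedded configuration and its link addresses (10.100.0.0/24) are constructed sample values, not the guide's; the parser is a hypothetical helper that handles the config/edit/set/next/end shapes used on this page, and the BGP neighbor itself is not checked.

```python
import ipaddress
import shlex


def parse_fortios(text):
    """Parse a FortiOS-style CLI script into nested dicts: 'config' and 'edit' open a
    scope, 'next' and 'end' close it, 'set' stores its value tokens; other keywords
    (such as 'unset' on a value never set) are ignored. Hypothetical helper."""
    stack = [{}]
    for raw in text.splitlines():
        tok = shlex.split(raw.split("#", 1)[0])
        if not tok:
            continue
        kw = tok[0].lower()
        if kw in ("config", "edit"):
            key = " ".join(tok[1:]) if kw == "config" else tok[1]
            stack.append(stack[-1].setdefault(key, {}))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":
            stack[-1][tok[1]] = tok[2:]
    return stack[0]


# Constructed sample in the shape of steps 2 to 6, as it sits under 'config vdom / edit root';
# the link addresses 10.100.0.1 and 10.100.0.2 are made-up values, not the page's.
SAMPLE = """
config system settings
    set allow-subnet-overlap enable
end
config system interface
    edit "npu1_vlink0"
        set vrf 2
        set ip 10.100.0.1 255.255.255.0
    next
    edit "npu1_vlink1"
        set vrf 3
        set ip 10.100.0.2 255.255.255.0
    next
end
config router prefix-list
    edit "1"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
            next
        end
    next
end
config router route-map
    edit "VRF2Routes"
        config rule
            edit 1
                set match-ip-address "1"
            next
        end
    next
end
config router bgp
    config vrf-leak
        edit "2"
            config target
                edit "3"
                    set route-map "VRF2Routes"
                    set interface "npu1_vlink1"
                next
            end
        next
    end
end
"""


def check_vrf_leak(cfg):
    """Cross-check the objects a VRF leak depends on; returns a list of findings."""
    findings, vrf_of, nets = [], {}, {}
    for name, i in cfg.get("system interface", {}).items():
        vrf_of[name] = i.get("vrf", ["0"])[0]  # FortiOS default VRF is 0
        if "ip" in i:
            try:
                nets[name] = ipaddress.ip_interface("/".join(i["ip"])).network
            except ValueError:
                findings.append(f"interface {name}: invalid address {' '.join(i['ip'])}")
    overlap = any(a != b and nets[a] == nets[b] for a in nets for b in nets)  # step 2
    sub = cfg.get("system settings", {}).get("allow-subnet-overlap", ["disable"])[0]
    if overlap and sub != "enable":
        findings.append("overlapping subnets present but allow-subnet-overlap is not enabled")
    rmaps, plists = cfg.get("router route-map", {}), cfg.get("router prefix-list", {})
    for src, leak in cfg.get("router bgp", {}).get("vrf-leak", {}).items():
        for dst, t in leak.get("target", {}).items():
            rm, intf = t.get("route-map", [None])[0], t.get("interface", [None])[0]
            if rm not in rmaps:
                findings.append(f"vrf-leak {src}->{dst}: route-map {rm!r} is not defined")
            for rule in rmaps.get(rm, {}).get("rule", {}).values():
                pl = rule.get("match-ip-address", [None])[0]
                if pl is not None and pl not in plists:
                    findings.append(f"route-map {rm}: prefix-list {pl!r} is not defined")
            if intf not in vrf_of:
                findings.append(f"vrf-leak {src}->{dst}: interface {intf!r} is not defined")
            elif vrf_of[intf] == src:
                findings.append(f"vrf-leak {src}->{dst}: interface {intf} is in the source VRF")
    return findings
```

Run `check_vrf_leak(parse_fortios(SAMPLE))`; an empty list means the objects line up. Substituting an address with an out-of-range octet (for example 10.300.0.1) for one of the links yields an "invalid address" finding, a route-map name whose case does not match its definition yields a "not defined" finding, and pointing the target at the link that lives in the source VRF is flagged as well.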
7. Configure firewall policies
Configure a policy from the physical or VLAN interface to the VDOM link in VRF 3, and then a policy from the VDOM link to the WAN interface in VRF 2.