wsal
Explorer II
November 29, 2023
Question

OSPF multiple processes in a VDOM

  • November 29, 2023
  • 1 reply
  • 6330 views

hey, I'm planning to implement VDOMs but I encountered a problem that I don't know how to solve or how to approach.

I am planning to use 4 VDOMs on my FortiGate 400F.

[Image: ospf vdom.jpg]

In each VDOM I will have VIPs on public IP addresses, which I distribute to my edge routers via static blackhole routes.

I did it in the lab and it seems to work. I have a public subnet with a /23 mask and various VIPs from my subnet, distributed from different VDOMs to the routers.

The problem is that in each VDOM I will have a large number of connected VLANs, which I wanted to distribute between VDOMs over the VDOM link, also via OSPF.

The only problem here is that I don't see how I can add a new OSPF process to use other interfaces (vdom_link) to distribute the connected VLANs.

I can advertise the VLANs to the routers via OSPF, but I would like the traffic between VLANs in VDOMs to go via the VDOM link. It seems to me a better idea than using the WAN interfaces.

I can use RIP on the VDOM link to distribute the VLANs to the VDOMs, but I prefer OSPF.

Do you think my concept is correct?

1 reply

Toshi_Esumi
SuperUser
November 29, 2023

VDOM-link or npu-vlink are only internal bridges between VDOMs. They don't interface with outside routers. You need to use physical interfaces for that purpose.
Instead of advertising those chunks to R1/R2, I would recommend using an "internet" VDOM like the root VDOM to aggregate them over vdom-link/npu-vlink, then advertise the full /23 subnet to R1/R2 with BGP (EGP) for simplicity. R1/R2 must be using BGP toward the internet anyway. You can manipulate route distribution more easily. Then over the vdom-link/npu-vlink you can use even static routes, because vdom-link/npu-vlink are internal, so VLANs on them would die at the same time the entire box dies. Of course nothing is wrong with using OSPF for that part if there are many.

Just my thought.


Toshi

wsal (Author)
Explorer II
November 29, 2023

hey, thank you for your reply. For each VDOM I extracted physical interfaces, on which OSPF runs to routers R1 and R2. Through these physical interfaces I distribute statics for the VIPs so that the routers know where to direct Internet traffic. Routers R1 and R2 have BGP configured with my ISP, where I advertise my /23 subnet. The problem is that one VIP maps to an IP in a VLAN that is in VDOM 1, and another VIP maps to VDOM 2. That's why I advertise directly from the VDOM.

I was thinking about using an internet VDOM, but then I have to create a VIP that maps to a VDOM, so I'm wondering if it's a good idea? Then it would be easier with OSPF, because only the internet VDOM would distribute routes to the routers, but then the VIPs would map to different VDOMs.

Another thing is that I would like to distribute VLANs between VDOMs using the vlink. I want VDOM 1 to know that the subnets from VDOM 2 are on the vlink interface, and then there is traffic between VLANs in the VDOMs over the interlink. I don't want to create a VLAN there, I just want to tell the other VDOMs that there are subnets of other VDOMs behind the vlink. Is that a good idea?

Toshi_Esumi
SuperUser
November 29, 2023

A VDOM is a router. You just need to route the /32 or /30 or whatever chunk is used in a VDOM for VIPs to that VDOM. If it's done by the internet/root VDOM, it's just over one connection (vdom-link/npu-vlink), so it can be just a set of static routes. A VIP works only inside a VDOM/router.
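As an added illustration of the design Toshi describes in both replies (an "internet"/root VDOM that aggregates the customer VDOMs over a vdom-link with plain static routes, announces the whole /23 to R1/R2 with BGP, and leaves each VIP inside the VDOM that owns the mapped server), here is a constructed FortiOS CLI fragment. It is not from the thread or from Fortinet documentation; the VDOM names (root, cust1), the vdom-link name, every address and prefix, and the AS numbers are placeholders, with 203.0.112.0/23 standing in for the public /23 and 203.0.113.16/28 for the slice of it owned by cust1. One customer VDOM is shown; the vdom-link and the root-side routes are repeated for each additional VDOM.

```text
# Constructed FortiOS example (not from the thread). Names, prefixes and ASNs are placeholders.
config global
    # A vdom-link creates two interfaces, <name>0 and <name>1, one per VDOM.
    config system vdom-link
        edit "vl_cust1"
            set type ethernet
        next
    end
    config system interface
        edit "vl_cust10"
            set vdom "root"
            set ip 10.255.1.1 255.255.255.252
            set allowaccess ping
        next
        edit "vl_cust11"
            set vdom "cust1"
            set ip 10.255.1.2 255.255.255.252
            set allowaccess ping
        next
    end
end

config vdom
    edit root
        config router static
            # Blackhole for the aggregate so BGP always has a matching route to announce;
            # the more specific per-VDOM routes below win for traffic that has an owner.
            edit 0
                set dst 203.0.112.0 255.255.254.0
                set blackhole enable
            next
            # Public slice and private VLAN range that live in cust1, reached over the vdom-link.
            edit 0
                set dst 203.0.113.16 255.255.255.240
                set gateway 10.255.1.2
                set device "vl_cust10"
            next
            edit 0
                set dst 10.10.0.0 255.255.0.0
                set gateway 10.255.1.2
                set device "vl_cust10"
            next
        end
        # Only root peers with R1/R2 and announces the whole /23 (placeholder iBGP, AS 65001).
        config router bgp
            set as 65001
            set router-id 192.0.2.10
            config neighbor
                edit "192.0.2.1"
                    set remote-as 65001
                next
                edit "192.0.2.2"
                    set remote-as 65001
                next
            end
            config network
                edit 1
                    set prefix 203.0.112.0 255.255.254.0
                next
            end
        end
    next
    edit cust1
        config router static
            # Everything not local to cust1 (Internet and the other VDOMs' VLANs) goes to root.
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.1.1
                set device "vl_cust11"
            next
        end
        # The VIP stays in the VDOM that owns the mapped host; root only needs the /28 route.
        config firewall vip
            edit "vip_web1"
                set extip 203.0.113.20
                set extintf "vl_cust11"
                set mappedip "10.10.1.20"
            next
        end
    next
end
```

With this layout, traffic from a VLAN in cust1 to a VLAN in cust2 follows cust1's default route into root and root's static route back out over cust2's vdom-link, so the per-VDOM prefixes only ever have to be known in root. Firewall policies are still required for any of it to pass: in cust1 between the VLAN interfaces and vl_cust11, and in root between the vdom-link interfaces (and toward the uplinks to R1/R2), since FortiOS denies inter-interface traffic by default. On models with NPU-accelerated vlinks, the pre-created npu vlink interface pair can take the place of the software vdom-link with the same addressing.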