Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pkungatti_FTNT
Staff
Staff

Created on ‎03-20-2019 08:38 AM

Article Id 192714

Technical Note: OSPF Support for multiple virtual routing and forwarding VRFs

Description
This article explains how to configure OSPF support for multiple virtual routing and forwarding (VRFs) on a FortiGate

Scope
From FortiOS version 6.0.0 and above there is OSPF support for multiple virtual routing and forwarding (VRFs) on a FortiGate
Solution
OSPF multi-VRF allows you to split the router into multiple virtual routers, where each router contains its own set of :
- Interfaces,
- Routing tables
- Forwarding tables
OSPF multi-VRF gives you the ability to segment parts of your network and configure those segments to perform specific functions while still maintaining correct routing information.

No specific debug or show commands are associated with this feature. You can verify the success of the OSPF multi-VRF configuration by using the mentioned below.
CLI syntax
config system interface
edit <name>
set vrf <VRF ID>
next
end
Where vrf is a value of 0 to 31. FortiOS supports 32 VRFs (numbered 0 to 31) per VDOM.

Verifying the OSPF Multi-VRF Configuration
get router info ospf neighbor
get router info ospf interface
get router info routing-table ospf
Example for Core /Hub Firewall Interface:
config system interface
    edit "VPN-OSPF" ---> VPN Tunnel interface
        set vdom "root"
        set vrf 20
        set ip 10.20.10.2 255.255.255.255
        set type tunnel
        set remote-ip 10.20.10.1 255.255.255.255
        set snmp-index 15
        set interface "port2"
    next
end
edit "port3"
        set vdom "root"
        set ip 172.31.139.173 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set explicit-web-proxy enable
        set security-mode captive-portal
        set snmp-index 3
        config ipv6
            set ip6-address fd01::1/64
            set ip6-allowaccess ping
            set ip6-send-adv enable
        end
    next
end
OSPF Configuration:

config router ospf
set router-id 4.4.4.4
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "Spoke1"
set interface "port3" -->Port 1 interface belongs to VRF 0
set dead-interval 40
set hello-interval 10
next
edit "Spoke2"
set interface " VPN-OSPF " --> VPN-OSPF interface belongs to VRF 20
set dead-interval 40
set hello-interval 10
next
end
config network
edit 2
set prefix 172.31.139.0 255.255.255.0
next
edit 3
set prefix 192.168.1.1 255.255.255.255
next
edit 4
set prefix 10.20.10.0 255.255.255.0
next
end
Diagnose output:
get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   Full/DR         00:00:39    172.31.132.177  port3
1.1.1.1           1   Full/Backup     00:00:30    172.31.133.44   port3

OSPF process 20, VRF 20:
Neighbor ID     Pri   State           Dead Time   Address         Interface
5.5.5.5           1   Full/ -         00:00:36    10.20.10.1      VPN-OSPF

# get router info routing-table ospf

Routing table for VRF=0
O E2    1.1.1.1/32 [110/10] via 172.31.133.44, port3, 00:02:05
                   [110/10] via 172.31.132.177, port3, 00:02:05
O E2    10.10.10.2/32 [110/10] via 172.31.133.44, port3, 00:02:05
O E2    10.10.10.3/32 [110/10] via 172.31.132.177, port3, 00:02:05
O E2    10.146.0.0/20 [110/10] via 172.31.133.44, port3, 00:02:05
                      [110/10] via 172.31.132.177, port3, 00:02:05
O E2    169.254.1.1/32 [110/10] via 172.31.133.44, port3, 00:02:05

Routing table for VRF=20
O E2    10.5.48.0/20 [110/10] via 10.20.10.1, VPN-OSPF, 00:02:09

get router info ospf interface

port3 is up, line protocol is up
  Internet Address 172.31.139.173/20, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF 0, Router ID 4.4.4.4, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DROther, Priority 1
  Designated Router (ID) 3.3.3.3, Interface Address 172.31.132.177      
  Backup Designated Router (ID) 1.1.1.1, Interface Address 172.31.133.44
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Neighbor Count is 2, Adjacent neighbor count is 2
  Crypt Sequence Number is 350803
  Hello received 52 sent 27, DD received 8 sent 8
  LS-Req received 2 sent 3, LS-Upd received 11 sent 4
  LS-Ack received 7 sent 7, Discarded 6

VPN-OSPF is up, line protocol is up
  Internet Address 10.20.10.2/32, Area 0.0.0.0, MTU 1438
  Process ID 20, VRF 20, Router ID 4.4.4.4, Network Type POINTOPOINT, Cost: 100
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 350803
  Hello received 26 sent 27, DD received 3 sent 4
  LS-Req received 0 sent 1, LS-Upd received 1 sent 1
  LS-Ack received 1 sent 1, Discarded 0





Labels:
20832
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.