FortiGate
peter7979
Staff
Article Id 213446
Description

This article explains how to create BGP peering using inter-VDOM links.

Scope

FortiGate.
Solution

Inter-VDOM routing allows two VDOMs on the same FortiGate to communicate internally. Traffic between VDOMs flows through an inter-VDOM link, which contains a pair of virtual interfaces, one on each VDOM.

 

Basic considerations:

 

  • Each BGP peer selects a Router ID that must be unique within the entire BGP domain. It is recommended to use loopback interfaces.
  • Assigning IP addresses to inter-VDOM link interfaces is optional in general, but with dynamic routing it is a requirement.
  • The assigned IP addresses on both sides of the inter-VDOM link should be on the same subnet.

 


CLI CONFIGURATION:

 

VDOM-A

# config system interface
    edit "VdomRouting0"
        set vdom "VDOM-A"
        set ip 12.12.12.1 255.255.255.0
        set allowaccess ping https ssh
        set type vdom-link
        set description "VDOM-A link"
    next
    edit "loopback_VDOM-A"
        set vdom "VDOM-A"
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
    edit "port2"
        set vdom "VDOM-A"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set alias "LAN VDOM-A"
    next
end

# config router bgp
    set as 65500
    set router-id 10.255.255.1
    config neighbor
        edit "12.12.12.2"
            set interface "VdomRouting0"
            set remote-as 65500
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
    end
end


VDOM-B

# config system interface
    edit "VdomRouting1"
        set vdom "VDOM-B"
        set ip 12.12.12.2 255.255.255.0
        set allowaccess ping https ssh
        set type vdom-link
        set description "VDOM-B link"
    next
    edit "loopback_VDOM-B"
        set vdom "VDOM-B"
        set ip 10.255.255.2 255.255.255.0
        set allowaccess ping
        set type loopback
    next
    edit "port3"
        set vdom "VDOM-B"
        set ip 10.10.11.1 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set alias "LAN VDOM-B"
    next
end

# config router bgp
    set as 65500
    set router-id 10.255.255.2
    config neighbor
        edit "12.12.12.1"
            set capability-default-originate enable
            set interface "VdomRouting1"
            set remote-as 65500
        next
    end
    config network
        edit 1
            set prefix 10.10.11.0 255.255.255.0
        next
    end
end
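Added example, not part of the article or of FortiOS: a small Python check that parses trimmed copies of the two VDOM configurations above (constructed here from the article's values) and verifies the basic considerations before the peering is committed, namely unique router IDs, both link addresses on one subnet, and each neighbor statement naming the far end's link address on the local link interface. The names `parse`, `link_side` and `check_peering` are my own, and the same check runs against any pair of VDOM configurations laid out like these.

```python
import ipaddress
# Constructed, trimmed copies of the article's two VDOM configurations: one template, two fills.
LINK_CFG = """config system interface
    edit "{ifname}"
        set ip {ip} 255.255.255.0
        set type vdom-link
    next
end
config router bgp
    set router-id {rid}
    config neighbor
        edit "{peer}"
            set interface "{ifname}"
        next
    end
end"""
VDOM_A = LINK_CFG.format(ifname="VdomRouting0", ip="12.12.12.1", rid="10.255.255.1", peer="12.12.12.2")
VDOM_B = LINK_CFG.format(ifname="VdomRouting1", ip="12.12.12.2", rid="10.255.255.2", peer="12.12.12.1")

def parse(text):  # flatten FortiOS CLI into {(innermost section, edit name): {key: values}}; minimal by design
    objs, stack, edit = {}, [], None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            edit = " ".join(tok[1:]).strip('"')
        elif tok[0] == "set":
            objs.setdefault((stack[-1], edit), {})[tok[1]] = [v.strip('"') for v in tok[2:]]
        else:  # "next" and "end" close the current object; "end" also closes the section
            edit, stack = None, stack[:-1] if tok[0] == "end" else stack
    return objs

def link_side(cfg):  # the pieces of one VDOM's config that the peering depends on
    objs = parse(cfg)
    ifname, attrs = next((n, a) for (s, n), a in objs.items() if s == "system interface" and a.get("type") == ["vdom-link"])
    peer, nbr = next((n, a) for (s, n), a in objs.items() if s == "neighbor")
    return {"if": ifname, "addr": ipaddress.ip_interface("/".join(attrs["ip"])), "peer": ipaddress.ip_address(peer),
            "rid": objs[("router bgp", None)]["router-id"][0], "nbr_if": nbr["interface"][0]}

def check_peering(cfg_a, cfg_b):
    """Check both sides against the article's considerations; an empty list means they are consistent."""
    a, b, problems = link_side(cfg_a), link_side(cfg_b), []
    if a["rid"] == b["rid"]:
        problems.append(f"router-id {a['rid']} is used by both VDOMs; it must be unique")
    if a["addr"].network != b["addr"].network:
        problems.append(f"link addresses {a['addr']} and {b['addr']} are not on the same subnet")
    for near, far in ((a, b), (b, a)):  # each neighbor must be the far end's link address, bound to the local link
        if near["peer"] != far["addr"].ip or near["nbr_if"] != near["if"]:
            problems.append(f"{near['if']}: neighbor {near['peer']} should be {far['addr'].ip} on {near['if']}")
    return problems
```

Running `check_peering(VDOM_A, VDOM_B)` on the article's values returns an empty list; changing one side's router-id or moving one link address to another subnet produces a message naming the offending VDOM interface.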

              

RESULT:

FGT (VDOM-A) # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 12.12.12.2 (recursive is directly connected, VdomRouting0), 00:04:43, [1/0]
C       10.10.10.0/24 is directly connected, port2
B       10.10.11.0/24 [200/0] via 12.12.12.2 (recursive is directly connected, VdomRouting0), 00:05:07, [1/0]
C       10.255.255.1/32 is directly connected, loopback_VDOM-A
C       12.12.12.0/24 is directly connected, VdomRouting0

 

      

FGT (VDOM-B) # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 15.15.15.2, ISP1, [1/0]
B       10.10.10.0/24 [200/0] via 12.12.12.1 (recursive is directly connected, VdomRouting1), 00:06:18, [1/0]
C       10.10.11.0/24 is directly connected, port3
C       10.255.255.0/24 is directly connected, loopback_VDOM-B
C       12.12.12.0/24 is directly connected, VdomRouting1
C       15.15.15.0/24 is directly connected, ISP1

 

 
