FortiGate
ojacinto
Staff
Article Id 197704
Description

This article describes how to forward traffic from one VDOM to another using an inter-VDOM link.

Scope

Requirements and prerequisites:

Make sure multi-VDOM mode is enabled; refer to the guide 'Enable multi VDOM mode'.

 

Diagram:

 

Internet ===========[port2]=========== inter-VDOM link ==========[port3]============= [Windows Server 10.222.3.251/20]

 

  • Port2 is associated with the 'root' VDOM / VLAN222, 10.222.5.72/20
  • Port3 is associated with the 'SERVERS' VDOM / VLAN250, 10.250.5.72/20
  • A full-numbered scenario is used: inter-VDOM link 192.168.100.0/30, root end 192.168.100.1, SERVERS end 192.168.100.2
  • Note that the CLI examples in the Solution use port1 as the WAN interface of the root VDOM and port2 as the server-facing interface of the SERVERS VDOM (the server 10.222.3.251 sits in 10.222.0.0/20); substitute the interface names and addresses of the unit being configured.
Solution

Step 1: Configure the inter-VDOM link.

Configure the inter-VDOM link from the Global context, using either the GUI or the CLI:

 

[image: inter-VDOM link created in the Global context]

 

Step 2: Configure an IP address on each end of the link (one end per VDOM):

 

[image: IP addresses assigned to the two link interfaces]
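The same two steps on the CLI, shown here as an added example (the article itself only shows the GUI screenshots). It assumes the link is created under the name VDOM_link, from which FortiOS derives the member interfaces VDOM_link0 and VDOM_link1 used in the rest of this article, and that the unit is already in multi-VDOM mode, so the commands are entered from the global context:

```text
# Step 1: create the inter-VDOM link from the global context.
# Assumption: the link is named "VDOM_link"; FortiOS then creates the two
# member interfaces "VDOM_link0" and "VDOM_link1" automatically.
config global
    config system vdom-link
        edit "VDOM_link"
        next
    end

# Step 2: bind one end to each VDOM and assign the /30 from the diagram
# (full-numbered scenario). ping is allowed so that Step 3 can be verified.
    config system interface
        edit "VDOM_link0"
            set vdom "root"
            set ip 192.168.100.1 255.255.255.252
            set allowaccess ping
        next
        edit "VDOM_link1"
            set vdom "SERVERS"
            set ip 192.168.100.2 255.255.255.252
            set allowaccess ping
        next
    end
end
```

Confirm the result with 'show system vdom-link' and 'show system interface VDOM_link0' from the global context before moving on; each member interface must list the expected vdom and ip, otherwise the ping in Step 3 fails with no route to host.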

 

Step 3: Verify connectivity between the two ends of the link:

 

config vdom
edit SERVERS
execute ping 192.168.100.1    <- The IP of the root VDOM's end of the link.
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=255 time=0.1 ms
^C
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms
end

 

The presence of virtual interfaces is one of the key differences between inter-VDOM links and regular interfaces: an inter-VDOM link does not require IP addresses. This gives three possible configurations for an inter-VDOM link:

  • Unnumbered: neither end of the link has an IP address.
  • Half-numbered: one end has an IP address, the other end has none.
  • Full-numbered: both ends have an IP address.       <- Scenario used in this article

Note:

A half- or full-numbered link is required for NAT (SNAT or DNAT), because the translation needs an IP address on the link to translate to or from.
With an unnumbered link, write the static route by naming the link interface as the device and using 0.0.0.0 as the gateway.

A traceroute will not show the inter-VDOM link interface as a hop.

The interface is visible in the packet sniffer (diagnose sniffer packet), however, which is useful for troubleshooting.

 

Step 4: Define the inter-VDOM routing and firewall policies in each VDOM to allow the traffic.

The default gateway of the internal VDOM (SERVERS) is the root end of the inter-VDOM link, so all Internet-bound traffic from the servers is handed to the external VDOM (root in this example), which in turn needs a route back to the server subnet.


Internal VDOM (SERVERS):

 

Configure the default route towards the root end of the link with the following commands:

config vdom
edit SERVERS
config router static
edit 1
set gateway 192.168.100.1
set device "VDOM_link1"
set dst 0.0.0.0/0
next
end
end

 

Configure the policy with the following commands. It allows the server subnet, arriving on port2 (the server-facing interface), out through the link. As written it permits any service to any destination; in production, restrict service and dstaddr to what the servers actually need and enable logging (set logtraffic all). The address object "10.222.0.0/20" must already exist in the VDOM, and the uuid is generated automatically by the unit, so omit that line when typing the policy:

config vdom
edit SERVERS
config firewall policy
edit 1
set name "SRV2INT"
set uuid 7c34242c-5ff9-51ef-c915-84ce7d2213f2
set srcintf "port2"
set dstintf "VDOM_link1"
set action accept
set srcaddr "10.222.0.0/20"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end
end

 

External VDOM (root):

 

Configure the return route to the server subnet with the following commands:

config vdom
edit root
config router static
edit 2
set dst 10.222.0.0/20    <- Server subnet.
set device "VDOM_link0"
set gateway 192.168.100.2
next
end
end

 

Configure the policy with the following commands. It accepts the server subnet arriving from the link and forwards it to the WAN interface with source NAT, so the servers leave with the address of port1. The "10.222.0.0/20" address object must also exist in the root VDOM, and the uuid is again auto-generated:

config vdom
edit root
config firewall policy
edit 1
set name "SRV_SUB"
set uuid c3b04978-5ffb-51ef-b826-1b22e711c8a8
set srcintf "VDOM_link0"    <- Inter-VDOM link interface of the root VDOM.
set dstintf "port1"         <- WAN interface.
set action accept
set srcaddr "10.222.0.0/20"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable              <- SNAT to the port1 address.
next
end
end

 

Step 5: Verify connectivity from the Windows Server:

 

[image: ping from the Windows Server to the Internet]
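If the ping from the Windows Server fails, the following FortiGate-side checks locate the problem. This is an added example, not part of the original article; it assumes the server 10.222.3.251 from the diagram pings 8.8.8.8 (an example destination only, any Internet host works) while the commands run, and it uses the interface and VDOM names of the Solution above:

```text
# Added example: FortiGate-side verification of the inter-VDOM path.
# Assumptions: server 10.222.3.251 (from the diagram) pings 8.8.8.8, which is
# only an example destination; interface and VDOM names are those used above.

# 1. Routing: each VDOM must resolve its next hop across the link.
config vdom
edit SERVERS
get router info routing-table all
#   expect:  S*  0.0.0.0/0 [10/0] via 192.168.100.1, VDOM_link1
end

config vdom
edit root
get router info routing-table all
#   expect:  S   10.222.0.0/20 [10/0] via 192.168.100.2, VDOM_link0

# 2. The link does not appear in a traceroute, but the sniffer shows it.
#    Verbosity 4 prints the interface name; 'any' covers all root interfaces.
diagnose sniffer packet any 'icmp and host 8.8.8.8' 4 10
#   expect one line per packet, of the form:
#     VDOM_link0 in  10.222.3.251 -> 8.8.8.8: icmp: echo request
#     port1 out  <port1 address> -> 8.8.8.8: icmp: echo request   (after SNAT)
#   If only the "in" line appears, the root route, the root policy or the SNAT
#   is at fault; if neither appears, the SERVERS VDOM never forwarded the packet.

# 3. Policy match: the debug flow names the policy that accepted the session.
diagnose debug flow filter addr 10.222.3.251
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
#   ... generate traffic from the server, look for "Allowed by Policy-1",
#   then stop cleanly so the filter does not stay active on the unit:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
end
```

Run the same sniffer and debug flow inside the SERVERS VDOM to see the first half of the path (port2 in, VDOM_link1 out, policy SRV2INT). The sniffer and debug flow are the only places the link interfaces appear by name; a traceroute from the server lists no hop for the link.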