sgiannogloudis
Article Id 297349
Description This article describes the capabilities of VRF0.
Scope FortiGate v6.x and v7.x.
Solution

FortiGate has been configured with one physical interface, 'port3', which belongs to the default VRF (VRF 0), and one loopback named 'loopback_Test' on VRF 1.

The routing table looks like this:

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.110.80.1, port10 [1/0]
C 10.0.0.0/8 is directly connected, port3

Routing table for VRF=1
C 172.16.10.0/24 is directly connected, loopback_Test

Test 1: A device behind port3 sends ICMP echo requests to 8.8.8.8. The traffic enters port3 and exits port10, where the default route points [expected result].

diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 10 l

2023-12-12 14:23:06.771674 port3 in 10.0.1.63 -> 8.8.8.8: icmp: echo request
2023-12-12 14:23:06.771834 port10 out 10.0.1.63 -> 8.8.8.8: icmp: echo request

Test 2: This time, instead of 8.8.8.8, the device sends ICMP echo requests to 172.16.10.1 (the loopback configured on VRF 1). One would expect the traffic to still match the default route on port10, since the lookup should be contained inside the default VRF; however:

diagnose sniffer packet any 'host 172.16.10.1 and icmp' 4 10 l

2023-12-12 14:28:22.069203 port3 in 10.0.1.63 -> 172.16.10.1: icmp: echo request
2023-12-12 14:28:22.069291 port3 out 172.16.10.1 -> 10.0.1.63: icmp: echo reply

As can be observed, instead of matching the default route via port10, the traffic is answered by the FortiGate itself: the echo reply is sent back out port3 to the device.

This happens because there is no VRF isolation on VRF 0. It is treated as a special global VRF whose routing lookup also contains the routes of all other VRFs, so the connected route for 172.16.10.0/24 on VRF 1 is matched from VRF 0.
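To make the behaviour concrete, the following is an added Python model, not FortiOS code, that parses the routing-table output shown above and performs a longest-prefix lookup. It treats VRF 0 as the global VRF that also sees every other VRF's routes, and assumes (as the article implies) that non-zero VRFs see only their own table.

```python
import ipaddress
import re

# Constructed sample in the same format as the routing table above (not a live capture).
ROUTING_TABLE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.110.80.1, port10 [1/0]
C 10.0.0.0/8 is directly connected, port3

Routing table for VRF=1
C 172.16.10.0/24 is directly connected, loopback_Test
"""


def parse_routing_table(text):
    """Return {vrf: [(network, interface), ...]} from 'Routing table for VRF=N' output."""
    tables, vrf = {}, None
    for line in text.splitlines():
        header = re.match(r"Routing table for VRF=(\d+)", line)
        if header:
            vrf = int(header.group(1))
            tables[vrf] = []
            continue
        # e.g. "S* 0.0.0.0/0 [10/0] via 10.110.80.1, port10 [1/0]"
        route = re.match(r"^\S+\s+(\S+/\d+).*?,\s*(\S+)", line)
        if route and vrf is not None:
            tables[vrf].append((ipaddress.ip_network(route.group(1)), route.group(2)))
    return tables


def lookup(tables, vrf, dst):
    """Longest-prefix match for dst in the given VRF; returns the egress interface or None.

    Assumption modelled here: VRF 0 is the global VRF and its lookup also includes
    every other VRF's routes; any other VRF is isolated to its own table.
    """
    candidates = list(tables.get(vrf, []))
    if vrf == 0:
        for other_vrf, routes in tables.items():
            if other_vrf != 0:
                candidates.extend(routes)
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifname) for net, ifname in candidates if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


TABLES = parse_routing_table(ROUTING_TABLE)
```

Looking up 172.16.10.1 from VRF 0 returns loopback_Test rather than port10, which is the leak observed in Test 2.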