- The Topology of the network is as follows:
PC1---VRF10----FGT-----wan1--VRF0
- A few requirements must be met before traffic can be routed between the VRFs this way:
- Multiple VDOMs must be enabled.
- Overlapping subnets must be allowed.
- Multiple VDOMs are enabled with the following command:
config system global
set vdom-mode multi-vdom
end
To allow overlapping subnets (configured per VDOM, here in the root VDOM):
FG101E-2 (vdom) # edit root
current vf=root:0
FG101E-2 (root) # config system settings
FG101E-2 (settings) # set allow-subnet-overlap enable <----- This only allows the same subnet to be configured on different interfaces. The same subnet cannot be used in different VRFs.
FG101E-2 (settings) # end
The configuration of the interfaces looks as follows:
[screenshot: interface configuration]
- It is necessary to create a VDOM link as follows:
[screenshot: VDOM link configuration]
- The next step is to create static routes:
1. Create a static route to send the traffic from VRF 10 to VRF 0.
2. Create a static route for the local subnet 10.200.1.0 so that VRF 0 knows where to send traffic received for this subnet. In this case it must be sent to VRF 10 via the VDOM link, and the gateway is 1.1.1.2.
Creating firewall policies:
- The first policy needed allows the traffic from VRF 10 to VRF 0. In this example port1 is in VRF 10, so its traffic must be sent to VRF 0.
Important: NAT must be disabled on this policy, otherwise the traffic will not flow properly.
- The second policy needed allows the VRF 10 traffic out to the internet. NAT must be enabled on this one.
- After this, the traffic from VRF 10 should reach the internet.
Second method:
Leaving the VDOM link without any IP addresses works too and simplifies the configuration. In some scenarios, however, IP addresses on the VDOM link are required, for NAT or BGP peering for instance; then the other scenario, with IP addresses on the VDOM link, can be used. The biggest advantage of the method without IP addresses is that it is not necessary to allow overlapping subnets.
In this case, leave the VDOM links without an IP address.
[screenshot: VDOM link without IP address]
The static route configuration is simple as well: because the link is point-to-point, it is not necessary to define a gateway address.
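The complete second-method configuration as one CLI script, added here as an example (it is not from the original article). It assumes a single VDOM named root, a VDOM link named VRF0-VRF1 whose two ends FortiOS names VRF0-VRF10 and VRF0-VRF11 (matching the interface in the routing table below), port1 already addressed in 10.200.1.0/24, and wan1 in VRF 0 with its default route already present.

```fortios
config system vdom-link
    edit "VRF0-VRF1"
    next
end
config system interface
    edit "VRF0-VRF10"
        set vdom "root"
        set vrf 0
    next
    edit "VRF0-VRF11"
        set vdom "root"
        set vrf 10
    next
    edit "port1"
        set vrf 10
    next
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "VRF0-VRF11"
    next
    edit 2
        set dst 10.200.1.0 255.255.255.0
        set device "VRF0-VRF10"
    next
end
# policy 1: VRF 10 -> VRF 0, NAT disabled; policy 2: VRF 0 -> internet, NAT enabled
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "VRF0-VRF11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set srcintf "VRF0-VRF10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Each static route is installed in the VRF of its device interface, which is why no vrf setting appears on the routes; the line starting with # is an annotation and should be stripped before pasting into the CLI.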
Troubleshooting:
Some common mistakes in this process are:
- Enabling NAT on the firewall policy: if NAT is enabled by mistake on the firewall policy that allows the traffic from VRF 10 to VRF 0, the debugs will show the error 'denied via policy 0'. Disabling NAT solves this problem.
- Missing static route: the second error that can be encountered is a missing static route back to the local subnet in the root VDOM. In the debugs an error message about 'reverse path check failed' can be observed. In this example a static route in VRF 0 is needed.
The routing table for VRF=0:
S* 0.0.0.0/0 [10/0] via 10.9.15.254, wan1, [1/0]
S 10.200.1.0/24 [10/0] is directly connected, VRF0-VRF10, [1/0]
If all of the above steps are correct and issues persist, contact the TAC for further assistance.