Three interfaces in different VDOMs but same subnet?
I' m setting up a 100D with three VDOMs; a root and two customer VDOMs. On the WAN side the 100D is connected to the ISP switch. The ISP typically issues you a subnet to be used for your firewall WAN interface(s) then you can register additional subnets of public IPs and have them routed to the WAN interface IP of a particular firewall.
As we wanted the two customer VDOMs to be separate and have their own ranges of public IPs we took three physical interfaces on the FG to act as WAN interfaces, so one physical WAN interface per VDOM. I then asked the VSP for a range of public IPs to use for these interfaces. I added the first IP (126.96.36.199/30) to the root VDOM WAN interface no problem, but when I then try to add the second IP (188.8.131.52/30) to one of the customer VDOM WAN interfaces the FG gives an error saying the IP subnet is in-use on another interface.
Is there any way around this or do I need to request separate interface IP subnet ranges from the ISP? They have to setup HSRP IPs and all sorts of stuff on each interface subnet they have to setup, so I' d prefer not to have to do this!
Thanks for any thoughts!
Bob' s suggestion, is correct, you might be better off with one inter-vdom. Do you really need 3 vdom is now the real question? Also how do you plan on any hardware redundancy (2nd 3rd 4th FGT down the line ? )
I would really look hard at why you think you need 3 vdoms. If it to provide management authority to 3 different orgs, than I would agreed with your scope and logic. But if not that, than you need to really look at the extra hassle for vdom' ing your firewall. Traffic is only going to go where your fwpolicies allow it to go :) If this is a true multi-tentant housting firewall, than vdom away :)
On the drawing, you had in the other thread ( btw, good job it shed a lot of light and reduce any confusion ) you mention the 3 context don' t necessary have to communicate today but the requirement might come up later, could you just apply fwpolicies between the various lans( vlans ) between vdom context 1 2 3 .
FWIW, I would rather leverage the ISP handoffs in a redundant WAN1 + WAN2 , than to see 3 separate handoffs with no redundancy.
Now with that said, most people enable multi-vdom & intervdom-routing to actually reduce the number of uplink interface or where the model has a limited number of ports to begin with. A 100D, would not be hamper by the pure number of uplinks.
On the Address overlap, try to avoid that if possible, but I don' t think that should be a case in your setup & should not be a issue ( i think ) in a multi-vdom firewall. I' m doing that today with a pair of cisco 5558X and the 2 contexts are in the same uplink subnet sharing a port-channel interface. Neither context knows that the other guy is in the same physical firewall.
The ports 15 and 16 in yoru case, should be 2 unique interfaces and in a unique vdom. And can be in the same subnet if I had to guess.
Can you share the config system interface and on what your trying todo? And when/where do you get any error messages?
Yeah we absolutely need at least two VDOMs as this is a multi-tenanted setup. I' ve left it out of the discussion to keep things simple, but there are actually two 100Ds in a cluster with redundant switches on the LAN side, and on the ISP side we actually connect to two separate ISP switches (so three connections in each). As I say I don' t mind going for the two VDOMs routing through the root-vdom but my reading of the documentation was that this would require setting routes/fwpolicies in the root-vdom which isn' t really a runner if either tenant needs to log into root to do this regularly. If we can just set it up once and leave it then that would be fine.
The other complication is that both tenants have fairly complex needs with probably 10 VPNs each, 64+ public IP addresses each etc. so my question was how this would be possible using just the one WAN interface into a root VDOM? Will each tenant be able to manage the NATing of their IPs and will they be able to terminate VPNs in their VDOM or will they need to terminate in the root-vdom and be routed into each VDOM?
I hadn' t actually turned on the overlap-subnet setting so as you think that should be OK (no broadcast storms :) ) I' ll do that and then see if I get any more error messages, pretty sure it will solve my problem of the three interfaces but wanted to check any longterm consequences before doing it, and also interested in the idea of routing through the root-vdom
I would definetely recommend to avoid subnet overlap.
What my first thought was, do your /30 subnets really NOT overlap?
Say, I' ve got a 10.11.12.1/28 from the ISP (as I am planning to subdivide the range into three /30s I will need an address space of at least 4x4 addresses):
.0 is broadcast
.1 to .14 is hosts
.15 is network
Now to subdivide, I use a /30 mask which gives me the subnets
.0 (usable: .1, .2)
.4 (usable: .5, .6)
.12 (usable: .13, .14)
My point is: if you are not very precise with your starting IP address you may get an overlap within one /30 subnet. Your example of using 184.108.40.206 will not allow a .5 and a .6 to be in different subnets, but .4/30 and .8/30 and .12/30 will.
It' s actually just a single /29 range we have to use as interface addresses. Of the /29 only 3 IPs are useable as one is network, one broadcast, one default gateway, one HSRP gateway address and not sure about the fifth. So we cannot divide down this subnet (firstly because it is too small, but secondly because the gateway address would only be available to one of the divided subnets :) ). As I say I could request two more ranges of addresses from the ISP for the other two WAN interfaces, but this seems like a waste of IPs and they might tell me to get lost :).
Any other thoughts? A few people have suggested routing everything through the root-vdom but I' m still unclear how this would work in-terms of VPNs and NATing all the ranges of IP addresses required in each customer vdom?
You can route /32' s into VDOMs from an ' Outside' VDOM (or use root). I do this in some situations. It' s a bit more complicated/annoying to deal with but it has it' s advantages. I will say, using anything but root for your ' outside' VDOM is going to cause you a huge pain in the ass when it comes to FortiGuard registration/etc.
See the very quick/dirty/simple diagram I' ve attached. You can still run VPNs to these IP' s, and NAT internal networks out, do port forwards, etc.
Have an common queries on inter VDOM communication, how many interVDOM link can create ? Is it limited or depends on hardware model?
For example if am creating more than 10 VDOM for different company, 5 VDOM need to communicate with other VDOM to access certain common applications. In that case how many interVDOM links need to create?
Is it necessary to configure separate inter-link for each VDOM communication?
Hope it's clear and let us know if need clarification on queries
As you can see above, vdom-link is limited by the number of interfaces per model. Should be well beyond you need. You can consider each vdom as a router. Then you can understand how to connect them via vdom-links instead of ethernet cables to share a resources attached to one vdom.