Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IrbkOrrum
Contributor

Created on ‎12-06-2024 08:47 AM

Can Root VDOM share the same IPs as other VDOMs?

I know that you can have like VDOM-A and VDOM-B that both have the same IP space, such as 10.10.0.0/16 when Root is just passing traffic to physical interfaces.  However, can you have Root have the same IP space as VDOM-A if all traffic runs through root without having any 'leakage' between VDOMs?  
For example, you've got 1 port to the internet that all VDOM traffic (including root) runs through and 1 port that all traffic runs too for the VM stack.  So all traffic runs through the Root vdom but VDOM-A would share the same IP space without leakage? 

Screenshot_1.jpg

Labels:
129
0 Kudos
3 REPLIES 3
dingjerry_FTNT
Staff
Staff

Created on ‎12-06-2024 09:03 AM

Hi @IrbkOrrum ,

 

You may treat the VDOMs as individual sub-FortiGate devices.  So yes, of course, the root VDOM can use the same IPs as other VDOMs.

 

However, when the traffic from other VDOMs entering into the root VDOM, it has to be NATted.  Otherwise, it will confuse the root VDOM how to return the traffic, or the root VDOM will drop the traffic due to RPF check:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Details-about-FortiOS-RPF-Reverse-Path-For...

Regards,

Jerry
120
0 Kudos
sjoshi
Staff
Staff

Created on ‎12-06-2024 09:41 AM

Yes, it is possible to have same IP range on 2 different VDOM on FGT.

So does the traffic from Inet, VM  stack have to reach VDOMA?

Let us know if this helps.
Salon Raj Joshi
107
0 Kudos
IrbkOrrum
Contributor
In response to sjoshi

Created on ‎12-09-2024 05:47 AM

Yes, kind of.  My thought process is that "root" could be the "primary production" site and then VDOM-A would be a "bubble" that's only for Disaster recovery testing.  The only thing that would get into VDOM-A would be an IPSec VPN connection for clients that need to test a DR recovery.  This would share the same IP space as production so it's important that we not have any crossover.  I've tested this with a VDOM-A and a VDOM-B and it works fine.  Never tried it where the primary production is taking place in the Root vdom though.

55
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.