Hi Guys,
Today I have a topology where I have a Nexus 7K, where there are multiple VRFs that terminate on 500-Es in active/standby.
One or more VRFs are part of a zone on the FortiGate. The FortiGate doesn't have any VRF. Policies are used to control access to the different zones.
I have zones like this, to name a few:
Engineering
Corporate
Dev
Requirements from security consultants want us to have multiple VDOMs for each of these zones. Still, the VRFs will terminate on those different VDOMs.
I am a bit confused on how to go about creating those VDOMs. Today I have, for example, port 1 in zone Engineering, port 2 for Dev and port 3 for Corporate, etc., and I have port 5 for external traffic that talks to an external firewall.
How would I go about creating those VDOMs to match what I have currently?
Any help would for sure be highly appreciated.
Thanks
Jones
1) create vdoms
2) create vlans
3) allocate vlans to particular vdoms
4) create policies, routing, etc.
That was not my question. I know how to create VDOMs.
My question was: I have different zones on the FortiGate that talk to each other.
Now I will create VDOMs, and each zone will be under one VDOM.
I will have one interface connected to the core switch, where a VRF will drop into one VDOM.
What other interface should I have on this VDOM, since I will have another VDOM hosting another zone?
The question is more about design here, not how to create VDOMs.
Thanks
Jones
If you need to send traffic between VDOMs/VRFs you should use an inter-VDOM link:
Engineering VRF -> VDOM Engineering -> inter-VDOM link -> VDOM Corporate -> Corporate VRF
You treat the inter-VDOM link as a normal interface, with routing, firewall policies, security profiles, etc. in place.
https://cookbook.fortinet.com/inter-vdom-communication-with-static-routing-56/
Usually you don't need SNAT in policies between VDOMs; it simplifies routing. A packet from the Engineering VRF will appear with its real source IP, not the IP of the link between VDOMs. Hosts in all VRFs don't need to know what the IP between VDOMs is.