Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Inter VDOM dynamic routing : OSPF or BGP ?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Inter VDOM dynamic routing : OSPF or BGP ?
Hi guys,
I have the following scenario implemented, all Vdoms are connected among themselves through a Transparent vdom (only one allow all policy applied so transparent vdom acts as a L2 switch).
Now I would like to implement dynamic routing protocol so i can redistribute BGP routes from WAN vdom to others, and others can redistribute connected networks to other vdoms etc.
I did not find nothing about doing such thing on internet. I would create an OSPF area0 and put all vdoms associated to it.
Some colleagues advice I should do iBGP. Not sure about this.
Any thought about the setup ?
thank you very much for your feedback.
Running 6.2.4 on 600E
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess that would work, but I would not waste a vdom between outer edge and inside vdom. I would just stacked them and run a interior routing protocol.
stacked vdom https://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html
You can now filter routes to the inside. Please do not do a full-bgp view and redistribute these routes into IGP.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken,
thank you very much for your explanations, i understand the fact that wasting a vdom is not ideal, but in our case all vdoms need to talk with each others, so making a full mech topology would be a pain (we have 5 vdoms so far).
Not sure to understand "Please do not do a full-bgp view and redistribute these routes into IGP."
I will go for OSPF and obviously filter redistribution between the OSPF and BGP.
Thank you for your advice !
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure to understand "Please do not do a full-bgp view and redistribute these routes into IGP." I will go for OSPF and obviously filter redistribution between the OSPF and BGP.
Just keep in mind that routes take memory. So If your redistributing a 0.0.0.0/0 into ospf & sharing it down stream into the 2other vdom and advertising a few routes into bgp you would be fine. That's all that I'm implying here. I still think a simpler mesh stack would be better.
edge ASNxxxx ( what ever your asn# )
ebgp peer to vdom1 AS65001
ebgp peer to vdom2 AS65002
What would be even more better is to not use a inter-vdom-link so if you have the need for HA you can run 1 or 2 vdom on the 2nd FGT ha member , and would not be bound by any virtual interface link speeds limits. A 600E has quite a few interfaces . You could cable down a lacp-bundle 2 members to your core-switch and if your in a cisco or juniper virtual switch chassis you could easily build redundancy.
FWIW; You gain absolutely nothing with the additional "transparent vdom" just one more area that could cause issues, another area for management of policy , and if you have issues, you have very little options to eliminate it from the equation.
And the next obvious reasons ; " vdom1/2 and vdomMain you have the same sessions now in triplets regardless if you just have an "any" policy in the transparent vdom or specific "policy-id" rules.
think about this more and it would be clear ;
A host in vdom1 connecting to www.example.com
vdom1 = 1 session
vdom-transparent = 1 session
vdom-main = 1 session
total session = 3 for one client connection.
A host in vdom1 connecting to a server in vdom2
vdom1 = 1 session
vdom-transparent = 1 session
vdom2 = 1 session
total session = 3 for one client connection.
A host in vdom1 connecting to a server in vdomMain
vdom1 = 1 session
vdom-transparent = 1 session
vdommain = 1 session
total session = 3 for one client connection.
and so on.....No matter what you do, unless the traffic stays internal to that vdom, you now have 3 sessions before you even get to your own edge-router. A bad and poor design imho.
Thinking deeper and if your edge space is big enough, emac-vlan would be better if the 3 vdoms ( vdom1/vdom2/vdomMain ) need connectivity to the same edge-router.
Another option that is doable and we just did this 5 years ago is to run the main vdom down to a internal core-router. So vdomMain, vdom1,vdom2 all connects to this router on 802.1q tags, So traffic between vdom1<>vdom2 goes to the router and do not touch the mainvdom. This saves you a vdom, this saves having to have a 3rd session, reduce the resources use by firewall overall. Etc.......
This reduce the complexity of the design and make it easier over all to diagnose if and when you have issues. One of my colleague design that (d.bohls) with internal router running in a vrf-lite. As you add more customers/tenant ( i.e a vdom ) you only have to rip off a new 802.1q tag assign a /31 and move on.
No need for a "ménage à trois" of 3 firewalls just to send traffic to you edge ;)
And finally in regards to this comment
"only one allow all policy applied so transparent vdom acts as a L2 switch"
If it's transparent vdom it's still managing traffic at layer3 and upwards. IT IS NOT ACTING AS A L2 SWITCH in the tru sense of switching.
just my 2ct observation and based on my experience. But you have better designs that are simpler
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken,
thank you for your clear and detailed answer, the performance aspect and poor deign are some point i definitely take into consideration.
Colleagues told that the transparent VDOM solution was the only way found, back in the days, to propagate a vlan across several vdoms. There are actually Enhanced-MAC vlans (which i was not aware of until today), that seem to work just fine, i'm testing this in lab right now.
If this works the way i want, this plus your advice will make us save some resources and complexity.
If i get trouble or questions related to EMAC vlan i will post another thread but this really seems like the way to go for what we want to do.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/212317/enhanced-mac-vlans
Example 1 is what we achieve using transparent VDOM, i guest we've been doing it the wrong way.
I really appreciate the time you took to answer and your valuable feedback.
Florian
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,775 -
FortiClient
1,783 -
5.2
801 -
FortiManager
739 -
5.4
639 -
FortiAnalyzer
565 -
FortiSwitch
479 -
Fortiap
475 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
323 -
SSL-VPN
253 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
214 -
FortiWeb
210 -
5.0
196 -
FortiNAC
193 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
108 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
Fortivoice
57 -
High Availability
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
Radius
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiGate-VM
22 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1741 | |
| 1109 | |
| 755 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.