hey, I'm planning to implement vdom but I encountered a problem that I don't know how to solve or how to approach it.
I am planning to use 4 vdom on my fortigate 400f.
in each vdom I will have VIPs on public IP addresses, which I distribute to my edge routers via static blackhole.
I did it in the lab and it seems to work. I have a public subnet with a /23 mask and various VIPs from my subnet, distributed from different vdoms to routers.
the problem is that on each vdom I will have a large number of connected vlans which I wanted to distribute between vdoms vdom link also via ospf.
the only problem here is that I don't see how I can add a new ospf process to use other interfaces (vdom_link) to distribute connected vlans.
I can broadcast vlans to routers via OSPF, but I would like the traffic between vlans in vdom to be via vdom link. It seems to me a better idea than using WAN interfaces.
I can use rip to vdom link to distribute vlans to vdom, but I prefer ospf.
Do you think my concept is correct?
VDOM-link or npu-vlink are only internal bridge between VDOMs. They don't interface with outside routers. You need to use physical interfaces for that purpose.
Instead of advertizing those chunks to R1/R2, I would recommend using a "internet" vdom like root vdom to aggregate them over vdom-link/npu-vlink, then advertise the full /23 subnet to R1/R2 with BGP (EGP) for simplicity. R1/R2 must be using BGP toward the internet anyway. You can manipulate route distributions more easily. Then over the vdom-link/npu-vlink you can use even static routes. Because vdom-link/npu-vlink are internal so vlans on them would die at the same time when the entire box dies. Of course nothing is wrong with using OSFP for that part if many.
Just my thought.
Toshi
hey, thank you for your reply. for each vdom, he extracted physical interfaces for each vdom, on which ospf is located to routers r1 and r2. Through these physical interfaces, I distribute static for VIP so that the router knows where to direct Internet traffic. on routers r1 and r2 it has bgp configured with my isp where I advertise my /23 subnet. the problem is that one VIP maps to the IP in the vlan that is in vdom 1, and another VIP maps to vdom 2. That's why I advertise directly from vdom. I was thinking about using vdom internet, but then I have to create a vip that maps to vdom, so I'm wondering if it's a good idea? then it would be easier with ospf because only vdom the internet would distribute routes to routers but then vip would map to different vdoms. another thing is that I would like to distribute vlans between vdoms using vlink, I want vdom1 to know that the subnets from vdom2 are on the vlink interface and then there is traffic between vlans in vdoms - interlink. I don't want to create a vlan there, I just want to tell other vdoms that there are subnets of other vdoms behind the vlink, is that a good idea?
Created on 11-29-2023 08:52 AM Edited on 11-29-2023 08:53 AM
A VDOM is a router. You just need to route the /32 or /30 or whatever the chunk used in a vdom for VIPs to the vdom. If it's by the internet/root vdom, just over one connection(vdom-link/npu-vlink) so can be just a set of static routes. A VIP works only inside a vdom/router.
If I can do VIP only within vdom, things change. I thought I could do something like this, e.g. src int port1 (where port 1 is ospf for edge routers) dstint I will give a vdom link, srcip all and dstip vip where extip is the ip from my subnet /23 and mapp ip is the ip from the vlan e.g. vdom1 . as for ospf via vlink. if I have 50 vlans on each vdom, I will have to make 50 static routes to each vdom, which gives 150 routes on each vdom, which can be a pain. that's why I wanted to do OSPF between vdom on vlink so as not to do it manually. but I already use the ospf process for routers and that's the problem. on cisco, I would do ospf process 2, add the vdom vlink interfaces there and select redisteibute connected
This is the concept diagram.
Created on 11-29-2023 09:25 AM Edited on 11-29-2023 09:25 AM
By the way, if the physical interfaces connected to R1/R2 routers and to the device:192.168.1.1 in the diagram are under the same NPU, the entire packet flow from right->left and left->right are off-loaded to the NPU for acceleration by default as long as you use npu-vlink (not vdom-link), except first a few packets of the sessions.
Toshi
what you drew seems to make sense. only in this scheme what is important is what I did not write, but is important for your concept. Other devices in the network than this Fortigate 400f use the /23 addressing. and these devices communicate with routers also via OSPF so that the routers can see where VIP is. If I had 1 device, I would point /23 from the routers directly to vdom root in fortigate 400f, as you drew. what you drew makes me think, I have to think about what you drew and I will come back tomorrow with the answer. thank you for your commitment!
I assume the main purpose of separating those 4 vdoms are to separate your customers. Then you shouldn't leak the customer's routes/subnets like 192.168.1.0/24 in my diagram to even the root vdom or R1/R2. When those customers need to connect each other they should talk over SNAT/DNAT(VIP) with the pubic IPs like 1.1.0.1. The root vdom is a part of the internet (untrusted). Otherwise it would defeat the purpose of the vdom separation.
Toshi
my company has 3 other smaller companies under it. these 3 smaller companies use some of the resources of the main company or other companies. now all vlans, vips, etc. are on one device. Unfortunately for me, these vdoms must communicate with each other. by dividing it into VDOM, I will at least divide the company into companies. this is a big undertaking for me. I'm only afraid that the device may not be able to communicate between vdom . I can't find information about the bandwidth. I have never used vdom and I don't know how it behaves if I send data between vdom vllink and normally between vlans in a configuration without vdom. i.e. if my root will talk to vdom1, vdom2 and vdom3 all the time, and also other vdoms among themselves. how it will behave in terms of performance
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.