Fortinet Support Forum
wsal
New Contributor II

VDOM implementation - concept and problems

Hello, my UTM license is running out; while refreshing the license we are doing a trade-up from an FG 600E to a 400F. At the same time, with the trade-up we plan to implement multi-VDOM.

Currently, one FortiGate supports 4 related companies. Let's say that each company has its own VLANs, and this is how segmentation is done.

I would like to propose an organizational order in which each company would be a separate VDOM.

The problem is that I now have an aggregate between my FortiGate 600E and the core switch that carries all the VLANs (about 100 VLANs). The aggregate to the core switch uses two physical 10G ports.

Since the new FG 400F has 8 10G ports, I wanted to allocate two physical ports per company, i.e. two 10G ports per VDOM.

From what I see, I need to migrate VLANs between VDOMs and onto the new physical ports by modifying the configuration file. The worst thing, however, is that VLANs of different VDOMs have to see each other, which causes problems in policies.

I see that there is something like NPU VDOM links, which allow traffic between VDOMs.

As I begin to think about it, I will have a lot of traffic and policies between VLANs, and I wonder whether this will have a significant impact on the performance of the FG device. Is there a difference in performance between traffic across VLANs and traffic across VDOM links?

The second thing is that I have an untrust zone that serves as the connection to the edge routers.

I have about 100 VIPs on different public addresses that map to addresses in different VLANs.

It looks like this: I have my ASN in BGP. On the FG I create a VIP and a static route to blackhole, which I redistribute via OSPF to the edge routers that run BGP.

Let's assume that I have the address 1.1.1.0/23 and VIPs:

1.1.1.10 -> maps to 10.10.10.10 (VLAN 10 - VDOM 1)
and for example:
1.1.1.11 -> maps to 10.10.20.10 (VLAN 20 - VDOM 2)

I recreated the configuration from the FG600E on the 400F and enabled multi-VDOM.
I now have all the configuration in the root VDOM. I added 2 new VDOMs for the companies and I have a problem.

Untrust, which contains the ports running OSPF to the edge routers, is in the root VDOM.

What is the easiest way to share this public addressing 1.1.1.0/23 between VDOMs?

The public addressing has been around for a long time, and different external addresses map to different addresses in different VLANs.

I wonder if my concept will complicate the configuration too much.

Thank you for your help

Renante_Era
Staff

As I understand it, you want to share the public addresses between VDOMs.

There are several ways, but meshed VDOMs provide the most flexibility.

[image: VDOM.jpg]

I recommend that you create an account at training.fortinet.com. Next, click Library > FCP Network Security > FortiGate Infrastructure > Enroll Now. In the FortiGate Infrastructure 7.2 Study Guide, you'll find more details about Virtual Domains (VDOMs) on pages 67 to 111.

Toshi_Esumi
SuperUser

As the image @Renante_Era pasted shows, in a multi-VDOM environment the root VDOM naturally becomes the to_internet VDOM. The other VDOMs are then per customer and provide the separation between them. The separation basically means nothing is shared, including the routing table and policies & objects. If the edge routers are per customer, you need to connect them to the customer VDOMs directly so they don't see each other until traffic hits the root VDOM.

So, when two customers need to send/receive packets to each other, the first option would be over the internet/root VDOM via, as you said, an NPU-vlink. You can put multiple VLANs on a pair of NPU-vlinks so that you can have one VLAN per VDOM to get to the root VDOM.

Since you have a good-sized public subnet, I would split it into 5 chunks (root and 4 VDOMs) and route one of them to each.

You should draw a diagram yourself and design this visually. It's the fun part of networking business.

Toshi
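Putting the original question and Toshi's reply together, the following is an added FortiOS CLI example; it is not from any post in this thread and not Fortinet's own configuration for this setup. It shows the layout Toshi describes for one customer VDOM: the VDOM reaches root over a VLAN subinterface stacked on the NPU vlink pair (NPU vlinks can be offloaded by the NP processor, whereas software `vdom-link` interfaces are handled by the CPU, which is the performance difference the poster asks about), root routes one chunk of the public block to that VDOM and redistributes the static route into OSPF toward the edge routers, and the VIP plus its blackhole route move into the customer VDOM. Multi-VDOM mode is assumed to be enabled already, as the poster says. The VDOM name companyA, VLAN 101, the 10.255.1.0/30 link addressing, ports port3/port4, the chunk 1.1.1.64/26 with VIP 1.1.1.70, and the interface/zone name untrust are all assumptions.

```fortios
# Added example, not from the thread; names, VLAN IDs and addresses are assumptions.
config vdom
    edit "companyA"
    next
end
config global
    config system interface
        edit "npu0_vlink0"
            set vdom "root"
        next
        edit "npu0_vlink1"
            set vdom "companyA"
        next
        # VLAN 101 stacked on the vlink pair, one subinterface per end
        edit "vl101-root"
            set vdom "root"
            set ip 10.255.1.1 255.255.255.252
            set interface "npu0_vlink0"
            set vlanid 101
        next
        edit "vl101-compA"
            set vdom "companyA"
            set ip 10.255.1.2 255.255.255.252
            set interface "npu0_vlink1"
            set vlanid 101
        next
        # companyA's own pair of 10G ports toward the core switch
        edit "agg-compA"
            set vdom "companyA"
            set type aggregate
            set member "port3" "port4"
        next
        edit "vlan10"
            set vdom "companyA"
            set ip 10.10.10.1 255.255.255.0
            set interface "agg-compA"
            set vlanid 10
        next
    end
end
config vdom
    edit "root"
        # Hand chunk 1.1.1.64/26 to companyA; redistributed statics carry it to the edge routers
        config router static
            edit 1
                set dst 1.1.1.64 255.255.255.192
                set gateway 10.255.1.2
                set device "vl101-root"
            next
        end
        config router ospf
            config redistribute "static"
                set status enable
            end
        end
        config firewall policy
            edit 1
                set srcintf "untrust"
                set dstintf "vl101-root"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
    edit "companyA"
        config router static
            edit 1
                set gateway 10.255.1.1
                set device "vl101-compA"
            next
            # Unused addresses in the chunk are dropped here rather than looping back to root
            edit 2
                set dst 1.1.1.64 255.255.255.192
                set blackhole enable
            next
        end
        config firewall vip
            edit "vip-web"
                set extip 1.1.1.70
                set extintf "vl101-compA"
                set mappedip "10.10.10.10"
            next
        end
        config firewall policy
            edit 1
                set srcintf "vl101-compA"
                set dstintf "vlan10"
                set srcaddr "all"
                set dstaddr "vip-web"
                set action accept
                set schedule "always"
                set service "HTTPS"
            next
        end
    next
end
```

A packet for 1.1.1.70 arriving on untrust is routed by root over VLAN 101 to companyA, where the VIP translates it to 10.10.10.10 before the VLAN 10 policy is evaluated; root itself holds no VIP for that chunk. The second, third and fourth companies get the same pattern with VLAN 102, 103 and 104 on the same vlink pair and their own chunk routed from root, and traffic between two companies is then a root policy between their two vlink VLAN subinterfaces (for example vl101-root to vl102-root), so the customer VDOMs never share routing tables or objects. The 100 existing VIPs need the same per-VDOM split of the blackhole routes: each VDOM blackholes only the chunk routed to it.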

 
