krusty
New Contributor

Possible Asymmetric Routing Issues

Hi,

 

I have an unusual situation where we have one company that wants to split into two in the longer term.

 

I am looking at putting in a Fortigate split into a vdom for each new company. The plan is to use the same switch infrastructure but have vlans for each company. Diagram attached.

 

In the lab I have created the vdoms and defined the vlans on the switch. Each company vdom has a trunk down to the switch and I've set two areas for OSPF. The first area is for the 3 vdoms and the second area is for the company vdoms and the switch.

 

The potential problem is the switch now has 2 default routes via each company vdom and the root has 2 equal routes for each vlan via each company vdom. I am only allowing the vlans relevant to each company via the company specific trunk links on the switch. I am also only allowing the company specific subnets on the outbound policy rules.

 

It seems to work perfectly in the lab. Is this configuration likely to cause asymmetric routing issues?

 

Thanks

 

Dan

Toshi_Esumi
Esteemed Contributor II

I would simply split into two and no communication at those two org vdom level, just like you have two different FW devices for each. If you need them to share the same internet circuit, I would let "root" vdom terminate it and statically route toward those org vdoms over separate vdom links.

As long as you use different vlans for the two orgs on the LAN side and keep the GWs on the VDOM side, every inter-network traffic comes to the vdom, so no worry about any alternative paths. If org-to-org traffic needs to happen, they need to come to the root vdom and be routed to the other side.

The simplest is the best.

I know others would have different opinions though.
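The question asked above is whether two stateful VDOMs reachable by equal-cost routes from both sides will see flows go out through one VDOM and come back through the other. The following is an added model (not code from the thread or from Fortinet) that counts how many flows survive under the original design (ECMP on the switch and in root) versus the reply's design (one fixed path per company). The VDOM names, subnets, and the two hash functions are constructed stand-ins; real devices hash ECMP differently, which is the point.

```python
"""Model of the two-VDOM design: does ECMP on both sides of a stateful
VDOM produce asymmetric flows that the VDOM will drop?
Constructed model; hashes are illustrative, not FortiOS or switch behaviour."""
from collections import namedtuple
import hashlib

Flow = namedtuple("Flow", "src dst sport dport")
VDOMS = ("companyA", "companyB")           # assumed VDOM names
COMPANY_A_SUBNET = "10.1.0."                # constructed company A VLAN


def _pick(flow, salt):
    # Stand-in for a platform ECMP hash. The salt makes the switch and the
    # root VDOM hash differently, as two independent devices generally do.
    digest = hashlib.sha256((salt + str(flow)).encode()).hexdigest()
    return VDOMS[int(digest, 16) % 2]


def switch_next_hop(flow):
    # Switch holds two equal default routes, one via each company VDOM.
    return _pick(flow, "switch")


def root_next_hop(flow):
    # Root VDOM holds two equal OSPF routes to each VLAN via each company VDOM.
    return _pick(flow, "root")


def simulate(flows, company="companyA", pinned=False):
    """Return (ok, policy_drop, asym_drop) for client flows of one company.
    Each company VDOM is stateful and its outbound policy permits only its
    own subnet. pinned=True models the reply's design: switch default route
    and root's return route both use that company's own VDOM link."""
    ok = policy_drop = asym_drop = 0
    for f in flows:
        fwd = company if pinned else switch_next_hop(f)   # LAN -> Internet
        if fwd != company:
            policy_drop += 1          # other company's VDOM: policy denies
            continue
        reply = Flow(f.dst, f.src, f.dport, f.sport)
        back = company if pinned else root_next_hop(reply)  # Internet -> LAN
        if back == fwd:
            ok += 1                   # session exists in this VDOM
        else:
            asym_drop += 1            # reply lands in a VDOM with no session
    return ok, policy_drop, asym_drop


def sample_flows(n=200):
    # Constructed HTTPS flows from company A clients to a few web servers.
    return [Flow(f"{COMPANY_A_SUBNET}{i % 250 + 1}", f"203.0.113.{i % 5 + 1}",
                 40000 + i, 443) for i in range(n)]
```

Run `simulate(sample_flows())` and `simulate(sample_flows(), pinned=True)` side by side: the pinned design passes every flow, while the ECMP design loses flows to policy on the forward path and to missing sessions on the return path.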

 

krusty

toshiesumi wrote:

I would simply split into two and no communication at those two org vdom level, just like you have two different FW devices for each. If you need them to share the same internet circuit, I would let "root" vdom terminate it and statically route toward those org vdoms over separate vdom links.

As long as you use different vlans for the two orgs on the LAN side and keep the GWs on the VDOM side, every inter-network traffic comes to the vdom, so no worry about any alternative paths. If org-to-org traffic needs to happen, they need to come to the root vdom and be routed to the other side.

The simplest is the best.

I know others would have different opinions though.

 

They will need org-to-org traffic but most of that can be done on the L3 switch. The primary objective is to give each company control over their internet access.

 

They are planning to have two internet connections, one for each company, but they are happy for me to implement ECMP routing or SD-WAN terminating on the root vdom for the time being.