{"id":282,"date":"2022-04-09T22:27:45","date_gmt":"2022-04-10T02:27:45","guid":{"rendered":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/inter-vdom-routing\/"},"modified":"2023-08-29T16:27:29","modified_gmt":"2023-08-29T20:27:29","slug":"inter-vdom-routing","status":"publish","type":"chapter","link":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/inter-vdom-routing\/","title":{"raw":"8.2 Inter-VDOM Routing","rendered":"8.2 Inter-VDOM Routing"},"content":{"raw":"
\n

Learning Objectives<\/p>\n\n<\/header>\n

\n
    \n \t
  • Configure a VDOM to pass traffic between VDOMs<\/li>\n \t
  • Configure an Inter-VDOM routing<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
    Scenario<\/strong>: Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual interfaces that connect VDOMs. A VDOM link contains a pair of interfaces, each one connected to a VDOM and forming either end of the inter-VDOM connection. We want to create a link between VDOM Sales and Accounting, then the traffic from WebTerm1 should be reached to WebTerm2.<\/div>\n\n[caption id=\"attachment_266\" align=\"alignnone\" width=\"906\"]\"Inter-VDOM Figure 8.19: Main scenario[\/caption]\n\n\n\n\n\n\n
    Table 8.2: Devices configuration<\/caption>\n
    Device<\/th>\nIP address<\/th>\nAccess<\/th>\n<\/tr>\n
    WebTerm1<\/td>\n192.168.1.2\/24<\/td>\n-<\/td>\n<\/tr>\n
    WebTerm2<\/td>\n172.16.1.2\/24<\/td>\n-<\/td>\n<\/tr>\n
    FortiGate<\/td>\nPort 1: DHCP Client\n\nPort 2: 172.16.1.1\/24\n\nPort 3: 192.168.1.1\/24<\/td>\nPort 1: https, ping<\/td>\n<\/tr>\n
    Cloud1<\/td>\n<\/td>\n-<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
      \n \t
    1. First, enable VDOMs in the firewall.\n
      \n\nFGVM01TM19008000 # config system global<\/em>\n\nFGVM01TM19008000 (global) # set vdom-mode multi-vdom<\/em>\n\nFGVM01TM19008000 (global) # end<\/em>\n\n<\/div><\/li>\n \t
    2. Create two VDOMs, Sales<\/strong> and Accounting.<\/strong>\n\n[caption id=\"attachment_268\" align=\"aligncenter\" width=\"450\"]\"Create Figure 8.20: Create a VDOM Sales[\/caption]\n\n[caption id=\"attachment_268\" align=\"aligncenter\" width=\"450\"]\"Create Figure 8.21: Create a VDOM Accounting[\/caption]<\/li>\n \t
    3. Configure IP addresses for the Interfaces Port2 and Port3. Assign port3 to Sales Vdom and port2 to Accounting Vdom.\n\n[caption id=\"attachment_271\" align=\"alignnone\" width=\"1145\"]\"port2 Figure 8.22: Port2 and Port3 IP address configuration[\/caption]\n\n[caption id=\"attachment_271\" align=\"alignnone\" width=\"1129\"]\"Port2 Figure 8.23: Port2 configuration[\/caption]\n\n[caption id=\"attachment_271\" align=\"alignnone\" width=\"1185\"]\"Port3 Figure 8.24: Port3 configuration[\/caption]<\/li>\n \t
    4. Go to Global VDOM<\/strong> > Network Interfaces<\/strong> > Create a new VDOM<\/strong> Link, and configure it as Figure 8.25:\n\n[caption id=\"attachment_272\" align=\"aligncenter\" width=\"1192\"]\"Create Figure 8.25: Create a VDOM link between Sales and Accounting[\/caption]<\/li>\n \t
    5. In Accounting VDOM, Create two static routes:\n
        \n \t
      • Destination: <\/strong>192.168.1.0\/255.255.255.0<\/li>\n \t
      • Interface:<\/strong> Accounting-Sales<\/li>\n \t
      • Gateway:<\/strong> 10.10.10.2<\/li>\n<\/ul>\n[caption id=\"attachment_274\" align=\"aligncenter\" width=\"400\"]\"Create Figure 8.26: Create a static route in Accounting VDOM[\/caption]\n
          \n \t
        • Destination: <\/strong>172.16.1.0\/255.255.255.0<\/li>\n \t
        • Interface:<\/strong> Accounting-Sales<\/li>\n \t
        • Gateway:<\/strong> 10.10.10.2<\/li>\n<\/ul>\n[caption id=\"attachment_274\" align=\"aligncenter\" width=\"400\"]\"Create Figure 8.27: Create a static route in Accounting VDOM[\/caption]<\/li>\n \t
        • In Accounting VDOM, Create two Firewall Policies:\n
            \n \t
          • Incoming:<\/strong> Port 2<\/li>\n \t
          • Outgoing:<\/strong> AS0<\/li>\n \t
          • NAT Disable<\/li>\n<\/ul>\n[caption id=\"attachment_276\" align=\"aligncenter\" width=\"400\"]\"Create Figure 8.28: Create a Firewall Policy in Accounting VDOM from Port2 to AS0[\/caption]\n\nIncoming:\n
              \n \t
            • Incoming:<\/strong> AS0<\/li>\n \t
            • Outgoing<\/strong>: Port2<\/li>\n \t
            • NAT Disable<\/li>\n<\/ul>\n[caption id=\"attachment_276\" align=\"aligncenter\" width=\"400\"]\"Create Figure 8.29: Create a Firewall Policy in Accounting VDOM from AS0 to Port2[\/caption]<\/li>\n \t
            • In Sales VDOM, Create two static routes:\n
                \n \t
              • Destination:<\/strong> 192.168.1.0\/255.255.255.0<\/li>\n \t
              • Interface:<\/strong> AS1<\/li>\n \t
              • Gateway:<\/strong> 10.10.10.1<\/li>\n<\/ul>\n[caption id=\"attachment_278\" align=\"aligncenter\" width=\"400\"]\"Create Figure 8.30: Create a static route in Sales VDOM[\/caption]\n
                  \n \t
                • Destination:<\/strong> 172.16.1.0\/255.255.255.0<\/li>\n \t
                • Interface:<\/strong> AS1<\/li>\n \t
                • Gateway:<\/strong> 10.10.10.1<\/li>\n<\/ul>\n[caption id=\"attachment_278\" align=\"aligncenter\" width=\"400\"]\"Create Figure 8.31: Create a static route in Sales VDOM[\/caption]<\/li>\n \t
                • In Sales VDOM, Create two Firewall Policies:\n
                    \n \t
                  • Incoming:<\/strong> Port3<\/li>\n \t
                  • Outgoing:<\/strong> AS1<\/li>\n \t
                  • NAT Disable<\/strong><\/li>\n<\/ul>\n[caption id=\"attachment_280\" align=\"aligncenter\" width=\"400\"]\"Create Figure 8.32: Create a Firewall Policy in Sales VDOM from Port3 to AS1[\/caption]\n
                      \n \t
                    • Incoming:<\/strong> AS1<\/li>\n \t
                    • Outgoing:<\/strong> Port3<\/li>\n \t
                    • NAT Disable<\/li>\n<\/ul>\n[caption id=\"attachment_280\" align=\"aligncenter\" width=\"400\"]\"Create Figure 8.33: Create a Firewall Policy in Sales VDOM from AS1 to Port3[\/caption]<\/li>\n \t
                    • Now, you should verify your configuration and should be able to ping from WebTerm1 to WebTerm2.\n\n[caption id=\"attachment_281\" align=\"aligncenter\" width=\"711\"]\"you Figure 8.34: Verify configuration[\/caption]\n\nTo delete a VDOM link in the CLI:\n
                      \n\nconfig system vdom-link<\/em>\n\ndelete <VDOM-LINK-Name><\/em>\n\nend<\/em>\n\n<\/div><\/li>\n<\/ol>","rendered":"
                      \n
                      \n

                      Learning Objectives<\/p>\n<\/header>\n

                      \n
                        \n
                      • Configure a VDOM to pass traffic between VDOMs<\/li>\n
                      • Configure an Inter-VDOM routing<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
                        Scenario<\/strong>: Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual interfaces that connect VDOMs. A VDOM link contains a pair of interfaces, each one connected to a VDOM and forming either end of the inter-VDOM connection. We want to create a link between VDOM Sales and Accounting, then the traffic from WebTerm1 should be reached to WebTerm2.<\/div>\n
                        \"Inter-VDOM
                        Figure 8.19: Main scenario<\/figcaption><\/figure>\n\n\n\n\n\n\n\n
                        Table 8.2: Devices configuration<\/caption>\n
                        Device<\/th>\nIP address<\/th>\nAccess<\/th>\n<\/tr>\n
                        WebTerm1<\/td>\n192.168.1.2\/24<\/td>\n–<\/td>\n<\/tr>\n
                        WebTerm2<\/td>\n172.16.1.2\/24<\/td>\n–<\/td>\n<\/tr>\n
                        FortiGate<\/td>\nPort 1: DHCP Client<\/p>\n

                        Port 2: 172.16.1.1\/24<\/p>\n

                        Port 3: 192.168.1.1\/24<\/td>\n

                        		Port 1: https, ping<\/td>\n<\/tr>\n
                        Cloud1<\/td>\n<\/td>\n–<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
                          \n
                        1. First, enable VDOMs in the firewall.\n
                          \n

                          FGVM01TM19008000 # config system global<\/em><\/p>\n

                          FGVM01TM19008000 (global) # set vdom-mode multi-vdom<\/em><\/p>\n

                          FGVM01TM19008000 (global) # end<\/em><\/p>\n<\/div>\n<\/li>\n

                        2. Create two VDOMs, Sales<\/strong> and Accounting.<\/strong>
                          \n
                          \"Create
                          Figure 8.20: Create a VDOM Sales<\/figcaption><\/figure>\n
                          \"Create
                          Figure 8.21: Create a VDOM Accounting<\/figcaption><\/figure>\n<\/li>\n
                        3. Configure IP addresses for the Interfaces Port2 and Port3. Assign port3 to Sales Vdom and port2 to Accounting Vdom.
                          \n
                          \"port2
                          Figure 8.22: Port2 and Port3 IP address configuration<\/figcaption><\/figure>\n
                          \"Port2
                          Figure 8.23: Port2 configuration<\/figcaption><\/figure>\n
                          \"Port3
                          Figure 8.24: Port3 configuration<\/figcaption><\/figure>\n<\/li>\n
                        4. Go to Global VDOM<\/strong> > Network Interfaces<\/strong> > Create a new VDOM<\/strong> Link, and configure it as Figure 8.25:
                          \n
                          \"Create
                          Figure 8.25: Create a VDOM link between Sales and Accounting<\/figcaption><\/figure>\n<\/li>\n
                        5. In Accounting VDOM, Create two static routes:\n
                            \n
                          • Destination: <\/strong>192.168.1.0\/255.255.255.0<\/li>\n
                          • Interface:<\/strong> Accounting-Sales<\/li>\n
                          • Gateway:<\/strong> 10.10.10.2<\/li>\n<\/ul>\n
                            \"Create
                            Figure 8.26: Create a static route in Accounting VDOM<\/figcaption><\/figure>\n
                              \n
                            • Destination: <\/strong>172.16.1.0\/255.255.255.0<\/li>\n
                            • Interface:<\/strong> Accounting-Sales<\/li>\n
                            • Gateway:<\/strong> 10.10.10.2<\/li>\n<\/ul>\n
                              \"Create
                              Figure 8.27: Create a static route in Accounting VDOM<\/figcaption><\/figure>\n<\/li>\n
                            • In Accounting VDOM, Create two Firewall Policies:\n
                                \n
                              • Incoming:<\/strong> Port 2<\/li>\n
                              • Outgoing:<\/strong> AS0<\/li>\n
                              • NAT Disable<\/li>\n<\/ul>\n
                                \"Create
                                Figure 8.28: Create a Firewall Policy in Accounting VDOM from Port2 to AS0<\/figcaption><\/figure>\n

                                Incoming:<\/p>\n

                                  \n
                                • Incoming:<\/strong> AS0<\/li>\n
                                • Outgoing<\/strong>: Port2<\/li>\n
                                • NAT Disable<\/li>\n<\/ul>\n
                                  \"Create
                                  Figure 8.29: Create a Firewall Policy in Accounting VDOM from AS0 to Port2<\/figcaption><\/figure>\n<\/li>\n
                                • In Sales VDOM, Create two static routes:\n
                                    \n
                                  • Destination:<\/strong> 192.168.1.0\/255.255.255.0<\/li>\n
                                  • Interface:<\/strong> AS1<\/li>\n
                                  • Gateway:<\/strong> 10.10.10.1<\/li>\n<\/ul>\n
                                    \"Create
                                    Figure 8.30: Create a static route in Sales VDOM<\/figcaption><\/figure>\n
                                      \n
                                    • Destination:<\/strong> 172.16.1.0\/255.255.255.0<\/li>\n
                                    • Interface:<\/strong> AS1<\/li>\n
                                    • Gateway:<\/strong> 10.10.10.1<\/li>\n<\/ul>\n
                                      \"Create
                                      Figure 8.31: Create a static route in Sales VDOM<\/figcaption><\/figure>\n<\/li>\n
                                    • In Sales VDOM, Create two Firewall Policies:\n
                                        \n
                                      • Incoming:<\/strong> Port3<\/li>\n
                                      • Outgoing:<\/strong> AS1<\/li>\n
                                      • NAT Disable<\/strong><\/li>\n<\/ul>\n
                                        \"Create
                                        Figure 8.32: Create a Firewall Policy in Sales VDOM from Port3 to AS1<\/figcaption><\/figure>\n
                                          \n
                                        • Incoming:<\/strong> AS1<\/li>\n
                                        • Outgoing:<\/strong> Port3<\/li>\n
                                        • NAT Disable<\/li>\n<\/ul>\n
                                          \"Create
                                          Figure 8.33: Create a Firewall Policy in Sales VDOM from AS1 to Port3<\/figcaption><\/figure>\n<\/li>\n
                                        • Now, you should verify your configuration and should be able to ping from WebTerm1 to WebTerm2.
                                          \n
                                          \"you
                                          Figure 8.34: Verify configuration<\/figcaption><\/figure>\n

                                          To delete a VDOM link in the CLI:<\/p>\n

                                          \n

                                          config system vdom-link<\/em><\/p>\n

                                          delete <VDOM-LINK-Name><\/em><\/p>\n

                                          end<\/em><\/p>\n<\/div>\n<\/li>\n<\/ol>\n","protected":false},"author":124,"menu_order":6,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-282","chapter","type-chapter","status-publish","hentry"],"part":245,"_links":{"self":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/users\/124"}],"version-history":[{"count":1,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/282\/revisions"}],"predecessor-version":[{"id":283,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/282\/revisions\/283"}],"part":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/parts\/245"}],"metadata":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/282\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/media?parent=282"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapter-type?post=282"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/contributor?post=282"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/license?post=282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}