01-11-2022 01:33 AM - last edited on 01-11-2022 02:54 PM by Translator
Dear Team,
Could you help me troubleshoot a scenario where I placed the internet-facing interface into the FVRF? The main aim is that all site connections must pass their traffic through the default route configured in the FVRF.
In the FVRF the default route to the Internet is set with "ip route vrf ISP 0.0.0.0 0.0.0.0 <Internet GW>", and the global routing table runs EIGRP named mode. To be frank, where I am stuck is that I am not able to get my clients to communicate with the FVRF, as it is configured in the VRF routing table. Everything works fine except the FVRF section.
If you want any further clarification on my lab, I am here to provide it. Please help me with how I can get my VLAN clients to communicate with the rest of the world!
01-11-2022 02:35 AM - edited 01-11-2022 02:41 AM
Hi there,
If I understand your problem correctly, you are trying to have devices which are routed in the default(?) VRF access an internet-bound interface which is routed in the 'ISP' VRF. Normally this topology is created for the purpose of securing devices, and as such, for any two devices located in different VRFs to communicate, their traffic must flow through a security device such as a firewall. This is as simple as placing a firewall interface in each VRF, configuring the firewall to redistribute routes between the VRFs to facilitate Layer 3 routing through it, and creating the relevant security policy.
If you don't have a firewall, you could also look at 'route leaking' between the VRFs using BGP.
Edit -
Having just seen that an FVRF is a 'front door VRF': typically these are used when you don't want other VRFs to be able to route via it in the clear. Instead you would use the FVRF as the routing table for a tunnel source interface, providing the other VRFs with a means to form tunnels without giving access to the underlay network. I wrote about it here:
https://cs7networks.co.uk/2017/12/21/tunnel-vrf/
From what you describe, why not just place the internet bound interface in the default VRF?
cheers,
Seb.
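The front-door VRF pattern described above (outside interface and tunnel transport in the FVRF, overlay and LAN in the global table), as an added IOS configuration example that is not part of this thread or of the linked blog post. Interface names, addresses, the ISP gateway, the EIGRP instance and the NHRP/tunnel identifiers are assumed placeholders:

```cisco
! Added example: DMVPN hub with the internet-facing interface in a front-door VRF (FVRF).
! Only the outside interface and the tunnel transport are looked up in VRF ISP; the tunnel
! itself, the LAN and EIGRP stay in the global routing table. Inside hosts therefore never
! need a route into the FVRF, and the Internet underlay stays unreachable from them.

vrf definition ISP
 address-family ipv4
 exit-address-family
!
! Outside interface: member of the FVRF, addressed from the ISP block (placeholder values).
interface GigabitEthernet0/0
 description Internet (FVRF ISP)
 vrf forwarding ISP
 ip address 203.0.113.2 255.255.255.252
!
! The default route lives in the FVRF only; the global table has no route to the Internet.
ip route vrf ISP 0.0.0.0 0.0.0.0 203.0.113.1
!
! Inside interface: global routing table.
interface GigabitEthernet0/1
 description LAN / VLAN clients (global)
 ip address 10.10.10.1 255.255.255.0
!
! mGRE tunnel addressed in the global table; "tunnel vrf ISP" makes the router resolve the
! tunnel destination (and send the encapsulated packets) using the FVRF routing table.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf ISP
!
! Overlay routing in the global table (EIGRP named mode, as in the question).
router eigrp CORP
 address-family ipv4 unicast autonomous-system 1
  network 10.10.10.0 0.0.0.255
  network 172.16.0.0 0.0.0.255
 exit-address-family
!
! Verification: the default route should appear only in the FVRF, not in the global table.
! show ip route vrf ISP 0.0.0.0
! show ip route 0.0.0.0
! show dmvpn
```

Note that "tunnel vrf" only changes where the GRE encapsulation is routed; it does not leak any route between the tables. Spoke-to-hub traffic rides the tunnel into the global table, so global clients at the hub reach remote sites without ever touching VRF ISP. Internet access for those same global clients is a separate decision: it still has to cross from the global table into the FVRF somewhere, which is where the firewall interface in each VRF (or, without a firewall, explicit route leaking) comes in.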
01-11-2022 04:01 AM
Hi Seb,
Hope you're doing well!
Thanks for your valuable information. I am just trying to upgrade all my devices to Cisco technology, especially DMVPN, to connect a number of locations. The Internet edge is a Fortigate firewall, and I have attached the topology which I am trying to implement in my workplace.
The reason why I am not running the default VRF is that any device connecting from a remote site should pass its traffic through the secured HO internet edge; the site offices run only routers, no firewalls.
The internet-facing interface is the only one in the FVRF and the rest of the interfaces are in the default VRF. Please have a look at my attached topology and enlighten me on how I can pass traffic from the default VRF clients to the Internet, which is reached via the FVRF???
01-11-2022 05:32 AM
Hi there,
I've no experience with Fortigate FWs so am not sure of their capabilities, but can it be virtualised to provide an additional context, which would give a separate routing table and security policy from the one used for the internet edge function? If so, then I would use that and configure the interfaces as described above, although you would need to configure OSPF to redistribute between the EIGRP processes.
It is worth noting that a security compliance check would probably flag you using the same Fortigate chassis for the two functions and would most likely request that the traffic flows between VRFs go via a dedicated device.
cheers,
Seb.
01-11-2022 10:35 AM
That sounds pretty interesting; let me try to route between the VRFs using the FG. Thanks for replying and giving valuable info.
Ciao