FortiGate
akamath
Staff
Article Id 195073

Description


This article describes how to configure VRF (virtual routing and forwarding) IDs directly on the interface from the GUI.

Scope


FortiGate versions 6.0 and 6.2 only support VRF configuration through the CLI; versions 6.4.2 and later add GUI support. In FortiOS 7.2.1, the number of VRFs per VDOM increased from 32 to 64 to support large SD-WAN, VPN, and BGP deployments. Up to 64 VRFs can be configured per VDOM on devices that support 200 VDOMs.

 

The VRF ID range has changed to 0 - 63, but this is applicable only for devices that are running FortiOS 7.2.1+.

Starting from FortiOS v7.2.4, the number of VRFs per VDOM has been increased to 252.

Solution

 

VRF IDs can be displayed in the routing monitor and can be used to create black hole static routes. 
VRF allows multiple routing table instances to co-exist on the same router. 
One or more interfaces have a VRF, and packets are only forwarded between interfaces with the same VRF. 
 
Enable Advanced Routing in  System -> Feature Visibility  to use this feature. 
 
Configure a VRF ID from the GUI:

 

  1. Configure the interface: 
     
    Go to  Network -> Interfaces, and select 'Create New Interface'. 
    Enter a value in the VRF ID field. 
    Configure the other settings as needed. 
    Select 'OK'.

  2. Add a blackhole static route using the VRF ID. 
    Go to  Network -> Static Routes  and select 'Create New'. 
    Enter the subnet. 
    In the Interface field, select 'Blackhole'. 
    In the VRF ID field, enter the ID created in step 1. 
    Select 'OK'. 

 


 

Configure a VRF ID from the CLI:

 

  1. Configure the interface. 

 

    config system interface
        edit test_interface
        ...
            set vrf 14
        next
    end

 

  2. Add a blackhole static route using the VRF ID.

    config router static
        edit 3
            set dst 8.8.8.8 255.255.255.255
            set blackhole enable
            set vrf 14
        next
    end

      

Static routes that use 'test_interface' do not need VRF 14 assigned in the static route configuration.

All routes relating to interface 'test_interface' are automatically isolated to the VRF 14 routing table.

However, to create blackhole static routes in VRF 14, it is necessary to set VRF 14 explicitly in the static route configuration, because a blackhole route is never bound to any interface.
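
The rule above can be checked offline against a configuration backup. The following is an added example, not part of the original article or Fortinet tooling: the helper names `parse_section` and `route_vrfs` are hypothetical, the sample configuration is constructed, and the script assumes that a route or interface without `set vrf` belongs to VRF 0.

```python
# Constructed sample in FortiOS backup syntax; not taken from a real device.
SAMPLE = """\
config system interface
    edit "test_interface"
        set vrf 14
    next
end
config router static
    edit 3
        set dst 8.8.8.8 255.255.255.255
        set blackhole enable
        set vrf 14
    next
    edit 4
        set dst 198.51.100.7 255.255.255.255
        set blackhole enable
    next
    edit 5
        set dst 203.0.113.0 255.255.255.0
        set device "test_interface"
    next
end
"""

def parse_section(config, header):
    """Return {entry: {key: value}} for one top-level 'config <header>' block."""
    entries, current, depth = {}, None, 0
    _, _, body = config.partition("config " + header + "\n")
    for line in map(str.strip, body.splitlines()):
        if line.startswith("config "):
            depth += 1              # nested sub-table inside an entry: skip it
        elif line == "end":
            if depth == 0:
                break               # end of the section itself
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif depth == 0 and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return entries

def route_vrfs(config):
    """Map each static route id to the VRF it lands in; bound routes inherit the interface's VRF."""
    ifaces = parse_section(config, "system interface")
    routes = parse_section(config, "router static")
    # A blackhole has no interface, so only an explicit 'set vrf' moves it out of VRF 0.
    return {rid: int((ifaces.get(r["device"], {}) if "device" in r else r).get("vrf", 0))
            for rid, r in routes.items()}
```

In the sample, route 4 is a blackhole without `set vrf`, so it resolves to VRF 0 and does not drop traffic that is routed in VRF 14; routes 3 and 5 both resolve to VRF 14.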

 

Command to check the routing tables of all VRFs: 

 

get router info routing-table all 

  

Command to check specific VRF routing table: 


get router info routing-table all vrf <VRF_ID> 

get router info routing-table all vrf 14 

get router info routing-table all vrf 0 

 

Command to check specific VRF routing table database: 

 

get router info routing-table database vrf <VRF_ID> 

get router info routing-table database vrf 14 

get router info routing-table database vrf 0 

 

Likewise, if OSPF is configured on an interface in a VRF, verify the OSPF routes for that VRF using: 

 

get router info routing-table ospf vrf <VRF_ID> 

 

Related document:

Virtual routing and forwarding