Fortinet white logo
Fortinet white logo

Administration Guide

VRF with IPv6

VRF with IPv6

IPv6 routes support VRF. Static, connected, OSPF, and BGP routes can be isolated in different VRFs. BGP IPv6 routes can be leaked from one VRF to another.

config router bgp
    config vrf6
        edit <origin vrf-id>
            config leak-target
                edit <target vrf-id>
                    set route-map <route-map>
                    set interface <interface>
                next
            end
        next
    end
end

The origin or target VRF ID is an integer value from 0 - 31.

config router static6
    edit <id>
        set vrf <vrf-id>
    next
end

Using a VRF leak on BGP

In this example, the route 2000:5:5:5::/64 learned from Router 1 is leaked to VRF 20 through the interface vlan552. Conversely, the route 2009:3:3:3::/64 learned from Router 2 is leaked to VRF 10 through interface vlan55.

To configure VRF leaking in BGP:
  1. Configure the BGP neighbors:

    config router bgp
        set as 65412
        config neighbor
            edit "2000:10:100:1::1"
                set activate disable
                set remote-as 20
                set update-source "R150"
            next
            edit "2000:10:100:1::5"
                set activate disable
                set soft-reconfiguration enable
                set interface "R160"
                set remote-as 20
            next
        end
    end
  2. Configure the VLAN interfaces:

    config system interface
        edit "vlan55"
            set vdom "root"
            set vrf 10
            set ip 55.1.1.1 255.255.255.0
            set device-identification enable
            set role lan
            set snmp-index 51
            config ipv6
                set ip6-address 2000:55::1/64
            end
            set interface "npu0_vlink0"
            set vlanid 55
        next
        edit "vlan552"
            set vdom "root"
            set vrf 20
            set ip 55.1.1.2 255.255.255.0
            set device-identification enable
            set role lan
            set snmp-index 53
            config ipv6
                set ip6-address 2000:55::2/64
            end
            set interface "npu0_vlink1"
            set vlanid 55
        next
    end
  3. Configure the IPv6 prefixes:

    config router prefix-list6
        edit "1"
            config rule
                edit 1
                    set prefix6 2000:5:5:5::/64
                    unset ge
                    unset le
                next
            end
        next
        edit "2"
            config rule
                edit 1
                    set prefix6 2009:3:3:3::/64
                    unset ge
                    unset le
                next
            end
        next
    end
  4. Configure the route maps:

    config router route-map
        edit "from106"
            config rule
                edit 1
                    set match-ip6-address "1"
                next
            end
        next
        edit "from206"
            config rule
                edit 1
                    set match-ip6-address "2"
                next
            end
        next
    end
  5. Configure the IPv6 route leaking (leak route 2000:5:5:5::/64 learned from Router 1 to VRF 20, then leak route 2009:3:3:3::/64 learned from Router 2 to VRF 10):

    config router bgp
        config vrf6
            edit "10"
                config leak-target
                    edit "20"
                        set route-map "from106"
                        set interface "vlan55"
                    next
                end
            next
            edit "20"
                config leak-target
                    edit "10"
                        set route-map "from206"
                        set interface "vlan552"
                    next
                end
            next
        end
    end
To verify the VRF leaking:
  1. Check the routing table before the leak:

    # get router info6 routing-table bgp
    Routing table for VRF=10
    B       2000:5:5:5::/64 [20/0] via fe00::2000:0000:0000:00, R150, 00:19:45
    
    Routing table for VRF=20
    B       2008:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:18:49
    B       2009:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:18:49
  2. Check the routing table after the leak:

    # get router info6 routing-table bgp
    Routing table for VRF=10
    B       2000:5:5:5::/64 [20/0] via fe00::2000:0000:0000:0, R150, 00:25:45
    B       2009:3:3:3::/64 [20/0] via fe80::10:0000:0000:4245, vlan55, 00:00:17
    
    Routing table for VRF=20
    B       2000:5:5:5::/64 [20/0] via fe80::10:0000:0000:4244, vlan552, 00:00:16
    B       2008:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:24:49
    B       2009:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:24:49

Using VRF on a static route

In this example, a VRF is defined on static route 22 so that it will only appear in the VRF 20 routing table.

To configure the VRF on the static route:
config router static6
    edit 22
        set dst 2010:2:2:2::/64
        set blackhole enable
        set vrf 20
    next
end

VRF with IPv6

VRF with IPv6

IPv6 routes support VRF. Static, connected, OSPF, and BGP routes can be isolated in different VRFs. BGP IPv6 routes can be leaked from one VRF to another.

config router bgp
    config vrf6
        edit <origin vrf-id>
            config leak-target
                edit <target vrf-id>
                    set route-map <route-map>
                    set interface <interface>
                next
            end
        next
    end
end

The origin or target VRF ID is an integer value from 0 - 31.

config router static6
    edit <id>
        set vrf <vrf-id>
    next
end

Using a VRF leak on BGP

In this example, the route 2000:5:5:5::/64 learned from Router 1 is leaked to VRF 20 through the interface vlan552. Conversely, the route 2009:3:3:3::/64 learned from Router 2 is leaked to VRF 10 through interface vlan55.

To configure VRF leaking in BGP:
  1. Configure the BGP neighbors:

    config router bgp
        set as 65412
        config neighbor
            edit "2000:10:100:1::1"
                set activate disable
                set remote-as 20
                set update-source "R150"
            next
            edit "2000:10:100:1::5"
                set activate disable
                set soft-reconfiguration enable
                set interface "R160"
                set remote-as 20
            next
        end
    end
  2. Configure the VLAN interfaces:

    config system interface
        edit "vlan55"
            set vdom "root"
            set vrf 10
            set ip 55.1.1.1 255.255.255.0
            set device-identification enable
            set role lan
            set snmp-index 51
            config ipv6
                set ip6-address 2000:55::1/64
            end
            set interface "npu0_vlink0"
            set vlanid 55
        next
        edit "vlan552"
            set vdom "root"
            set vrf 20
            set ip 55.1.1.2 255.255.255.0
            set device-identification enable
            set role lan
            set snmp-index 53
            config ipv6
                set ip6-address 2000:55::2/64
            end
            set interface "npu0_vlink1"
            set vlanid 55
        next
    end
  3. Configure the IPv6 prefixes:

    config router prefix-list6
        edit "1"
            config rule
                edit 1
                    set prefix6 2000:5:5:5::/64
                    unset ge
                    unset le
                next
            end
        next
        edit "2"
            config rule
                edit 1
                    set prefix6 2009:3:3:3::/64
                    unset ge
                    unset le
                next
            end
        next
    end
  4. Configure the route maps:

    config router route-map
        edit "from106"
            config rule
                edit 1
                    set match-ip6-address "1"
                next
            end
        next
        edit "from206"
            config rule
                edit 1
                    set match-ip6-address "2"
                next
            end
        next
    end
  5. Configure the IPv6 route leaking (leak route 2000:5:5:5::/64 learned from Router 1 to VRF 20, then leak route 2009:3:3:3::/64 learned from Router 2 to VRF 10):

    config router bgp
        config vrf6
            edit "10"
                config leak-target
                    edit "20"
                        set route-map "from106"
                        set interface "vlan55"
                    next
                end
            next
            edit "20"
                config leak-target
                    edit "10"
                        set route-map "from206"
                        set interface "vlan552"
                    next
                end
            next
        end
    end
To verify the VRF leaking:
  1. Check the routing table before the leak:

    # get router info6 routing-table bgp
    Routing table for VRF=10
    B       2000:5:5:5::/64 [20/0] via fe00::2000:0000:0000:00, R150, 00:19:45
    
    Routing table for VRF=20
    B       2008:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:18:49
    B       2009:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:18:49
  2. Check the routing table after the leak:

    # get router info6 routing-table bgp
    Routing table for VRF=10
    B       2000:5:5:5::/64 [20/0] via fe00::2000:0000:0000:0, R150, 00:25:45
    B       2009:3:3:3::/64 [20/0] via fe80::10:0000:0000:4245, vlan55, 00:00:17
    
    Routing table for VRF=20
    B       2000:5:5:5::/64 [20/0] via fe80::10:0000:0000:4244, vlan552, 00:00:16
    B       2008:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:24:49
    B       2009:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:24:49

Using VRF on a static route

In this example, a VRF is defined on static route 22 so that it will only appear in the VRF 20 routing table.

To configure the VRF on the static route:
config router static6
    edit 22
        set dst 2010:2:2:2::/64
        set blackhole enable
        set vrf 20
    next
end