How to Route to a Distant Server through Virtual Routers

In virtual routing, you can create multiple virtual routers to maintain separate routing tables for groups of interfaces, thereby achieving network separation. In some scenarios, you may need to access a server that is reachable only through a separate virtual router. This example provides the procedure for interconnecting virtual routers to reach a host that is multiple hops away.

Consider an example where a member of the sales department of a garment company wants to look up the stock maintained by the warehousing department of its factory unit. In a virtual routing environment, you need to leak a route between virtual routers when the destination (warehousing department) is multiple hops away from the sales department. You do this by adding a multihop route leak: you configure a static route in the Sales virtual router (source) to an interface in the Warehouse virtual router (destination). Because the destination network is multiple hops away, you also need to configure the Warehouse virtual router with the route to the destination network, namely 10.50.0.0/24.

Interconnecting Two Virtual Routers - An Example

Before you begin

This example assumes that you have already configured Sales_Router1 to route traffic from the 10.20.0.1/30 interface to 10.50.0.5/24.

Procedure


Step 1

Configure the inside interface (Gi0/1) of the device that is to be assigned to the Sales virtual router:

  1. Choose Devices > Device Management > Interfaces.

  2. Edit the Gi0/1 interface:

    • Name—For this example, VR-Sales.

    • Select the Enabled checkbox.

    • In IPV4, for IP Type, choose Use Static IP.

    • IP Address—Enter 10.30.0.1/24.

  3. Click Ok.

  4. Click Save.

Step 2

Configure the inside interface (Gi0/2) of the device that is to be assigned to the Warehouse virtual router:

  1. Choose Devices > Device Management > Interfaces.

  2. Edit the Gi0/2 interface:

    • Name—For this example, VR-Warehouse.

    • Select the Enabled checkbox.

    • In IPV4, for IP Type, choose Use Static IP.

    • IP Address—Leave it blank. The system does not allow you to configure interfaces with the same IP address (10.30.0.1/24), because you have not yet created the user-defined virtual routers.

  3. Click Ok.

  4. Click Save.

Step 3

Create Sales and Warehouse virtual routers and assign their interfaces:

  1. Choose Devices > Device Management, and edit the threat defense device.

  2. Choose Routing > Manage Virtual Routers.

  3. Click Add Virtual Router and create Sales.

  4. Click Add Virtual Router and create Warehouse.

  5. Select Sales from the virtual router drop-down. In Virtual Router Properties, add VR-Sales as Selected Interface and save.

  6. Select Warehouse from the virtual router drop-down. In Virtual Router Properties, add VR-Warehouse as Selected Interface and save.

Step 4

Revisit the VR-Warehouse interface configuration:

  1. Choose Devices > Device Management > Interfaces.

  2. Click Edit against the VR-Warehouse interface. Specify the IP Address as 10.30.0.1/24. The system now allows you to configure the same IP address as VR-Sales, because the interfaces are separately assigned to two different virtual routers.

  3. Click Ok.

  4. Click Save.

Step 5

Create network objects for the warehouse server—10.50.0.0/24, and for the warehouse gateway—10.40.0.2/30:

  1. Choose Object > Object Management.

  2. Choose Add Network > Add Object:

    • Name—For this example, Warehouse-Server.

    • Network—Click Network and enter 10.50.0.0/24.

  3. Click Save.

  4. Choose Add Network > Add Object:

    • Name—For this example, Warehouse-Gateway.

    • Network—Click Host and enter 10.40.0.2.

  5. Click Save.

Step 6

Define the route leak in Sales that points to the VR-Warehouse interface:

  1. Choose Devices > Device Management, and edit the threat defense device.

  2. Choose Routing.

  3. Choose the Sales virtual router from the drop-down, and then click Static Route.

  4. Click Add Route. In Add Static Route Configuration, specify the following:

    • Interface—Select VR-Warehouse.

    • Network—Select the Warehouse-Server object.

    • Gateway—Leave it blank. When leaking a route into another virtual router, do not select the gateway.

  5. Click Ok.

  6. Click Save.

Step 7

In the Warehouse virtual router, define the route that points to the Warehouse Router 2 gateway:

  1. Choose the Warehouse virtual router from the drop-down, and then click Static Route.

  2. Click Add Route. In Add Static Route Configuration, specify the following:

    • Interface—Select VR-Warehouse.

    • Network—Select the Warehouse-Server object.

    • Gateway—Select the Warehouse-Gateway object.

  3. Click Ok.

  4. Click Save.
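
The following Python sketch is an added illustration, not part of the product or of this procedure's configuration. It models the static routes from Steps 6 and 7 as constructed tables, shows how a lookup that starts in Sales follows the leak into Warehouse, and audits leaked routes. The table layout, the function names (best_route, resolve, audit_leaks) and the /24 breadth threshold are assumptions made for the example.

```python
import ipaddress

# Constructed model of the static routes from Steps 6 and 7.
# Route = (destination network, egress interface, gateway or None).
TABLES = {
    "Sales": [("10.50.0.0/24", "VR-Warehouse", None)],              # Step 6: leak
    "Warehouse": [("10.50.0.0/24", "VR-Warehouse", "10.40.0.2")],   # Step 7
}
INTERFACE_VR = {"VR-Sales": "Sales", "VR-Warehouse": "Warehouse"}   # Step 3

def best_route(vr, dst, tables=TABLES):
    """Longest-prefix match for dst in one virtual router's table."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in tables.get(vr, []) if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def resolve(vr, dst, tables=TABLES, max_hops=4):
    """Follow leaks across virtual routers; return hops or None if unroutable."""
    path = []
    for _ in range(max_hops):
        route = best_route(vr, dst, tables)
        if route is None:
            return None                      # no route in this virtual router
        _, iface, gateway = route
        path.append((vr, iface, gateway))
        owner = INTERFACE_VR[iface]
        if gateway is not None or owner == vr:
            return path                      # next hop known, or connected
        vr = owner                           # leak: continue lookup in owner VR
    return None                              # leak loop

def audit_leaks(tables=TABLES, min_prefixlen=24):
    """Return (vr, network, target_vr, issues) for every leaked route."""
    findings = []
    for vr, routes in tables.items():
        for net, iface, gateway in routes:
            target = INTERFACE_VR[iface]
            if target == vr:
                continue                     # ordinary route, not a leak
            network = ipaddress.ip_network(net)
            issues = []
            if network.prefixlen < min_prefixlen:
                issues.append("broad")       # wider than the assumed /24 limit
            if gateway is not None:
                issues.append("gateway-set") # Step 6: leave gateway blank
            if resolve(vr, str(network.network_address), tables) is None:
                issues.append("no-onward-route")  # Step 7 missing
            findings.append((vr, net, target, issues))
    return findings
```
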

Step 8

Configure an access control rule that allows access to the warehouse server. To create the access control rule, you first need to create security zones. Choose Object > Object Management > Interface. Choose Add > Security Zone and create security zones for VR-Sales and VR-Warehouse; for the Warehouse-Server network object, create a Warehouse-Server interface group (choose Add > Interface Group).

Step 9

Choose Policies > Access Control and configure an access control rule to allow traffic from the source interfaces in the Sales virtual router to the destination interfaces in the Warehouse virtual router for the destination Warehouse-Server network object.

For example, if the interfaces in Sales are in the Sales-Zone security zone, and those in Warehouse are in the Warehouse-Zone security zone, the access control rule would look similar to the following: