Connecting Multiple vDOMs to the same VLAN
(2018-02-26)
Problem
I have more vDOMs to connect to a VLAN than I have physical interfaces. (The easy way to glue vDOMs together on the same VLAN is to tag up different physical ports with the same VLAN, associated with different vDOMs. This doesn't scale.)
Solution, one VLAN
Let's say I have three vDOMs that need access to a given VLAN: root, E1, and E2.
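Create a new vDOM in transparent mode; we'll call it "Aggregate":
config vdom
edit Aggregate
# opmode and manageip are set under "config system settings" inside the vDOM
config system settings
set opmode transparent
set manageip 10.0.0.250 255.255.255.255
end
end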
Next create the vdom-link interfaces:
conf global
conf system vdom-link
edit root
set type ethernet
next
edit E1
set type ethernet
next
edit E2
set type ethernet
end
When you create a vdom-link, it automatically creates two interfaces, ${NAME}0 and ${NAME}1. Each end of each vdom-link needs to be connected to a vDOM. In this case we are putting IP addresses on each edge vDOM's side of the link, as these addresses will be visible on the VLAN.
(still in "global" mode)
config system interface
# vdom-link "root" creates root0 and root1; root0 is the Aggregate side
edit "root0"
set vdom "Aggregate"
next
# root side; each vDOM needs its own address on the VLAN (10.0.0.2 is used by E2 below)
edit "root1"
set vdom "root"
set ip 10.0.0.3 255.255.255.0
next
edit "E10"
set vdom "Aggregate"
next
edit "E11"
set vdom "E1"
set ip 10.0.0.1 255.255.255.0
set allowaccess ping
next
edit "E20"
set vdom "Aggregate"
next
edit "E21"
set vdom "E2"
set ip 10.0.0.2 255.255.255.0
set allowaccess ping
next
end
You also have to attach a physical interface so that external devices on the VLAN can see the vDOMs:
config system interface
edit internal3
set vdom Aggregate
next
end
I then created a single Zone in the Aggregate vDOM and attached all the Aggregate interfaces to it, clearing the "Block intra-zone traffic" check box -- that should permit traffic to flow across all interfaces. If you need different control you can create zones/policies as desired.
config vdom
edit Aggregate
config system zone
edit "Aggregate"
set intrazone allow
set interface "E10" "E20" "internal3" "root0"
next
end
end
end
Now connect (in this case) internal3 to a switch port untagged on the appropriate VLAN and you are good to go.
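For the "different control" case mentioned above, the following is an added example (not part of the original post) in which the vDOMs can reach devices on the physical VLAN but not each other through the Aggregate vDOM. The zone names "Edge" and "Wire" and the policy IDs are assumptions, and root0 follows the ${NAME}0 naming rule for the "root" vdom-link.

```fortios
# Added example: use instead of the single "Aggregate" zone
# (an interface can belong to only one zone).
# Zone names and policy IDs are assumptions.
config vdom
edit Aggregate
config system zone
# vdom-link ends facing root, E1 and E2; intra-zone traffic is blocked,
# so these members cannot reach each other through this vDOM
edit "Edge"
set intrazone deny
set interface "root0" "E10" "E20"
next
# physical port facing the switch
edit "Wire"
set interface "internal3"
next
end
config firewall policy
# vDOMs -> external devices on the VLAN
edit 1
set srcintf "Edge"
set dstintf "Wire"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
# external devices on the VLAN -> vDOMs
edit 2
set srcintf "Wire"
set dstintf "Edge"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
end
```

Narrowing srcaddr, dstaddr and service in the two policies restricts what crosses the Aggregate vDOM further; anything without a matching policy is dropped by the implicit deny.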
Problem
With this solution, you have to burn a vDOM in transparent mode for each VLAN that you need to glue together for a bunch of other vDOMs.