start > FortiOS > 5.4 > Connecting Multiple vDOMs to the same VLAN

Connecting Multiple vDOMs to the same VLAN

Created by dave. Last edited by dave, 6 years and 22 days ago. Viewed 3,910 times. #8
(2018-02-26)

Problem

I have more vDOMs to connect to a VLAN than I have physical interfaces. (The easy way to glue vDOMs together on the same VLAN is to tag up different physical ports with the same VLAN, associated with different vDOMs. This doesn't scale.)

Solution, one VLAN

Let's say I have three vDOMs that need access to a given VLAN: root, E1, and E2.

Create a new vDOM in transparent mode, we'll call it "Aggregate" (opmode and the management address live under system settings inside the vDOM):

config vdom
    edit Aggregate
        config system settings
            set opmode transparent
            set manageip 10.0.0.250 255.255.255.255
        end
    next
end

Next create the vdom-link interfaces (the link names are chosen so that the generated interfaces match the ones used below: root1 gives root10/root11, E1 gives E10/E11, E2 gives E20/E21):

config global
    config system vdom-link
        edit root1
            set type ethernet
        next
        edit E1
            set type ethernet
        next
        edit E2
            set type ethernet
        next
    end

When you create a vdom-link, FortiOS automatically creates two interfaces, ${NAME}0 and ${NAME}1 (so the link named E1 gives you E10 and E11). Each end of the link then has to be assigned to a vDOM: one end to Aggregate, the other to the edge vDOM. In this case we put an IP address on each edge vDOM's end of the link, since that is the address that will be visible on the VLAN; each of those addresses has to be unique on the shared subnet.

(still in "global" mode)

config system interface
    edit "root10"
        set vdom "Aggregate"
    next
    edit "root11"
        set vdom "root"
        set ip 10.0.0.3 255.255.255.0
    next
    edit "E10"
        set vdom "Aggregate"
    next
    edit "E11"
        set vdom "E1"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping
    next
    edit "E20"
        set vdom "Aggregate"
    next
    edit "E21"
        set vdom "E2"
        set ip 10.0.0.2 255.255.255.0
        set allowaccess ping
    next
end

You also have to attach a physical interface (still in "global" mode) so that external devices on the VLAN can see the vDOMs; the final end drops back out of global:

config system interface
    edit internal3
        set vdom Aggregate
    next
end
end

I then created a single zone in the Aggregate vDOM, attached all of the Aggregate interfaces to it and cleared the "Block intra-zone traffic" check box; that should permit traffic to flow freely between all of those interfaces, and therefore between every vDOM on the link and the physical VLAN. If you need finer control you can create separate zones and policies as desired.

config vdom
    edit Aggregate
        config system zone
            edit "Aggregate"
                set intrazone allow
                set interface "E10" "E20" "internal3" "root10"
            next
        end
    next
end

Now connect (in this case) internal3 to a switch port untagged on the appropriate VLAN and you are good to go.
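As an added check that is not part of the original page, here is a small Python script that parses interface and zone blocks in the form shown above and flags the two mistakes that are easiest to make with this pattern: an Aggregate-side link end left out of the zone (which silently cuts that vDOM off from the VLAN) and two link ends given the same address on the shared subnet. The sample configuration is constructed, and the function names parse and audit are my own.

```python
import shlex
# Constructed sample (not a device export): root11/E11 deliberately collide, root10 is not in the zone.
SAMPLE = """\
config system interface
    edit "root10"
        set vdom "Aggregate"
    next
    edit "root11"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
    next
    edit "E10"
        set vdom "Aggregate"
    next
    edit "E11"
        set vdom "E1"
        set ip 10.0.0.1 255.255.255.0
    next
end
config system zone
    edit "Aggregate"
        set interface "E10"
    next
end
"""
def parse(text):
    """Map (section, entry name) -> {setting: values} for a flat config dump."""
    entries, section, cur = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "edit":
            cur = entries.setdefault((section, tok[1]), {})
        elif tok[0] == "set" and cur is not None:
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            cur = None
    return entries
def audit(entries, aggregate="Aggregate", zone="Aggregate"):
    """Flag Aggregate-side interfaces missing from the zone and colliding link-end IPs."""
    ifaces = {n: c for (s, n), c in entries.items() if s == "system interface"}
    members = set(entries.get(("system zone", zone), {}).get("interface", []))
    by_ip, findings = {}, []
    for name, cfg in ifaces.items():
        if cfg.get("vdom") == [aggregate] and name not in members:
            findings.append(f"{name}: in {aggregate} but not in zone {zone}")
        if "ip" in cfg:
            by_ip.setdefault(cfg["ip"][0], []).append(name)
    findings += [f"{ip}: shared by {', '.join(sorted(n))}" for ip, n in by_ip.items() if len(n) > 1]
    return sorted(findings)
```

Run it against a `show system interface` and `show system zone` dump taken from the global and Aggregate contexts; an empty list means every Aggregate-side end is in the zone and no link addresses collide.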

Problem

With this solution, you have to burn a vDOM in transparent mode for each VLAN that you need to glue together for a bunch of other vDOMs.
