How not to need all those dedicated interfaces per VDOMS?

Forum|Forum|1 year ago
September 13, 2024
2 replies
1588 views

Hello all. I have for long time thinking about how i can remove the bundles of dedicated interfaces per VDOM and relying only on vdom-link to go and come from other VDOMS and a single or dual 10/25G interface to go to DC and internet for all VDOMs.

My structure is as follow:

2x FGT 600F in HA.

VPN VDOM 1: 2 UTP cables (interfaces) in LAG

Server VDOM 2: 4 UTP cables (interfaces) in LAG

User VDOM 3: 4 UTP cables (interfaces) in LAG

MPLS VDOM 4: 2 UTP cables (interfaces) in LAG

I have a BGP /24 ASN running on a pair of Mikrotik, and it is broken with /27 and /26 pointing via routes to VDOMs.

Each VDOM has a dedicated VLAN transit to my DC network and each of them receives my "internet VLAN from my Mikrotik" so every vdom has a public IP address on an vlan interface (same vlan id on all vdoms and on the Mikrotic so the internet gateway of every vdom is reachable from another) (outgoing internet policies are natted with this IP). My future goal is to have a single transit into my DC network and to the Mikrotik, lets say stablished on the server vdom with VLANs/routes pointing to and from. But i don't want to have to unifi DC and internet policies into a single sdwan interface. I still want to receive the internet VLAN on each VDOM but using the v-link. Is it possible? Imagine if i have 25 VDOMs, i would have to have 25 diferent interfaces, one to each VDOM. I want to remove all the cables used to receive the VLANs on the VDOMS and work only with vdom-links. Can it be done?

FortiGate

GLOBALAuthor

Visitor III

This is my relevant topology first physical and then logical.

topologia fisica.png topologia logica.png

funkylicious

SuperUser

Hi,

Any particular reason why you have a different vdom for each use case? But yes, you can achieve what you would desire but it would be a lot of work to be done reconfiguring all of this.

It seems to me that disabling multi-vdom would actually benefit you in this scenario.

As for 25 VDOMs, that would be not possible since it supports max 10 vdoms.

"jack of all trades, master of none"

GLOBALAuthor

Visitor III

Hi funkylicious, we have many reasons to use multi-vdom. For starters we have diferent access profiles for different operational teams, my first-tier responders analysts have access to the VPN VDOM. Second-tier analyst have access to the user vdom as well. The last tier has full access. This way i won't have someone that does not have the proper knowledge or clearence blocking my tax server from connecting somewhere it needs to. And if i have tennants, they that would dislike their network beign breached because a nuthead thought is would be wise to add a all to all rule. Even with 10 VDOMS all having backup cables (2x1Gb LAG) i will soon reach a point where i would need more troughput. My goal is to be able to give "unlimited" troughput to all my VDOMS as long as the NPU can handle or the unit has ports available. The 25 VDOMS was just a jest to get my point across. Alas i already found out i can get it to work using a combination of vdom-links and enhanced mac vlans and would not need that much work. Thanks to your reply thou, appreciate the help given.

Toshi_Esumi

SuperUser

Make sure you use npu-vlink instead of regular vdom-link to maximize the peromance.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded