Skip to main content
Marek
Marek
New Member
September 4, 2017
Question

Two Vdoms on one 802.1q port - is it possible?

  • September 4, 2017
  • 2 replies
  • 8647 views

Hi

 

Im rookie in networking so im asking here for help (please understand)

I have two FG600D in A-A cluster

i need to build network which contains 2 or more vdoms.

My L3 network should look like:

 

and my L2 network look like:

What i need to do is:

- Create 2 Vdoms with network policy between those Vdoms managed from root vdom (for ex. from vlan1 to vlan 11 allow ssh)

- share internet connection between those vdoms

- place whole that network traffic on a single wire

 

What i have

- BGP session established on virtual router on L3 switch (dedicated vlan like "WAN" port for BGP)

- from the same L3 switch i have uplinks to access switches for LAN (users) and DMZ (servers)

 

Why i need to do it like that?

- i have two server rooms seperatet geographically and i want to do that:

 

Every FG600 Has two sfp+ ports which i would like to use to communicate FG's with L3 (orange links) and use them as one single LAG for all and every VDOM ill build - in that case for 2

 

How Can i do that?

 

Regards

Marek

 

 

    2 replies

    oheigl
    oheigl
    New Member
    September 4, 2017

    You need to create the LAG interface for example in the root VDOM. After that, create the VLAN interfaces and put them in the VDOMs LAN and DMZ according to your plan. I have never created the LAG interface in one VDOM and used the "sub interfaces" in other VDOMs, but according to the handbook it should work just fine:

    A VLAN subinterface can belong to a different VDOM than the physical interface it is part of. This is because the traffic on the VLAN is handled separately from the other traffic on that interface.

    Between the VDOMs just create inter VDOM links, and you are good to go

    Agent_1994
    Agent_1994
    New Member
    September 4, 2017

    I did something similar at a customer's: they had a link aggregation to an uplink switch (let's just call it "uplink") and there were several vlan interfaces on that uplink, some of the interfaces went to a vdom, and some to other vdom. 

     

    All i did is create the uplink on the root/global vdom, create the vlan sub-interfaces and assign them from the global config.

     

    HTH.

    Marek
    MarekAuthor
    New Member
    September 4, 2017

    ok i did that... but what when i need to add other VDOM with possibility of management to "prof_admin" 

    for example:

    Vdom lan - pro admin X

    Vdom dmz - pro admin Y

    Vdom internal dmz -pro admin Z

     

    all those vdoms also have their own vpn (ipsec site to site and ssl vpn) which i need to migrate from old FG600 configuration?

     

    oheigl
    oheigl
    New Member
    September 5, 2017

    You are able to create an admin user just for one VDOM, that's fine.

    Regarding the VPNs - Is it possible to also tag the ISP/Internet multiple times to the LAG? I would make one VLAN for every VDOM, so they have their one public addresses. Otherwise you'd need to NAT through the VDOM link, that's a little bit more complicated

    Terms & ConditionsAccessibility statement