Contributor
January 7, 2010
Question

VDOMs and shared interfaces?

Hi All, I'm new to the Fortinet boxes and to this forum... I've been reading the documentation, but can't quite see how to accomplish a specific configuration, so I'm after some help. I would like to create multiple VDOMs that use a single internet connection and (potentially) a single server LAN. Each VDOM will terminate one or more IPSec L2L tunnels to different customers. The customers use overlapping private IP address space, so NAT will be used in each VDOM to allow the servers to communicate with the clients and vice versa. See attached for a diagram. My problem is, once I define an interface (using VLAN ID 40 for example), I can't then create a second interface using the same VLAN ID to assign to the second VDOM? I was expecting to be able to create multiple interfaces using the same VLAN, ensuring that the IP addresses were unique. Any ideas? Many Thanks in advance. Gareth

    4 replies

    romanr
    New Member
    January 7, 2010
    ORIGINAL: Gareth Whitcomb My problem is, once I define an interface (using VLAN ID 40 for example), I can't then create a second interface using the same VLAN ID to assign to the second VDOM? I was expecting to be able to create multiple interfaces using the same VLAN, ensuring that the IP addresses were unique.
    Hi, you will have to use a different physical interface and attach the VLAN interface there... cheers, Roman
    Contributor
    January 8, 2010
    Hi Roman, Many Thanks for your response. Unfortunately, I need 9 VDOMs but only have 2 physical interfaces... Any other ideas? Many Thanks, Gareth
    Contributor
    January 8, 2010
    Hello Gareth, Welcome to the Forums. You can use the same VLAN ID on different physical interfaces, and assign each VLAN to any VDOM. However, VDOMs cannot share physical interfaces or VLAN sub-interfaces. For example:
    VDOM1: physical interface port1, VLAN10-port1, VLAN20-port1
    VDOM2: physical interface port2, VLAN10-port2
    VDOM3: VLAN30-port1, VLAN30-port2
    VDOM4: VLAN40-port1, VLAN40-port2
    I hope that will help. -J.
    Contributor
    January 8, 2010
    Thanks for your quick responses. Due to my lack of physical interfaces, I think I'll try and work around this limitation in the switches. I'm hoping to configure them to bridge (or proxy-ARP) multiple VLANs. This should allow me to present the one 'real' VLAN as multiple VLANs to the FortiGate boxes. Gareth
    red_adair
    New Member
    January 8, 2010
    The solution to this is Intra-VDOM Links, so you build up hierarchical VDOMs. Have a "Provider VDOM" that faces your VLAN40 and the Internet. The other "Customer VDOMs" are connected to the Provider VDOM with Intra-VDOM Links. Those can be unnumbered or numbered.

    --vlan10-----(cust-vdom-1)*1----vdl1-------*2|-------------|
    --vlan11-----(cust-vdom-2)*1----vdl2-------*2| prov-vdom---|--------(Internet)
    --vlan12-----(cust-vdom-3)*1----vdl3-------*2|-------------|

    You say SNAT is needed (from customer towards internet). So you need SNAT on each *1 side of the Intra-VDOM Link. In that case the easy solution is using "half-numbered interfaces" there - just put an IP (on the Intra-VDOM Link interface) on the customer VDOM facing side. In the provider VDOM you place static routing entries like 80.80.80.81/32 -> vdl1 (no gateway IP needed to enter). If you like you also can use small transit networks on the Intra-VDOM Links - but that may increase complexity and waste addresses. So "half numbered" may do the trick better. Of course you must have appropriate FW rules and proper routing set up in both Customer VDOMs and Provider VDOM. -R.
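    Added example, not from the thread or from any of its posters: a FortiOS CLI sketch of the layout J. and R. describe, with one customer VDOM owning a VLAN sub-interface on port1 and reaching the Internet through a half-numbered inter-VDOM link into a provider VDOM. The VDOM names, the link name vdl1, VLAN 10 on port1, the 192.168.1.0/24 customer subnet and the wan1 uplink are constructed; 80.80.80.81 is the address used in R.'s post. The /32 mask on the link interface and the gateway-less static routes follow the "half-numbered" description above; confirm the exact syntax against the CLI reference for your FortiOS version before applying it.

```text
# Constructed FortiOS configuration sketch (hypothetical names throughout)

config global
    config system vdom
        edit "prov-vdom"
        next
        edit "cust-vdom-1"
        next
    end
    # Creating the link yields two interfaces: vdl10 (side *1) and vdl11 (side *2)
    config system vdom-link
        edit "vdl1"
        next
    end
    config system interface
        # Customer-facing VLAN sub-interface on port1, owned by the customer VDOM.
        # A second VDOM could reuse VLAN ID 10 only on a different physical port.
        edit "vlan10"
            set vdom "cust-vdom-1"
            set interface "port1"
            set vlanid 10
            set ip 192.168.1.1 255.255.255.0
        next
        # Side *1: half-numbered; this address becomes the customer's SNAT source
        edit "vdl10"
            set vdom "cust-vdom-1"
            set ip 80.80.80.81 255.255.255.255
        next
        # Side *2: unnumbered, lives in the provider VDOM
        edit "vdl11"
            set vdom "prov-vdom"
        next
    end
end

config vdom
    edit "cust-vdom-1"
        # Default route out over the link; no gateway address on a vdom-link
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set device "vdl10"
            next
        end
        # SNAT on the *1 side: overlapping customer space leaves as 80.80.80.81.
        # "all" is the built-in any-address object; tighten to the real subnets.
        config firewall policy
            edit 1
                set srcintf "vlan10"
                set dstintf "vdl10"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
    edit "prov-vdom"
        config router static
            # Return route for the customer's NAT address, as in R.'s post
            edit 1
                set dst 80.80.80.81 255.255.255.255
                set device "vdl11"
            next
            # Provider default route toward the Internet (gateway is constructed)
            edit 2
                set dst 0.0.0.0 0.0.0.0
                set device "wan1"
                set gateway 80.80.80.1
            next
        end
        # Forward already-translated traffic to the uplink; no second NAT here,
        # so 80.80.80.81 must be routable from the Internet side
        config firewall policy
            edit 1
                set srcintf "vdl11"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

    Each additional customer VDOM repeats the same pattern with its own link (vdl2, vdl3, ...) and its own /32 on the *1 side, plus a matching /32 route in the provider VDOM; the provider VDOM is the only place that needs to know about the Internet interface, which is what keeps the single physical uplink shared across all nine VDOMs.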