Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

awazee
New Contributor

Created on ‎01-14-2021 07:28 PM

Is there a way for two vdoms to share a physical interface?

Hello, expert of everyone.

I have something to try with the FGT50E.
Is it possible for two vdoms to share the same physical interface?
vdom-A uses physical interfaces LAN1 and LAN2 as "virtual wire pair". Next, vdom-B uses physical interfaces LAN1 and LAN3 as "virtual wire pair".
In other words, the physical interface LAN1 is shared by different vdoms.
The configuration looks like this.
192.168.10.0/24 ---- LAN1 ---- vdom-A ---- LAN2
192.168.20.0/24 ---- LAN1 ---- vdom-B ---- LAN3
Is it possible?

thank you for reading.
Labels:
1471
0 Kudos
1 Solution
PC
New Contributor III

Created on ‎01-15-2021 08:41 AM

"virtual wire pair is two dedicated interfaces that have no IP addresses, with all traffic received by one interface being forwarded out the other, controlled by your firewall policies."

An interface that is used for a virtual wire pair can only be used for that virtual wire pair, so you can not use it for anything else including two VDOMs. 

View solution in original post

1433
0 Kudos
3 REPLIES 3
PC
New Contributor III

Created on ‎01-15-2021 08:41 AM

"virtual wire pair is two dedicated interfaces that have no IP addresses, with all traffic received by one interface being forwarded out the other, controlled by your firewall policies."

An interface that is used for a virtual wire pair can only be used for that virtual wire pair, so you can not use it for anything else including two VDOMs. 

1434
0 Kudos
DomiHalb1
New Contributor

Created on ‎01-15-2021 09:07 AM

For a virtual wire pair, it does not make sense to me.
But with emac vlan, you can share the same vlan of the same physical interface with 2 different vdoms.

May this could help you figuring out an other solution for your project.

https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/Interfaces/Enhanced%20MAC...

Regards,

Dominik
1433
0 Kudos
HERBINET_Maxime
New Contributor

Created on ‎01-19-2021 06:19 AM

Hello atsuo

They are probably many ways to design this - but please don't go to FortiGate torture - it will end-up bloody hell =)
Maybe you should consider transparent mode.
Sharing ports or chaining virtual wire pair is not properly handle by FortiGate kernel (due to L2 swaping and CAM table mishandling).

Can you give us an "anonymized"  diagram of current network infrastructure ?
What goals are you trying to accomplish ?
Did you look at intra-switch policy as well ?
Are you using the remaining ports ? LAN4, LAN5 and WAN ports ? or are they available ?
Do you have a manageable switch on internal side ? could you set-up VLANs for example ?

If you want to stick with 2 VDOMs, just do the following:
192.168.10.0/24 ---- LAN1 ---- vdom-A ---- LAN2
192.168.20.0/24 ---- LAN4 ---- vdom-B ---- LAN3

I presumed both 192.168. subnets are broadcasted into the same VLANs (or broadcast domain or unmanaged switch)
then connect both LAN1 and LAN4 to your internal switch
Don't worry, it won't create a spanning tree issue if you have properly break down interfaces as L3 itf.

However, with this design, you won't be able to route traffic between 192.168.10.0/24 and 192.168.20.0/24

Maxime
NSE8 and Trainer
1433
0 Kudos
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.