Is there a way for two vdoms to share a physical interface?
Hello, experts.
I have something to try with the FGT50E.
Is it possible for two vdoms to share the same physical interface?
vdom-A uses physical interfaces LAN1 and LAN2 as "virtual wire pair". Next, vdom-B uses physical interfaces LAN1 and LAN3 as "virtual wire pair".
In other words, the physical interface LAN1 is shared by different vdoms.
The configuration looks like this.
192.168.10.0/24 ---- LAN1 ---- vdom-A ---- LAN2
192.168.20.0/24 ---- LAN1 ---- vdom-B ---- LAN3
Is it possible?
Thank you for reading.
Labels:
Next Generation Firewall
1 Solution
"A virtual wire pair is two dedicated interfaces that have no IP addresses, with all traffic received by one interface being forwarded out the other, controlled by your firewall policies."
An interface that is used for a virtual wire pair can only be used for that virtual wire pair, so you cannot use it for anything else, including two VDOMs.
3 REPLIES
For a virtual wire pair, it does not make sense to me.
But with EMAC VLAN, you can share the same VLAN of the same physical interface with 2 different VDOMs.
Maybe this could help you figure out another solution for your project.
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/Interfaces/Enhanced%20MAC...
Regards,
Dominik
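As an added example (not from this thread or from Fortinet's documentation), the EMAC VLAN approach Dominik points to, written as FortiOS CLI: two EMAC VLAN sub-interfaces are created on the same physical port LAN1 with the same VLAN ID, one assigned to each VDOM, so both VDOMs see that VLAN through their own MAC address. Multi-VDOM mode is assumed to be enabled already; the interface names, VLAN ID and addresses are assumed values.

```fortios
# Added example, not from the thread. Assumes multi-VDOM mode is enabled and
# that vdom-A and vdom-B exist. Interface names, the VLAN ID (10) and the
# gateway addresses are illustrative values chosen to match the question.
config global
    config system interface
        # EMAC VLAN for vdom-A, parent LAN1, VLAN 10
        edit "lan1-v10-A"
            set vdom "vdom-A"
            set type emac-vlan
            set interface "LAN1"
            set vlanid 10
            set ip 192.168.10.1 255.255.255.0
            set allowaccess ping
        next
        # Second EMAC VLAN on the SAME parent and SAME VLAN ID, but for vdom-B.
        # A plain "vlan" sub-interface could not reuse LAN1/VLAN 10 this way.
        edit "lan1-v10-B"
            set vdom "vdom-B"
            set type emac-vlan
            set interface "LAN1"
            set vlanid 10
            set ip 192.168.20.1 255.255.255.0
            set allowaccess ping
        next
    end
end
```

Note that these are routed (layer 3) interfaces, not a virtual wire pair; each VDOM still needs its own firewall policies between its EMAC VLAN interface and its outbound port.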
Hello atsuo
There are probably many ways to design this - but please don't go to FortiGate torture - it will end up in bloody hell =)
Maybe you should consider transparent mode.
Sharing ports or chaining virtual wire pairs is not properly handled by the FortiGate kernel (due to L2 swapping and CAM table mishandling).
Can you give us an "anonymized" diagram of the current network infrastructure?
What goals are you trying to accomplish?
Did you look at intra-switch policy as well?
Are you using the remaining ports? LAN4, LAN5 and the WAN ports? Or are they available?
Do you have a manageable switch on the internal side? Could you set up VLANs, for example?
If you want to stick with 2 VDOMs, just do the following:
192.168.10.0/24 ---- LAN1 ---- vdom-A ---- LAN2
192.168.20.0/24 ---- LAN4 ---- vdom-B ---- LAN3
I presume both 192.168. subnets are broadcast into the same VLAN (or broadcast domain, or unmanaged switch),
then connect both LAN1 and LAN4 to your internal switch.
Don't worry, it won't create a spanning tree issue if you have properly broken the interfaces out as L3 interfaces.
However, with this design, you won't be able to route traffic between 192.168.10.0/24 and 192.168.20.0/24.
Maxime
NSE8 and Trainer
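As an added example (not from this thread or from Fortinet's documentation), Maxime's two-VDOM layout written as FortiOS CLI: each VDOM owns its own pair of ports, so no physical interface is shared. It assumes multi-VDOM mode is enabled, that LAN1 to LAN4 have already been removed from the FGT50E's default hardware switch, and that vdom-A and vdom-B exist; the pair and policy names are assumed values.

```fortios
# Added example, not from the thread. Assumes LAN1-LAN4 are standalone
# physical ports (already broken out of the default internal hardware switch)
# and that vdom-A and vdom-B exist. Pair and policy names are illustrative.
config global
    config system interface
        edit "LAN1"
            set vdom "vdom-A"
        next
        edit "LAN2"
            set vdom "vdom-A"
        next
        edit "LAN4"
            set vdom "vdom-B"
        next
        edit "LAN3"
            set vdom "vdom-B"
        next
    end
end
config vdom
    edit "vdom-A"
        # 192.168.10.0/24 ---- LAN1 ---- vdom-A ---- LAN2
        config system virtual-wire-pair
            edit "vwp-A"
                set member "LAN1" "LAN2"
            next
        end
        # Traffic through a virtual wire pair is still subject to policy;
        # this allows LAN1 -> LAN2 only. The reverse direction needs its own
        # policy, and a deny-by-default stance applies to anything not listed.
        config firewall policy
            edit 1
                set srcintf "LAN1"
                set dstintf "LAN2"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
    edit "vdom-B"
        # 192.168.20.0/24 ---- LAN4 ---- vdom-B ---- LAN3
        config system virtual-wire-pair
            edit "vwp-B"
                set member "LAN4" "LAN3"
            next
        end
    next
end
```

vdom-B needs the same kind of policy between LAN4 and LAN3; and, as Maxime notes, nothing in this layout routes between the two subnets.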
