FortiGate
nvisentin_FTNT
Article Id 192843

Description

 
This article explains how FortiGate can share a VLAN across multiple VDOMs using emac-vlan interfaces.
 
[Topology diagram: fgt6.0sche.jpg]

 

Scope

 

FortiGate.


Solution

 
Scenario 1:
In the topology above, an EMAC-VLAN interface is created on top of VLAN128 in each of the V1 and V2 VDOMs.
Each of these interfaces has its own MAC address. The EMAC-VLAN interfaces can ping each other even though they are in different VDOMs (no additional configuration is needed), but they cannot ping VLAN128; this is by design.
The reason is that when an EMAC-VLAN interface sends an ARP request towards the switch, the request leaves on the same physical port that VLAN128 is on, and a switch never forwards a frame back out of the port on which it received it.
The VLAN128 interface therefore never receives the ARP request.
 
Note that an EMAC-VLAN interface cannot be used as a DHCP server.
If a DHCP server is required, it must be configured on the VLAN interface itself, not on the EMAC-VLAN interface.
 
First, the VLAN interface must be created:
 
config system interface 
    edit "vlan128" 
        set vdom "root" 
        set interface "port9" 
        set ip 10.128.0.3 255.255.255.0            <--- Optional; only needed if a DHCP server is required on this VLAN.
        set vlanid 128 
    next 
end
 
Then bind the emac-vlan interfaces to that VLAN interface:
 
config system interface 
    edit "vlan128-v1" 
        set vdom "v1" 
        set ip 10.128.0.1 255.255.255.0 
        set allowaccess ping 
        set type emac-vlan 
        set interface "vlan128" 
    next 
end 
 
config system interface 
    edit "vlan128-v2" 
        set vdom "v2" 
        set ip 10.128.0.2 255.255.255.0 
        set allowaccess ping 
        set type emac-vlan 
        set interface "vlan128" 
    next 
end
 
Verification:
 
get router info routing-table all 
Routing table for VRF=0 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP 
O - OSPF, IA - OSPF inter area 
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 
E1 - OSPF external type 1, E2 - OSPF external type 2 
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area 
* - candidate default 
 
C 10.128.0.0/24 is directly connected, vlan128-v1 
 
exe ping 10.128.0.254 
PING 10.128.0.254 (10.128.0.254): 56 data bytes 
64 bytes from 10.128.0.254: icmp_seq=0 ttl=64 time=0.5 ms 
64 bytes from 10.128.0.254: icmp_seq=1 ttl=64 time=0.1 ms 
^C 
--- 10.128.0.254 ping statistics --- 
2 packets transmitted, 2 packets received, 0% packet loss 
round-trip min/avg/max = 0.1/0.3/0.5 ms 
 
get router info routing-table all 
Routing table for VRF=0 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP 
O - OSPF, IA - OSPF inter area 
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 
E1 - OSPF external type 1, E2 - OSPF external type 2 
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area 
* - candidate default 
 
C 10.128.0.0/24 is directly connected, vlan128-v2 
 
exe ping 10.128.0.254 
PING 10.128.0.254 (10.128.0.254): 56 data bytes 
64 bytes from 10.128.0.254: icmp_seq=0 ttl=64 time=0.2 ms 
64 bytes from 10.128.0.254: icmp_seq=1 ttl=64 time=0.2 ms 
^C 
--- 10.128.0.254 ping statistics --- 
2 packets transmitted, 2 packets received, 0% packet loss 
round-trip min/avg/max = 0.2/0.2/0.2 ms 


Scenario 2: Aggregate interface.

 

[Topology diagram: Picture1.png]

 

  1. Create the aggregate interface.

 

config system interface
    edit "lag"
        set vdom "root"
        set type aggregate
        set member "port6" "port7"
        set lldp-transmission enable
        set role lan
    next
end

 

  2. Create a VLAN interface under the aggregate interface:

 

config system interface
    edit "vlan215"
        set vdom root
        set interface lag
        set vlanid 215
    next
end

 

  3. Bind the emac-vlan interfaces to that VLAN interface:

 

config system interface
    edit "vlan215_1"
        set vdom root
        set ip 192.168.200.1 255.255.255.0
        set allowaccess ping
        set type emac-vlan
        set interface "vlan215"
    next
end

 

config system interface
    edit "vlan215_2"
        set vdom "LAB"
        set ip 192.168.200.2 255.255.255.0
        set allowaccess ping
        set type emac-vlan
        set interface "vlan215"
    next
end

 

[Image: Picture2.png]

 

Note:

  1. The configuration should be entered in the global VDOM, not in a specific VDOM.
  2. EMAC-VLAN has an NPU offload issue when traffic crosses two VDOMs. For example, ICMP traffic enters VDOM1 at left, is sent out of 'vlan128-v1', then enters VDOM2 on 'vlan128-v2' and is sent out of VDOM2. Although the ping request in VDOM2 and the ping reply in VDOM1 could be marked for offload, in reality no packets are offloaded.
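The two constraints the article states for both scenarios (an emac-vlan must be bound to an existing VLAN interface, and a DHCP server must never be bound to an emac-vlan interface) can be checked before the configuration is pasted into the global VDOM. The following is an added example, not Fortinet's code: it is a minimal parser for flat FortiOS `config / edit / set` blocks (nested sub-tables are not handled) and a linter over the parsed result, run against a constructed sample that reuses the scenario 1 interface names with a deliberately wrong DHCP binding.

```python
# Constructed sample: scenario 1 interfaces, plus a DHCP server deliberately
# bound to the emac-vlan interface so that the second check fires.
SAMPLE_CONFIG = """
config system interface
    edit "vlan128"
        set interface "port9"
        set ip 10.128.0.3 255.255.255.0
        set vlanid 128
    next
    edit "vlan128-v1"
        set vdom "v1"
        set ip 10.128.0.1 255.255.255.0
        set type emac-vlan
        set interface "vlan128"
    next
end
config system dhcp server
    edit 1
        set interface "vlan128-v1"
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: value}}} from flat config/edit/set blocks."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "config":
            table = tables.setdefault(" ".join(parts[1:]), {})
        elif parts and parts[0] == "edit":
            entry = table.setdefault(parts[1].strip('"'), {})
        elif parts and parts[0] == "set":
            entry[parts[1]] = " ".join(p.strip('"') for p in parts[2:])
    return tables

def check_emac_vlan(tables):
    """List violations of the two rules the article states for emac-vlan."""
    ifaces = tables.get("system interface", {})
    problems = []
    for name, cfg in ifaces.items():
        # Rule 1: an emac-vlan must be bound to an existing VLAN interface.
        parent = ifaces.get(cfg.get("interface", ""), {})
        if cfg.get("type") == "emac-vlan" and "vlanid" not in parent:
            problems.append(f"{name}: parent must be an existing VLAN interface")
    for sid, cfg in tables.get("system dhcp server", {}).items():
        # Rule 2: DHCP server goes on the VLAN interface, never the emac-vlan.
        if ifaces.get(cfg.get("interface", ""), {}).get("type") == "emac-vlan":
            problems.append(f"dhcp server {sid}: cannot be bound to emac-vlan {cfg['interface']}")
    return problems
```

Feed it the output of `show system interface` and `show system dhcp server` from the global VDOM; an empty list means both rules hold.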