FortiGate
Divya_N
Staff
Article Id 335605
Description This article describes how to configure an EMAC VLAN in the VDOM setup to reach the internet using the single default gateway.
Scope FortiOS.
Solution

The configuration refers to the following topology:

 

Topology EMAC.png

 

This scenario is useful for multi-tenant VDOMs where public IP addresses are scarce (for example, a single /29 subnet). In such cases, the public subnet can be assigned to one physical interface and EMAC VLAN interfaces configured on top of it, one per VDOM, so that every tenant VDOM shares the same subnet and the same upstream gateway.

 

EMAC VLAN interfaces are virtual interfaces that each have their own MAC address, different from the parent interface. Ordinary VLAN interfaces, by contrast, share the MAC address of the parent interface.

 

As a result, each VDOM can reach the internet through its own EMAC VLAN interface, meaning a single upstream gateway is sufficient to reach the internet from all the VDOMs.

 

For lab purposes, private IP addresses were used in this example (see How to configure inter-VDOM links).

 

For illustration, port2 is configured with a /20 subnet.

 

As a first step, create two EMAC VLAN interfaces on port2, place them in VRF 0, and assign each one to its VDOM (LAN and DMZ).

 

In the global VDOM:

 

Create the EMAC VLAN interfaces by navigating to Network -> Interfaces -> Create New -> Interface. Set the name to EMAC LAN, change the Type to EMAC VLAN, select port2 as the parent interface, place it in the LAN VDOM and VRF 0, then assign an IP address from the port2 subnet.

 

EMAC interface.png

 

Follow the same steps for a second EMAC VLAN interface, EMAC DMZ, and place it in the DMZ VDOM.

 

Once the interfaces are configured, it should look similar to this:

 

interfaces.png

 

On the VDOMs:

  • Place port3 and the LAN_root0 end of the inter-VDOM link (both in the LAN VDOM) in VRF 11.
  • Place port4 and the DMZ_root0 end of the inter-VDOM link (both in the DMZ VDOM) in VRF 12.
  • Place LAN_root1 and DMZ_root1 in VRF 0, as they sit in the root VDOM, which is segregated in virtual router 0 (VRF 0).

After finishing these steps, configure the default route on the root VDOM with port2 as the outgoing interface and the upstream gateway on the port2 subnet. For testing, 10.109.31.254 was used as the gateway.

 

static root.png

 

On the LAN VDOM, configure a default static route whose outgoing interface is the EMAC VLAN interface (EMAC LAN) and whose gateway is the same 10.109.31.254.

 

static.lan.png

 

Follow the same for the DMZ VDOM.
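The complete procedure above, expressed as FortiOS CLI configuration. This is an added example and not the configuration from the original article or its screenshots: the interface names (EMAC_LAN, EMAC_DMZ, LAN_root0/1, DMZ_root0/1), the tenant subnets 192.168.11.0/24 and 192.168.12.0/24, the EMAC VLAN addresses on 10.109.16.0/20, and the route sequence numbers are all assumed for illustration. Only the gateway 10.109.31.254 and the VRF numbers 0, 11 and 12 come from the article. The inter-VDOM links LAN_root and DMZ_root are assumed to exist already.

```text
# Added example, not the article's own configuration. Addresses and names are assumed.
# port2 (root VDOM, VRF 0) is taken to be on 10.109.16.0/20 with the gateway 10.109.31.254.

# --- Global: EMAC VLAN interfaces on port2, one per tenant VDOM, both in VRF 0 ---
config global
    config system interface
        edit "EMAC_LAN"
            set vdom "LAN"
            set vrf 0
            set type emac-vlan
            set interface "port2"
            set ip 10.109.20.11 255.255.240.0
            set allowaccess ping        # keep management access minimal: this is an upstream-facing interface
        next
        edit "EMAC_DMZ"
            set vdom "DMZ"
            set vrf 0
            set type emac-vlan
            set interface "port2"
            set ip 10.109.20.12 255.255.240.0
            set allowaccess ping
        next
        # Tenant-facing ports and the tenant ends of the inter-VDOM links go into the tenant VRFs
        edit "port3"
            set vdom "LAN"
            set vrf 11
        next
        edit "LAN_root0"
            set vdom "LAN"
            set vrf 11
        next
        edit "port4"
            set vdom "DMZ"
            set vrf 12
        next
        edit "DMZ_root0"
            set vdom "DMZ"
            set vrf 12
        next
        # The root ends of the inter-VDOM links stay in VRF 0 with the rest of the root VDOM
        edit "LAN_root1"
            set vdom "root"
            set vrf 0
        next
        edit "DMZ_root1"
            set vdom "root"
            set vrf 0
        next
    end
end

config vdom
    # --- root VDOM: the only default route that points at the physical port ---
    edit root
        config router static
            edit 1
                set gateway 10.109.31.254
                set device "port2"
            next
        end
    next
    # --- LAN VDOM: default route via EMAC_LAN (VRF 0), installed in VRF 11 so that
    #     traffic arriving on port3 (VRF 11) is leaked out through VRF 0.
    #     Route 2 leaks the LAN subnet back into VRF 0 for the return traffic. ---
    edit LAN
        config router static
            edit 1
                set gateway 10.109.31.254
                set device "EMAC_LAN"
                set vrf 11
            next
            edit 2
                set dst 192.168.11.0 255.255.255.0
                set device "port3"
                set vrf 0
            next
        end
    next
    # --- DMZ VDOM: same pattern with VRF 12 and EMAC_DMZ ---
    edit DMZ
        config router static
            edit 1
                set gateway 10.109.31.254
                set device "EMAC_DMZ"
                set vrf 12
            next
            edit 2
                set dst 192.168.12.0 255.255.255.0
                set device "port4"
                set vrf 0
            next
        end
    next
end
```

Routes alone do not forward traffic: each tenant VDOM still needs a firewall policy from its tenant port (port3 or port4) to its EMAC VLAN interface, normally with source NAT enabled so that tenant traffic leaves with the EMAC VLAN address. To verify, enter the VDOM (`config vdom`, `edit LAN`) and run `get router info routing-table all`; the output should list the default route under VRF 11 and the leaked tenant subnet under VRF 0, matching the screenshots below. Two points to keep in mind on the upstream side: every EMAC VLAN presents its own MAC address on port2, so an upstream switch with port security or a MAC limit on that port must allow one address per VDOM plus port2 itself; and because all VDOMs share one L2 segment and gateway, traffic between tenants that is not allowed through the inter-VDOM links can still hairpin via the upstream gateway unless that gateway or the EMAC VLAN policies block it.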

After these steps, the routing table on the root VDOM should look like the following, and the internet should be reachable:

 

root routing.png

 

On the LAN VDOM, the ping result and the routing table show the effect of route leaking: entries are visible for both VRF 0 and VRF 11:

 

LAN ping.png

LAN routing.png

 

Results of route leaking on the DMZ VDOM:

 

DMZ routing and results.png

 

Refer to the following documents for more details on route leaking and EMAC VLANs: