Created on 12-14-2018 07:22 AM
Edited on 12-31-2025 04:29 AM
By Stephen_G
| Description | This article explains how FortiGate can share a VLAN across multiple VDOMs using EMAC-VLAN interfaces. |
| Scope | FortiGate |
| Solution |
Scenario 1: In the topology above, an EMAC-VLAN is assigned to VLAN 128 by creating an interface in each of VDOM V1 and VDOM V2.
Each of the interfaces has its own unique MAC address. The EMAC-VLAN interfaces can communicate (ping) with each other even though they are in different VDOMs; no additional configuration is required for this behavior. However, they cannot ping the VLAN 128 interface itself, which is by design.
This occurs because when an EMAC-VLAN interface sends an ARP request for the switch, the request is transmitted out of the same physical port on which VLAN 128 exists. Since the switch does not forward ARP requests back out the same port on which they were received, the ARP request never reaches the VLAN 128 interface. As a result, the VLAN 128 interface never responds, and connectivity fails.
Note: An EMAC-VLAN interface cannot be used as a DHCP server.
First, the VLAN interface must be created:
    config system interface
        edit "vlan128"
            set vdom "root"
            set interface "port9"
            set ip 10.128.0.3 255.255.255.0 <----- Optional only if DHCP server is needed.
            set vlanid 128
        next
    end
Then bind the EMAC-VLAN interfaces to that VLAN interface:
    config system interface
        edit "vlan128-v1"
            set vdom "v1"
            set ip 10.128.0.1 255.255.255.0
            set allowaccess ping
            set type emac-vlan
            set interface "vlan128"
        next
    end
    config system interface
        edit "vlan128-v2"
            set vdom "v2"
            set ip 10.128.0.2 255.255.255.0
            set allowaccess ping
            set type emac-vlan
            set interface "vlan128"
        next
    end
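Because the EMAC-VLAN interfaces can reach each other across VDOMs with no further configuration, it is useful to audit which VDOMs share a parent VLAN. The following is an added example, not Fortinet's code: it parses a `config system interface` export and reports each parent interface whose EMAC-VLANs span more than one VDOM. The sample input is constructed from the blocks above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample: the article's three interface entries (ip lines omitted).
SAMPLE_CONFIG = '''
config system interface
    edit "vlan128"
        set vdom "root"
        set interface "port9"
        set vlanid 128
    next
    edit "vlan128-v1"
        set vdom "v1"
        set allowaccess ping
        set type emac-vlan
        set interface "vlan128"
    next
    edit "vlan128-v2"
        set vdom "v2"
        set allowaccess ping
        set type emac-vlan
        set interface "vlan128"
    next
end
'''

def parse_interfaces(text):
    """Return {name: {setting: value}} for each 'edit' entry in the export."""
    interfaces, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'edit\s+"?([^"]+)"?$', line):
            current = interfaces.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r"set\s+(\S+)\s+(.+)$", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return interfaces

def shared_segments(interfaces):
    """Return {parent: [(name, vdom, allowaccess)]} where EMAC-VLANs span >1 VDOM."""
    by_parent = defaultdict(list)
    for name, cfg in interfaces.items():
        if cfg.get("type") == "emac-vlan":
            access = cfg.get("allowaccess", "").split()
            by_parent[cfg.get("interface")].append((name, cfg.get("vdom"), access))
    return {parent: sorted(members) for parent, members in by_parent.items()
            if len({vdom for _, vdom, _ in members}) > 1}

if __name__ == "__main__":
    print(shared_segments(parse_interfaces(SAMPLE_CONFIG)))
```

Each reported tuple also carries the interface's `allowaccess` list, so the management services exposed on the shared segment can be reviewed per VDOM.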
Verification:
    get router info routing-table all
    Routing table for VRF=0
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    C 10.128.0.0/24 is directly connected, vlan128-v1
    exe ping 10.128.0.254
    PING 10.128.0.254 (10.128.0.254): 56 data bytes
    64 bytes from 10.128.0.254: icmp_seq=0 ttl=64 time=0.5 ms
    64 bytes from 10.128.0.254: icmp_seq=1 ttl=64 time=0.1 ms
    ^C
    --- 10.128.0.254 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 0.1/0.3/0.5 ms

    get router info routing-table all
    Routing table for VRF=0
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    C 10.128.0.0/24 is directly connected, vlan128-v2
    exe ping 10.128.0.254
    PING 10.128.0.254 (10.128.0.254): 56 data bytes
    64 bytes from 10.128.0.254: icmp_seq=0 ttl=64 time=0.2 ms
    64 bytes from 10.128.0.254: icmp_seq=1 ttl=64 time=0.2 ms
    ^C
    --- 10.128.0.254 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 0.2/0.2/0.2 ms
config system interface
config sys int
config system interface
config system interface
Note:
At left, and is sent out to 'vlan128-v1', and then hits VDOM2 'vlan128-v2', and is sent out of VDOM2. Although Ping's request at VDOM2, and Ping's reply at VDOM1 could be marked for offload, no packets are offloaded in reality.
Refer to the following document for more details on EMAC VLAN: |