Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
j_a_m_e_s
New Contributor III

EMAC VLANs to share ISP connection over VDOMs - Confusion after handbook and KB

Dear All,

 

I'll try to keep this as short as possible, my hardware is 1500D running 6.0. With this design I'm trying to:

 

* Share two ISP connections across multiple VDOMs (named VD_APPA, VD_APPB, VD_APPY, VD_APPZ) 

* All VDOMs are layer 3 (NAT mode)

* Need to run BGP to the North and South, so different MAC needed for each FGT virtual IF

* North and South switch ports to be a trunk and will have /27 assigned so several peerings can run across the vlan

 

I've attached a diagram and abbreviated config outline to help visualise it.

 

Having read the handbook I'm still a bit confused about the following:

1. To which VDOM would the physical links (e.g. port1) and SVI (e.g. port1.100) belong? (In my proposal they all sit in "root", but the virtual IF of type "emac" (e.g. port1.100a) sits within the application VDOM.)

2. The handbook talks about using npu-vlinks. Why would you need this, since emac can stretch a VLAN over multiple VDOMs anyway? This is shown quite nicely in this KB.

3. In my proposal, presumably each emac virtual IF would get its own MAC address, even though the VLAN ID stays the same? What has worried me is this quote from the handbook:

   "The VLAN ID and interface must be a unique pair, even if they belong to different VDOMs."

   That has really confused me, because I need to stretch VLANs 100 and 200 across multiple VDOMs and run a peering up to the switch. I thought the whole purpose of EMACs was to share a single VLAN over multiple VDOMs and to provide unique MACs on each EMAC IF.

4. On the south side, I don't believe EMAC is necessary because the VLANs aren't being stretched - the physical port is simply a trunk and each VLAN leads to a separate VDOM.

Thank you to anyone who read through this. Maybe I have a misunderstanding of what EMAC does? I would be very grateful for any advice.

Kind regards

James.

     

# Approximate Cisco Config:

interface Eth1/1
 switchport mode trunk
 switchport trunk allowed vlan 100,200
exit
interface vlan 100
 vrf member isp100
 ip address 10.0.0.14/27
exit
router bgp 65001
 vrf isp100
  neighbor 10.0.0.0/27
   address-family ipv4 unicast
    [...]
   exit
  exit
 exit
exit
---

     

Approximate FGT Config:

config system interface
 edit port1
  set description "To:SwitchA-Eth1/1"
  set vdom "root"
 next
 edit port1.100
  set vdom "root"
  set type vlan
  set vlanid 100
  set interface "port1"
 next
 # Will source BGP peering up to Cisco SVI 100
 edit port1.100a
  set vdom "VD_APPA"
  set type emac-vlan
  set interface "port1.100"
  set ip 10.0.0.1 255.255.255.224
 next
 # Will source BGP peering up to Cisco SVI 100
 edit port1.100b
  set vdom "VD_APPB"
  set type emac-vlan
  set interface "port1.100"
  set ip 10.0.0.2 255.255.255.224
 next
 [...]
end
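The handbook rule quoted in the post ("The VLAN ID and interface must be a unique pair, even if they belong to different VDOMs") is easy to trip over when several VDOMs need the same VLAN, so here is a small lint that checks a `config system interface` fragment for exactly that clash before it is pushed to the box. This is an added example written for this page, not James's config and not Fortinet code. It assumes the layout the post proposes (one `type vlan` interface per (parent, vlanid) pair in root, `type emac-vlan` children per application VDOM), and the embedded sample config is constructed to mirror that design plus one deliberate second VLAN 100 on port1 in VD_APPY to show the rule firing. The parent-exists and duplicate-IP checks are the author's own assumptions about what is worth flagging, not rules from the handbook.

```python
"""Lint a FortiOS 'config system interface' fragment for the VLAN / EMAC-VLAN
layout discussed in the post.  Added example, not Fortinet code.  The only rule
taken from the handbook is that (parent interface, vlanid) must be a unique pair
for type-vlan interfaces regardless of VDOM; the other checks are assumptions."""
import shlex
from collections import defaultdict

# Constructed sample mirroring the post's design, plus one deliberate clash:
# VD_APPY tries to create a second plain VLAN 100 directly on port1.
SAMPLE = """
config system interface
    edit "port1"
        set vdom "root"
    next
    edit "port1.100"
        set vdom "root"
        set type vlan
        set interface "port1"
        set vlanid 100
    next
    edit "port1.100a"
        set vdom "VD_APPA"
        set type emac-vlan
        set interface "port1.100"
        set ip 10.0.0.1 255.255.255.224
    next
    edit "port1.100b"
        set vdom "VD_APPB"
        set type emac-vlan
        set interface "port1.100"
        set ip 10.0.0.2 255.255.255.224
    next
    edit "vlan100_dup"
        set vdom "VD_APPY"
        set type vlan
        set interface "port1"
        set vlanid 100
        set ip 10.0.0.3 255.255.255.224
    next
end
"""


def parse_interfaces(text):
    """Return {name: {setting: value}} from a 'config system interface' block.

    Only edit/set/next/end are interpreted; '#' comments are dropped by shlex."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == "edit" and len(tok) > 1:
            current = tok[1]
            ifaces[current] = {}
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            ifaces[current][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            current = None
    return ifaces


def check_interfaces(ifaces):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    # Handbook rule: (interface, vlanid) must be unique, whatever the VDOM.
    vlan_pairs = defaultdict(list)
    for name, cfg in ifaces.items():
        if cfg.get("type") == "vlan":
            vlan_pairs[(cfg.get("interface"), cfg.get("vlanid"))].append(name)
    for (parent, vid), names in vlan_pairs.items():
        if len(names) > 1:
            vdoms = sorted({ifaces[n].get("vdom", "?") for n in names})
            findings.append(
                f"VLAN {vid} on {parent} defined more than once ({', '.join(names)}; "
                f"VDOMs {', '.join(vdoms)}): keep one VLAN interface and hang "
                "emac-vlan children off it to share it across VDOMs")
    # Assumption: every vlan / emac-vlan sub-interface must name a defined parent.
    for name, cfg in ifaces.items():
        if cfg.get("type") in ("vlan", "emac-vlan") and cfg.get("interface") not in ifaces:
            findings.append(f"{name}: parent {cfg.get('interface')!r} is not defined")
    # Assumption: the same address must not be configured on two interfaces.
    by_ip = defaultdict(list)
    for name, cfg in ifaces.items():
        if "ip" in cfg:
            by_ip[cfg["ip"].split()[0]].append(name)
    for ip, names in by_ip.items():
        if len(names) > 1:
            findings.append(f"address {ip} used on {', '.join(names)}")
    return findings


def emac_children(ifaces, parent):
    """Map each emac-vlan interface hanging off `parent` to the VDOM it sits in."""
    return {n: c.get("vdom") for n, c in ifaces.items()
            if c.get("type") == "emac-vlan" and c.get("interface") == parent}


if __name__ == "__main__":
    cfg = parse_interfaces(SAMPLE)
    print("EMAC children of port1.100:", emac_children(cfg, "port1.100"))
    for finding in check_interfaces(cfg):
        print("FINDING:", finding)
```

Run it as-is and the only finding is the duplicate VLAN 100 on port1; the two emac-vlan children of port1.100 in VD_APPA and VD_APPB pass, which is the pattern the post is trying to build. Paste the output of `show system interface` in place of `SAMPLE` to lint a real configuration.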

1 REPLY

nomeursy
New Contributor III

As far as I understand your setup, the physical port stays in the root VDOM, but the VLAN interfaces should be bound to the right VDOM (VD_APPA, VD_APPB, VD_APPY, VD_APPZ).

Another setup could be: introduce a new VDOM, call it "SDWAN", "Internet" or "IPS" (if you want to apply IPS here for all inbound and outbound traffic). On this new VDOM you can handle SD-WAN, BGP and so on. Connecting the new VDOM to the existing ones is where the NPU-vlinks come in. They can internally connect the VDOMs, so you can route all WWW traffic to the new VDOM and take it from there.

Whether you apply NAT on the internal links depends on the size of your public IP space. If you have enough, you can set public IP ranges on the NPU-vlinks (/31 if you like) and just route everything through the new internet-facing VDOM.