EMAC VLANs to share ISP connection over VDOMs - Confusion after handbook and KB

j_a_m_e_s · ‎07-08-2021

Dear All,

I'll try to keep this as short as possible, my hardware is 1500D running 6.0. With this design I'm trying to:

* Share two ISP connections across multiple VDOMs (named VD_APPA, VD_APPB, VD_APPY, VD_APPZ)

* All VDOMs are layer 3 (NAT mode)

* Need to run BGP to the North and South, so different MAC needed for each FGT virtual IF

* North and South switch ports to be a trunk and will have /27 assigned so several peerings can run across the vlan

I've attached a diagram and abbreviated config outline to help visualise it.

Having read the handbook I'm still a bit confused about the following:

[ol]

To which VDOM would the physical links (e.g. port1) and SVI (e.g. port1.100) belong (in my proposal, they all sit in "root", but the virtual IF of type "emac" (e.g. port1.100a) sits within the application VDOM)

The handbook talks about using npu-vlinks. Why would you need this, since emac can stretch a vlan over multiple VDOMS anyway? This is shown quite nicely in this KB.

In my proposal, presumably each emac virtual IF would get it's own MAC address, even though the VLAN ID stays the same? What has worried me is this quote from the handbook:

The VLAN ID and interface must be a unique pair, even if they belong to different VDOMs.

[/ol]

That has really confused me, because I need to stretch VLANs 100 and 200 across multiple VDOMs and run a peering up to the switch. I thought whole purpose of EMACs was to share a single VLAN over multiple VDOMs and to provide unique MACs on each EMAC IF.

4. On the south side, I don’t believe EMAC is necessary because the VLANs aren't being stretched - the physical port is simply a trunk and each VLAN leads to a separate VDOM.

Thank you to anyone who read through this. Maybe I have a misunderstanding of what EMAC does? I would be very grateful for any advice.

Kind regards

James.

# Approximate Cisco Config:

interface Eth1/1
 switchport trunk allowed vlan 100,200
exit
inter vlan 100
 vrf isp100
 ip address 10.0.0.14/27
exit
router bgp 65001
 vrf isp100
  neighbor 10.0.0.0/27
   address-family ipv4 unicast
    [...]
   exit
  exit
 exit
exit
---

Approximate FGT Config:

config sys interface
 edit port1
  set descr To:SwitchA-Eth1/1
  set vdom "root"
 exit
 edit port1.100
  set vdom "root"
  set vlanid 100
  set interface "port1"
 exit
 edit port1.100a
  set vdom "VD_APPA"
  set ip 10.0.0.1 255.255.255.224 # Will source BGP peering up to Cisco SVI 100
  set type emac-vlan
  set interface "port1.100"
exit

edit port1.100b
  set vdom "VD_APPB"
  set ip 10.0.0.2 255.255.255.224 # Will source BGP peering up to Cisco SVI 100
  set type emac-vlan
  set interface "port1.100"
exit
[...]
end

nomeursy · ‎07-23-2021

As far as I understand your setup, then the physical poort stays in the root VDOM. But the VLAN interfaces should be bound to the right VDOM (VD_APPA, VD_APPB, VD_APPY, VD_APPZ) Another setup, could be: Introducing an new VDOM, call “SDWAN”, or “Internet”, or “IPS” (if you want to set IPS here for all traffic in- and outbound) Then on this new VDOM, you can handle SD-WAN and BGP and so on. Then to connect the new VDOM to the existing, is where the NPU-vlinks come in. The can internally connect the VDOMs. So you can route all WWW traffic ot the new VDOM an thake it from there. If you apply NAT on the internal links depends on the size of your Public IP space, do you have enough, then you can set Public IP ranges on the NPU-vlinks (/31 if you like) and just route everything through the new internet facing VDOM.