Marek
New Contributor

Two Vdoms on one 802.1q port - is it possible?

Hi

I'm a rookie in networking, so I'm asking here for help (please understand).

I have two FG600D in an A-A cluster.

I need to build a network which contains 2 or more VDOMs.

My L3 network should look like:

and my L2 network looks like:

What I need to do is:

- Create 2 VDOMs with a network policy between those VDOMs managed from the root VDOM (for example, from VLAN 1 to VLAN 11 allow SSH)

- share the internet connection between those VDOMs

- place all of that network traffic on a single wire

What I have:

- BGP session established on a virtual router on an L3 switch (dedicated VLAN, like a "WAN" port, for BGP)

- from the same L3 switch I have uplinks to access switches for LAN (users) and DMZ (servers)

Why do I need to do it like that?

- I have two server rooms separated geographically and I want to do that:

Every FG600D has two SFP+ ports which I would like to use to connect the FGs with the L3 switch (orange links) and use them as one single LAG for each and every VDOM I'll build, in that case for 2.

How can I do that?

Regards

Marek

4 replies
oheigl
Contributor II

You need to create the LAG interface, for example in the root VDOM. After that, create the VLAN interfaces and put them in the VDOMs LAN and DMZ according to your plan. I have never created the LAG interface in one VDOM and used the "sub interfaces" in other VDOMs, but according to the handbook it should work just fine:

A VLAN subinterface can belong to a different VDOM than the physical interface it is part of. This is because the traffic on the VLAN is handled separately from the other traffic on that interface.

Between the VDOMs, just create inter-VDOM links and you are good to go.
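The layout described in the reply above, written out as FortiOS CLI. This is an added example for illustration, not configuration posted in the thread. It assumes VDOMs are already enabled, VDOM names lan and dmz, that the two SFP+ members are called port17 and port18 (the real names on a given unit are listed by `get system interface physical`), VLAN 1 for users and VLAN 11 for servers as in the question, and the private addressing shown. On an A-A cluster this is entered once on the primary and synchronized to the secondary.

```fortios
# Added example, not from the thread. Assumptions: VDOMs "lan" and "dmz",
# SFP+ members "port17"/"port18" (verify with: get system interface physical),
# VLAN 1 = users 10.1.1.0/24, VLAN 11 = servers 10.1.11.0/24.

config vdom
    edit lan
    next
    edit dmz
    next
end

config global
    # 1. LAG owned by the root VDOM, both 10GE members, LACP active
    config system interface
        edit "lag1"
            set vdom "root"
            set type aggregate
            set member "port17" "port18"
            set lacp-mode active
        next
        # 2. 802.1Q subinterfaces on the LAG, each assigned to a different VDOM
        edit "vlan1"
            set vdom "lan"
            set interface "lag1"
            set vlanid 1
            set ip 10.1.1.1 255.255.255.0
        next
        edit "vlan11"
            set vdom "dmz"
            set interface "lag1"
            set vlanid 11
            set ip 10.1.11.1 255.255.255.0
        next
    end
    # 3. Inter-VDOM link; FortiOS creates the two ends lan2dmz0 and lan2dmz1
    config system vdom-link
        edit "lan2dmz"
        next
    end
    config system interface
        edit "lan2dmz0"
            set vdom "lan"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "lan2dmz1"
            set vdom "dmz"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

# 4. Route across the link and allow SSH from VLAN 1 to VLAN 11, one leg per VDOM
config vdom
    edit lan
        config router static
            edit 1
                set dst 10.1.11.0 255.255.255.0
                set device "lan2dmz0"
                set gateway 10.255.0.2
            next
        end
        config firewall policy
            edit 1
                set name "users-ssh-to-dmz"
                set srcintf "vlan1"
                set dstintf "lan2dmz0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "SSH"
            next
        end
    next
    edit dmz
        config router static
            edit 1
                set dst 10.1.1.0 255.255.255.0
                set device "lan2dmz1"
                set gateway 10.255.0.1
            next
        end
        config firewall policy
            edit 1
                set name "ssh-from-users"
                set srcintf "lan2dmz1"
                set dstintf "vlan11"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "SSH"
            next
        end
    next
end
```

Two things to check before trusting this: the policy needs both legs, since the lan VDOM only sees traffic up to its end of the VDOM link and the dmz VDOM decides what enters vlan11, so a missing policy in either VDOM silently drops the SSH session; and the srcaddr/dstaddr "all" here should be narrowed to address objects for the real user and server subnets. Also note that VLAN 1 is the default native (untagged) VLAN on most switches, while a FortiGate VLAN subinterface expects tagged frames, so either tag VLAN 1 explicitly on the switch side of the trunk or pick a different user VLAN ID.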

Agent_1994
Contributor

I did something similar at a customer's: they had a link aggregation to an uplink switch (let's just call it "uplink") and there were several VLAN interfaces on that uplink; some of the interfaces went to one VDOM, and some to another VDOM.

All I did was create the uplink in the root/global VDOM, create the VLAN sub-interfaces and assign them from the global config.

HTH.

Marek

OK, I did that... but what about when I need to add another VDOM with the possibility of management by a "prof_admin"?

For example:

VDOM lan - prof admin X

VDOM dmz - prof admin Y

VDOM internal dmz - prof admin Z

All those VDOMs also have their own VPNs (IPsec site-to-site and SSL VPN) which I need to migrate from the old FG600 configuration?

 

oheigl
Contributor II

You are able to create an admin user just for one VDOM; that's fine.

Regarding the VPNs: is it possible to also tag the ISP/Internet multiple times on the LAG? I would make one VLAN for every VDOM, so they have their own public addresses. Otherwise you'd need to NAT through the VDOM link, which is a little bit more complicated.
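The two points in the reply above (a VDOM-scoped admin per VDOM, and one tagged internet VLAN per VDOM on the shared LAG instead of NAT across the VDOM link) as FortiOS CLI. This is an added example, not configuration from the thread. It assumes the LAG "lag1" already exists in the root VDOM, VDOMs named lan and dmz, that the ISP hands over one tagged VLAN per VDOM (IDs 100 and 101 are placeholders), that the public addresses are documentation ranges standing in for the real ones, and that 10.9.0.0/24 is the management network the admins connect from.

```fortios
# Added example, not from the thread. Assumptions: "lag1" exists in root,
# ISP VLANs 100/101 are delivered tagged on the same trunk, public addresses
# below are placeholders, admins connect from 10.9.0.0/24.

config global
    # One internet VLAN per VDOM on the shared LAG: each VDOM gets its own
    # default route and public address, so no NAT across the VDOM link is needed
    config system interface
        edit "wan-lan"
            set vdom "lan"
            set interface "lag1"
            set vlanid 100
            set ip 203.0.113.2 255.255.255.248
        next
        edit "wan-dmz"
            set vdom "dmz"
            set interface "lag1"
            set vlanid 101
            set ip 198.51.100.2 255.255.255.248
        next
    end
    # One account per VDOM using the built-in prof_admin profile, which has
    # VDOM scope: full rights inside the assigned VDOM, no global settings.
    # trusthost limits where the account may log in from.
    config system admin
        edit "adminX"
            set accprofile "prof_admin"
            set vdom "lan"
            set trusthost1 10.9.0.0 255.255.255.0
            set password "<replace-with-a-strong-password>"
        next
        edit "adminY"
            set accprofile "prof_admin"
            set vdom "dmz"
            set trusthost1 10.9.0.0 255.255.255.0
            set password "<replace-with-a-strong-password>"
        next
    end
end

# Per-VDOM default route towards that VDOM's own ISP VLAN
config vdom
    edit lan
        config router static
            edit 2
                set gateway 203.0.113.1
                set device "wan-lan"
            next
        end
    next
    edit dmz
        config router static
            edit 2
                set gateway 198.51.100.1
                set device "wan-dmz"
            next
        end
    next
end
```

With the internet VLAN inside each VDOM, that VDOM's outbound policies (with NAT) and its IPsec phase1 and SSL VPN settings all bind to its own wan-* interface, so the VPNs migrated from the old FG600 stay separate per VDOM and adminX cannot see or change adminY's VDOM. Log in as each new account once to confirm that the GUI and CLI are limited to the expected VDOM before handing the credentials over.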
