- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- VDOMs and shared interfaces?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 01-07-2010 11:56 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VDOMs and shared interfaces?
Hi All,
I' m new to the Fortinet boxes and to this forum... I' ve been reading the documentation, but can' t quite see how to accomplish a specific configuration so I' m after some help.
I would like to create multiple VDOMs that use a single internet connection and (potentially) a single server LAN. Each VDOM will terminate one or more IPSec L2L tunnels to different customers. The customers use overlapping private IP address space, so NAT will be used in each VDOM to allow the servers to communication with the clients and vice versa.
See attached for a diagram.
My problem is, once I define an interface (using VLAN ID 40 for example), I can’t then create a second interface using the same VLAN ID to assign to the second VDOM?
I was expecting to be able to create multiple interfaces using the same VLAN, ensuring that the IP addresses were unique.
Any ideas?
Many Thanks in advance.
Gareth
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: Gareth Whitcomb My problem is, once I define an interface (using VLAN ID 40 for example), I can’t then create a second interface using the same VLAN ID to assign to the second VDOM? I was expecting to be able to create multiple interfaces using the same VLAN, ensuring that the IP addresses were unique.Hi, you will have to use a different physical interface and attach the VLAN interface there... cheers.roman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Roman,
Many Thanks for your response. Unfortunatly, I need 9 VDOMs but only have 2 physical interfaces...
Any other ideas?
Many Thanks,
Gareth
Not applicable
Created on 01-08-2010 02:47 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Gareth,
Welcome to the Forums.
You can use the same VLAN ID on different physical interfaces, and assign each VLAN to any VDOM.
However, VDOMs cannot share physical interfaces or VLANs sub-interfaces
For example :
VDOM1
physical interface port1
VLAN10-port1
VLAN20-port1
VDOM2
physical interface port2
VLAN10-port2
VDOM3
VLAN30-port1
VLAN30-port2
VDOM4
VLAN40-port1
VLAN40-port2
I hope that will help.
-J.
Not applicable
Created on 01-08-2010 05:15 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your quick responses.
Due my lack of physical interfaces, I think I' ll try and work-around this limitation in the switches. I' m hoping to configure them to bridge (or proxy-arp) multiple VLAN' s. This should allow me to present the one ' real' VLAN as multiple VLANs to the Fortigate boxes.
Gareth
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Solution to this is Intra-VDOM Links, so you build up hierarchical VDOMs.
Have a " Provider VDOM" that faces your VLAN40 and the Internet.
the other " Customer VDOMs" are connected to the Provider VDOM with Intra-VDOM Links. Those can be unnumbered or numbered.
--vlan10-----(cust-vdom-1)*1----vdl1-------*2|-------------|
--vlan11-----(cust-vdom-2)*1----vdl2-------*2| prov-vdom---|--------(Internet)
--vlan12-----(cust-vdom-3)*1----vdl3-------*2|-------------|
You say SNAT is needed (from customer towards internet). So you need SNAT on each *1 Side of the Intra-VDOM Link. In that case the ease solution is using " half-numbered Interfaces" there - jst put an IP (on the Intra-VDOM Link Interface) on the customer VDOM facing side.
In the provider-VDOM you place static routing entries like
80.80.80.81/32 -> vdl1 (no gateway IP needed to enter)
If you like you also can use small transit Networks on the Intra-VDOM Links - but that may increase complexity and waste Adresses. So " half numbered" may do the trick better.
Of yourse you must have appropriate FW rules and proper routing set up in both Customer VDOMs and Provider-VDOM.
-R.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Increasing Log Visibility for IPSEC VPN... 125 Views
- How to Remove NAT for IPSEC... 162 Views
- Basic EMAC-VLAN question 184 Views
- 200F, 7.2.8, EMAC VLANS, and Ansible... 268 Views
- Using FortiSwitch Interfaces in multiple VDOMs 689 Views
Labels
-
FortiGate
7,164 -
FortiClient
1,415 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
374 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
108 -
SSL-VPN
105 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1064 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.