VDOMs and shared interfaces?

Report Inappropriate Content · ‎01-07-2010

Hi All, I' m new to the Fortinet boxes and to this forum... I' ve been reading the documentation, but can' t quite see how to accomplish a specific configuration so I' m after some help. I would like to create multiple VDOMs that use a single internet connection and (potentially) a single server LAN. Each VDOM will terminate one or more IPSec L2L tunnels to different customers. The customers use overlapping private IP address space, so NAT will be used in each VDOM to allow the servers to communication with the clients and vice versa. See attached for a diagram. My problem is, once I define an interface (using VLAN ID 40 for example), I canâ€™t then create a second interface using the same VLAN ID to assign to the second VDOM? I was expecting to be able to create multiple interfaces using the same VLAN, ensuring that the IP addresses were unique. Any ideas? Many Thanks in advance. Gareth

romanr · ‎01-07-2010

ORIGINAL: Gareth Whitcomb My problem is, once I define an interface (using VLAN ID 40 for example), I canâ€™t then create a second interface using the same VLAN ID to assign to the second VDOM? I was expecting to be able to create multiple interfaces using the same VLAN, ensuring that the IP addresses were unique.

Hi, you will have to use a different physical interface and attach the VLAN interface there... cheers.roman

Report Inappropriate Content · ‎01-08-2010

Hi Roman, Many Thanks for your response. Unfortunatly, I need 9 VDOMs but only have 2 physical interfaces... Any other ideas? Many Thanks, Gareth

Report Inappropriate Content · ‎01-08-2010

Hello Gareth, Welcome to the Forums. You can use the same VLAN ID on different physical interfaces, and assign each VLAN to any VDOM. However, VDOMs cannot share physical interfaces or VLANs sub-interfaces For example : VDOM1 physical interface port1 VLAN10-port1 VLAN20-port1 VDOM2 physical interface port2 VLAN10-port2 VDOM3 VLAN30-port1 VLAN30-port2 VDOM4 VLAN40-port1 VLAN40-port2 I hope that will help. -J.

Report Inappropriate Content · ‎01-08-2010

Thanks for your quick responses. Due my lack of physical interfaces, I think I' ll try and work-around this limitation in the switches. I' m hoping to configure them to bridge (or proxy-arp) multiple VLAN' s. This should allow me to present the one ' real' VLAN as multiple VLANs to the Fortigate boxes. Gareth

red_adair · ‎01-08-2010

The Solution to this is Intra-VDOM Links, so you build up hierarchical VDOMs. Have a " Provider VDOM" that faces your VLAN40 and the Internet. the other " Customer VDOMs" are connected to the Provider VDOM with Intra-VDOM Links. Those can be unnumbered or numbered. --vlan10-----(cust-vdom-1)*1----vdl1-------*2|-------------| --vlan11-----(cust-vdom-2)*1----vdl2-------*2| prov-vdom---|--------(Internet) --vlan12-----(cust-vdom-3)*1----vdl3-------*2|-------------| You say SNAT is needed (from customer towards internet). So you need SNAT on each *1 Side of the Intra-VDOM Link. In that case the ease solution is using " half-numbered Interfaces" there - jst put an IP (on the Intra-VDOM Link Interface) on the customer VDOM facing side. In the provider-VDOM you place static routing entries like 80.80.80.81/32 -> vdl1 (no gateway IP needed to enter) If you like you also can use small transit Networks on the Intra-VDOM Links - but that may increase complexity and waste Adresses. So " half numbered" may do the trick better. Of yourse you must have appropriate FW rules and proper routing set up in both Customer VDOMs and Provider-VDOM. -R.

VDOMs and shared interfaces?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website