Hi,
I have read many times about emac-vlan and how it is supposed to be implemented. But finally, when I tried to do it, it doesn't work as expected.
Topology is like this:
TRUNK
undo port trunk vlan 1 (no default/untagged vlan)
(vlan 10) [L3SW | 10.1.10.254] <---> [10.1.10.1 | Forti vdom root] <- this is main connection to ROOT.Vdom, with internet, MGMT int. and all
(vlan 11) [L3SW | 10.1.11.254] <---> [10.1.11.1 | Forti Vdom1]
(vlan 11) [L3SW | 10.1.11.254] <---> [10.1.11.2 | Forti Vdom2]
(vlan 11) [L3SW | 10.1.11.254] <---> [10.1.11.3 | Forti Vdom2]
The goal was to implement emac-vlan interfaces on vdoms 1-3, but after setting up vdom1 (with VLAN tag 11), I can't do it on vdom2 - I get a message that the VLAN is used by another software switch.
I have a similar setup on the WAN side; the difference is that I want to use two different ports for one VLAN 13 - one for root, one for the vdoms. And it's the same story: after setting up vdom1 with emac in VLAN 13, the next one can't be configured.
The official cookbook is really tough to understand for a non-native English speaker. It says:
If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a packet is sent to this interface, a VLAN tag is inserted in the packet and the packet is sent to the driver of the underlying interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to this enhanced MAC VLAN interface.
When using a VLAN ID, the ID and the underlying interface must be a unique pair, even if they belong to different VDOMs. This is because the underlying, physical interface uses the VLAN ID as the identifier to dispatch traffic among the VLAN and enhanced MAC VLAN interfaces.
The underlying port is just a normal physical port with no IP/VLAN.
Does this mean I should throw some random VLAN number at it, or even none?
Not following your question, but I'll write out how it's supposed to look
config sys interface
edit vlan11
set vdom root
set vlanid 11
set interface port11
next
end
Now you build your three interfaces
config sys int
edit cust1
set vdom vdom1
set type emac-vlan
set interface vlan11
set ip 10.11.1.1/24
set allowaccess ping
next
edit cust2
set vdom vdom2
set type emac-vlan
set interface vlan11
set ip 10.11.1.2/24
set allowaccess ping
next
edit cust3
set vdom vdom3
set type emac-vlan
set interface vlan11
set ip 10.11.1.3/24
set allowaccess ping
next
end
Hope that helps
Ken Felix
PCNSE
NSE
StrongSwan
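To make the cookbook's uniqueness rule concrete, here is an added Python check (not from this thread and not a Fortinet tool) that parses a "config system interface" block and flags every (underlying interface, vlanid) pair claimed by more than one interface. The two sample configs, the port name port11 and the interface names are constructed; the first reproduces the failing attempt (emac-vlan in each VDOM tagged 11 directly on the port), the second reproduces the layout from the answer above.

```python
"""Check the FortiOS rule that (underlying interface, vlanid) must be a
unique pair across all VDOMs, for VLAN and EMAC VLAN interfaces alike."""
from collections import defaultdict


def parse_interfaces(cli_text):
    """Minimal parser for a FortiOS interface block: understands only
    edit/set/next and returns {interface_name: {attribute: value}}."""
    interfaces, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            interfaces[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3:
                interfaces[current][parts[1]] = parts[2].strip('"')
        elif line == "next":
            current = None
    return interfaces


def find_vlan_conflicts(interfaces):
    """Return [(underlying_interface, vlanid, [names])] for every
    (interface, vlanid) pair used by more than one interface."""
    pairs = defaultdict(list)
    for name, attrs in interfaces.items():
        if "vlanid" in attrs and "interface" in attrs:
            pairs[(attrs["interface"], attrs["vlanid"])].append(name)
    return [(p[0], p[1], n) for p, n in sorted(pairs.items()) if len(n) > 1]


# Constructed sample 1: emac-vlan per VDOM, each tagged 11 on the same port.
BROKEN = ("edit vdom1-emac\nset vdom vdom1\nset type emac-vlan\nset interface port11\nset vlanid 11\nnext\n"
          "edit vdom2-emac\nset vdom vdom2\nset type emac-vlan\nset interface port11\nset vlanid 11\nnext\n")

# Constructed sample 2: one vlan11 in root, emac-vlan interfaces stacked on it.
FIXED = ("edit vlan11\nset vdom root\nset type vlan\nset interface port11\nset vlanid 11\nnext\n"
         "edit cust1\nset vdom vdom1\nset type emac-vlan\nset interface vlan11\nnext\n"
         "edit cust2\nset vdom vdom2\nset type emac-vlan\nset interface vlan11\nnext\n")

if __name__ == "__main__":
    print(find_vlan_conflicts(parse_interfaces(BROKEN)))  # one conflict on (port11, 11)
    print(find_vlan_conflicts(parse_interfaces(FIXED)))   # []
```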
emnoc wrote: Not following your question, but I'll write out how it's supposed to look
OK, so with your method it works fine. On the WAN side, with a separate cable to port 2, too. I kind of understand this logic, but I have a second site where the WAN isn't an access port like my port2, only a trunk. So I wonder, when this trunk permits only VLAN 13 and no other, whether mac-vlan should work without entering a VLAN tag.
It's a shame that FG VMs don't have emac support; it's sometimes hard to test on production environments.
Disclaimer: I have no actual experience with EMAC
I think, if I understand Darkstar's question, the answer based on what I see in the config Ken provided is "yes, of course you can use EMAC VLAN with a trunk".
Let me see if I understand what you mean...you have a trunk to the firewall carrying several VLANs on the same port: say VLAN 11, 12, 13, 14. These are all on, let's say, port11, so you have what Ken said, plus more, like this:
config sys interface
edit vlan11
set vdom root
set vlanid 11
set interface port11
next
edit vlan12
set vdom root
set vlanid 12
set interface port11
next
edit vlan13
set vdom root
set vlanid 13
set interface port11
next
edit vlan14
set vdom root
set vlanid 14
set interface port11
next
end
As far as I understand it, I don't see why you wouldn't still be able to add the EMAC interfaces for VLAN 11 the same way that Ken described.
Does that help?
lobstercreed wrote:
Does that help?
Let's say you have a trunk with 5 VLANs, and I want to create emac-vlan interfaces in VLAN 5 for 10 VDOMs, each with 1 emac-vlan interface in the same subnet from VLAN 5. How will it distinguish that traffic if I don't provide a root "VLAN interface" with no IP address, which serves as the base for the emac-vlans?
In my site 2 situation, I have a trunk port from the switch with 1 VLAN connected to 2 WAN ports. I can't create the root base "VLAN interface" without IP, because it already exists and serves communication. So I need to push emac-vlan based on port 2, which works when this port is access (site 1).