Description
This article explains how FortiGate can share a VLAN across multiple VDOMs using emac-vlan interfaces.
Scope
FortiGate.
Solution
Scenario 1:
In the topology above, VLAN128 is shared by creating an EMAC-VLAN interface on top of it in both the V1 VDOM and the V2 VDOM.
Each of those interfaces has its own MAC address. The EMAC-VLAN interfaces can ping each other but cannot ping VLAN128.
Note that an EMAC-VLAN interface cannot be used as a DHCP server.
If a DHCP server is required, it must be configured on the VLAN interface itself.
First, create the VLAN interface. The IP address on it is optional and is needed only if a DHCP server is required:
config system interface
edit "vlan128"
set vdom "root"
set interface "port9"
set ip 10.128.0.3 255.255.255.0
set vlanid 128
next
end
Then bind the emac-vlan interfaces to that VLAN interface:
config system interface
edit "vlan128-v1"
set vdom "v1"
set ip 10.128.0.1 255.255.255.0
set allowaccess ping
set type emac-vlan
set interface "vlan128"
next
end
config system interface
edit "vlan128-v2"
set vdom "v2"
set ip 10.128.0.2 255.255.255.0
set allowaccess ping
set type emac-vlan
set interface "vlan128"
next
end
Verification (routing table and ping from the v1 VDOM, then the same from the v2 VDOM):
get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
C 10.128.0.0/24 is directly connected, vlan128-v1
exe ping 10.128.0.254
PING 10.128.0.254 (10.128.0.254): 56 data bytes
64 bytes from 10.128.0.254: icmp_seq=0 ttl=64 time=0.5 ms
64 bytes from 10.128.0.254: icmp_seq=1 ttl=64 time=0.1 ms
^C
--- 10.128.0.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.3/0.5 ms
get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
C 10.128.0.0/24 is directly connected, vlan128-v2
exe ping 10.128.0.254
PING 10.128.0.254 (10.128.0.254): 56 data bytes
64 bytes from 10.128.0.254: icmp_seq=0 ttl=64 time=0.2 ms
64 bytes from 10.128.0.254: icmp_seq=1 ttl=64 time=0.2 ms
^C
--- 10.128.0.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
Scenario 2: Aggregate interface.

- Create the aggregate interface:
config system interface
edit "lag"
set vdom "root"
set type aggregate
set member "port6" "port7"
set lldp-transmission enable
set role lan
next
end
- Create a VLAN interface under the aggregate interface:
config sys int
edit "vlan215"
set vdom root
set interface lag
set vlanid 215
next
end
- Then bind the emac-vlan interfaces to that VLAN interface:
config system interface
edit "vlan215_1"
set vdom root
set ip 192.168.200.1 255.255.255.0
set allowaccess ping
set type emac-vlan
set interface "vlan215"
next
end
config system interface
edit "vlan215_2"
set vdom "LAB"
set ip 192.168.200.2 255.255.255.0
set allowaccess ping
set type emac-vlan
set interface "vlan215"
next
end
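
Because emac-vlan interfaces place several VDOMs on the same layer-2 segment, it is worth reviewing which VDOMs share each parent VLAN. The Python below is an added example, not part of the original article or any Fortinet tooling: it parses config system interface text and reports the VDOMs sharing each parent, and flags emac-vlan entries whose parent is undefined or whose IP is already used on the same parent. The function names and the embedded sample (Scenario 1, trimmed) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: Scenario 1 from the article, trimmed (port and allowaccess omitted).
SAMPLE = '''config system interface
edit "vlan128"
set vdom "root"
set vlanid 128
next
edit "vlan128-v1"
set vdom "v1"
set ip 10.128.0.1 255.255.255.0
set type emac-vlan
set interface "vlan128"
next
edit "vlan128-v2"
set vdom "v2"
set ip 10.128.0.2 255.255.255.0
set type emac-vlan
set interface "vlan128"
next
end'''

def parse_interfaces(text):
    """Hypothetical helper: return {interface name: {setting: value}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r'\s*(edit|set)\s+(\S+)\s*(.*)', line)
        if m and m.group(1) == "edit":
            cur = ifaces.setdefault(m.group(2).strip('"'), {})
        elif m and cur is not None:
            cur[m.group(2)] = m.group(3).strip().strip('"')
    return ifaces

def audit_emac(ifaces):
    """Return ({parent: VDOMs with an emac-vlan on it}, [problems found])."""
    shared, used, issues = {}, {}, []
    for name, cfg in ifaces.items():
        if cfg.get("type") != "emac-vlan":
            continue
        parent = cfg.get("interface")
        if parent not in ifaces:
            issues.append(f"{name}: parent {parent} is not defined")
        shared.setdefault(parent, set()).add(cfg.get("vdom"))
        if "ip" in cfg:
            ip = ipaddress.ip_interface(cfg["ip"].replace(" ", "/")).ip
            owner = used.setdefault((parent, ip), name)
            if owner != name:
                issues.append(f"{name}: {ip} already used by {owner}")
    return {p: sorted(v) for p, v in shared.items()}, issues
```

Calling audit_emac(parse_interfaces(SAMPLE)) on the Scenario 1 configuration returns vlan128 shared by v1 and v2 with no problems reported.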
