Same vlan-ID in different Vdom

Author
amrshawky
2019/05/29 15:26:18

Hi,

My topology will be:

3 main servers in VLANs 10, 20, 30 >>> connected to edge switch "1" >>> FG 1 on port 1
3 backup servers in VLANs 10, 20, 30 >>> connected to edge switch "2" >>> FG 1 on port 2

The 2 edge switches "1 & 2" will be connected to 2 ports on the FortiGate.

How can I make the FW the gateway for these VLANs?
I know that in a normal setup I cannot create the same sub-interface on different physical ports in FortiGate.
Can VDOM help me in this topology?

Note that the FortiGate is an 81E, which does not support 802.3ad.

#1


    Toshi Esumi
    Re: Same vlan-ID in different Vdom 2019/05/30 08:27:59
    I don't know where vdoms come into your situation, as you said on the subject line. But the common setup in your situation is to use a hard-switch (config sys virtual-switch) with FGxxD/E series and bind those two ports into one, so that both ports have the exact same set of vlan-tagged interfaces when you configure the vlan sub-interfaces on it.
    #2
    amrshawky
    Re: Same vlan-ID in different Vdom 2019/05/30 13:24:35
    Thanks a lot, but could you share a KB related to this hard-switch (config sys virtual-switch) with FGxxD/E?

    I asked about VDOM, whether it can help me or not.
    FortiGate 81E does not support aggregation.
    #3
    Toshi Esumi
    Re: Same vlan-ID in different Vdom 2019/05/31 08:43:28
    For anything new, look for it at the online help first:
    https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/Interfaces/Virtual%20Switch.htm
     
    Sounds like nothing to do with vdoms. Hard-switch would solve your problem.
    #4
    amrshawky
    Re: Same vlan-ID in different Vdom 2019/05/31 15:41:30
    I have attached the needed topology to be more clear.

    Did you mean that VDOM will not help? OK, thanks.

    Could I make a virtual-switch between Port1 and Port2,
    then divide this virtual switch into sub-interfaces?
    10.10.10.1/24
    10.10.20.1/24
    10.10.30.1/24

    Kindly review the attached topology. Did you mean to put port 1 and 2 in the Vswitch and assign all sub-interfaces, right?

    If I understand right:

    What is the difference between a virtual switch at the interface level and 802.3ad aggregation?

    Many thanks in advance.

    #5
    Toshi Esumi
    Re: Same vlan-ID in different Vdom 2019/05/31 15:58:28
    "Virtual-Switch" in the CLI, or "hard-switch" in more general terms, is just FTNT's terminology for their own way of putting multiple ports into one logical port and one broadcast domain inside one FGT unit, so that all VLAN subinterfaces you create on the logical interface are equally distributed to all member ports. You can't see any of this from outside the FGT. Each physical port is still just a 1Gig trunk port. It has nothing to do with a standard like 802.3ad aggregation, which combines multiple ports and makes it 1Gig x number of ports. And more importantly, this is a standard and inter-operable between different vendors' equipment.

    Yes. You just need to configure those vlan 10, 20, 30 subinterfaces on the logical "hard-switch" interface after putting port1 and port2 in it. Then those two ports have the same set of vlans on both. Just like you configure the same set of VLANs on multiple trunk ports on an L2 switch.
    #6
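
The setup described in the reply above, written out as FortiOS CLI. This is an added example, not part of the original posts: the names "hw-sw1" and "vlan10/20/30", the physical-switch name "sw0", the "root" VDOM and the ping-only allowaccess are assumptions, while the ports, VLAN IDs and gateway addresses are the ones given in the thread.

```fortios
# Added example. Assumed names: hw-sw1, sw0, vlan10/20/30, VDOM root.
# Bind port1 and port2 into one logical hard-switch interface.
config system virtual-switch
    edit "hw-sw1"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end

# VLAN sub-interfaces live on the logical interface, so both member
# ports carry the same tagged VLANs. hw-sw1 itself is left without an IP.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "hw-sw1"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan20"
        set vdom "root"
        set interface "hw-sw1"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan30"
        set vdom "root"
        set interface "hw-sw1"
        set vlanid 30
        set ip 10.10.30.1 255.255.255.0
        set allowaccess ping
    next
end
```

As the reply describes, the member ports form one broadcast domain, so a main and a backup server in the same VLAN reach each other at layer 2 rather than through a firewall policy; policies apply to traffic routed between the VLAN interfaces.
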
    amrshawky
    Re: Same vlan-ID in different Vdom 2019/06/02 17:20:56
    Great...

    The only difference between 802.3ad and V-Switch "Hard-Switch" is that 802.3ad is a standard and bundles the interfaces' B.W.? Is that right?

    So please check the attached configuration; I keep the V-switch interface with no IP and assign the sub-interfaces as L3 interfaces.

    #7
    Toshi Esumi
    Re: Same vlan-ID in different Vdom 2019/06/03 08:34:41
    No, they're two completely different concepts. Those two hard-switch interfaces connect to two different devices, while 802.3ad interfaces connect to the same (at least logically) device.
    #8
    amrshawky
    Re: Same vlan-ID in different Vdom 2019/06/03 12:08:29
    Did you mean that in my topology 802.3ad doesn't help?

    Connecting port1 on the FG to SW1 and port2 on the FG to SW2, then making port1 & 2 aggregated on the FG, does not help in this topology?
    #9
    Toshi Esumi
    Re: Same vlan-ID in different Vdom 2019/06/03 12:39:06
    No, you're misunderstanding the concept of link-aggregation/802.3ad. The other ends of the two FGT ports need to be connected to one switch (or two switches in one "stacked" (Cisco) or "Virtual Chassis" (Juniper) switch). And you need to configure the aggregation on the switch. Then the link capacity between the FGT and the switch becomes 2Gbps. That's what link-aggregation does, and it is no help for your situation.
    #10
    amrshawky
    Re: Same vlan-ID in different Vdom 2019/06/03 15:08:17
    Great...

    If the 2 switches are not in a stack, the aggregation will not be fine? Why?
    The FG understands that it has 2 ports acting as 1 port, and the switches see the MAC address of this bundle, right?

    #11
    Toshi Esumi
    Re: Same vlan-ID in different Vdom 2019/06/03 15:55:44
    Because the CPU needs to decide which physical interface to go out of when it receives a packet to go out to the "link".
    I would suggest you read an explanation about link-aggregation or 802.3ad like below:
    https://en.wikipedia.org/wiki/Link_aggregation
     
    #12
    amrshawky
    Re: Same vlan-ID in different Vdom 2019/06/14 21:18:08
    Is this feature new in version 6.2, or does it already exist in version 5?
    #13
    emnoc
    Re: Same vlan-ID in different Vdom 2019/06/15 01:05:13
    Link aggregation has been around probably since vr MR4 or earlier.
     https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-networking-54/Interfaces/Aggregate%20Interfaces.htm
     
    You didn't say what type of FGT, but most 3-digit models support it; 2-digit models typically don't.

    i.e. my FWF50 does not
     
    Ken Felix

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #14
    amrshawky
    Re: Same vlan-ID in different Vdom 2019/06/16 15:55:31
    No, I am asking about virtual switch, not aggregation.

    My FortiGate is an 81E.

    I know that it does not support aggregation.

    Does it support Virtual-Switch?
    #15
    amrshawky
    Re: Same vlan-ID in different Vdom 2019/06/19 17:47:55
    Any update?
    #16