Mudassar216
New Contributor

Placement of aggregate interface when using vdoms.

I was using FortiGate without VDOMs. Now I have enabled VDOMs and my configuration has moved to the root VDOM. I'm using aggregate interfaces for connectivity, from which I have created VLAN interfaces. My question is: can I have the main aggregate interface in the root VDOM and its VLAN interfaces in other VDOMs?
emnoc
Esteemed Contributor III

Yes, that is doable and what most people do.

Ken Felix
PCNSE NSE StrongSwan
Mudassar216

Thanks for the reply. I was thinking it would be like what Palo Alto has, where the main interface cannot reside in any vsys and the VLAN interfaces can be part of any vsys.
Yurisk
Valued Contributor

This is the only way MSSPs can divide traffic to different client VDOMs - different VLAN for each client/VDOM passing over the same physical Aggregate interface.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Mudassar216

@Yurisk

I think I need to rephrase my question here.
Consider the below scenario,

I have an aggregate interface, let's say ae1, which is in the root VDOM (not Global), and I have a VLAN interface from the same ae interface also in the root VDOM.
Now, I want to create a new VLAN interface from ae1 but for VDOM_1. Will it work?
As per my understanding, the main aggregate interface (ae1) should be in Global VDOM in order for the above scenario to work.

Yurisk
Valued Contributor

Mudassar216 wrote:

As per my understanding, the main aggregate interface (ae1) should be in Global VDOM in order for the above scenario to work.

No, it should not. I can't say by convention or by some Fortinet rule, but I always have the Aggregate interface in the root VDOM, and VLANs running on this interface each in its own VDOM.

Moreover, you HAVE to assign a VDOM to the aggregate; the configuration will not allow it to be in Global.

So per your example:

ae1 - LAG interface in root

ae1.vlan3 - VDOM A

ae1.vlan4 - VDOM B

....

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
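The layout Yurisk describes above, written out as FortiOS CLI. This is an added example, not configuration from any post in the thread; the member ports port1/port2, the VDOM names VDOM_A/VDOM_B, the interface names vlan3/vlan4 and the VLAN IDs 3 and 4 are assumed.

```fortios
# Assumed: VDOMs VDOM_A and VDOM_B already exist (created under "config vdom").
# On a VDOM-enabled unit, interfaces are defined from the global context.
config global
    config system interface
        # The LAG itself must be assigned to a VDOM; it cannot sit in Global.
        # Keeping it in root leaves the physical link under the root admin.
        edit "ae1"
            set vdom "root"
            set type aggregate
            set member "port1" "port2"
        next
        # Each VLAN sub-interface rides on ae1 but is placed in its own VDOM,
        # so customer traffic is separated per VLAN on the same physical LAG.
        edit "vlan3"
            set vdom "VDOM_A"
            set type vlan
            set interface "ae1"
            set vlanid 3
        next
        edit "vlan4"
            set vdom "VDOM_B"
            set type vlan
            set interface "ae1"
            set vlanid 4
        next
    end
end
```

Running `get system interface` from the global context lists each VLAN together with the VDOM it was assigned to, which is the quick way to confirm the split took effect.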
Mudassar216

Thanks for the reply Yurisk.
So basically, the root VDOM is like an admin/management VDOM and no config should be done in this VDOM?
Interfaces/sub-interfaces should be assigned to the actual VDOMs where the actual configuration will be done.
When I enabled the VDOM feature on the FortiGate, everything moved to the root VDOM. I created a new VDOM and tried moving config from root to that new VDOM but was unable to do so because of dependencies. How can I move the existing config from root to the new VDOM?
