Placement of aggregate interface when using vdoms.

Mudassar216
2021/04/16 08:39:05 (permalink)
0

I was using FortiGate without VDOMs. Now I have enabled VDOMs and my configuration has moved to the root VDOM.
I’m using aggregate interfaces for connectivity, from which I have created VLAN interfaces.

My question is: can I have the main aggregate interface in the root VDOM and its VLAN interfaces in other VDOMs?
#1


    emnoc
    Re: Placement of aggregate interface when using vdoms. 2021/04/16 08:58:12 (permalink)
    3 (1)
    Yes, that is doable and what most people do.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #2
    Mudassar216
    Re: Placement of aggregate interface when using vdoms. 2021/04/16 11:20:09 (permalink)
    0
    Thanks for the reply.

    I was thinking that it would be something like what Palo Alto has, where the main interface cannot reside in any vsys and VLAN interfaces can be part of any vsys.
    #3
    Yurisk
    Re: Placement of aggregate interface when using vdoms. 2021/04/17 22:50:45 (permalink)
    4 (1)
    This is the only way MSSPs can divide traffic to different client VDOMs - different VLAN for each client/VDOM passing over the same physical Aggregate interface.
     

    Yuri
    https://yurisk.info/ blog: All things Fortinet, no ads.
    #4
    Mudassar216
    Re: Placement of aggregate interface when using vdoms. 2021/04/18 02:51:44 (permalink)
    0
    @Yurisk
    I think I need to rephrase my question here.
     
    Consider the below scenario,
    I have an aggregate interface, let's say ae1, which is in root VDOM (not Global), and I have a VLAN interface from the same ae interface also in root VDOM.
     
    Now, I want to create a new VLAN interface from ae1 but for VDOM_1. Will it work?
     
    As per my understanding, the main aggregate interface (ae1) should be in Global VDOM in order for the above scenario to work.
    #5
    Yurisk
    Re: Placement of aggregate interface when using vdoms. 2021/04/18 03:02:10 (permalink)
    0
    Mudassar216
    As per my understanding, the main aggregate interface (ae1) should be in Global VDOM in order for the above scenario to work.

    No, it should not. I can't say by convention or by some Fortinet rule, but I always have Aggregate interface in root VDOM, and VLANs running on this interface each in its own VDOM.
    Moreover, you HAVE to assign VDOM to the aggregate, configuration will not allow it to be in Global. 
    So per your example:
    ae1 - LAG interface in root
    ae1.vlan3 - VDOM A
    ae1.vlan4 - VDOM B
    ....
     

    Yuri
    https://yurisk.info/ blog: All things Fortinet, no ads.
    #6
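
The layout from the reply above, written out as FortiOS CLI. This is an added example, not part of the original thread: ae1 and VLANs 3 and 4 follow the reply, while the member ports (port1, port2) and the VDOM names (VDOM_A, VDOM_B) are assumptions.

```fortios
# Added example. port1/port2 and VDOM_A/VDOM_B are assumed names.

# Create the tenant VDOMs first so interfaces can be assigned to them.
config vdom
    edit VDOM_A
    next
    edit VDOM_B
    next
end

# With VDOMs enabled, interfaces are defined in the global context,
# and every interface carries its own "set vdom" assignment.
config global
    config system interface
        # The LAG itself is owned by root; it cannot be left unassigned.
        edit "ae1"
            set vdom "root"
            set type aggregate
            set member "port1" "port2"
            set lacp-mode active
        next
        # VLAN 3 rides on ae1 but belongs to VDOM_A.
        edit "ae1.vlan3"
            set vdom "VDOM_A"
            set interface "ae1"
            set vlanid 3
        next
        # VLAN 4 rides on ae1 but belongs to VDOM_B.
        edit "ae1.vlan4"
            set vdom "VDOM_B"
            set interface "ae1"
            set vlanid 4
        next
    end
end
```

Running `show system interface` inside `config global` prints each interface with its `set vdom` line, which is a quick check that every VLAN landed in the intended VDOM.
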
    Mudassar216
    Re: Placement of aggregate interface when using vdoms. 2021/04/26 04:48:33 (permalink)
    0
    Thanks for the reply Yurisk.
     
    So basically, root vdom is like an admin/management vdom and no config should be done in this vdom?
     
    Interfaces/sub-interfaces should be assigned to actual vdoms where the actual configuration will be done.
     
    When I enabled the VDOM feature on the FortiGate, everything was moved to the root VDOM. I created a new VDOM and tried moving config from root to that new VDOM but was unable to do that because of dependencies. How can I move the existing config from root to the new VDOM?
    #7