VDOMs (5.6.1)
This section describes new VDOM features added to FortiOS 5.6.1.
Create a virtual switch that allows multiple VDOMs to use the same physical interface or VLAN (436206)
This feature allows multiple VDOMs to access the same network or the Internet using the same physical interface rather than requiring each VDOM to have its own Internet-facing interface.
To create this configuration, consider a FortiGate with three VDOMs:
config vdom
    edit root
    next
    edit vdom1
    next
    edit vdom2
end
Create inter-VDOM links for vdom1 and vdom2. The inter-VDOM links should have their type set to ethernet.
config system vdom-link
    edit "vlnk1"
        set type ethernet
    next
    edit "vlnk2"
        set type ethernet
end
These commands create the following four interfaces:
- vlnk1 creates the interfaces vlnk10 and vlnk11
- vlnk2 creates the interfaces vlnk20 and vlnk21
Then create a virtual switch, add it to the root VDOM, and add the first interface created for each inter-VDOM link to it along with the physical interface or VLAN that the VDOMs will use to connect to the external network. In this example, the VDOMs will all connect to the Internet through the wan1 interface.
config system switch-interface
    edit "vs1"
        set vdom "root"
        set member "wan1" "vlnk10" "vlnk20"
end
Then distribute the interfaces in the virtual switch to the respective VDOMs and configure the required IP settings. In this example:
- wan1, vlnk10, and vlnk20 are added to the root VDOM
- vlnk11 is added to vdom1
- vlnk21 is added to vdom2
- wan1, vlnk11 and vlnk21 are configured with IP addresses on the same subnet. The example uses internal IP addresses that may not be appropriate for your network.
config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.1.1.101 255.255.255.0
    next
    edit "vlnk10"
        set vdom "root"
        set type vdom-link
    next
    edit "vlnk20"
        set vdom "root"
        set type vdom-link
    next
    edit "vlnk11"
        set vdom "vdom1"
        set ip 10.1.1.102 255.255.255.0
        set type vdom-link
    next
    edit "vlnk21"
        set vdom "vdom2"
        set ip 10.1.1.103 255.255.255.0
        set type vdom-link
end
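The configuration above is FortiOS CLI, which only a FortiGate can execute, so the invariants the procedure depends on are easy to get wrong when typing it in by hand. As an added example (not Fortinet's code and not part of this page), the Python below parses that CLI text offline and checks three things the steps above require: every member of the virtual switch is in the switch's VDOM, each inter-VDOM link has its two ends (named X0 and X1, as the page describes) in two different VDOMs, and the addresses placed on the shared segment are on one subnet with no duplicates. The sample config is the page's own example reproduced inline as constructed input; the parser, the check functions and their names are this example's own assumptions, not a Fortinet API.

```python
import ipaddress
import shlex

# Constructed sample: the page's configuration, reproduced as text to parse.
SAMPLE_CONFIG = """\
config system vdom-link
    edit "vlnk1"
        set type ethernet
    next
    edit "vlnk2"
        set type ethernet
    next
end
config system switch-interface
    edit "vs1"
        set vdom "root"
        set member "wan1" "vlnk10" "vlnk20"
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.1.1.101 255.255.255.0
    next
    edit "vlnk10"
        set vdom "root"
        set type vdom-link
    next
    edit "vlnk20"
        set vdom "root"
        set type vdom-link
    next
    edit "vlnk11"
        set vdom "vdom1"
        set ip 10.1.1.102 255.255.255.0
        set type vdom-link
    next
    edit "vlnk21"
        set vdom "vdom2"
        set ip 10.1.1.103 255.255.255.0
        set type vdom-link
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)          # shlex strips the quotes around names
        keyword = tokens[0]
        if keyword == "config":
            section = " ".join(tokens[1:])
            sections.setdefault(section, {})
        elif keyword == "edit":
            entry = tokens[1]
            sections[section].setdefault(entry, {})
        elif keyword == "set":
            sections[section][entry][tokens[1]] = tokens[2:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            section, entry = None, None
    return sections


def _vdom_of(ifaces, name):
    return ifaces.get(name, {}).get("vdom", [None])[0]


def check_switch_members(cfg):
    """Every member of a virtual switch must live in the switch's own VDOM."""
    ifaces, problems = cfg.get("system interface", {}), []
    for name, sw in cfg.get("system switch-interface", {}).items():
        sw_vdom = sw.get("vdom", [None])[0]
        for member in sw.get("member", []):
            if _vdom_of(ifaces, member) != sw_vdom:
                problems.append(f"{name}: member {member} is not in VDOM {sw_vdom}")
    return problems


def check_vdom_link_split(cfg):
    """Link X yields X0 and X1 (page naming); the two ends must sit in different VDOMs."""
    ifaces, problems = cfg.get("system interface", {}), []
    for link in cfg.get("system vdom-link", {}):
        a, b = _vdom_of(ifaces, link + "0"), _vdom_of(ifaces, link + "1")
        if a is None or b is None or a == b:
            problems.append(f"{link}: ends are in VDOMs {a} and {b}, expected two different VDOMs")
    return problems


def check_shared_segment_addressing(cfg):
    """Addressed interfaces on the shared segment: one subnet, unique host addresses."""
    problems, seen, nets = [], {}, set()
    for name, props in cfg.get("system interface", {}).items():
        if "ip" not in props:
            continue
        addr, mask = props["ip"]
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        nets.add(iface.network)
        if iface.ip in seen:
            problems.append(f"{name}: address {iface.ip} already used by {seen[iface.ip]}")
        seen[iface.ip] = name
    if len(nets) > 1:
        problems.append(f"addressed interfaces span several subnets: {sorted(map(str, nets))}")
    return problems


def audit(text):
    """Run all checks over a FortiOS config text; an empty list means no findings."""
    cfg = parse_fortios(text)
    return check_switch_members(cfg) + check_vdom_link_split(cfg) + check_shared_segment_addressing(cfg)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no problems found"]:
        print(finding)
```

Feed it the output of `show system vdom-link`, `show system switch-interface` and `show system interface` pasted together, and any finding points at the exact interface to fix before the change goes live.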
On my FG100D, the CLI doesn’t show my wan1 (which is unpurposed and is in the root vdom) as an available interface to add to the software switch.
So it is completely unused and has no references anywhere in the Gate already? (policies, address objects, zones, etc.)
AFAICT, yes, but there might have been something I missed. I did get my wan2 to show up after clearing out some configs it had on it from the factory default settings.
However, I completely backed out of using this configuration as it won’t work within the context of a virtual cluster. I have 4 vdoms and am balancing 2 on each member of the HA-pair. When getting to the last part of the config, you can’t assign the right side of a vdom-link to a vdom that is not primarily assigned to that particular HA-member.
It looks like that you can’t add an IP to the wan1 interface after you add it to the software switch interface. You have to set the IP to the software switch interface instead, which makes sense. This is the case in 5.6.2. Also, the switch interface functionality is broken in 5.6.3, so don’t upgrade to it if you use it. Fortinet Support confirmed they will log a bug for it.
Anyone had any joy implementing this feature at all?
I’m on 5.6.3, and I am so far unable to add the VDOM links to the software switch.
I’ve also noticed that the release notes state that you add an IP to the wan1 interface after adding it to the software switch, which looks wrong.