Channel: Fortinet Cookbook

Shared VLAN using Transparent Mode switching


In this recipe, we will look at how a common VLAN can be shared with multiple VDOMs using FortiOS.

There are many circumstances where a security architecture may call for multiple virtual firewalls (VDOMs) to be connected to the same shared segment, usually in the form of a VLAN tagged on a single logical interface on a physical FortiGate. The default rule regarding interfaces and VDOMs is that any given logical interface can belong to only a single VDOM, which effectively prevents this scenario from being deployed. However, a feature of transparent VDOMs called “forwarding domains” provides a solution.

The diagram represents a typical scenario, most common to MSSPs and enterprises but also seen in other niche use cases. A single VLAN representing a given subnet is connected to a physical interface on the FortiGate and must be shared with multiple VDOMs, all of which must access the same subnet. While this scenario may be addressed by using the same VLAN number on multiple physical interfaces, each mapped to a distinct VDOM, this quickly becomes a problem as the number of VDOMs grows, since each requires a distinct physical port on both the firewall and the switching infrastructure. It becomes even more prohibitive when the physical interfaces in use are high-end 10/40/100Gbps ports, where the usual approach is link aggregation.

As pictured above, a very effective means to address this issue while deriving some additional benefits is to use a transparent mode VDOM, called “switch” in our example. Our example has 3 additional NAT/route VDOMs called “vdomA”, “vdomB” and “vdomC”.

A transparent mode VDOM handles VLAN tags in a unique manner: it strips the incoming VLAN information for configured interfaces and replaces it with another identifier called the “forwarding domain ID”. This happens internally and isn’t seen on external traffic.

A forwarding domain’s behaviour is simple: all interfaces belonging to the same forwarding domain are effectively layer 2 bridged. That is, so long as the policies allow the traffic – policies are very much still an enforcement criterion in transparent mode VDOMs and in fact, most policy aspects are identical to NAT/route mode operation. Behind the scenes, however, each forwarding domain is a separate “inner VLAN” in which the MAC addresses learned from each interface belonging to the same domain populate the domain’s forwarding table.

As mentioned previously, VLAN information is stripped on arrival and inserted when leaving. This is important to our solution as it allows us to perform VLAN rewriting and therefore make use of additional VLAN IDs when exchanging traffic over the NPU vlink between “switch” and the other VDOMs.

This recipe is documented in CLI, but the majority of this configuration can be accomplished through the GUI. Note that this is an expert recipe which assumes a good comfort level with FortiOS.

Configuration: Transparent mode VDOM

The configuration below creates the transparent VDOM and assigns the external VLAN100 logical interface, along with three logical interfaces on npu0-vlink0 (VLANs 1001, 1002, 1003 – arbitrary values), to VDOM “switch”. We then create a policy allowing layer 2 traffic to flow between all four interfaces in forwarding domain 10. Note that there is a great level of flexibility in what you choose to do at this layer: UTM features and traffic-shaping profiles can be applied to the traffic. A minimalist, often implemented measure when this is used for multi-tenant environments is to allow traffic between the shared VLAN and the VDOMs, but not between the VDOMs (tenants) themselves. Finally, the author is using a somewhat bogon IP address for the transparent VDOM manageip – feel free to use any unused address that will not transit through the transparent VDOM. If you require the VDOM to leverage external features that require it to communicate with the outside world, you would configure a valid address. In this case we are managing the appliance from the root VDOM, which isn’t shown in this example.

config vdom
 edit switch
  config sys settings
   set opmode transparent
   set manageip 1.1.1.1/32
  end
 next
end
config global
 config sys interface
    edit "VLAN100"
        set vdom "switch"
        set forward-domain 10
        set interface "port9"
        set vlanid 100
    next
    edit "VLAN100_vdomA"
        set vdom "switch"
        set forward-domain 10
        set interface "npu0_vlink0"
        set vlanid 1001
    next
    edit "VLAN100_vdomB"
        set vdom "switch"
        set forward-domain 10
        set interface "npu0_vlink0"
        set vlanid 1002
    next
    edit "VLAN100_vdomC"
        set vdom "switch"
        set forward-domain 10
        set interface "npu0_vlink0"
        set vlanid 1003
    next
 end
end
config vdom
 edit switch
  config firewall policy
    edit 0
        set name "Allow all switched traffic"
        set srcintf "VLAN100" "VLAN100_vdomA" "VLAN100_vdomB" "VLAN100_vdomC"
        set dstintf "VLAN100" "VLAN100_vdomA" "VLAN100_vdomB" "VLAN100_vdomC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
  end
end

Configuration: Routed VDOMs

The routed VDOMs connected to the transparent VDOM have little that warrants extensive explanation, except that each uses the matching VLAN ID on the opposing npu0-vlink1 interface. For more information on NPU vlinks, consult the FortiOS Handbook on NPU-accelerated VDOM links. This example is specifically limited to platforms equipped with NPU ASICs; however, one could implement similar switching behaviour in software using standard vdom-link interfaces.

config vdom
 edit vdomA
 next
 edit vdomB
 next
 edit vdomC
 next
end
config global
 config sys interface
    edit "vdomA-wan"
        set vdom "vdomA"
        set ip 192.168.100.101 255.255.255.0
        set allowaccess ping
        set interface "npu0_vlink1"
        set vlanid 1001
    next
    edit "vdomB-wan"
        set vdom "vdomB"
        set ip 192.168.100.102 255.255.255.0
        set allowaccess ping
        set interface "npu0_vlink1"
        set vlanid 1002
    next
    edit "vdomC-wan"
        set vdom "vdomC"
        set ip 192.168.100.103 255.255.255.0
        set allowaccess ping
        set interface "npu0_vlink1"
        set vlanid 1003
    next
 end
end


The post Shared VLAN using Transparent Mode switching appeared first on Fortinet Cookbook.