Handbook

6.0.0

Enhanced MAC VLANs

The media access control (MAC) virtual local area network (VLAN) feature in Linux allows you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.

A FortiGate implements an enhanced MAC VLAN, which is a MAC VLAN with bridge functionality. Because each MAC VLAN has a unique MAC address, virtual IP addresses (VIPs) and IP pools are supported, and you can disable Source Network Address Translation (SNAT) in policies. However, a plain MAC VLAN can’t be used in a transparent mode virtual domain (VDOM): in a transparent mode VDOM, a packet leaves an interface with the MAC address of the original source instead of the interface’s MAC address. FortiGate removes this limitation with its enhanced version of MAC VLAN, which adds a MAC table to the MAC VLAN that learns the MAC addresses seen as traffic passes through.

If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a packet is sent to this interface, a VLAN tag is inserted in the packet, and the packet is sent to the driver of the underlying interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to this enhanced MAC VLAN interface.

Note

When using a VLAN ID, the ID and the underlying interface must be a unique pair, even if they belong to different VDOMs. This is because the underlying physical interface uses the VLAN ID as the identifier to dispatch traffic among the VLAN and enhanced MAC VLAN interfaces.

If you use an interface in an enhanced MAC VLAN, you shouldn’t use it for other purposes, such as a management interface, HA heartbeat interface, or in transparent VDOMs.

If a physical interface is used by an EMAC VLAN interface, you can’t use it in a virtual wire pair.

To configure enhanced MAC VLAN – CLI:

config system interface
    edit <interface-name>
        set type emac-vlan
        set vlanid <VLAN-ID>
        set interface <physical-interface>
    next
end

Setting a VLAN ID is optional. If set, the ID and interface must be a unique pair, even if they belong to different VDOMs.

Enhanced MAC VLANs and HA

In high availability (HA) configurations, enhanced MAC VLAN is treated as a physical interface. It’s assigned a unique physical interface ID and the MAC table is synchronized to the secondary devices in the same HA cluster.

Example 1: Enhanced MAC VLAN configuration for multiple VDOMs that use the same interface or VLAN

In this example, port 1 of a FortiGate connects to a router that provides Internet access. Three VDOMs share port 1, and one enhanced MAC VLAN interface is configured on port 1 for each VDOM. The three enhanced MAC VLAN interfaces are in the same IP subnet and each has a unique MAC address.

The underlying interface (port 1) can be a physical interface, an aggregate interface, or a VLAN interface on a physical or aggregate interface.

In this scenario, the configuration for enhanced MAC VLAN is the following:

config system interface
    edit port1.emacvlan1
        set vdom VDOM1
        set type emac-vlan
        set interface port1
    next
    edit port1.emacvlan2
        set vdom VDOM2
        set type emac-vlan
        set interface port1
    next
    edit port1.emacvlan3
        set vdom VDOM3
        set type emac-vlan
        set interface port1
    next
end

Example 2: Enhanced MAC VLAN configuration for shared VDOM links among multiple VDOMs

In this example, multiple VDOMs can connect to each other using enhanced MAC VLAN on network processing unit (NPU) virtual link (vlink) interfaces.

Currently, FortiGate VDOM links (npu-vlink) are designed as peer-to-peer connections, and VLAN interfaces on NPU vlink ports all use the same MAC address. It’s therefore not practical to connect more than two VDOMs using NPU vlinks and VLAN interfaces.

In this scenario, the configuration for enhanced MAC VLAN is the following:

config system interface
    edit npu0_vlink0.emacvlan1
        set vdom VDOM1
        set type emac-vlan
        set interface npu0_vlink0
    next
    edit npu0_vlink0.emacvlan2
        set vdom VDOM3
        set type emac-vlan
        set interface npu0_vlink0
    next
    edit npu0_vlink1.emacvlan1
        set vdom VDOM2
        set type emac-vlan
        set interface npu0_vlink1
    next
end

Example 3: Enhanced MAC VLAN configuration for unique MAC addresses for each VLAN interface on the same physical port

In some networks, a unique MAC address is needed for each VLAN interface when the VLAN interfaces share the same physical port. In this case, the enhanced MAC VLAN interface is used the same way as normal VLAN interfaces.

To configure this, you use the set vlanid command for the VLAN tag. The VLAN ID and interface must be a unique pair, even if they belong to different VDOMs.

In this scenario, the configuration for enhanced MAC VLAN is the following:

config system interface
    edit <interface-name>
        set type emac-vlan
        set vlanid <VLAN-ID>
        set interface <physical-interface>
    next
end
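The uniqueness rule from the note above and from this example can be audited before a configuration is pushed. The following Python is an added example, not part of the Fortinet handbook: it parses the `config system interface` subset shown on this page (edit/set/next/end only) and flags any (underlying interface, VLAN ID) pair claimed by more than one VLAN or enhanced MAC VLAN interface, ignoring VDOM membership on purpose. The sample configuration is constructed for the example.

```python
from collections import defaultdict

# Constructed sample in FortiOS CLI form (not from a real device): an enhanced
# MAC VLAN in VDOM1 and a plain VLAN in VDOM2 both claim VLAN ID 100 on port1.
SAMPLE_CONFIG = """
config system interface
    edit port1.emacvlan1
        set vdom VDOM1
        set type emac-vlan
        set vlanid 100
        set interface port1
    next
    edit vlan100
        set vdom VDOM2
        set type vlan
        set vlanid 100
        set interface port1
    next
    edit port1.emacvlan2
        set vdom VDOM2
        set type emac-vlan
        set vlanid 200
        set interface port1
    next
end
"""

def parse_interfaces(config):
    """Return {name: {attribute: value}} for every edit block in the config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = line[5:]
            interfaces[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            interfaces[current][key] = value
        elif line in ("next", "end"):
            current = None
    return interfaces

def find_vlanid_conflicts(interfaces):
    """Map each (underlying interface, VLAN ID) pair claimed by more than one VLAN
    or emac-vlan interface to its claimants; the port dispatches by VLAN ID alone."""
    claims = defaultdict(list)
    for name, attrs in interfaces.items():
        if attrs.get("type") in ("vlan", "emac-vlan") and "vlanid" in attrs:
            claims[(attrs["interface"], attrs["vlanid"])].append(name)
    return {pair: names for pair, names in claims.items() if len(names) > 1}
```

Running `find_vlanid_conflicts(parse_interfaces(SAMPLE_CONFIG))` reports the port1/100 pair shared by `port1.emacvlan1` and `vlan100`, while `port1.emacvlan2` on VLAN ID 200 passes.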
