Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Devices Managed by FortiOS

Multitenancy and VDOMs

This section covers the following topics:

FortiSwitch ports dedicated to VDOMs

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:

  • POE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
  • Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this feature)
  • QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
  • Port security policy
The following example shows how to share FortiSwitch ports between VDOMs:
  1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the GUI):

     

    FG5H0E3917900081 (bbb) #

    config system interface

    edit "bbb-vlan99"

    set vdom "bbb"

    set allowaccess ping

    set device-identification enable

    set role lan

    set snmp-index 58

    set switch-controller-dhcp-snooping enable

    set interface "flink-lag" // this is the FortiLink interface in the root VDOM

    set vlanid 99

    next

    end

     

    config switch-controller global

    set default-virtual-switch-vlan "bbb-vlan99"

    end

     

  2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.

     

    FG5H0E3917900081 (vdom) # edit root

    current vf=root:0

    FG5H0E3917900081 (root) # config switch-controller managed-switch

    FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

    FG5H0E3917900081 (S548DF4K15000276) # config ports

    FG5H0E3917900081 (ports) # edit port10

    FG5H0E3917900081 (port10) # set export-to bbb

     

    If you want to use the virtual-pool feature instead:

     

    FG5H0E3917900081 (root) # config switch-controller virtual-port-pool

    edit "bbb-pool"

    set description "bbb-vlan-pool"

    end

     

    FG5H0E3917900081 (root) # config switch-controller managed-switch

    FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

    FG5H0E3917900081 (S548DF4K15000276) # config port

    FG5H0E3917900081 (ports) # edit port11

    FG5H0E3917900081 (port11) # set export-to-pool bbb-pool

     

  3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM yet. (The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM administrator claim them before they are used.)

     

    FG5H0E3917900081 (bbb) # execute switch-controller virtual-port-pool request S548DF4K15000276 port11

    FG5H0E3917900081 (bbb) # config switch-controller managed-switch // The switch port is now in the bbb VDOM even though there is no FortiLink interface in the bbb VDOM.

    FG5H0E3917900081 (managed-switch) # show

    config switch-controller managed-switch

    edit "S548DF4K15000276"

    set poe-detection-type 1

    set type virtual

    set owner-vdom "root"

    config ports

    edit "port10"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    edit "port11"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    end

    next

    end

     

  4. Check your configuration on the root VDOM:

     

    FG5H0E3917900081 (port10) # show

    config ports

    edit "port10"

    set poe-capable 1

    set export-to "bbb"

    next

    end

     

    FG5H0E3917900081 (port11) # show

    config ports

    edit "port11"

    set poe-capable 1

    set export-to-pool "bbb-pool"

    set export-to "bbb"

    next

    end

     

  5. Check your configuration on the tenant VDOM:

     

    FG5H0E3917900081 (ports) # show

    config ports

    edit "port10"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    edit "port11"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    end

     

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag

edit <tag_name>

end

Use the following CLI command to list the contents of a specific VPP:

execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:

execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features:

  • LLDP
  • STP
  • BPDU guard
  • Root guard
  • DHCP snooping
  • IGMP snooping
  • MCLAG
  • Quarantines

NOTE: After you export a switch port to a pool, if you need to export the switch port to a different pool, you need to exit/abort and then re-enter into the FortiSwitch CLI port configuration.

FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports

In this scenario, there is no administrative separation, and all FortiSwitch ports and VLANs are created and assigned by the administrator of the VDOM where the FortiSwitch unit is controlled, usually root.

  1. From the root VDOM, create the FortiSwitch VLANs and assign them to their respective VDOMs.
  2. From the CLI, assign the VLANs to the FortiSwitch ports. The assigned VLANs are displayed in the GUI (WiFi & Switch Controller > FortiSwitch Ports) in the root VDOM.

NOTE: FortiSwitch units are not visible in non-root VDOMs.

Multitenancy and VDOMs

This section covers the following topics:

FortiSwitch ports dedicated to VDOMs

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:

  • POE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
  • Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this feature)
  • QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
  • Port security policy
The following example shows how to share FortiSwitch ports between VDOMs:
  1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the GUI):

     

    FG5H0E3917900081 (bbb) #

    config system interface

    edit "bbb-vlan99"

    set vdom "bbb"

    set allowaccess ping

    set device-identification enable

    set role lan

    set snmp-index 58

    set switch-controller-dhcp-snooping enable

    set interface "flink-lag" // this is the FortiLink interface in the root VDOM

    set vlanid 99

    next

    end

     

    config switch-controller global

    set default-virtual-switch-vlan "bbb-vlan99"

    end

     

  2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.

     

    FG5H0E3917900081 (vdom) # edit root

    current vf=root:0

    FG5H0E3917900081 (root) # config switch-controller managed-switch

    FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

    FG5H0E3917900081 (S548DF4K15000276) # config ports

    FG5H0E3917900081 (ports) # edit port10

    FG5H0E3917900081 (port10) # set export-to bbb

     

    If you want to use the virtual-pool feature instead:

     

    FG5H0E3917900081 (root) # config switch-controller virtual-port-pool

    edit "bbb-pool"

    set description "bbb-vlan-pool"

    end

     

    FG5H0E3917900081 (root) # config switch-controller managed-switch

    FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

    FG5H0E3917900081 (S548DF4K15000276) # config port

    FG5H0E3917900081 (ports) # edit port11

    FG5H0E3917900081 (port11) # set export-to-pool bbb-pool

     

  3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM yet. (The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM administrator claim them before they are used.)

     

    FG5H0E3917900081 (bbb) # execute switch-controller virtual-port-pool request S548DF4K15000276 port11

    FG5H0E3917900081 (bbb) # config switch-controller managed-switch // The switch port is now in the bbb VDOM even though there is no FortiLink interface in the bbb VDOM.

    FG5H0E3917900081 (managed-switch) # show

    config switch-controller managed-switch

    edit "S548DF4K15000276"

    set poe-detection-type 1

    set type virtual

    set owner-vdom "root"

    config ports

    edit "port10"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    edit "port11"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    end

    next

    end

     

  4. Check your configuration on the root VDOM:

     

    FG5H0E3917900081 (port10) # show

    config ports

    edit "port10"

    set poe-capable 1

    set export-to "bbb"

    next

    end

     

    FG5H0E3917900081 (port11) # show

    config ports

    edit "port11"

    set poe-capable 1

    set export-to-pool "bbb-pool"

    set export-to "bbb"

    next

    end

     

  5. Check your configuration on the tenant VDOM:

     

    FG5H0E3917900081 (ports) # show

    config ports

    edit "port10"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    edit "port11"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    end

     

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag

edit <tag_name>

end

Use the following CLI command to list the contents of a specific VPP:

execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:

execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features:

  • LLDP
  • STP
  • BPDU guard
  • Root guard
  • DHCP snooping
  • IGMP snooping
  • MCLAG
  • Quarantines

NOTE: After you export a switch port to a pool, if you need to export the switch port to a different pool, you need to exit/abort and then re-enter into the FortiSwitch CLI port configuration.

FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports

In this scenario, there is no administrative separation, and all FortiSwitch ports and VLANs are created and assigned by the administrator of the VDOM where the FortiSwitch unit is controlled, usually root.

  1. From the root VDOM, create the FortiSwitch VLANs and assign them to their respective VDOMs.
  2. From the CLI, assign the VLANs to the FortiSwitch ports. The assigned VLANs are displayed in the GUI (WiFi & Switch Controller > FortiSwitch Ports) in the root VDOM.

NOTE: FortiSwitch units are not visible in non-root VDOMs.