Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiLink Guide

    Home FortiSwitch 7.2.0 FortiLink Guide
    7.2.0
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.9
    7.2.6
    7.2.4
    7.2.1
    7.2.0

    Multitenancy and VDOMs

    Multitenancy and VDOMs

    This section covers the following topics:

    FortiSwitch ports dedicated to VDOMs

    Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

    FortiSwitch ports can now be shared between VDOMs.

    Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:

    • POE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
    • Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this feature)
    • QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
    • Port security policy
    The following example shows how to share FortiSwitch ports between VDOMs:
    1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the GUI):

      FG5H0E3917900081 (bbb) #

      config system interface

      edit "bbb-vlan99"

      set vdom "bbb"

      set allowaccess ping

      set device-identification enable

      set role lan

      set snmp-index 58

      set switch-controller-dhcp-snooping enable

      set interface "flink-lag" // this is the FortiLink interface in the root VDOM

      set vlanid 99

      next

      end

      config switch-controller global

      set default-virtual-switch-vlan "bbb-vlan99"

      end

    2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.

      FG5H0E3917900081 (vdom) # edit root

      current vf=root:0

      FG5H0E3917900081 (root) # config switch-controller managed-switch

      FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

      FG5H0E3917900081 (S548DF4K15000276) # config ports

      FG5H0E3917900081 (ports) # edit port10

      FG5H0E3917900081 (port10) # set export-to bbb

      If you want to use the virtual-pool feature instead:

      FG5H0E3917900081 (root) # config switch-controller virtual-port-pool

      edit "bbb-pool"

      set description "bbb-vlan-pool"

      end

      FG5H0E3917900081 (root) # config switch-controller managed-switch

      FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

      FG5H0E3917900081 (S548DF4K15000276) # config port

      FG5H0E3917900081 (ports) # edit port11

      FG5H0E3917900081 (port11) # set export-to-pool bbb-pool

    3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM yet. (The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM administrator claim them before they are used.)

      FG5H0E3917900081 (bbb) # execute switch-controller virtual-port-pool request S548DF4K15000276 port11

      FG5H0E3917900081 (bbb) # config switch-controller managed-switch // The switch port is now in the bbb VDOM even though there is no FortiLink interface in the bbb VDOM.

      FG5H0E3917900081 (managed-switch) # show

      config switch-controller managed-switch

      edit "S548DF4K15000276"

      set poe-detection-type 1

      set type virtual

      set owner-vdom "root"

      config ports

      edit "port10"

      set poe-capable 1

      set vlan "bbb-vlan99"

      next

      edit "port11"

      set poe-capable 1

      set vlan "bbb-vlan99"

      next

      end

      next

      end

    4. Check your configuration on the root VDOM:

      FG5H0E3917900081 (port10) # show

      config ports

      edit "port10"

      set poe-capable 1

      set export-to "bbb"

      next

      end

      FG5H0E3917900081 (port11) # show

      config ports

      edit "port11"

      set poe-capable 1

      set export-to-pool "bbb-pool"

      set export-to "bbb"

      next

      end

    5. Check your configuration on the tenant VDOM:

      FG5H0E3917900081 (ports) # show

      config ports

      edit "port10"

      set poe-capable 1

      set vlan "bbb-vlan99"

      next

      edit "port11"

      set poe-capable 1

      set vlan "bbb-vlan99"

      next

      end

    You can create your own export tags using the following CLI commands:

    config switch-controller switch-interface-tag

    edit <tag_name>

    end

    Use the following CLI command to list the contents of a specific VPP:

    execute switch-controller virtual-port-pool show-by-pool <VPP_name>

    Use the following CLI command to list all VPPs and their contents:

    execute switch-controller virtual-port-pool show

    NOTE: Shared ports do not support the following features:

    • LLDP
    • STP
    • BPDU guard
    • Root guard
    • DHCP snooping
    • IGMP snooping
    • MCLAG
    • Quarantines

    NOTE: After you export a switch port to a pool, if you need to export the switch port to a different pool, you need to exit/abort and then re-enter into the FortiSwitch CLI port configuration.

    FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports

    In this scenario, there is no administrative separation, and all FortiSwitch ports and VLANs are created and assigned by the administrator of the VDOM where the FortiSwitch unit is controlled, usually root.

    1. From the root VDOM, create the FortiSwitch VLANs and assign them to their respective VDOMs.
    2. From the CLI, assign the VLANs to the FortiSwitch ports. The assigned VLANs are displayed in the GUI (WiFi & Switch Controller > FortiSwitch Ports) in the root VDOM.

    NOTE: FortiSwitch units are not visible in non-root VDOMs.

    Previous
    Next

    Multitenancy and VDOMs

    Multitenancy and VDOMs

    This section covers the following topics:

    FortiSwitch ports dedicated to VDOMs

    Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

    FortiSwitch ports can now be shared between VDOMs.

    Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:

    • POE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
    • Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this feature)
    • QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
    • Port security policy
    The following example shows how to share FortiSwitch ports between VDOMs:
    1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the GUI):

      FG5H0E3917900081 (bbb) #

      config system interface

      edit "bbb-vlan99"

      set vdom "bbb"

      set allowaccess ping

      set device-identification enable

      set role lan

      set snmp-index 58

      set switch-controller-dhcp-snooping enable

      set interface "flink-lag" // this is the FortiLink interface in the root VDOM

      set vlanid 99

      next

      end

      config switch-controller global

      set default-virtual-switch-vlan "bbb-vlan99"

      end

    2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.

      FG5H0E3917900081 (vdom) # edit root

      current vf=root:0

      FG5H0E3917900081 (root) # config switch-controller managed-switch

      FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

      FG5H0E3917900081 (S548DF4K15000276) # config ports

      FG5H0E3917900081 (ports) # edit port10

      FG5H0E3917900081 (port10) # set export-to bbb

      If you want to use the virtual-pool feature instead:

      FG5H0E3917900081 (root) # config switch-controller virtual-port-pool

      edit "bbb-pool"

      set description "bbb-vlan-pool"

      end

      FG5H0E3917900081 (root) # config switch-controller managed-switch

      FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

      FG5H0E3917900081 (S548DF4K15000276) # config port

      FG5H0E3917900081 (ports) # edit port11

      FG5H0E3917900081 (port11) # set export-to-pool bbb-pool

    3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM yet. (The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM administrator claim them before they are used.)

      FG5H0E3917900081 (bbb) # execute switch-controller virtual-port-pool request S548DF4K15000276 port11

      FG5H0E3917900081 (bbb) # config switch-controller managed-switch // The switch port is now in the bbb VDOM even though there is no FortiLink interface in the bbb VDOM.

      FG5H0E3917900081 (managed-switch) # show

      config switch-controller managed-switch

      edit "S548DF4K15000276"

      set poe-detection-type 1

      set type virtual

      set owner-vdom "root"

      config ports

      edit "port10"

      set poe-capable 1

      set vlan "bbb-vlan99"

      next

      edit "port11"

      set poe-capable 1

      set vlan "bbb-vlan99"

      next

      end

      next

      end

    4. Check your configuration on the root VDOM:

      FG5H0E3917900081 (port10) # show

      config ports

      edit "port10"

      set poe-capable 1

      set export-to "bbb"

      next

      end

      FG5H0E3917900081 (port11) # show

      config ports

      edit "port11"

      set poe-capable 1

      set export-to-pool "bbb-pool"

      set export-to "bbb"

      next

      end

    5. Check your configuration on the tenant VDOM:

      FG5H0E3917900081 (ports) # show

      config ports

      edit "port10"

      set poe-capable 1

      set vlan "bbb-vlan99"

      next

      edit "port11"

      set poe-capable 1

      set vlan "bbb-vlan99"

      next

      end

    You can create your own export tags using the following CLI commands:

    config switch-controller switch-interface-tag

    edit <tag_name>

    end

    Use the following CLI command to list the contents of a specific VPP:

    execute switch-controller virtual-port-pool show-by-pool <VPP_name>

    Use the following CLI command to list all VPPs and their contents:

    execute switch-controller virtual-port-pool show

    NOTE: Shared ports do not support the following features:

    • LLDP
    • STP
    • BPDU guard
    • Root guard
    • DHCP snooping
    • IGMP snooping
    • MCLAG
    • Quarantines

    NOTE: After you export a switch port to a pool, if you need to export the switch port to a different pool, you need to exit/abort and then re-enter into the FortiSwitch CLI port configuration.

    FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports

    In this scenario, there is no administrative separation, and all FortiSwitch ports and VLANs are created and assigned by the administrator of the VDOM where the FortiSwitch unit is controlled, usually root.

    1. From the root VDOM, create the FortiSwitch VLANs and assign them to their respective VDOMs.
    2. From the CLI, assign the VLANs to the FortiSwitch ports. The assigned VLANs are displayed in the GUI (WiFi & Switch Controller > FortiSwitch Ports) in the root VDOM.

    NOTE: FortiSwitch units are not visible in non-root VDOMs.

    Previous
    Next