VMware Cloud Community
RogerHiestand
Contributor

Virtual Fortinet with VLAN Tagging

Hi all,

Actually, I am doing some tests with the Fortinet virtual firewall appliance. This appliance has 10 virtual NICs.

The Fortinet VM appliance can handle several different VLANs on one "physical" port.

How can I set multiple VLANs on one VM port? Is this possible?

Goal:

- One virtual firewall with multiple VLANs

- Different VM clients and VM servers in different VLANs.

I hope someone has some experience with the virtual Fortinet and VMware.

Roger


Accepted Solution
marksie1988
Enthusiast

Hi Roger,

This is indeed very simple to achieve. We have many implementations similar to this:

1. Create a PortGroup on your vSwitch or dvSwitch called "Fortinet Trunk" or something similar

2. Edit the PortGroup and change the VLAN type to "VLAN Trunking"; in the "VLAN Trunk Range" field enter all of the VLANs you will require

3. On your Fortinet device, assign one of the interfaces to the "Fortinet Trunk"

4. On the Fortinet, set up sub-interfaces for each VLAN

5. Create a new PortGroup for each VLAN and edit the PortGroup to include the VLAN ID (your VMs will sit on this)

That should be all you require to get this up and running. Any questions or issues, please let me know; I can assist further if required.

Regards

Steve

If you found this or any other answer useful please consider the use of the Helpful or Correct buttons to award points. Steven Marks VCP5-DCV http://www.spottedhyena.co.uk

3 Replies
MKguy
Virtuoso

What you want to do is "Virtual Guest Tagging" in VMware terms:

The guest OS itself is responsible for handling all 802.1Q VLAN tagging operations on a particular (or multiple/mixed) vNIC, as if it were a physical machine with multiple VLANs configured on one physical NIC.

If you're using a standard vSwitch, then you have to set the respective port group's VLAN ID to 4095. This will enable forwarding of tagged VLAN frames on this port group.

If you're using a distributed vSwitch, then you can specify a list and ranges of VLAN IDs you want forwarded on the port group or on an individual dvS port.

In both cases the VM will receive Ethernet frames with the intact 802.1Q VLAN header and is responsible for untagging inbound frames as well as tagging outbound frames.

Refer to these articles for more details:

Sample configuration of virtual machine VLAN Tagging (VGT Mode) in ESX

Configuring Virtual Guest VLAN tagging (VGT) mode on a vNetwork Distributed Switch

VLAN configuration on virtual switches, physical switches, and virtual machines

-- http://alpacapowered.wordpress.com
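As an added example, not code from this thread or from VMware or Fortinet, the Python below models the two pieces both answers rely on: the dvSwitch "VLAN Trunk Range" field from Steve's step 2, parsed into the set of VLAN IDs the port group forwards, and the 802.1Q untagging the guest (here the FortiGate) must do itself in VGT mode as MKguy describes. Frames whose VLAN is outside the configured range are dropped rather than mapped to a sub-interface, which is the reason to prefer an explicit dvSwitch range over the standard vSwitch's 4095 (all VLANs) when you have the choice; the sample frame bytes and the `vlanNN` sub-interface names are constructed assumptions.

```python
import struct

ETHERTYPE_8021Q = 0x8100

def parse_trunk_range(spec):
    """Parse a dvSwitch-style 'VLAN Trunk Range' string such as '10,20,30-35'
    into the set of VLAN IDs the port group will forward to the guest.
    Only 1-4094 are valid 802.1Q VIDs; 4095 is the 'all VLANs' setting of a
    standard vSwitch, not a VID you would ever list here."""
    allowed = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"invalid VLAN range: {part}")
        allowed.update(range(lo, hi + 1))
    return allowed

def untag_frame(frame):
    """What the guest must do in VGT mode: strip the 802.1Q header and return
    (vlan_id, inner_ethertype, untagged_frame). vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF                      # low 12 bits of the TCI
    return vid, inner_type, dst + src + frame[16:]

def classify(frame, allowed):
    """Return the sub-interface (constructed 'vlanNN' naming) a tagged frame
    belongs to, or None if its VLAN is not one the trunk was meant to carry."""
    vid, _, _ = untag_frame(frame)
    if vid is None or vid not in allowed:
        return None
    return f"vlan{vid}"

# Constructed sample: dst/src MACs, 802.1Q tag with VID 20, IPv4 inside.
SAMPLE_TAGGED = (bytes.fromhex("00005e000101") + bytes.fromhex("00005e000102")
                 + struct.pack("!HHH", ETHERTYPE_8021Q, 0x0014, 0x0800)
                 + b"\x45" + b"\x00" * 19)
```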
RogerHiestand
Contributor

Hi Steve,

Point 2 was my fault.

Thank you very much.

Roger
