Fortinet white logo
Fortinet white logo

Cookbook

FortiSwitch multi-tenant support

FortiSwitch multi-tenant support

A virtual switch provides a container for physical ports to be loaned to other VDOMs, allowing local management of the resource.

The following example shows how to export managed FortiSwitch ports to multitenant VDOMs. In this example, the owner VDOM is vdom1, and the tenant VDOM is root.

To export managed FortiSwitch ports to multitenant VDOMs:
  1. Configure the switch VLAN interface, and assign it to the tenant VDOM:
    (vdom1) # config system interface
        edit "fsw_vlan"
            set vdom "root"
            set device-identification enable
            set fortiheartbeat enable
            set role lan
            set snmp-index 32
            set interface "fsw"
            set vlanid 100
        next
    end
  2. In the tenant VDOM, designate the default-virtual-switch-vlan, which is used to set the native VLAN of ports leased from the owner VDOM:
    (root) # config switch-controller global
        set default-virtual-switch-vlan "fsw_vlan"
    end
  3. On vdom1, export the managed switch ports to the root:
    (vdom1) # config switch-controller managed-switch
        edit S248EPTF1800XXXX 
            set fsw-wan1-peer "fsw"
            set fsw-wan1-admin enable
            set version 1
            set dynamic-capability 100531703
            config ports
                edit "port1"
                    set export-to "root"
                next
                ...
            end
        next
    end

    The lease port is now available under the tenant VDOM:

    (root) # config switch-controller managed-switch
    show
        config switch-controller managed-switch
            edit "S248EPTF1800XXXX"
                set type virtual
                set owner-vdom "vdom1"
                config ports
                    edit "port1"
                        set vlan "fsw_vlan"
                    next
                end
            next
        end
  4. Export the managed FortiSwitch port to a virtual port pool for the tenant VDOM to choose from:
    (vdom1) # config switch-controller virtual-port-pool
        edit "tenant-monthly"
        next
    end
    (vdom1) # config switch-controller managed-switch
        edit "S248EPTF1800XXXX"
            set fsw-wan1-peer "fsw"
            set fsw-wan1-admin enable
            set version 1
            set dynamic-capability 100531703
            config ports
                edit "port2"
                    set vlan "vsw.fsw"
                    set allowed-vlans "qtn.fsw"
                    set untagged-vlans "qtn.fsw"
                    set export-to-pool "tenant-monthly"
                    set export-to "vdom1"
                next
                ...
            end
        next
    end
  5. Request the available port in the virtual port pool to use the switch port:
    (root) # execute switch-controller virtual-port-pool request S248EPTF1800XXXX port2
    (root) # config switch-controller managed-switch
        edit "S248EPTF1800XXXX"
            set type virtual
            set owner-vdom "vdom1"
            config ports
                edit "port2"
                    set vlan "fsw_vlan"
                next
            end
        next
    end
  6. Return the port after use:
    (root) # execute switch-controller virtual-port-pool return S248EPTF1800XXXX port2
  7. Configure tags for the switch ports so the tags can be exported to virtual port pools
    (vdom1) # config switch-controller switch-interface-tag
        edit "vip"
        next
        edit "gold"
        next
        edit "silver"
        next
    end
    (vdom1) # config switch-controller managed-switch
        edit "S248EPTF1800XXXX"
            set fsw-wan1-peer "fsw"
            set fsw-wan1-admin enable
            set version 1
            set dynamic-capability 100531703
            config ports
                edit "port2"
                    set export-to-pool "tenant-monthly"
                    set export-tags "silver"
                    set export-to "root"
                next
                edit "port3"
                    set vlan "vsw.fsw"
                    set allowed-vlans "qtn.fsw"
                    set untagged-vlans "qtn.fsw"
                    set export-to-pool "tenant-monthly"
                    set export-tags "vip"
                    set export-to "vdom1"
                next
                edit "port4"
                    set vlan "vsw.fsw"
                    set allowed-vlans "qtn.fsw"
                    set untagged-vlans "qtn.fsw"
                    set export-to-pool "tenant-monthly"
                    set export-tags "vip" "silver"
                    set export-to "vdom1"
                next
            end
        next
    end
  8. Search for ports using tag filters:
    (vdom1) # execute switch-controller virtual-port-pool show-by-tag silver
            Switch      Port                  Properties            Tags
    ----------------------------------------------------------------------------------------
    tenant-monthly(vdom.vdom1)
      S248EPTF1800XXXX port2  (root)          10M/100M/1G/          silver
      S248EPTF1800XXXX port4                  10M/100M/1G/          vip,silver
    (vdom1) # exe switch-controller virtual-port-pool show-by-tag vip
            Switch      Port                  Properties            Tags
    ----------------------------------------------------------------------------------------
    tenant-monthly(vdom.vdom1)
      S248EPTF1800XXXX port3                  10M/100M/1G/          vip
      S248EPTF1800XXXX port4                  10M/100M/1G/          vip,silver

FortiSwitch multi-tenant support

FortiSwitch multi-tenant support

A virtual switch provides a container for physical ports to be loaned to other VDOMs, allowing local management of the resource.

The following example shows how to export managed FortiSwitch ports to multitenant VDOMs. In this example, the owner VDOM is vdom1, and the tenant VDOM is root.

To export managed FortiSwitch ports to multitenant VDOMs:
  1. Configure the switch VLAN interface, and assign it to the tenant VDOM:
    (vdom1) # config system interface
        edit "fsw_vlan"
            set vdom "root"
            set device-identification enable
            set fortiheartbeat enable
            set role lan
            set snmp-index 32
            set interface "fsw"
            set vlanid 100
        next
    end
  2. In the tenant VDOM, designate the default-virtual-switch-vlan, which is used to set the native VLAN of ports leased from the owner VDOM:
    (root) # config switch-controller global
        set default-virtual-switch-vlan "fsw_vlan"
    end
  3. On vdom1, export the managed switch ports to the root:
    (vdom1) # config switch-controller managed-switch
        edit S248EPTF1800XXXX 
            set fsw-wan1-peer "fsw"
            set fsw-wan1-admin enable
            set version 1
            set dynamic-capability 100531703
            config ports
                edit "port1"
                    set export-to "root"
                next
                ...
            end
        next
    end

    The lease port is now available under the tenant VDOM:

    (root) # config switch-controller managed-switch
    show
        config switch-controller managed-switch
            edit "S248EPTF1800XXXX"
                set type virtual
                set owner-vdom "vdom1"
                config ports
                    edit "port1"
                        set vlan "fsw_vlan"
                    next
                end
            next
        end
  4. Export the managed FortiSwitch port to a virtual port pool for the tenant VDOM to choose from:
    (vdom1) # config switch-controller virtual-port-pool
        edit "tenant-monthly"
        next
    end
    (vdom1) # config switch-controller managed-switch
        edit "S248EPTF1800XXXX"
            set fsw-wan1-peer "fsw"
            set fsw-wan1-admin enable
            set version 1
            set dynamic-capability 100531703
            config ports
                edit "port2"
                    set vlan "vsw.fsw"
                    set allowed-vlans "qtn.fsw"
                    set untagged-vlans "qtn.fsw"
                    set export-to-pool "tenant-monthly"
                    set export-to "vdom1"
                next
                ...
            end
        next
    end
  5. Request the available port in the virtual port pool to use the switch port:
    (root) # execute switch-controller virtual-port-pool request S248EPTF1800XXXX port2
    (root) # config switch-controller managed-switch
        edit "S248EPTF1800XXXX"
            set type virtual
            set owner-vdom "vdom1"
            config ports
                edit "port2"
                    set vlan "fsw_vlan"
                next
            end
        next
    end
  6. Return the port after use:
    (root) # execute switch-controller virtual-port-pool return S248EPTF1800XXXX port2
  7. Configure tags for the switch ports so the tags can be exported to virtual port pools
    (vdom1) # config switch-controller switch-interface-tag
        edit "vip"
        next
        edit "gold"
        next
        edit "silver"
        next
    end
    (vdom1) # config switch-controller managed-switch
        edit "S248EPTF1800XXXX"
            set fsw-wan1-peer "fsw"
            set fsw-wan1-admin enable
            set version 1
            set dynamic-capability 100531703
            config ports
                edit "port2"
                    set export-to-pool "tenant-monthly"
                    set export-tags "silver"
                    set export-to "root"
                next
                edit "port3"
                    set vlan "vsw.fsw"
                    set allowed-vlans "qtn.fsw"
                    set untagged-vlans "qtn.fsw"
                    set export-to-pool "tenant-monthly"
                    set export-tags "vip"
                    set export-to "vdom1"
                next
                edit "port4"
                    set vlan "vsw.fsw"
                    set allowed-vlans "qtn.fsw"
                    set untagged-vlans "qtn.fsw"
                    set export-to-pool "tenant-monthly"
                    set export-tags "vip" "silver"
                    set export-to "vdom1"
                next
            end
        next
    end
  8. Search for ports using tag filters:
    (vdom1) # execute switch-controller virtual-port-pool show-by-tag silver
            Switch      Port                  Properties            Tags
    ----------------------------------------------------------------------------------------
    tenant-monthly(vdom.vdom1)
      S248EPTF1800XXXX port2  (root)          10M/100M/1G/          silver
      S248EPTF1800XXXX port4                  10M/100M/1G/          vip,silver
    (vdom1) # exe switch-controller virtual-port-pool show-by-tag vip
            Switch      Port                  Properties            Tags
    ----------------------------------------------------------------------------------------
    tenant-monthly(vdom.vdom1)
      S248EPTF1800XXXX port3                  10M/100M/1G/          vip
      S248EPTF1800XXXX port4                  10M/100M/1G/          vip,silver