The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.
FortiGate implements an enhanced MAC VLAN consisting of a MAC VLAN with bridge functionality. Because each MAC VLAN has a unique MAC address, virtual IP addresses (VIPs) and IP pools are supported, and you can disable Source Network Address Translation (SNAT) in policies.
MAC VLAN cannot be used in a transparent mode virtual domain (VDOM). In a transparent mode VDOM, a packet leaves an interface with the MAC address of the original source instead of the interface’s MAC address. FortiGate implements an enhanced version of MAC VLAN where it adds a MAC table in the MAC VLAN which learns the MAC addresses when traffic passes through.
If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a packet is sent to this interface, a VLAN tag is inserted in the packet and the packet is sent to the driver of the underlying interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to this enhanced MAC VLAN interface.
When using a VLAN ID, the ID and the underlying interface must be a unique pair, even if the belong to different VDOMs. This is because the underlying, physical interface uses the VLAN ID as the identifier to dispatch traffic among the VLAN and enhanced MAC VLAN interfaces.
If you use an interface in an enhanced MAC VLAN, do not use it for other purposes such as a management interface, HA heartbeat interface, or in Transparent VDOMs.
If a physical interface is used by an EMAC VLAN interface, you cannot use it in a Virtual Wire Pair.
In high availability (HA) configurations, enhanced MAC VLAN is treated as a physical interface. It’s assigned a unique physical interface ID and the MAC table is synchronized with the slaves in the same HA cluster.
In this example, a FortiGate is connected, through port 1 to a router that’s connected to the Internet. Three VDOMs share the same interface (port 1) which connects to the same router that’s connected to the Internet. Three enhanced MAC VLAN interfaces are configured on port 1 for the three VDOMs. The enhanced MAC VLAN interfaces are in the same IP subnet segment and each have unique MAC addresses.
The underlying interface (port 1) can be a physical interface, an aggregate interface, or a VLAN interface on a physical or aggregate interface.
config system interface edit port1.emacvlan1 set vdom VDOM1 set type emac-vlan set interface port1 next edit port 1.emacvlan2 set vdom VDOM2 set type emac-vlan set interface port1 next edit port1.emacvlan3 set vdom VDOM3 set type emac-vlan set interface port1 next end
In this example, multiple VDOMs can connect to each other using enhanced MAC VLAN on network processing unit (NPU) virtual link (Vlink) interfaces.
FortiGate VDOM links (NPU-Vlink) are designed to be peer-to-peer connections and VLAN interfaces on NPU Vlink ports use the same MAC address. Connecting more than two VDOMs using NPU Vlinks and VLAN interfaces is not recommended.
config system interface edit npu0_vlink0.emacvlan1 set vdom VDOM1 set type emac-vlan set interface npu0_vlink0 next edit npu0_vlink0.emacvlan2 set vdom VDOM3 set type emac-vlan set interface npu0_vlink0 next edit npu0_vlink1.emacvlan1 set vdom VDOM2 set type emac-vlan set interface npu0_vlink1 next end
Example 3: Enhanced MAC VLAN configuration for unique MAC addresses for each VLAN interface on the same physical port
Some networks require a unique MAC address for each VLAN interface when the VLAN interfaces share the same physical port. In this case, the enhanced MAC VLAN interface is used the same way as normal VLAN interfaces.
To configure this, use the
set vlanid command for the VLAN tag. The VLAN ID and interface must be a unique pair, even if they belong to different VDOMs.
config system interface edit <interface-name> set type emac-vlan set vlanid <VLAN-ID> set interface <physical-interface> next end