Fortinet 100A Router User Manual


  Open as PDF
of 374
 
System network Adding VLAN subinterfaces
FortiGate-100A Administration Guide 01-28007-0068-20041203 65
Figure 15 shows a simplified NAT/Route mode VLAN configuration. In this example,
FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is
configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external
interface connects to the Internet. The external interface is not configured with VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow
between the VLANs and from the VLANs to the external network.
Figure 15: FortiGate unit in Nat/Route mode
Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE
802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096.
Each VLAN subinterface must also be configured with its own IP address and
netmask.
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged
packets.
To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN
subinterface.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter the
CLI command config system global and set ip-overlap enable to allow IP address
overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is
part of a subnet used by another interface. This command is recommended for advanced users
only.
802.1Q Trunk
VLAN switch
Internet
FortiGate
POWER
Esc Enter
External
172.16.21.2
Internal
192.168.110.126
Fa0/3 Fa0/9 Fa0/24
VLAN 100 VLAN 200
VLAN 100 network
10.1.1.0
10.1.1.2
VLAN 200 network
10.1.2.0
10.1.2.2
Note: A VLAN must not have the same name as a virtual domain or zone.
 previous next