Filter
Top Products
System network Adding VLAN subinterfaces
FortiGate-100A Administration Guide 01-28007-0068-20041203 67
If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can
configure a FortiGate unit operating in Transparent mode to provide security for
network traffic passing between different VLANs. To support VLAN traffic in
Transparent mode, you add virtual domains to the FortiGate unit configuration. A
virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual
domain, a zone can contain one or more VLAN subinterfaces.
When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is
directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface
removes the VLAN tag and assigns a destination interface to the packet based on its
destination MAC address. The firewall policies for this source and destination VLAN
subinterface pair are applied to the packet. If the packet is accepted by the firewall,
the FortiGate unit forwards the packet to the destination VLAN subinterface. The
destination VLAN ID is added to the packet by the FortiGate unit and the packet is
sent to the VLAN trunk.
Figure 16: FortiGate unit with two virtual domains in Transparent mode
Figure 17 shows a FortiGate unit operating in Transparent mode and configured with
three VLAN subinterfaces. In this configuration the FortiGate unit could be added to
this network to provide virus scanning, web content filtering, and other services to
each VLAN.
VLAN1
VLAN1
VLAN2
VLAN2
VLAN3
VLAN3
root virtual domain
New virtual domain
Internal
External
VLAN1
VLAN3
VLAN2
VLAN Switch
or router
VLAN Switch or router
VLAN trunk
VLAN1
VLAN2
VLAN3
VLAN trunk
FortiGate unit
VLAN1
VLAN3
VLAN2
Internet