
Fortinet Fortigate-5000 series - Page 100

FortiGate Version 3.0 MR4 Administration Guide
100 01-30004-0203-20070102
System Network: VLANs in Transparent mode
If your network uses IEEE 802.1 VLAN tags to segment its traffic, you
can configure a FortiGate unit operating in Transparent mode to provide security
for network traffic passing between different VLANs. To support VLAN traffic in
Transparent mode, you add virtual domains to the FortiGate unit configuration. A
virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual
domain, a zone can contain one or more VLAN subinterfaces.
When the FortiGate unit receives a VLAN tagged packet at an interface, the
packet is directed to the VLAN subinterface with matching VLAN ID. The VLAN
subinterface removes the VLAN tag and assigns a destination interface to the
packet based on its destination MAC address. The firewall policies for this source
and destination VLAN subinterface pair are applied to the packet. If the packet is
accepted by the firewall, the FortiGate unit forwards the packet to the destination
VLAN subinterface. The destination VLAN ID is added to the packet by the
FortiGate unit and the packet is sent to the VLAN trunk.
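The forwarding path described above, modeled in Python as an added example (not FortiGate code and not part of the guide). The interface names, VLAN IDs, MAC addresses and policy table are constructed, and dropping frames whose destination MAC is unknown is a simplification of this model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks a VLAN-tagged frame

# Constructed sample configuration (hypothetical names, not from the guide):
# (physical port, VLAN ID) -> VLAN subinterface name
SUBIFS = {("internal", 100): "vlan100_int", ("external", 100): "vlan100_ext",
          ("internal", 200): "vlan200_int", ("external", 200): "vlan200_ext"}
VDOM = {"vlan100_int": "root", "vlan100_ext": "root",
        "vlan200_int": "vdom2", "vlan200_ext": "vdom2"}
# Per-virtual-domain MAC table: destination MAC -> destination subinterface
MAC_TABLE = {"root": {bytes.fromhex("02aa00000001"): "vlan100_ext"},
             "vdom2": {bytes.fromhex("02aa00000002"): "vlan200_ext"}}
# Firewall policies keyed by (source, destination) subinterface pair
POLICIES = {("vlan100_int", "vlan100_ext"): "accept"}  # vdom2 has no policy

def tag(dst, src, vid, payload):
    """Build an Ethernet frame carrying one VLAN tag."""
    return dst + src + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + payload

def forward(port, frame):
    """Return (egress port, re-tagged frame), or (None, reason) on drop."""
    if len(frame) < 18:
        return None, "runt frame"
    dst, src = frame[0:6], frame[6:12]
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, "untagged frame"
    src_if = SUBIFS.get((port, tci & 0x0FFF))       # match on VLAN ID
    if src_if is None:
        return None, "no subinterface for VLAN ID"
    inner = frame[16:]                               # VLAN tag removed
    dst_if = MAC_TABLE[VDOM[src_if]].get(dst)        # chosen by destination MAC
    if dst_if is None:
        return None, "unknown destination MAC"
    if POLICIES.get((src_if, dst_if)) != "accept":   # policy for this pair
        return None, "denied by policy"
    out_port, out_vid = next(k for k, v in SUBIFS.items() if v == dst_if)
    return out_port, tag(dst, src, out_vid, inner)   # destination VLAN ID added
```

Because the MAC lookup is scoped to the source subinterface's virtual domain, a frame arriving on VLAN 100 cannot be switched to a host that is only known in `vdom2`, and a VLAN pair without an accept policy is dropped by default.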
Figure 49: FortiGate unit with two virtual domains in Transparent mode
Figure 50 shows a FortiGate unit operating in Transparent mode and configured
with three VLAN subinterfaces. In this configuration the FortiGate unit could be
added to this network to provide virus scanning, web content filtering, and other
services to each VLAN.
Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode.
This includes VLANs. If no other interfaces are configured for a VDOM, you can configure
up to 255 VLANs in that VDOM.
[Diagram not reproduced. Labels: FortiGate unit; root virtual domain; New virtual domain; Internal; External; VLAN1, VLAN2, VLAN3; VLAN Switch or router; VLAN trunk; Internet]
