System Network VLANs in NAT/Route mode
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 97
Using VLANs, a single FortiGate unit can provide security services and control
connections between multiple security domains. Traffic from each security domain
is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and
apply security policies to secure network and IPSec VPN traffic between security
domains. The FortiGate unit can also apply authentication, protection profiles, and
other firewall policy features for network and VPN traffic that is allowed to pass
between security domains.
VLANs in NAT/Route mode
Operating in NAT/Route mode, the FortiGate unit functions as a layer-3 device to
control the flow of packets between VLANs. The FortiGate unit can also remove
VLAN tags from incoming VLAN packets and forward untagged packets to other
networks, such as the Internet.
In NAT/Route mode, the FortiGate units support VLANs for constructing VLAN
trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate
units. Normally the FortiGate unit internal interface connects to a VLAN trunk on
an internal switch, and the external interface connects to an upstream Internet
router untagged. The FortiGate unit can then apply different policies for traffic on
each VLAN that connects to the internal interface.
In this configuration, you add VLAN subinterfaces to the FortiGate internal
interface that have VLAN IDs that match the VLAN IDs of packets in the VLAN
trunk. The FortiGate unit directs packets with VLAN IDs to subinterfaces with
matching VLAN IDs.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate
unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN
tags from incoming packets and add a different VLAN tags to outgoing packets.
Rules for VLAN IDs
In NAT/Route mode, two VLAN subinterfaces added to the same physical
interface cannot have the same VLAN ID. However, you can add two or more
VLAN subinterfaces with the same VLAN IDs to different physical interfaces.
There is no internal connection or link between two VLAN subinterfaces with
same VLAN ID. Their relationship is the same as the relationship between any
two FortiGate network interfaces.
Rules for VLAN IP addresses
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses
of all interfaces must be on different subnets. This rule applies to both physical
interfaces and to VLAN subinterfaces.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the CLI command config system global and set allow-interface-subnet-
overlap enable to allow IP address overlap. If you enter this command, multiple VLAN
interfaces can have an IP address that is part of a subnet used by another interface. This
command is recommended for advanced users only.
To Next Page
Loading...
Need help?
General