FortiGate Version 3.0 MR4 Administration Guide
98 01-30004-0203-20070102
VLANs in NAT/Route mode System Network
Figure 37 shows a simplified NAT/Route mode VLAN configuration. In this
example, the FortiGate internal interface connects to a VLAN switch using an
802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and
VLAN 200). The external interface connects to the Internet. The external interface
is not configured with VLAN subinterfaces.
When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit is configured with policies that allow traffic to
flow between the VLANs and from the VLANs to the external network.
Figure 48: FortiGate unit in NAT/Route mode
Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the
IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and
4096. Each VLAN subinterface must also be configured with its own IP address
and netmask.
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged
packets.
To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
VLAN Switch
Internet
VLAN 100 Network
10.1.1.0
VLAN 200 Network
10.1.2.0
Untagged packets
VLAN 100 VLAN 200
Fa 0/9
Fa 0/3
Fa 0/24
802.1Q
trunk
FortiGate unit
External 172.16.21.2
Internal 192.168.110.126
Note: A VLAN must not have the same name as a virtual domain or zone.
To Next Page
Loading...
Need help?
General