VLANs in NAT/Route mode System Network
FortiGate Version 4.0 Administration Guide
152 01-400-89802-20090424
http://docs.fortinet.com/
When constructing VLAN trunks, you add VLAN subinterfaces whose VLAN IDs match the
VLAN IDs of the packets in the VLAN trunk to the FortiGate internal interface. If the IDs
do not match, traffic is not delivered. The FortiGate unit directs packets carrying a VLAN
ID to the subinterface with the matching VLAN ID. For example, packets from the sending
system's VLAN ID 101 are delivered to the recipient system's VLAN ID 101.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit
can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags from
incoming packets and add different VLAN tags to outgoing packets.
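The tag matching described above, as an added example that is not part of the guide: a small 802.1Q parser that extracts the VLAN ID from a tagged Ethernet frame, delivers the frame to the subinterface with the matching ID (or drops it when no subinterface matches), and strips or replaces the tag the way the text says the FortiGate unit can on ingress and egress. The frames and the subinterface table are constructed here for illustration; the subinterface names are not from the guide.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype, payload) for a tagged frame,
    or None if the frame carries no 802.1Q tag."""
    if len(frame) < 18:
        raise ValueError("frame too short to hold an 802.1Q header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    priority = tci >> 13          # PCP, top 3 bits of the TCI
    vlan_id = tci & 0x0FFF        # VID, low 12 bits of the TCI
    (ethertype,) = struct.unpack("!H", frame[16:18])
    return vlan_id, priority, ethertype, frame[18:]


def build_tagged_frame(dst: bytes, src: bytes, vlan_id: int, ethertype: int,
                       payload: bytes, priority: int = 0) -> bytes:
    """Assemble dst MAC, src MAC, 802.1Q tag, inner EtherType and payload."""
    tci = (priority << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag; untagged frames are returned unchanged."""
    if parse_vlan_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def retag(frame: bytes, new_vlan_id: int, priority: int = 0) -> bytes:
    """Replace the tag on an incoming frame with a different one for egress."""
    untagged = strip_tag(frame)
    (ethertype,) = struct.unpack("!H", untagged[12:14])
    return build_tagged_frame(untagged[:6], untagged[6:12], new_vlan_id,
                              ethertype, untagged[14:], priority)


def deliver(frame: bytes, subinterfaces: dict):
    """Mimic the trunk-side lookup: subinterfaces maps VLAN ID -> subinterface name.
    Returns (destination, vlan_id); a tagged frame with no matching subinterface
    is reported as dropped, exactly as the text describes for mismatched IDs."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return ("untagged", None)
    vlan_id = tag[0]
    name = subinterfaces.get(vlan_id)
    if name is None:
        return ("dropped", vlan_id)
    return (name, vlan_id)


# Constructed sample data (not from the guide).
DST = bytes.fromhex("0a1b2c3d4e5f")
SRC = bytes.fromhex("0a1b2c3d4e60")
PAYLOAD = b"constructed-ipv4-payload"   # placeholder for an IPv4 packet
SUBINTERFACES = {101: "internal_vlan101", 200: "internal_vlan200"}  # hypothetical names

FRAME_101 = build_tagged_frame(DST, SRC, 101, 0x0800, PAYLOAD)
FRAME_102 = build_tagged_frame(DST, SRC, 102, 0x0800, PAYLOAD)

if __name__ == "__main__":
    print(deliver(FRAME_101, SUBINTERFACES))   # matching ID: delivered
    print(deliver(FRAME_102, SUBINTERFACES))   # no subinterface with ID 102: dropped
    print(parse_vlan_tag(retag(FRAME_101, 200))[0])
```

Run it as a script to see the delivered and dropped cases side by side; `retag` shows the ingress-strip, egress-tag behaviour the paragraph describes.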
Rules for VLAN IDs
In NAT/Route mode, two VLAN subinterfaces added to the same physical interface cannot
have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the
same VLAN ID to different physical interfaces. There is no internal connection or link
between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as
the relationship between any two FortiGate network interfaces.
Rules for VLAN IP addresses
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces and to
VLAN subinterfaces.
Figure 64 shows a simplified NAT/Route mode VLAN configuration. In this configuration,
the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is
configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external
interface connects to the Internet. The external interface is not configured with VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies VLAN
tags and forwards the packets to local ports and across the trunk to the FortiGate unit. The
FortiGate unit is configured with policies that allow traffic to flow between VLANs and from
the VLANs to the external network.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the following CLI commands to allow IP address overlap:
    config system global
    set allow-interface-subnet-overlap enable
If you enter this command, multiple VLAN interfaces can have an IP address that is part of
a subnet used by another interface. This command is recommended for advanced users only.
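The two rules above (unique VLAN IDs per physical interface, non-overlapping interface subnets) and the allow-interface-subnet-overlap override, as an added example that is not part of the guide: a pre-deployment check that validates a planned set of interfaces and subinterfaces before they are entered on the unit. The sample plan follows the Figure 64 layout (VLAN 100 and VLAN 200 on the internal interface, an untagged external interface); the interface names and addresses are constructed, and the 1-4094 VLAN ID range is the 802.1Q limit rather than something stated on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str
    ip: str                           # "address/prefixlen", e.g. "10.1.100.1/24"
    physical: Optional[str] = None    # parent physical interface (VLAN subinterfaces only)
    vlanid: Optional[int] = None      # VLAN ID (VLAN subinterfaces only)


def validate_plan(interfaces: List[Interface],
                  allow_interface_subnet_overlap: bool = False) -> List[str]:
    """Return a list of rule violations; an empty list means the plan is acceptable."""
    errors: List[str] = []

    # Rule for VLAN IDs: on one physical interface every VLAN ID must be unique.
    # The same ID on different physical interfaces is allowed.
    seen = {}
    for i in interfaces:
        if i.vlanid is None:
            continue
        if not 1 <= i.vlanid <= 4094:   # 802.1Q usable VID range (assumption, not from the page)
            errors.append(f"{i.name}: VLAN ID {i.vlanid} is outside 1-4094")
        key = (i.physical, i.vlanid)
        if key in seen:
            errors.append(f"{i.name}: VLAN ID {i.vlanid} already used by "
                          f"{seen[key]} on physical interface {i.physical}")
        else:
            seen[key] = i.name

    # Rule for VLAN IP addresses: no two interfaces (physical or VLAN) may share a
    # subnet, unless 'set allow-interface-subnet-overlap enable' is in effect.
    if not allow_interface_subnet_overlap:
        nets = [(i.name, ipaddress.ip_interface(i.ip).network) for i in interfaces]
        for a in range(len(nets)):
            for b in range(a + 1, len(nets)):
                if nets[a][1].overlaps(nets[b][1]):
                    errors.append(f"{nets[a][0]} ({nets[a][1]}) overlaps "
                                  f"{nets[b][0]} ({nets[b][1]}); change the addressing "
                                  f"or enable allow-interface-subnet-overlap")
    return errors


def figure64_plan() -> List[Interface]:
    """Constructed plan in the shape of Figure 64: internal trunk with VLAN 100
    and VLAN 200, external interface without VLAN subinterfaces."""
    return [
        Interface("internal", "10.10.10.1/24"),
        Interface("VLAN_100", "10.1.100.1/24", physical="internal", vlanid=100),
        Interface("VLAN_200", "10.1.200.1/24", physical="internal", vlanid=200),
        Interface("external", "203.0.113.2/24"),
    ]


def conflicting_plan() -> List[Interface]:
    """Same plan, but VLAN_200 reuses VLAN ID 100 and VLAN_100's subnet."""
    plan = figure64_plan()
    plan[2] = Interface("VLAN_200", "10.1.100.2/24", physical="internal", vlanid=100)
    return plan


if __name__ == "__main__":
    for label, plan, flag in (("figure 64", figure64_plan(), False),
                              ("conflicting", conflicting_plan(), False),
                              ("conflicting + overlap allowed", conflicting_plan(), True)):
        print(label, validate_plan(plan, allow_interface_subnet_overlap=flag) or "OK")
```

Enabling the override only silences the subnet-overlap rule; the duplicate VLAN ID on the same physical interface is still reported, matching the guide's statement that the first rule has no override.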