146 Fortinet Inc.
VLANs in NAT/Route mode Network configuration
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3
routers or firewalls add VLAN tags to packets. Packets passing between devices in
the same VLAN can be handled by layer 2 switches. Packets passing between
devices in different VLANs must be handled by a layer 3 device such as a router,
firewall, or layer 3 switch.
Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to
control the flow of packets between VLANs. See “VLANs in NAT/Route mode” on
page 146 for more information.
Operating in Transparent mode, the FortiGate unit functions as a layer 2 device to
control the flow of packets between segments in the same VLAN. See “Virtual
domains in Transparent mode” on page 147.
VLANs in NAT/Route mode
In NAT/Route mode, FortiGate units support VLANs for constructing VLAN trunks
between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally
the FortiGate unit internal interface connects to a VLAN trunk on an internal switch,
and the external interface connects to an upstream Internet router untagged. The
FortiGate unit can then apply different policies for traffic on each VLAN that connects
to the internal interface.
In this configuration, you add VLAN subinterfaces to the FortiGate internal interface
that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The
FortiGate unit directs tagged packets to the subinterfaces with matching VLAN
IDs.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit
can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags
from incoming packets and add different VLAN tags to outgoing packets.

Rules for VLAN IDs

Two VLAN subinterfaces added to the same physical interface cannot have the same
VLAN ID. However, you can add two or more VLAN subinterfaces with the same
VLAN IDs to different physical interfaces. There is no internal connection or link
between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same
as the relationship between any two FortiGate network interfaces.

Rules for VLAN IP addresses

IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces
and to VLAN subinterfaces.
Note: You can enter the CLI command set system ip-overlap enable to allow IP
address overlap. If you enter this command, multiple VLAN interfaces can have an IP address
that is part of a subnet used by another interface. This command is recommended for advanced
users only.
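As an added illustration that is not part of the Fortinet guide, the following Python checks a proposed interface list against the two rules above: a VLAN ID may appear only once per physical interface (but may be reused on other ports), and no two interfaces, physical or VLAN, may sit on overlapping subnets unless ip-overlap has been enabled. The Iface layout, interface names and addresses are constructed for the example, not FortiOS syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Iface:
    """A FortiGate interface: a physical port, or a VLAN subinterface on one (example layout)."""
    name: str
    ip: str                         # address/prefix set on the interface
    physical: Optional[str] = None  # parent port; None for a physical interface
    vlan_id: Optional[int] = None   # 802.1Q tag; None for a physical interface

def check_vlan_ids(ifaces: List[Iface]) -> List[str]:
    """Rule for VLAN IDs: one ID per physical interface; reuse across ports is fine."""
    seen = {}  # (physical port, VLAN ID) -> name of first subinterface using it
    errors = []
    for i in ifaces:
        if i.vlan_id is None:
            continue
        key = (i.physical, i.vlan_id)
        if key in seen:
            errors.append(f"{i.name}: VLAN ID {i.vlan_id} already used by {seen[key]} on {i.physical}")
        else:
            seen[key] = i.name
    return errors

def check_ip_overlap(ifaces: List[Iface], ip_overlap: bool = False) -> List[str]:
    """Rule for IP addresses: no two interfaces (physical or VLAN) on overlapping
    subnets, unless ip-overlap has been enabled on the unit."""
    if ip_overlap:
        return []
    errors = []
    for n, a in enumerate(ifaces):
        net_a = ipaddress.ip_interface(a.ip).network
        for b in ifaces[n + 1:]:
            net_b = ipaddress.ip_interface(b.ip).network
            if net_a.overlaps(net_b):
                errors.append(f"{b.name} {net_b} overlaps {a.name} {net_a}")
    return errors

# Constructed sample: a trunk on 'internal' with two valid VLANs and one duplicate ID,
# and a 'dmz' port whose two VLAN subnets collide. Names and addresses are made up.
SAMPLE = [
    Iface("internal", "192.168.1.99/24"),
    Iface("external", "203.0.113.2/30"),
    Iface("vlan_100", "10.0.100.1/24", "internal", 100),
    Iface("vlan_200", "10.0.200.1/24", "internal", 200),
    Iface("vlan_dup", "10.0.150.1/24", "internal", 100),  # rejected: ID 100 reused on 'internal'
    Iface("dmz_100", "172.16.0.1/24", "dmz", 100),        # allowed: ID 100 on a different port
    Iface("dmz_110", "172.16.0.129/25", "dmz", 110),      # rejected: lies inside dmz_100's /24
]
```

Running both checks over SAMPLE reports exactly the two rejected entries; passing ip_overlap=True silences only the subnet check, mirroring the note above.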