Fortinet FortiGate-800 VLANs in NAT/Route mode

146 Fortinet Inc.

VLANs in NAT/Route mode Network configuration

In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3

routers or firewalls add VLAN tags to packets. Packets passing between devices in

the same VLAN can be handled by layer 2 switches. Packets passing between

devices in different VLANs must be handled by a layer 3 device such as router,

firewall, or layer 3 switch.

Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to

control the flow of packets between VLANs. See “VLANs in NAT/Route mode” on

page 146 for more information.

Operating in Transparent mode, the FortiGate unit functions as a layer 2 device to

control the flow of packets between segments in the same VLAN. See “Virtual

domains in Transparent mode” on page 147.

VLANs in NAT/Route mode

In NAT/Route mode, FortiGate units support VLANs for constructing VLAN trunks

between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally

the FortiGate unit internal interface connects to a VLAN trunk on an internal switch,

and the external interface connects to an upstream Internet router untagged. The

FortiGate unit can then apply different policies for traffic on each VLAN that connects

to the internal interface.

In this configuration, you add VLAN subinterfaces to the FortiGate internal interface

that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The

FortiGate unit directs packets with VLAN IDs, to subinterfaces with matching VLAN

IDs.

You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit

can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags

from incoming packets and add different VLAN tags to outgoing packets.

Two VLAN subinterfaces added to the same physical interface cannot have the same

VLAN ID. However, you can add two or more VLAN subinterfaces with the same

VLAN IDs to different physical interfaces. There is no internal connection or link

between two VLAN subinterfaces with same VLAN ID. Their relationship is the same

as the relationship between any two FortiGate network interfaces.

IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all

interfaces must be on different subnets. This rule applies to both physical interfaces

and to VLAN subinterfaces.

Note: You can enter the CLI command set system ip-overlap enable to allow IP

address overlap. If you enter this command, multiple VLAN interfaces can have an IP address

that is part of a subnet used by another interface. This command is recommended for advanced

users only.