Network configuration VLANs in NAT/Route mode
FortiGate-4000 Installation and Configuration Guide 151
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a
broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but
cannot connect with devices in other VLANs. The communication among devices on a
VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent
and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that
contain a VLAN identifier as well as other information.
In a typical VLAN configuration, 802.1Q-compliant layer-2 VLAN switches or layer-3
routers or firewalls add VLAN tags to packets. Packets passing between devices in
the same VLAN can be handled by layer 2 switches. Packets passing between
devices in different VLANs must be handled by a layer 3 device such as a router,
firewall, or layer 3 switch.
Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to
control the flow of packets between VLANs. See “VLANs in NAT/Route mode” on
page 151 for more information.
Operating in Transparent mode, the FortiGate unit functions as a layer 2 device to
control the flow of packets between segments in the same VLAN. See “Virtual
domains in Transparent mode” on page 153.
VLANs in NAT/Route mode
In NAT/Route mode, FortiGate units support VLANs for constructing VLAN trunks
between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally
the FortiGate unit internal interface connects to a VLAN trunk on an internal switch,
and the external interface connects to an upstream Internet router untagged. The
FortiGate unit can then apply different policies for traffic on each VLAN that connects
to the internal interface.
In this configuration, you add VLAN subinterfaces to the FortiGate internal interface
with VLAN IDs that match the VLAN IDs of the packets in the VLAN trunk. The
FortiGate unit directs each tagged packet to the subinterface whose VLAN ID matches
the packet's VLAN ID.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit
can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags
from incoming packets and add different VLAN tags to outgoing packets.
Rules for VLAN IDs
Two VLAN subinterfaces added to the same physical interface cannot have the same
VLAN ID. However, you can add two or more VLAN subinterfaces with the same
VLAN ID to different physical interfaces. There is no internal connection or link
between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same
as the relationship between any two FortiGate network interfaces.
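The following Python is an added illustration, not code from the guide or from Fortinet: it shows the 4-byte 802.1Q tag described above (TPID 0x8100 followed by a 16-bit TCI holding priority, DEI and the 12-bit VLAN ID), how a layer 3 device demultiplexes a tagged frame to the subinterface with the matching (physical interface, VLAN ID) pair, how a tag can be stripped or replaced on the way out, and the rule that a VLAN ID may appear once per physical interface but may be reused across different physical interfaces. Interface names such as "internal" and "dmz", the subinterface naming, and the sample frames are constructed for the example; the 1 to 4094 VID range reflects the 802.1Q reservation of VID 0 and 4095.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100  # TPID that marks a frame as carrying an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int             # 3-bit priority code point from the TCI
    dei: int             # 1-bit drop eligible indicator from the TCI
    ethertype: int       # EtherType of the payload (the inner one when tagged)
    payload: bytes


def parse_frame(frame: bytes) -> Frame:
    """Parse an Ethernet II frame and pull out the 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETHERTYPE_8021Q:
        return Frame(dst, src, None, 0, 0, etype, frame[14:])
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but the 4-byte tag is truncated")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner, frame[18:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build a frame; a 4-byte tag is inserted after the source MAC when vid is given."""
    hdr = dst + src
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def retag(frame: bytes, new_vid: Optional[int]) -> bytes:
    """Remove the existing tag and apply a different one (or none when new_vid is None)."""
    f = parse_frame(frame)
    return build_frame(f.dst, f.src, f.ethertype, f.payload, vid=new_vid, pcp=f.pcp, dei=f.dei)


class VlanDemux:
    """Maps (physical interface, VLAN ID) to a subinterface name, enforcing the ID rule."""

    def __init__(self) -> None:
        self._table = {}  # (phys, vid) -> subinterface name

    def add_subinterface(self, phys: str, vid: int, name: str) -> None:
        if not 1 <= vid <= 4094:  # 0 and 4095 are reserved by 802.1Q
            raise ValueError(f"VLAN ID {vid} is outside the usable range 1-4094")
        key = (phys, vid)
        if key in self._table:  # same ID on the same physical interface is not allowed
            raise ValueError(f"VLAN ID {vid} already used on {phys} by {self._table[key]}")
        self._table[key] = name  # the same ID on another physical interface is fine

    def classify(self, phys: str, frame: bytes) -> Optional[str]:
        """Return the interface that should receive the frame, or None to drop it."""
        f = parse_frame(frame)
        if f.vid is None:
            return phys  # untagged frames belong to the physical interface itself
        return self._table.get((phys, f.vid))


def demo() -> dict:
    # Constructed sample MACs and payload; not captured traffic.
    dst, src, payload = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", b"ip-payload"
    demux = VlanDemux()
    demux.add_subinterface("internal", 100, "internal_v100")
    demux.add_subinterface("internal", 200, "internal_v200")
    demux.add_subinterface("dmz", 100, "dmz_v100")  # same VID, different physical port
    tagged100 = build_frame(dst, src, ETHERTYPE_IPV4, payload, vid=100, pcp=3)
    tagged300 = build_frame(dst, src, ETHERTYPE_IPV4, payload, vid=300)
    untagged = build_frame(dst, src, ETHERTYPE_IPV4, payload)
    return {
        "parsed_vid": parse_frame(tagged100).vid,
        "tag_len": len(tagged100) - len(untagged),
        "internal_100": demux.classify("internal", tagged100),
        "dmz_100": demux.classify("dmz", tagged100),
        "internal_300": demux.classify("internal", tagged300),
        "untagged": demux.classify("internal", untagged),
        "retagged_vid": parse_frame(retag(tagged100, 200)).vid,
        "stripped_vid": parse_frame(retag(tagged100, None)).vid,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that `classify` returns None for a tagged frame whose VLAN ID has no subinterface on that physical interface, which is the appropriate default: a tag that matches nothing should be dropped rather than delivered untagged.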