Fortinet Fortigate-5000 series Administration Manual page 100

VLANs in Transparent mode
If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you
can configure a FortiGate unit operating in Transparent mode to provide security
for network traffic passing between different VLANs. To support VLAN traffic in
Transparent mode, you add virtual domains to the FortiGate unit configuration. A
virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual
domain, a zone can contain one or more VLAN subinterfaces.
When the FortiGate unit receives a VLAN tagged packet at an interface, the
packet is directed to the VLAN subinterface with matching VLAN ID. The VLAN
subinterface removes the VLAN tag and assigns a destination interface to the
packet based on its destination MAC address. The firewall policies for this source
and destination VLAN subinterface pair are applied to the packet. If the packet is
accepted by the firewall, the FortiGate unit forwards the packet to the destination
VLAN subinterface. The destination VLAN ID is added to the packet by the
FortiGate unit and the packet is sent to the VLAN trunk.
Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode.
This includes VLANs. If no other interfaces are configured for a VDOM, you can configure
up to 255 VLANs in that VDOM.
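The forwarding steps described above, as an added Python model (not code from the manual or from FortiOS): an 802.1Q frame is parsed, matched to the VLAN subinterface for its VLAN ID, untagged, steered by destination MAC, checked against the policy for the source/destination subinterface pair, and re-tagged with the destination VLAN ID. The MAC-learning step, dropping of untagged or unmatched frames, and the per-VDOM limit check are assumptions made for the model, not behaviour quoted from the page.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def parse_8021q(frame: bytes):
    """Split a tagged frame into (dst_mac, src_mac, vid, payload); None if untagged."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return frame[0:6], frame[6:12], tci & 0x0FFF, frame[16:]  # VID = low 12 bits of TCI

def tag_8021q(dst: bytes, src: bytes, vid: int, payload: bytes) -> bytes:
    """Re-insert a VLAN tag (priority 0, CFI 0) before the frame goes to the trunk."""
    return dst + src + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + payload

class TransparentVdom:
    """Constructed model of one Transparent-mode VDOM: VLAN subinterfaces on
    physical interfaces, a learned MAC table, and subinterface-pair policies."""
    MAX_INTERFACES = 255  # per-VDOM interface limit quoted in the manual, VLANs included

    def __init__(self):
        self.subifs = {}     # (physical_if, vid) -> subinterface name
        self.mac_table = {}  # destination MAC -> subinterface name (assumed learned from sources)
        self.policies = {}   # (src_subif, dst_subif) -> "accept" or "deny"

    def add_vlan_subinterface(self, name: str, physical_if: str, vid: int):
        if len(self.subifs) >= self.MAX_INTERFACES:
            raise ValueError("VDOM interface limit of 255 reached")
        self.subifs[(physical_if, vid)] = name

    def forward(self, physical_if: str, frame: bytes):
        """Return ('accept', egress_if, retagged_frame) or ('drop', reason, None)."""
        parsed = parse_8021q(frame)
        if parsed is None:
            return ("drop", "untagged frame", None)            # assumption: no VLAN tag, no subinterface
        dst, src, vid, payload = parsed
        src_subif = self.subifs.get((physical_if, vid))
        if src_subif is None:
            return ("drop", f"no subinterface for VLAN {vid} on {physical_if}", None)
        self.mac_table[src] = src_subif                          # learn where the sender lives
        dst_subif = self.mac_table.get(dst)
        if dst_subif is None:
            return ("drop", "unknown destination MAC", None)     # simplification: a real bridge floods
        if self.policies.get((src_subif, dst_subif)) != "accept":
            return ("drop", f"policy {src_subif}->{dst_subif} denies", None)
        # Egress physical interface and VLAN ID come from the destination subinterface; re-tag.
        egress_if, egress_vid = next(k for k, v in self.subifs.items() if v == dst_subif)
        return ("accept", egress_if, tag_8021q(dst, src, egress_vid, payload))
```

A frame for a VLAN with no subinterface on the ingress interface, or one whose subinterface pair has no accept policy, is reported as dropped with the reason.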
Figure 49: FortiGate unit with two virtual domains in Transparent mode
[Figure not reproduced. Labels recovered from the figure: Internal, VLAN1, VLAN2, VLAN3, VLAN trunk, VLAN switch or router.]
Figure 50 shows a FortiGate unit operating in Transparent mode and configured with three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN.
Figure 50: FortiGate unit in Transparent mode with three VLAN subinterfaces
[Figure not reproduced. Labels recovered from the figure: FortiGate unit, root virtual domain, New virtual domain, External, Internet, VLAN1, VLAN2, VLAN3, VLAN trunk, VLAN switch or router.]
FortiGate Version 3.0 MR4 Administration Guide
System Network
01-30004-0203-20070102
