Adding Vlan Subinterfaces - Fortinet Fortigate-5000 series Administration Manual


VLANs in NAT/Route mode

Adding VLAN subinterfaces

Figure 37 shows a simplified NAT/Route mode VLAN configuration. In this
example, the FortiGate internal interface connects to a VLAN switch using an
802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and
VLAN 200). The external interface connects to the Internet. The external interface
is not configured with VLAN subinterfaces.
When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit is configured with policies that allow traffic to
flow between the VLANs and from the VLANs to the external network.
Figure 48: FortiGate unit in NAT/Route mode
[Figure labels: Untagged packets; Internal 192.168.110.126; VLAN 100; VLAN 100 Network 10.1.1.0]
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the
IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and
4096. Each VLAN subinterface must also be configured with its own IP address
and netmask.
Note: A VLAN must not have the same name as a virtual domain or zone.
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged
packets.
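The rules above (matching VLAN IDs, a valid ID, a separate IP address and netmask per subinterface, and no name shared with a virtual domain or zone) can be checked against a planned configuration before it is entered. The following is an added example, not part of the Fortinet manual; the function name, data layout and sample values are assumptions.

```python
import ipaddress

# 802.1Q carries a 12-bit VLAN ID; 0 and 4095 are reserved, leaving 1-4094.
# The manual text above gives the range as 1 to 4096; adjust if you follow it.
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094


def check_vlan_plan(subinterfaces, trunk_vlan_ids, reserved_names):
    """Return a list of problems in a planned set of VLAN subinterfaces.

    subinterfaces:  dicts with name, parent, vlan_id, ip ("addr/mask")
    trunk_vlan_ids: parent interface -> VLAN IDs the switch tags on that trunk
    reserved_names: names already used by virtual domains or zones
    """
    problems, seen_ids, seen_nets = [], {}, []
    for sub in subinterfaces:
        name, parent, vid = sub["name"], sub["parent"], sub["vlan_id"]
        if name in reserved_names:
            problems.append(f"{name}: name is already a virtual domain or zone")
        if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
            problems.append(f"{name}: VLAN ID {vid} is outside the valid range")
        elif vid not in trunk_vlan_ids.get(parent, set()):
            problems.append(f"{name}: VLAN ID {vid} is not tagged on {parent}")
        if (parent, vid) in seen_ids:
            problems.append(f"{name}: VLAN ID {vid} duplicates {seen_ids[parent, vid]}")
        seen_ids.setdefault((parent, vid), name)
        try:
            net = ipaddress.ip_interface(sub.get("ip", "")).network
        except ValueError:
            problems.append(f"{name}: missing or invalid IP address/netmask")
            continue
        # Assumption: "its own IP address and netmask" is read as "its own
        # subnet", so overlapping subnets are reported.
        for other, other_net in seen_nets:
            if net.overlaps(other_net):
                problems.append(f"{name}: subnet {net} overlaps {other}")
        seen_nets.append((name, net))
    return problems


# Constructed sample: VLAN IDs and networks from the figure; the /24 masks,
# host addresses, subinterface names and reserved names are assumptions.
TRUNK = {"internal": {100, 200}}
RESERVED = {"root", "dmz_zone"}
PLAN = [
    {"name": "VLAN_100", "parent": "internal", "vlan_id": 100, "ip": "10.1.1.1/24"},
    {"name": "VLAN_200", "parent": "internal", "vlan_id": 200, "ip": "10.1.2.1/24"},
]

if __name__ == "__main__":
    for problem in check_vlan_plan(PLAN, TRUNK, RESERVED) or ["plan is consistent"]:
        print(problem)
```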
To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
[Figure 48 labels: Internet; External 172.16.21.2; FortiGate unit; 802.1Q trunk; Fa 0/24; Fa 0/9; Fa 0/3; VLAN Switch; VLAN 200; VLAN 200 Network 10.1.2.0]
FortiGate Version 3.0 MR4 Administration Guide, System Network, 01-30004-0203-20070102
