Rules For Vlan Ids; Rules For Vlan Ip Addresses - Fortinet FortiWiFi FortiWiFi-60 Administration Manual

FortiWiFi-60 Administration Guide

System network

In NAT/Route mode, FortiWiFi units support VLANs for constructing VLAN trunks
between an IEEE 802.1Q-compliant switch (or router) and the FortiWiFi unit. Normally
the FortiWiFi unit internal interface connects to a VLAN trunk on an internal switch,
and the external interface connects untagged to an upstream Internet router. The
FortiWiFi unit can then apply different policies for traffic on each VLAN that connects
to the internal interface.

In this configuration, you add VLAN subinterfaces to the FortiWiFi internal interface
with VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The
FortiWiFi unit directs packets with VLAN IDs to subinterfaces with matching VLAN
IDs.

You can also define VLAN subinterfaces on all FortiWiFi interfaces. The FortiWiFi unit
can add VLAN tags to packets leaving a VLAN subinterface, or remove VLAN tags
from incoming packets and add different VLAN tags to outgoing packets.

Rules for VLAN IDs

In NAT/Route mode, two VLAN subinterfaces added to the same physical interface
cannot have the same VLAN ID. However, you can add two or more VLAN
subinterfaces with the same VLAN IDs to different physical interfaces. There is no
internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their
relationship is the same as the relationship between any two FortiWiFi network
interfaces.

Rules for VLAN IP addresses

IP addresses of all FortiWiFi interfaces cannot overlap. That is, the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces
and to VLAN subinterfaces.

Note: If you are unable to change your existing configurations to prevent IP overlap, enter the
CLI command config system global and set ip-overlap enable to allow IP address
overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is
part of a subnet used by another interface. This command is recommended for advanced users
only.
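
The two rules above can be checked against a planned interface layout before it is entered on the unit. The following is an added example, not code from the Fortinet manual: the interface names, addresses and the `allow_ip_overlap` parameter (which stands in for the ip-overlap setting described in the note) are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample plan: (name, physical interface, VLAN ID or None, address/prefix).
PLAN = [
    ("internal", "internal", None, "192.168.1.99/24"),
    ("vlan100",  "internal", 100,  "10.1.1.1/24"),
    ("vlan200",  "internal", 200,  "10.1.2.1/24"),
    ("external", "external", None, "203.0.113.2/30"),
    ("dmz_v100", "dmz",      100,  "10.1.3.1/24"),    # same ID, other port: allowed
    ("vlan100b", "internal", 100,  "10.1.4.1/24"),    # duplicate ID on internal
    ("vlan300",  "internal", 300,  "10.1.2.129/25"),  # falls inside vlan200's subnet
]

def check_plan(plan, allow_ip_overlap=False):
    """Return a sorted list of rule violations for a NAT/Route mode interface plan."""
    problems = []

    # Rule for VLAN IDs: unique per physical interface, reusable across interfaces.
    by_port = defaultdict(list)
    for name, port, vlan_id, _ in plan:
        if vlan_id is not None:
            by_port[(port, vlan_id)].append(name)
    for (port, vlan_id), names in by_port.items():
        if len(names) > 1:
            problems.append(
                f"VLAN ID {vlan_id} used twice on {port}: {', '.join(names)}")

    # Rule for IP addresses: every interface, physical or VLAN, on its own subnet.
    # Skipped when overlap has been explicitly allowed.
    if not allow_ip_overlap:
        nets = [(name, ipaddress.ip_interface(addr).network)
                for name, _, _, addr in plan]
        for (n1, net1), (n2, net2) in combinations(nets, 2):
            if net1.overlaps(net2):
                problems.append(f"{n1} ({net1}) overlaps {n2} ({net2})")

    return sorted(problems)

if __name__ == "__main__":
    for line in check_plan(PLAN):
        print(line)
```
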

Figure 17 shows a simplified NAT/Route mode VLAN configuration. In this example,
the FortiWiFi internal interface connects to a VLAN switch using an 802.1Q trunk and is
configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external
interface connects to the Internet. The external interface is not configured with VLAN
subinterfaces.

When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN tags and forwards the packets to local ports and across the trunk to the
FortiWiFi unit. The FortiWiFi unit is configured with policies that allow traffic to flow
between the VLANs and from the VLANs to the external network.

01-28006-0014-20041105
VLANs in NAT/Route mode