Fortinet 100A User Manual


System network

Adding VLAN subinterfaces

FortiGate-100A Administration Guide

01-28007-0068-20041203

67

If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can
configure a FortiGate unit operating in Transparent mode to provide security for
network traffic passing between different VLANs. To support VLAN traffic in
Transparent mode, you add virtual domains to the FortiGate unit configuration. A
virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual
domain, a zone can contain one or more VLAN subinterfaces.

When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is
directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface
removes the VLAN tag and assigns a destination interface to the packet based on its
destination MAC address. The firewall policies for this source and destination VLAN
subinterface pair are applied to the packet. If the packet is accepted by the firewall,
the FortiGate unit forwards the packet to the destination VLAN subinterface. The
destination VLAN ID is added to the packet by the FortiGate unit and the packet is
sent to the VLAN trunk.
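The Transparent-mode forwarding sequence described above, modelled as an added Python example (not code from this guide or from Fortinet). The VLAN IDs, MAC table, firewall policies and sample frames are constructed; untagged frames and unknown destination MACs are simply dropped here as a simplification the guide does not specify.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tagged frame

# Constructed: one virtual domain with three VLAN subinterfaces (VLAN ID -> name).
VLAN_SUBIFS = {10: "vlan10", 20: "vlan20", 30: "vlan30"}
# Constructed: destination MAC -> VLAN subinterface the unit has learned it behind.
MAC_TABLE = {
    bytes.fromhex("0200000000b0"): "vlan20",
    bytes.fromhex("0200000000c0"): "vlan30",
}
# Constructed: firewall policies keyed by (source subinterface, destination subinterface).
POLICIES = {("vlan10", "vlan20"): "accept", ("vlan10", "vlan30"): "deny"}

def parse_tagged_frame(frame):
    """Return (dst_mac, src_mac, vlan_id, untagged_frame), or None if not 802.1Q tagged."""
    if len(frame) < 18:
        return None
    dst, src = frame[0:6], frame[6:12]
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    vid = tci & 0x0FFF                  # low 12 bits of the TCI carry the VLAN ID
    untagged = frame[:12] + frame[16:]  # strip the 4-byte tag, keep EtherType + payload
    return dst, src, vid, untagged

def add_tag(untagged, vid):
    """Re-insert an 802.1Q tag carrying the destination VLAN ID."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return untagged[:12] + tag + untagged[12:]

def forward(frame):
    """Apply the VLAN subinterface flow; return (verdict, frame sent to the trunk or None)."""
    parsed = parse_tagged_frame(frame)
    if parsed is None:
        return "drop: untagged or malformed frame", None
    dst, src, vid, untagged = parsed
    src_if = VLAN_SUBIFS.get(vid)
    if src_if is None:
        return f"drop: no VLAN subinterface for VLAN ID {vid}", None
    dst_if = MAC_TABLE.get(dst)
    if dst_if is None:
        return "drop: unknown destination MAC", None
    action = POLICIES.get((src_if, dst_if), "deny")  # no matching policy: implicit deny
    if action != "accept":
        return f"deny: {src_if} -> {dst_if}", None
    dst_vid = next(v for v, name in VLAN_SUBIFS.items() if name == dst_if)
    return "accept", add_tag(untagged, dst_vid)

def build_frame(dst, src, vid, payload=b"\x08\x00" + b"\x45" + b"\x00" * 19):
    """Constructed tagged frame: dst, src, 802.1Q tag, then a minimal IPv4 EtherType/payload."""
    return dst + src + struct.pack("!HH", TPID_8021Q, vid) + payload
```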

Figure 16: FortiGate unit with two virtual domains in Transparent mode

Figure 17 shows a FortiGate unit operating in Transparent mode and configured with
three VLAN subinterfaces. In this configuration the FortiGate unit could be added to
this network to provide virus scanning, web content filtering, and other services to
each VLAN.

[Figure labels: VLAN1, VLAN2, VLAN3; root virtual domain; New virtual domain; Internal; External; VLAN switch or router; VLAN trunk; FortiGate unit; Internet]
