Adding vlan subinterfaces – Fortinet 100A User Manual

System network

Adding VLAN subinterfaces

FortiGate-100A Administration Guide

01-28007-0068-20041203

65

Figure 15 shows a simplified NAT/Route mode VLAN configuration. In this example, the
FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is
configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external
interface connects to the Internet. The external interface is not configured with VLAN
subinterfaces.

When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow
between the VLANs and from the VLANs to the external network.

Figure 15: FortiGate unit in NAT/Route mode

Adding VLAN subinterfaces

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE
802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096.
Each VLAN subinterface must also be configured with its own IP address and
netmask.

You add VLAN subinterfaces to the physical interface that receives VLAN-tagged
packets.

To add a VLAN subinterface in NAT/Route mode

1 Go to System > Network > Interface.

2 Select Create New to add a VLAN subinterface.

3 Enter a Name to identify the VLAN subinterface.

4 Select the physical interface that receives the VLAN packets intended for this VLAN
subinterface.

Note: If you are unable to change your existing configurations to prevent IP overlap, enter the
CLI command config system global and set ip-overlap enable to allow IP address overlap.
If you enter this command, multiple VLAN interfaces can have an IP address that is part of
a subnet used by another interface. This command is recommended for advanced users only.
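The two rules on this page (the subinterface VLAN ID must equal the VID the switch writes into the 802.1Q tag, and each subinterface needs its own address and netmask, with overlap rejected unless ip-overlap is enabled) can be checked offline. The following is an added example written for this page, not code from the FortiGate guide or from Fortinet: it parses the 802.1Q tag of a constructed Ethernet frame, matches the VID to a subinterface table, and reports overlapping subinterface subnets. The VLAN IDs and networks are taken from Figure 15; the unit's own addresses (the .1 hosts), the MAC addresses and the names vlan100/vlan200/vlan300 are assumptions.

```python
"""Added example (not from the FortiGate guide): parse 802.1Q tags, match them to
VLAN subinterfaces, and detect the IP overlap the Note describes."""
import struct
from ipaddress import ip_interface
from typing import List, Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame


def parse_8021q(frame: bytes) -> Optional[dict]:
    """Return the tag fields of an 802.1Q frame, or None when the frame is untagged.

    Layout: dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | inner EtherType (2).
    TCI = 3-bit priority (PCP) | 1-bit DEI | 12-bit VLAN ID (VID).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "pcp": tci >> 13,
        "dei": (tci >> 12) & 1,
        "vid": tci & 0x0FFF,
        "ethertype": inner_type,
    }


def build_8021q_frame(dst: bytes, src: bytes, vid: int, pcp: int = 0,
                      inner_type: int = 0x0800) -> bytes:
    """Build a tagged frame header (constructed input; payload omitted)."""
    if not 0 <= vid <= 0x0FFF:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp << 13) | vid
    return struct.pack("!6s6sHHH", dst, src, TPID_8021Q, tci, inner_type)


# Constructed subinterface table modelled on Figure 15: VLAN IDs 100/200 and the
# networks 10.1.1.0 and 10.1.2.0 come from the figure; the .1 addresses, the
# subinterface names and the /24 masks are assumptions for this example.
SUBINTERFACES = [
    {"name": "vlan100", "physical": "internal", "vid": 100, "ip": "10.1.1.1/24"},
    {"name": "vlan200", "physical": "internal", "vid": 200, "ip": "10.1.2.1/24"},
]


def find_subinterface(subifs: List[dict], physical: str, vid: int) -> Optional[dict]:
    """Match a tagged frame to the subinterface whose VLAN ID equals the tag's VID
    on the physical interface that received it."""
    for s in subifs:
        if s["physical"] == physical and s["vid"] == vid:
            return s
    return None


def classify_frames(frames: List[bytes], physical: str = "internal",
                    subifs: List[dict] = SUBINTERFACES) -> List[str]:
    """Return, per frame, the receiving subinterface name, 'untagged' for frames
    without a tag, or 'no-subinterface' when no subinterface carries that VID."""
    result = []
    for f in frames:
        tag = parse_8021q(f)
        if tag is None:
            result.append("untagged")
            continue
        s = find_subinterface(subifs, physical, tag["vid"])
        result.append(s["name"] if s else "no-subinterface")
    return result


def ip_overlaps(subifs: List[dict]) -> List[tuple]:
    """Return (name_a, name_b) pairs whose subnets overlap, i.e. one interface's
    address lies in a subnet used by another: the condition the Note says is
    rejected unless ip-overlap is enabled."""
    hits = []
    for i, a in enumerate(subifs):
        for b in subifs[i + 1:]:
            if ip_interface(a["ip"]).network.overlaps(ip_interface(b["ip"]).network):
                hits.append((a["name"], b["name"]))
    return hits


if __name__ == "__main__":
    switch_mac = bytes.fromhex("0011223344aa")  # constructed MAC addresses
    fgt_mac = bytes.fromhex("0011223344ff")
    frames = [
        build_8021q_frame(fgt_mac, switch_mac, 100),
        build_8021q_frame(fgt_mac, switch_mac, 200, pcp=5),
        build_8021q_frame(fgt_mac, switch_mac, 300),          # no matching subinterface
        struct.pack("!6s6sH", fgt_mac, switch_mac, 0x0800),   # untagged IPv4 frame
    ]
    print(classify_frames(frames))
    # A third subinterface placed inside the VLAN 100 subnet triggers the overlap check.
    proposed = SUBINTERFACES + [
        {"name": "vlan300", "physical": "internal", "vid": 300, "ip": "10.1.1.200/24"}]
    print(ip_overlaps(proposed))
```

Running `ip_overlaps` over a proposed table before committing it catches exactly the configuration the Note warns about; on the unit itself that check is what ip-overlap disables, which is why the guide restricts the setting to advanced users.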

[Figure 15 labels: FortiGate unit with External interface 172.16.21.2 connected to the Internet and Internal interface 192.168.110.126 connected over an 802.1Q trunk to the VLAN switch (switch ports Fa0/3, Fa0/9, Fa0/24); VLAN 100 network 10.1.1.0 with address 10.1.1.2; VLAN 200 network 10.1.2.0 with address 10.1.2.2.]

Note: A VLAN must not have the same name as a virtual domain or zone.