System Network
VLANs in NAT/Route mode
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
151
Figure 75: Basic VLAN topology
FortiGate units and VLANs
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3
routers or firewalls add VLAN tags to packets. Packets passing between devices in the
same VLAN are normally handled by layer-2 switches but can be handled by layer-3
devices. Packets passing between devices in different VLANs must be handled by a
layer-3 device such as a router, firewall, or layer-3 switch.
Using VLANs, a single FortiGate unit can provide security services and control
connections between multiple security domains. Traffic from each security domain is given
a different VLAN ID. The FortiGate unit recognizes the VLAN IDs and applies security
policies to network and IPsec VPN traffic passing between security domains. The
FortiGate unit can also apply protection profiles and other firewall features to the
network and VPN traffic that its policies allow to pass between security domains.
VLANs in NAT/Route mode
Operating in NAT/Route mode, the FortiGate unit functions as a layer-3 device to control
the flow of packets between VLANs. The FortiGate unit can also remove VLAN tags from
incoming VLAN packets and forward untagged packets to other networks, such as the
Internet.
In NAT/Route mode, a FortiGate unit can terminate an IEEE 802.1Q VLAN trunk from a
compliant switch (or router). Normally the FortiGate unit's internal interface connects
to a VLAN trunk on an internal switch, and its external interface connects to an upstream
Internet router. The FortiGate unit can then apply different policies to the traffic on
each VLAN that arrives on the internal interface.
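The topology the two sections above describe, written out as a FortiOS CLI configuration. This is an added example, not configuration taken from the guide: two VLAN subinterfaces ride the 802.1Q trunk on the internal port, one policy controls traffic between the two security domains, and two NAT policies forward each VLAN's traffic untagged to the Internet. The port names `internal` and `wan1`, the VLAN IDs, the addresses and the object names are assumptions for this example.

```text
# Added example, not from the FortiGate guide. Port names (internal, wan1),
# VLAN IDs, addresses and object names are assumed for illustration.

# 1. One VLAN subinterface per security domain, both bound to the physical
#    "internal" port that carries the 802.1Q trunk. The FortiGate unit is the
#    layer-3 gateway of each VLAN.
config system interface
    edit "VLAN_10"
        set vdom "root"
        set interface "internal"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "VLAN_20"
        set vdom "root"
        set interface "internal"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end

# 2. Traffic between the two VLANs only flows through a firewall policy.
#    This policy lets VLAN 10 open sessions to VLAN 20. There is deliberately
#    no reverse policy, so VLAN 20 cannot initiate sessions to VLAN 10:
#    FortiOS drops traffic that matches no policy.
config firewall policy
    edit 1
        set srcintf "VLAN_10"
        set dstintf "VLAN_20"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

# 3. Internet access for each VLAN. The VLAN tag is removed on the way out
#    and the source address is translated to the wan1 address, so the
#    upstream router only ever sees untagged packets.
config firewall policy
    edit 2
        set srcintf "VLAN_10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 3
        set srcintf "VLAN_20"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
```

Two points to check after applying a configuration like this. First, untagged frames arriving on the trunk belong to the physical `internal` interface, not to either VLAN subinterface; because no policy above names `internal` as a source interface, that traffic is dropped, which is the safe default, so do not add a broad `internal`-to-`wan1` policy "to make things work" without deciding what the trunk's native VLAN is allowed to reach. Second, confirm that tagged frames are actually being attributed to the subinterfaces: `diagnose sniffer packet internal 'none' 4` prints the interface name (`VLAN_10` or `VLAN_20`) for each captured packet, and `show system interface VLAN_10` confirms the `vlanid` and parent `interface` settings.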
[Figure 75, Basic VLAN topology: a VLAN 1 network and a VLAN 2 network connect to a VLAN switch; the switch carries VLAN 1 and VLAN 2 tags over a trunk to the FortiGate unit's internal interface, and the FortiGate unit forwards untagged packets through a router to the Internet.]