VLANs
Virtual Local Area Networks (VLANs) multiply the capabilities of a FortiGate, and can also provide added network security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security. The IEEE 802.1Q standard defines VLANs. All layer‑2 and layer-3 devices along a route must be 802.1Q-compliant to support VLANs along that route.
A Local Area Network (LAN) is a group of connected computers and devices that are arranged into network broadcast domains. A LAN broadcast domain includes all the computers that receive a packet broadcast from any computer in that broadcast domain. A switch automatically forwards the packets to all of its ports. In contrast, routers don't automatically forward network broadcast packets. This means routers separate broadcast domains. If a network has only switches and no routers, that network is considered one broadcast domain, no matter how large or small it is. Smaller broadcast domains are more efficient because fewer devices receive unnecessary packets. They are more secure as well because a hacker reading traffic on the network will have access to only a small portion of the network instead of the entire network’s traffic.
VLANs reduce the size of the broadcast domains by only forwarding packets to interfaces that are part of that VLAN or part of a VLAN trunk link. Trunk links form switch-to-switch or switch-to-router connections, and forward traffic for all VLANs. This enables a VLAN to include devices that are part of the same broadcast domain, but physically distant from each other.
VLAN ID tags consist of a 4-byte frame extension that switches and routers apply to every packet sent and received in the VLAN. Workstations and desktop computers, which are commonly originators or destinations of network traffic, aren't an active part of the VLAN process. All of the VLAN tagging and tag removal is done after the packet has left the computer.
A FortiGate that doesn't have VDOMs enabled can have a maximum of 255 interfaces in transparent operating mode. The same is true for any single VDOM. In NAT mode, the number can range from 255 to 8192 interfaces per VDOM, depending on the FortiGate model. These numbers include VLANs, other virtual interfaces, and physical interfaces. To have more than 255 interfaces configured in transparent operating mode, you need to configure multiple VDOMs that enable you to divide the total number of interfaces over all the VDOMs.
One example of an application of VLANs is a company’s accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet.
This guide uses the term “packet” to refer to both layer-2 frames and layer-3 packets.
On a layer-2 switch, you can have only one VLAN subinterface per physical interface, unless that interface is configured as a trunk link. Trunk links can transport traffic for multiple VLANs to other parts of the network.
You can add multiple VLANs to the same physical interface on a FortiGate. However, VLAN subinterfaces added to the same physical interface can't have the same VLAN ID or have IP addresses on the same subnet. You can add VLAN subinterfaces with the same VLAN ID to different physical interfaces.
Creating VLAN subinterfaces with the same VLAN ID doesn't create an internal connection between them. For example, a VLAN ID of 300 on port1 and VLAN ID of 300 on port2 are allowed, but they aren't connected. Their relationship is the same as between any two FortiGate network interfaces.
FortiGate interfaces can't have overlapping IP addresses, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to virtual interfaces, such as VLAN subinterfaces. Each VLAN subinterface must be configured with its own IP address and netmask. This rule helps prevent a broadcast storm or other similar network problems.
The following example shows how to add a VLAN, called vlan_accounting, on the FortiGate internal interface with an IP address of 10.13.101.101.
To add a VLAN - GUI:
- Go to Network > Interfaces.
- Select Create New and click on Interface.
- Enter a name for the VLAN to
vlan_accounting
. - In the Interface field, select the internal interface.
- Enter the VLAN ID.
- Select the Addressing mode of Manual.
- Enter the IP address for the port of 10.13.101.101/24.
- Set the Administrative Access to HTTPS and SSH.
- Select OK.
The Type is set to VLAN, by default.
The VLAN ID is a number between 1 and 4094 that allow groups of IP addresses with the same VLAN ID to be associated together.
To add a VLAN – CLI
config system interface
edit VLAN_1
set interface internal
set type vlan
set vlanid 100
set ip 10.13.101.101/24
set allowaccess https ssh
next
end