Forward-domain solution
In transparent mode, the solution is the forward-domain setting (set forward_domain under config system interface). It assigns an interface or VLAN subinterface to a collision group, and the FortiGate bridges traffic only between interfaces in the same collision group; frames never cross from one forward domain to another. It behaves like an additional layer of VLAN separation that is configured on the interface rather than carried in the frame. By default, all interfaces and VLANs belong to forward-domain collision group 0. The benefits include less administration, the need for fewer physical interfaces, and more flexible network designs.
In the following example, forward-domain collision group 340 includes VLAN 340 traffic on port1 and untagged traffic on port2. Forward-domain collision group 341 includes VLAN 341 traffic on port1 and untagged traffic on port3. All other interfaces remain in forward-domain collision group 0 by default. This configuration separates VLANs 340 and 341 from each other on port1: frames tagged 340 are bridged only to port2, frames tagged 341 only to port3, and neither can reach the other's interfaces or the untagged interfaces in group 0.
Use the following CLI commands:
config system interface
    edit port2
        set forward_domain 340
    next
    edit port3
        set forward_domain 341
    next
    edit port1-340
        set forward_domain 340
        set interface port1
        set vlanid 340
    next
    edit port1-341
        set forward_domain 341
        set interface port1
        set vlanid 341
    next
end
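To make the effect of the configuration above concrete, the following Python model is an added example and not FortiOS code. It parses a config system interface block in the style shown on this page and, for a frame arriving on a physical port with a given 802.1Q tag, lists the interfaces the FortiGate may bridge it to: only members of the same forward domain, with everything in domain 0 unless set otherwise. The sample configuration is the one from this page plus an assumed extra port (port4) left in domain 0; the flat variant with forward_domain removed shows the collision the setting prevents. The parser also accepts the hyphenated spelling forward-domain used by later FortiOS releases; the flooding semantics are a simplified model of a transparent-mode bridge, not the device's implementation.

```python
"""Model of FortiGate transparent-mode forward domains (added illustration,
not FortiOS code). Interfaces in the same forward domain form one layer-2
collision group; frames are never bridged between domains."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Interface:
    name: str
    forward_domain: int = 0        # FortiOS default: collision group 0
    parent: Optional[str] = None   # physical port, for a VLAN subinterface
    vlanid: Optional[int] = None   # None: the physical port (untagged frames)


def parse_interfaces(cli: str) -> Dict[str, Interface]:
    """Parse a 'config system interface' block into Interface objects.

    A physical port referenced only as a VLAN parent ('set interface port1')
    is created in domain 0, as on the device. Both 'forward_domain' (this
    page) and 'forward-domain' (later FortiOS releases) are accepted.
    """
    ifaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in cli.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\S+)", line):
            current = ifaces.setdefault(m[1], Interface(m[1]))
        elif line in ("next", "end"):
            current = None
        elif current is None:
            continue                      # 'config ...' header or blank line
        elif m := re.fullmatch(r"set forward[_-]domain (\d+)", line):
            current.forward_domain = int(m[1])
        elif m := re.fullmatch(r"set interface (\S+)", line):
            current.parent = m[1]
            ifaces.setdefault(m[1], Interface(m[1]))
        elif m := re.fullmatch(r"set vlanid (\d+)", line):
            current.vlanid = int(m[1])
    return ifaces


def ingress_interface(ifaces: Dict[str, Interface], port: str,
                      vlan: Optional[int]) -> Optional[Interface]:
    """Logical interface a frame lands on: the matching VLAN subinterface for
    a tagged frame, the physical port for an untagged one, None if no match."""
    if vlan is None:
        return ifaces.get(port)
    for iface in ifaces.values():
        if iface.parent == port and iface.vlanid == vlan:
            return iface
    return None


def flood_targets(ifaces: Dict[str, Interface], port: str,
                  vlan: Optional[int]) -> Set[str]:
    """Interfaces a broadcast or unknown-destination frame is flooded to:
    members of the ingress interface's forward domain, minus the ingress."""
    rx = ingress_interface(ifaces, port, vlan)
    if rx is None:
        return set()                      # tagged frame with no subinterface
    return {i.name for i in ifaces.values()
            if i.forward_domain == rx.forward_domain and i.name != rx.name}


# Constructed sample: the configuration from this page, plus an assumed
# extra physical port (port4) that is left in the default domain 0.
CONFIG_SEPARATED = """
config system interface
    edit port2
        set forward_domain 340
    next
    edit port3
        set forward_domain 341
    next
    edit port1-340
        set forward_domain 340
        set interface port1
        set vlanid 340
    next
    edit port1-341
        set forward_domain 341
        set interface port1
        set vlanid 341
    next
    edit port4
    next
end
"""

# Same VLAN subinterfaces with forward_domain left at its default, so every
# interface shares collision group 0: VLAN 340 frames leak to port3, port4,
# the untagged side of port1 and even get retagged as VLAN 341.
CONFIG_FLAT = re.sub(r"\n\s*set forward_domain \d+", "", CONFIG_SEPARATED)


if __name__ == "__main__":
    for label, cfg in (("flat (all domain 0)", CONFIG_FLAT),
                       ("separated", CONFIG_SEPARATED)):
        ifaces = parse_interfaces(cfg)
        print(f"{label}:")
        for port, vlan in (("port1", 340), ("port1", 341), ("port1", None),
                           ("port2", None)):
            tag = "untagged" if vlan is None else f"VLAN {vlan}"
            print(f"  {port} {tag:>9} -> {sorted(flood_targets(ifaces, port, vlan))}")
```

Running the script prints the two configurations side by side: with forward domains set, a VLAN 340 frame on port1 reaches only port2 and a VLAN 341 frame only port3, while the flat configuration floods the VLAN 340 frame to every other interface, including port1-341, where it would leave port1 retagged as VLAN 341.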
You may experience connectivity problems with bridged traffic (for example, ping failing across the FortiGate) if your network configuration combines the following:
- Packets going through the FortiGate in transparent mode more than once
- More than one forwarding domain (such as incoming on one forwarding domain and outgoing on another)
- IPS and AV enabled
IPS and AV are now applied only the first time a packet passes through the FortiGate, not on subsequent passes. Inspecting only the first pass resolves these layer-2 connectivity problems.