
FortiGate Infrastructure

Layer 2 Switching

FortiOS 7.0
© Copyright Fortinet Inc. All rights reserved. Last Modified: Saturday, August 19, 2023
Lesson Overview

Virtual Local Area Networks

Transparent Mode

Virtual Wire Pairing

Software Switch

Best Practices
Virtual Local Area Networks

Objectives
• Configure VLANs to logically divide a Layer 2 network into
multiple broadcast domains
• Describe VLANs and VLAN tagging

VLANs

Diagram: physical interfaces subdivided into VLANs.

• Logically subdivide your physical Layer 2 network into smaller segments
• Each segment forms a separate broadcast domain
• VLAN tags added to frames to identify their network segments


VLAN Tags in Frames
• VLAN tags add a 4-byte extension to an Ethernet frame
• Layer 2 devices can add or remove tags
• Layer 3 devices can rewrite tags before routing
• FortiGate is a Layer 3 device in NAT mode

Tagged frame layout:

  Destination MAC | Source MAC | Tag Type 8100 | Tag Control Info | Type | Data | CRC 32
                                  (2 bytes)       (2 bytes)

Tag Control Info carries:
• User Priority Field
• Drop Eligible Indicator
• VLAN Identifier
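To make the 4-byte tag concrete, here is an added Python example (written for this page, not part of the Fortinet course material) that builds an Ethernet II frame with and without an 802.1Q tag and parses the Tag Control Info back into its three fields. MAC addresses and payload are constructed sample values, the 4-byte CRC is omitted as most capture tools do, and retag() illustrates the "Layer 3 devices can rewrite tags" bullet.

```python
import struct

TPID_8021Q = 0x8100  # value found in the Type position when a frame carries a tag


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0, dei=0):
    """Build an Ethernet II frame; insert a 4-byte 802.1Q tag when vlan is given.
    MAC addresses are colon-separated strings; the trailing CRC 32 is not included."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        if not 0 <= vlan <= 4095:
            raise ValueError("VLAN Identifier is a 12-bit field")
        # Tag Control Info: 3-bit priority | 1-bit drop eligible | 12-bit VID
        tci = (pcp << 13) | (dei << 12) | vlan
        frame += struct.pack("!HH", TPID_8021Q, tci)
    frame += struct.pack("!H", ethertype) + payload
    return frame


def parse_frame(frame):
    """Return a dict describing the frame; 'vlan' is None for an untagged frame,
    i.e. one that belongs to the native VLAN of the physical interface."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (type_or_tpid,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "vlan": None, "pcp": None, "dei": None}
    offset = 14
    if type_or_tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        info["pcp"] = tci >> 13           # User Priority Field
        info["dei"] = (tci >> 12) & 1     # Drop Eligible Indicator
        info["vlan"] = tci & 0x0FFF       # VLAN Identifier (0 = priority-tagged only)
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    else:
        ethertype = type_or_tpid
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def retag(frame, new_vlan):
    """Rewrite (or add) the VLAN Identifier, keeping priority and DEI bits."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                       vlan=new_vlan, pcp=f["pcp"] or 0, dei=f["dei"] or 0)
```

A tagged frame is exactly four bytes longer than its untagged form, and a parser that does not check the Type position for 0x8100 will misread the Tag Control Info as the EtherType.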


How FortiGate Uses VLAN Tags

Diagram: frames with the tag layout above (Destination MAC, Source MAC, Tag Type 8100, Tag Control Info, Type, Data, CRC 32) arrive at FortiGate and are associated with VLAN A or VLAN B according to the VLAN Identifier in the tag.


VLAN Tags During Relay on a Network
Diagram: VLAN tags during relay between the branch office (Switch A) and headquarters (Switch B). The tag is shown as VLAN 100 on the branch-office side and VLAN 300 on the headquarters side; VLANs 100, 200 and 300 appear along the path.


Creating VLANs
• Frames sent or received by the physical interface segment are never tagged; they
belong to the native VLAN

Network > Interfaces



Knowledge Check
1. Which mode must the FortiGate VDOM be operating in, to route traffic between
VLANs?
A. Transparent mode
B. NAT mode



Lesson Progress

Virtual Local Area Networks

Transparent Mode

Virtual Wire Pairing

Software Switch

Best Practices



Transparent Mode

Objectives
• Configure FortiGate interfaces to operate as a Layer 2 switch
• Configure a virtual domain to operate in transparent mode

Operation Mode
• Operation mode defines how FortiGate handles traffic
• NAT mode:
• Routes according to OSI Layer 3 (IP address), as a router
• FortiGate interfaces have IP addresses associated with them
• Transparent mode:
• Forwards according to OSI Layer 2 (MAC address), as a transparent bridge
• FortiGate interfaces usually have no IP addresses
• Requires no IP address changes in the network



NAT Operation Mode

Diagram: IP-based routing. Ports have IP addresses.
• internal 10.0.1.1/24: clients on the 10.0.1.0/24 subnet
• wan1 192.168.1.1/24: default gateway 192.168.1.254/24
• dmz 10.0.2.1/24: server 10.0.2.2/24


Transparent Operation Mode

Diagram: switching, not routing. Only HA heartbeat ports have IP addresses; FortiGate has a management IP address.
• internal: clients on the 10.0.2.0/24 subnet
• wan1: default gateway 10.0.2.1/24
• dmz: server 10.0.2.2/24


Forward Domains
• By default, all interfaces on a VDOM belong to the same broadcast domain, even
interfaces with different VLAN IDs
• Broadcast domains that contain multiple interfaces can be very large and add unnecessary broadcast
traffic to some LAN segments
• Use this command to subdivide a VDOM into multiple broadcast domains:
config system interface
    edit <interface_name>
        set forward-domain <domain_ID>
end
• Interfaces with the same domain ID belong to the same broadcast domain


FortiGate With One Forward Domain

Diagram: FortiGate in transparent mode with all VLANs on the same forward domain.
• dmz carries VLAN101_dmz (VLAN 101)
• internal carries VLAN101_internal (VLAN 101) and VLAN103_internal (VLAN 103)
• Broadcast traffic is forwarded through all VLANs


FortiGate With Multiple Forward Domains

config system interface
    edit VLAN101_dmz
        set forward-domain 101
    end

config system interface
    edit VLAN101_internal
        set forward-domain 101
    end

Diagram: FortiGate in transparent mode with VLANs on different forward domains.
• dmz carries VLAN101_dmz (VLAN 101), forward domain 101
• internal carries VLAN101_internal (VLAN 101), forward domain 101, and VLAN103_internal (VLAN 103)
• Broadcast traffic confined to the forward domain


Transparent Mode MAC Table
# diagnose netlink brctl name host <vdom name>.b

show bridge control interface inspect.b host.
fdb: size=2048, used=5, num=5, depth=1
Bridge inspect.b host table
port no  device  devname  mac addr           ttl  attributes
2        22      vlink1   1e:44:d1:3a:00:15  0    Hit(0)
1        3       port1    00:0c:29:b7:1d:ed  144  Hit(144)
1        3       port1    00:0c:29:2e:e0:4e  0    Local Static
1        3       port1    00:0c:29:8c:36:cc  0    Hit(0)
2        22      vlink1   7e:73:da:d2:00:16  0    Local Static
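The forward-domain slides and the bridge table above describe the same mechanism: a transparent-mode VDOM learns source MACs per port and floods only within a forward domain. The following added Python model (an illustration written for this page, not FortiOS code) reproduces that behaviour using the interface names from the slides. The MAC addresses are constructed, and keeping one learned table per forward domain is an assumption made so the output resembles the fdb listing.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class TransparentVdom:
    """Toy transparent-mode VDOM: every interface carries a forward-domain ID,
    the MAC table is learned per domain, and flooding never leaves the domain
    of the ingress interface."""

    def __init__(self, interfaces):
        # name -> forward-domain ID. FortiOS puts every interface in domain 0
        # unless told otherwise, which is why a VDOM is one broadcast domain by default.
        self.domain = dict(interfaces)
        self.fdb = {}  # (domain, mac) -> interface that last sourced that MAC

    def receive(self, ingress, src, dst):
        """Return the sorted list of interfaces the frame is forwarded out of."""
        if ingress not in self.domain:
            raise KeyError(f"unknown interface {ingress}")
        dom = self.domain[ingress]
        self.fdb[(dom, src)] = ingress  # learn the source MAC on its port
        if dst == BROADCAST or (dom, dst) not in self.fdb:
            # Broadcast or unknown unicast: flood, but only inside this forward domain.
            return sorted(p for p, d in self.domain.items() if d == dom and p != ingress)
        out = self.fdb[(dom, dst)]
        return [] if out == ingress else [out]  # destination on the ingress port: filtered

    def mac_table(self):
        """Rows shaped like the diagnose output: (forward domain, mac addr, interface)."""
        return sorted((d, mac, port) for (d, mac), port in self.fdb.items())


def demo():
    """Same three VLAN interfaces, once on one forward domain and once split."""
    flat = TransparentVdom({"VLAN101_dmz": 0, "VLAN101_internal": 0, "VLAN103_internal": 0})
    split = TransparentVdom({"VLAN101_dmz": 101, "VLAN101_internal": 101, "VLAN103_internal": 103})
    host_a = "00:0c:29:b7:1d:ed"  # constructed host MAC on VLAN101_dmz
    return {
        "flat_broadcast": flat.receive("VLAN101_dmz", host_a, BROADCAST),
        "split_broadcast": split.receive("VLAN101_dmz", host_a, BROADCAST),
    }
```

With a single forward domain the broadcast from VLAN101_dmz reaches both internal VLAN interfaces; with separate domains it reaches only VLAN101_internal, and a host in domain 103 has no Layer 2 path to domain 101 at all, which is why the best practices call for a router between forward domains.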


Knowledge Check
1. Which statement about FortiGate operating in transparent mode is true?
A. It has a management IP address.
B. Each interface has its own IP address.

2. How can an administrator configure FortiGate to have four interfaces in the same
broadcast domain?
A. Create a firewall policy on each of the four interfaces
B. Configure the operation mode as transparent and use the same forward domain ID



Lesson Progress

Virtual Local Area Networks

Transparent Mode

Virtual Wire Pairing

Software Switch

Best Practices



Virtual Wire Pairing

Objectives
• Segment the Layer 2 network into multiple broadcast domains

Virtual Wire Pair
• Logically links two physical interfaces
• Usually one internal and one external interface
• Traffic is forwarded between these interfaces
• Incoming traffic to one interface is always forwarded out through the other interface
• No other traffic can enter or leave a virtual wire pair
• Prevents complexities such as broadcast storms, MAC flapping



Virtual Wire Pairing and Transparent Mode

Diagram: two virtual wire pairs in a transparent-mode VDOM, formed from wan1, port1, port2 and port3; all traffic is confined to its virtual wire pair.


Virtual Wire Pairing and NAT Mode
• The pair works similarly to transparent mode, inside a NAT VDOM

Diagram: a virtual wire pair inside a NAT VDOM.
• internal 10.0.1.1/24: clients on the 10.0.1.0/24 subnet
• wan1 192.168.1.1/24: default gateway 192.168.1.254/24
• wan2 and dmz form the virtual wire pair toward the server; 192.168.2.1/24 and 192.168.2.254/24 are on the devices either side of it
• IP addresses cannot be assigned to the pair members


Virtual Wire Pair Configuration
• Wildcard VLAN:
• Enable: policies apply equally to the physical interfaces and VLANs
• Disable: policies apply only to the physical interfaces (packets with VLAN tags are denied)

Network > Interfaces



Virtual Wire Pair Policies
Policy & Objects > Firewall Virtual Wire Pair Policy
• Select the VWPs to include in the policy
• Select the traffic direction for the policy
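The forwarding rule of a virtual wire pair, the wildcard VLAN setting and the directional policy from the two slides above, combined in one added Python model (written for this page; it is not FortiOS code). Pair and interface names are taken from the diagrams, while the policy fields, the "bidirectional" flag and the reason strings are assumptions chosen for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualWirePair:
    name: str
    members: tuple          # exactly two physical interfaces
    wildcard_vlan: bool = False  # disabled: VLAN-tagged frames are denied


@dataclass(frozen=True)
class VwpPolicy:
    pair: str
    src_intf: str           # interface the traffic enters
    dst_intf: str           # interface it leaves through
    action: str = "accept"
    bidirectional: bool = False  # traffic direction selected in the GUI


def vwp_forward(pairs, policies, ingress, vlan_tagged):
    """Decide what happens to a frame arriving on `ingress`.
    Returns (egress, reason); egress is None when the frame is dropped."""
    pair = next((p for p in pairs if ingress in p.members), None)
    if pair is None:
        return None, "interface is not a virtual wire pair member"
    a, b = pair.members
    egress = b if ingress == a else a  # the only possible exit: the other member
    if vlan_tagged and not pair.wildcard_vlan:
        return None, "VLAN-tagged frame denied: wildcard VLAN disabled on the pair"
    for pol in policies:
        if pol.pair != pair.name:
            continue
        forward_match = pol.src_intf == ingress and pol.dst_intf == egress
        reverse_match = pol.bidirectional and pol.src_intf == egress and pol.dst_intf == ingress
        if forward_match or reverse_match:
            if pol.action == "accept":
                return egress, f"accepted by policy on {pair.name}"
            return None, f"denied by policy on {pair.name}"
    return None, "no virtual wire pair policy matched (implicit deny)"


def example_setup():
    """Pairs and policies mirroring the diagrams: wan2/dmz in the NAT VDOM example
    and port2/port3 from the transparent-mode example."""
    pairs = [
        VirtualWirePair("vwp1", ("wan2", "dmz"), wildcard_vlan=False),
        VirtualWirePair("vwp2", ("port2", "port3"), wildcard_vlan=True),
    ]
    policies = [
        VwpPolicy("vwp1", "wan2", "dmz"),                       # one direction only
        VwpPolicy("vwp2", "port2", "port3", bidirectional=True),
    ]
    return pairs, policies
```

Because the egress is fixed by pair membership, no MAC learning is involved; the policy only decides whether the frame crosses, and a tagged frame never reaches the policy lookup when wildcard VLAN is disabled.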


Knowledge Check
1. Which configuration setting must be enabled to allow VLAN-tagged traffic through a
virtual wire pair?
A. Transparent bridging
B. Wildcard VLAN

2. How is traffic handled in a virtual wire pair?


A. Incoming traffic to one interface is always forwarded out through the other interface.
B. Traffic is forwarded based on the destination MAC address.



Lesson Progress

Virtual Local Area Networks

Transparent Mode

Virtual Wire Pairing

Software Switch

Best Practices



Software Switch

Objectives
• Configure a software switch

Software Switch
• Can group multiple physical and wireless interfaces into a single virtual switch interface
• Supported only in NAT mode
• Acts like a traditional Layer 2 switch
• The interfaces:
• Share the same IP address
• Belong to the same broadcast domain



Software Switch Configuration
Network > Interfaces
• Use this interface name in the firewall policies and routes


Software Switch Example

Diagram: software switch on FortiGate, as labelled.
• Software switch interface 192.168.1.1/24 with members port1, port2 and the wireless interface; hosts 192.168.1.254/24, 192.168.1.2/24 and 192.168.1.3/24 share the same broadcast domain
• dmz 10.0.1.1/24 with host 10.0.1.254/24; wan1 is a separate interface


Knowledge Check
1. In which operating mode is the software switch function supported?
A. Transparent mode
B. NAT mode

2. Which interface can be a member of a software switch?


A. VLAN interface
B. Wireless interface



Lesson Progress

Virtual Local Area Networks

Transparent Mode

Virtual Wire Pairing

Software Switch

Best Practices



Best Practices

Objectives
• Understand best practices for using Layer 2 switching on
FortiGate

Best Practices
• Create forward domains when VLANs are used and set vlanforward to disable
on all relevant physical interfaces
• The forward-domain ID can be different from the VLAN ID, but keeping them the same is
recommended for troubleshooting and readability
• When using forward domains, a router is required to move traffic between the
forward domains
• Only interfaces in the same forward domain can have firewall policies between
each other
• Because STP BPDUs are not forwarded by default, use caution when inserting
FortiGate (or any other forwarding device) because this could break the spanning tree
and lead to Layer 2 loops
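The first four best practices can be turned into a small generator and check. The Python below is an added example for this page, not a Fortinet tool: it emits the config system interface stanzas that assign each VLAN interface a forward domain equal to its VLAN ID and disable vlanforward on the carrying physical ports, then flags any proposed firewall policy whose two interfaces sit in different forward domains. The set interface and set vlanid options are standard FortiOS VLAN-interface settings; the interface names and the policy list are constructed from the slides.

```python
def forward_domain_config(physical_ports, vlan_interfaces):
    """Return (cli_text, domain_map). vlan_interfaces is a list of
    (vlan_interface_name, physical_port, vlan_id). The forward-domain ID is set
    equal to the VLAN ID, as the best practices recommend."""
    lines = ["config system interface"]
    for port in physical_ports:
        # vlanforward disabled: the physical port does not relay tagged frames itself
        lines += [f"    edit {port}", "        set vlanforward disable", "    next"]
    domain = {}
    for name, port, vid in vlan_interfaces:
        if port not in physical_ports:
            raise ValueError(f"{name} references unknown physical port {port}")
        domain[name] = vid
        lines += [
            f"    edit {name}",
            f"        set interface {port}",
            f"        set vlanid {vid}",
            f"        set forward-domain {vid}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines), domain


def policy_violations(domain, policies):
    """policies: list of (srcintf, dstintf). Returns the pairs that span forward
    domains; those cannot have a firewall policy between them, a router is needed."""
    bad = []
    for src, dst in policies:
        if domain.get(src) != domain.get(dst):
            bad.append((src, dst, domain.get(src), domain.get(dst)))
    return bad


def slide_example():
    """The three VLAN interfaces from the forward-domain slides, plus two candidate policies."""
    cli, domain = forward_domain_config(
        ["dmz", "internal"],
        [("VLAN101_dmz", "dmz", 101), ("VLAN101_internal", "internal", 101),
         ("VLAN103_internal", "internal", 103)],
    )
    candidates = [("VLAN101_dmz", "VLAN101_internal"), ("VLAN101_dmz", "VLAN103_internal")]
    return cli, domain, policy_violations(domain, candidates)
```

Running slide_example() shows the first policy (both sides in domain 101) is valid while the second crosses from 101 to 103 and is reported; reviewing proposed policies this way before applying them avoids silently unreachable rules.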


Lesson Progress

Virtual Local Area Networks

Transparent Mode

Virtual Wire Pairing

Software Switch

Best Practices



Review
• Configure VLANs to logically divide a Layer 2 network into multiple
broadcast domains
• Describe VLANs and VLAN tagging
• Configure FortiGate interfaces to operate as a Layer 2 switch
• Configure a VDOM to operate in transparent mode
• Segment the Layer 2 network into multiple broadcast domains
• Configure a software switch
• Understand best practices for using Layer 2 switching on FortiGate
