Post on 29-Dec-2015
Virtual Networking
Module Objectives
By the end of this module participants will be able to:
• Understand the use of virtual LANs
• Create VLAN subinterfaces on the FortiGate unit
• Understand the use of virtual domains
• Create virtual domains
• Create administrators specific to virtual domains
• Create inter-VDOM links
Virtual Local Area Networks (VLAN)
[Figure: VLANs layered on top of the FortiGate unit's physical interfaces]
• VLANs increase the number of network interfaces beyond the physical connections on the FortiGate unit
• VLANs can be used to logically distribute devices on a LAN into smaller broadcast domains
• Uses VLAN tags
VLAN tags
Ethernet frame:
  Destination MAC (6 bytes) | Source MAC (6 bytes) | Type (2 bytes) | Data (46-1500 bytes) | CRC 32 (4 bytes)
Ethernet frame using VLAN tags:
  Destination MAC | Source MAC | Type 8100 (2 bytes) | Tag Control Info (2 bytes) | Type | Data | CRC 32
Tag Control Info fields:
• User Priority Field
• Canonical Format Indicator
• VLAN Identifier
• A four-byte extension to the Ethernet frame is used to define VLANs
• Applied by switches and routers to every packet sent and received by the devices
• Workstations and desktop computers are not an active part of the VLAN process
• VLAN tagging and removal is done after the packet has left the computer
VLAN Scenario
[Figure: accounting computers at Headquarters, the Branch office and the Retail office joined in one VLAN]
• In this scenario, computers located in different buildings need to communicate with each other frequently with high security
• VLANs allow data to be sent between specific computers in different locations as if they were on the same physical subnet
VLANs on a FortiGate Unit
[Figure: a tagged Ethernet frame (Type 8100, Tag Control Info) arriving on VLAN A and leaving the FortiGate unit on VLAN B]
• The FortiGate unit acts as a layer-3 device when in default NAT/Route mode
• Can add, read, remove or modify VLAN tags
• The device can change the VLAN tag if appropriate and send the data frame out on a different VLAN
[Figure: Branch office and Headquarters using VLAN 100, VLAN 200 and VLAN 300; Router A on Subnet 1 and Router B on Subnet 2 forward frames tagged VLAN 100 and VLAN 300]
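As an added example (not from the course slides), the following FortiOS CLI creates two VLAN subinterfaces on one trunk port and a firewall policy that lets the FortiGate unit route only selected traffic from one VLAN to the other. It assumes FortiOS 5.x syntax with VDOMs disabled and a trunk on port2 carrying tags 100 and 200; the addresses, interface names and policy are constructed.

```text
# Added example, not from the course slides. Assumes FortiOS 5.x, VDOMs disabled,
# port2 is a trunk carrying tags 100 and 200; addresses are constructed.
config system interface
    edit "vlan100"
        set vdom "root"
        set interface "port2"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
    next
    edit "vlan200"
        set vdom "root"
        set interface "port2"
        set vlanid 200
        set ip 10.200.0.1 255.255.255.0
    next
end
# Without a policy the FortiGate unit drops traffic between the two VLANs;
# this policy allows only HTTPS from VLAN 100 hosts to VLAN 200 and logs it.
config firewall address
    edit "vlan100_net"
        set subnet 10.100.0.0 255.255.255.0
    next
    edit "vlan200_net"
        set subnet 10.200.0.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set srcintf "vlan100"
        set dstintf "vlan200"
        set srcaddr "vlan100_net"
        set dstaddr "vlan200_net"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

No management access (allowaccess) is set on the VLAN subinterfaces, so the FortiGate unit itself is not reachable from those user VLANs.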
Virtual Domains
[Figure: one physical FortiGate device partitioned into multiple virtual FortiGate devices, Domain A, Domain B and Domain C, used by Acme Co., ABC Inc. and XYZ Ltd.]
• Own network interfaces
• Own routing requirements
• Own firewall policies
• Own protection rules
• Packets confined to this VDOM
• Logically, virtual domains behave like separate FortiGate units
• By default, a FortiGate unit can support a maximum of 10 virtual domains
• Certain models allow the purchase of additional VDOM licenses to increase the number
VDOM Settings
Global settings affect all configured domains:
• Hostname
• DNS settings
• System time
• Firmware versions
• …
VDOM settings affect a specific VDOM only:
• Operating mode
• Router settings
• Firewall settings
• UTM settings
• …
Enabling Virtual Domains
When VDOMs are enabled:
• Global and per-VDOM configurations are separated
• Only the admin account can view or configure global options
• Only the admin account can access all VDOM configurations
• Regular administrators can only configure the VDOM to which they are assigned
Switching Between Virtual Domains
• Admin can switch between VDOMs configured on the FortiGate unit in addition to accessing the Global Configuration
• Regular administrators are confined to their own VDOMs
VDOM Resource Limits
[Figure: global resource limits and per-VDOM resource limits for the Accounting VDOM]
• Global resource limits affect resources available to the FortiGate device
• VDOM resource limits affect resources available for each VDOM
• Resource limits vary by device model
Per-VDOM Configurations
[Figure: the full device configuration versus the VDOM configuration of the Accounting VDOM]
• Administrators can back up and restore the entire device configuration or VDOM-specific configurations
• VDOM configurations are stored as separate configuration files
• VDOM configurations can be synchronized between HA devices
Virtual Domains Administrators
[Figure: Domain A, Domain B and Domain C managed by an administrator with the super_admin profile]
• Virtual domains can be managed using either one common administrator or multiple separate administrators for each VDOM
• Administrators assigned the super_admin profile can manage all VDOMs on the FortiGate device
• Can also create other administrator accounts and assign them to VDOMs
Inter-VDOM Links
[Figure: Domain A, Domain B and Domain C joined by inter-VDOM links]
• Inter-VDOM links allow VDOMs to communicate internally without using additional physical interfaces
• Communication no longer has to leave on a physical interface and re-enter the FortiGate device on another physical interface
• Firewall policies need to be in place for traffic to be allowed to pass through any interface, whether physical or virtual
Inter-VDOM Links
Management VDOM
• Management traffic leaves through the management VDOM:
  • DNS
  • Logging to FortiAnalyzer or syslog
  • FortiGuard
  • Alert emails
  • NTP
  • SNMP traps
  • Quarantine
• The management VDOM must have access to the Internet
• The default management VDOM is root
Independent VDOM Configuration
[Figure: VDOM 1, VDOM 2 and VDOM 3 each connecting Network 1, Network 2 and Network 3 separately to the Internet]
• An independent VDOM configuration uses multiple VDOMs that are completely separate from each other
• No communication between VDOMs
• Each VDOM's administrator can administer the VDOM-dependent settings of their own VDOM only
Management VDOM Configuration
[Figure: Network 1, Network 2 and Network 3 behind VDOM 1, VDOM 2 and VDOM 3, all linked to the management VDOM, which alone connects to the Internet]
• The root VDOM is the management VDOM and the other VDOMs are connected to it with inter-VDOM links
• Only the management VDOM is connected to the Internet
• All external traffic is routed through the management VDOM
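As an added example (not from the course slides), the following FortiOS CLI builds the management VDOM configuration described above: a new services VDOM, an inter-VDOM link to root, an administrator confined to the services VDOM, and a default route across the link. It assumes FortiOS 5.x CLI syntax, port1 as the Internet link in root and an unused port2; addresses and names are constructed.

```text
# Added example, not from the course slides. Assumes FortiOS 5.x: port1 is the
# Internet link in root (the management VDOM), port2 serves the new "services" VDOM.
config system global
    set vdom-admin enable
end
config vdom
    edit "services"
    next
end
config global
    # creates the interface pair vlink0 and vlink1, one end placed in each VDOM
    config system vdom-link
        edit "vlink"
        next
    end
    config system interface
        edit "vlink0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "vlink1"
            set vdom "services"
            set ip 10.255.0.2 255.255.255.252
        next
        edit "port2"
            set vdom "services"
            set ip 10.2.0.1 255.255.255.0
        next
    end
    # prof_admin is the built-in profile that cannot view or change global settings
    config system admin
        edit "services_admin"
            set vdom "services"
            set accprofile "prof_admin"
            set password "REPLACE-WITH-STRONG-PASSWORD"
        next
    end
end
config vdom
    edit "services"
        # the services VDOM's default route points across the link into root
        config router static
            edit 0
                set gateway 10.255.0.1
                set device "vlink1"
            next
        end
    next
end
```

Traffic still needs firewall policies on both ends of the link (port2 to vlink1 in services, vlink0 to port1 in root), exactly as for physical interfaces.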
Meshed VDOM Configuration
[Figure: Network 1 and Network 2 behind VDOM 1 and VDOM 2, interconnected with each other and with the management VDOM that reaches the Internet]
• The meshed VDOM configuration has VDOMs interconnected with other VDOMs
• These configurations can become complex very quickly
Classroom Lab Topology
Labs
Lab - Initial Setup
• Initial configuration
• Accessing Web Config
Lab - Virtual Domains
• Creating a new VDOM
• Creating an administrative account
• Creating inter-VDOM links
• Creating firewall policies
• Accessing the services VDOM
Student Resources