Posted on 03-Jun-2020

Virtual Networking

Module Objectives

• By the end of this module, participants will be able to:

• Understand the use of virtual LANs

• Create VLAN subinterfaces on the FortiGate unit

• Understand the use of virtual domains

• Create virtual domains

• Create administrators specific to virtual domains

• Create inter-VDOM links

Virtual Local Area Networks (VLAN)

[Diagram: VLANs carried over the unit's physical interfaces]

• VLANs increase the number of network interfaces beyond the physical connections on the FortiGate unit

• VLANs can be used to logically distribute devices on a LAN into smaller broadcast domains

• Uses VLAN tags

VLAN tags

Ethernet frame:

  Destination MAC | Source MAC | Type    | Data          | CRC 32
  6 bytes         | 6 bytes    | 2 bytes | 46-1500 bytes | 4 bytes

Ethernet frame using VLAN tags (the tag sits between the Source MAC and the original Type field):

  Destination MAC | Source MAC | Type 8100 | Tag Control Info | Type    | Data          | CRC 32
  6 bytes         | 6 bytes    | 2 bytes   | 2 bytes          | 2 bytes | 46-1500 bytes | 4 bytes

The Tag Control Info field carries:

• User Priority Field

• Canonical Format Indicator

• VLAN Identifier

• A four-byte extension to the Ethernet frame is used to define VLANs

• Applied by switches and routers to every packet sent and received by the devices

• Workstations and desktop computers are not an active part of the VLAN process

• VLAN tagging and removal is done after the packet has left the computer

VLAN Scenario

[Diagram: an Accounting computer at each of three sites: Headquarters, Branch office and Retail office]

• In this scenario, computers located in different buildings need to communicate with each other frequently with high security

• VLANs allow data to be sent between specific computers in different locations as if they were on the same physical subnet

VLANs on a FortiGate Unit

[Diagram: tagged Ethernet frames (Type 8100 + Tag Control Info) for VLAN A and VLAN B passing through the FortiGate unit]

• The FortiGate unit acts as a layer-3 device when in default NAT/Route mode

• Can add, read, remove or modify VLAN tags

• Device can change the VLAN tag if appropriate and send the data frame out on a different VLAN

VLANs on a FortiGate Unit

[Diagram: Branch office (VLAN 100) and Headquarters (VLAN 300) linked through VLAN 200 via Router A and Router B (Subnet 1 and Subnet 2); frames are tagged VLAN 100 on the branch side and VLAN 300 on the headquarters side]
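As an added example that is not part of the training module, the following Python code decodes the frame layouts from the VLAN tags slide (Type 8100, the Tag Control Info fields, the CRC 32 trailer) and rewrites the VLAN Identifier the way the layer-3 FortiGate described above does before forwarding a frame on a different VLAN. The MAC addresses, VLAN numbers and payload bytes are constructed sample values; the 802.1Q bit layout and the zlib-compatible CRC are standard Ethernet, not details taken from the slides.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # the "Type 8100" value on the slide that announces a VLAN tag

def fcs(body: bytes) -> bytes:
    """Ethernet CRC 32 trailer: same polynomial as zlib.crc32, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body))

def verify_fcs(frame: bytes) -> bool:
    """True when the 4-byte CRC 32 trailer matches the rest of the frame."""
    return frame[-4:] == fcs(frame[:-4])

def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC, the optional 802.1Q tag and the payload EtherType.
    Untagged: dst(6) | src(6) | Type(2) | Data | CRC32(4)
    Tagged:   dst(6) | src(6) | 0x8100(2) | TCI(2) | Type(2) | Data | CRC32(4)
    TCI = 3-bit User Priority | 1-bit Canonical Format Indicator | 12-bit VLAN Identifier"""
    if len(frame) < 18:
        raise ValueError("frame too short for a header and CRC 32")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, priority=tci >> 13, cfi=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)
        offset = 18
    info.update(ethertype=ethertype, payload=frame[offset:-4], fcs_ok=verify_fcs(frame))
    return info

def retag(frame: bytes, new_vlan_id: int) -> bytes:
    """Rewrite only the 12-bit VLAN Identifier (priority and CFI kept) and regenerate the CRC 32,
    as the layer-3 FortiGate on the slide does before sending the frame out on another VLAN."""
    if not 1 <= new_vlan_id <= 4094:
        raise ValueError("VLAN Identifier must be 1-4094")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        raise ValueError("frame carries no VLAN tag to rewrite")
    tci = struct.unpack("!H", frame[14:16])[0]
    body = frame[:14] + struct.pack("!H", (tci & 0xF000) | new_vlan_id) + frame[16:-4]
    return body + fcs(body)

def build_tagged_frame(dst: bytes, src: bytes, vlan_id: int, ethertype: int,
                       data: bytes, priority: int = 0) -> bytes:
    """Assemble a tagged frame the way a switch does once the packet has left the computer."""
    body = dst + src + struct.pack("!HHH", TPID_8021Q, (priority << 13) | vlan_id, ethertype) + data
    return body + fcs(body)

# Constructed sample (not from the slides): a Branch office host on VLAN 100 sending an IPv4 (0x0800) payload.
SAMPLE = build_tagged_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                            100, 0x0800, bytes(46), priority=5)
```

Running `parse_frame(retag(SAMPLE, 300))` shows the same addresses and payload with `vlan_id` moved from 100 to 300 and a valid CRC, while a frame with a flipped payload byte reports `fcs_ok` as False.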

Virtual Domains

[Diagram: one physical FortiGate device hosting multiple virtual FortiGate devices, Domain A, Domain B and Domain C, for example one each for Acme Co., ABC Inc. and XYZ Ltd.]

• Own network interfaces

• Own routing requirements

• Own firewall policies

• Own protection rules

• Packets confined to this VDOM

• Logically, virtual domains behave like separate FortiGate units

• By default, a FortiGate unit can support a maximum of 10 virtual domains

• Certain models allow the purchase of additional VDOM licenses to increase the number

VDOM Settings

[Diagram: Domain A with its global settings and its VDOM-specific settings]

Global settings affect all configured domains:

• Hostname

• DNS settings

• System time

• Firmware versions

• …

VDOM settings affect a specific VDOM only:

• Operating mode

• Router settings

• Firewall settings

• UTM settings

• …

Enabling Virtual Domains

• When VDOMs are enabled:

• Global and per-VDOM configurations are separated

• Only the admin account can view or configure global options

• Only the admin account can access all VDOM configurations

• Regular administrators can only configure the VDOM to which they are assigned

Switching Between Virtual Domains

• Admin can switch between VDOMs configured on the FortiGate unit in addition to accessing the Global Configuration

• Regular administrators are confined to their own VDOMs

VDOM Resource Limits

[Diagram: global resource limits and per-VDOM resource limits, shown for an Accounting VDOM]

• Global resource limits affect resources available to the FortiGate device

• VDOM resource limits affect resources available for each VDOM

• Resource limits vary by device model

Per-VDOM Configurations

[Diagram: full configuration versus VDOM-specific configuration, shown for an Accounting VDOM]

• Administrators can back up and restore the entire device configuration or VDOM-specific configurations

• VDOM configurations are stored as separate configuration files

• VDOM configurations can be synched between HA devices

Virtual Domains Administrators

[Diagram: Domain A, Domain B and Domain C, managed either by one administrator with the super_admin profile or by a separate administrator per domain]

• Virtual domains can be managed using either one common administrator or multiple separate administrators for each VDOM

• Administrators assigned the super_admin profile can manage all VDOMs on the FortiGate device

• Can also create other administrator accounts and assign them to VDOMs

Inter-VDOM Links

[Diagram: Domain A, Domain B and Domain C connected by inter-VDOM links]

• Inter-VDOM links allow VDOMs to communicate internally without using additional physical interfaces

• Communication no longer has to leave on a physical interface and re-enter the FortiGate device on another physical interface

• Firewall policies need to be in place for traffic to be allowed to pass through any interface

• Whether it be physical or virtual