Virtual Networking (transcript of a FortiGate training slide module)

Module Objectives
By the end of this module participants will be able to:
• Understand the use of virtual LANs
• Create VLAN subinterfaces on the FortiGate unit
• Understand the use of virtual domains
• Create virtual domains
• Create administrators specific to virtual domains
• Create inter-VDOM links

Virtual Local Area Networks (VLAN)
(Diagram: VLANs layered over the physical interfaces of the FortiGate unit)
• VLANs increase the number of network interfaces beyond the physical connections on the FortiGate unit
• VLANs can be used to logically distribute devices on a LAN into smaller broadcast domains
• Uses VLAN tags

VLAN tags
Ethernet frame:
  Destination MAC (6 bytes) | Source MAC (6 bytes) | Type (2 bytes) | Data (46-1500 bytes) | CRC 32 (4 bytes)
Ethernet frame using VLAN tags:
  Destination MAC (6 bytes) | Source MAC (6 bytes) | Type 8100 (2 bytes) | Tag Control Info (2 bytes) | Type (2 bytes) | Data (46-1500 bytes) | CRC 32 (4 bytes)
Tag Control Info fields:
• User Priority Field
• Canonical Format Indicator
• VLAN Identifier
• A four-byte extension to the Ethernet frame is used to define VLANs
• Applied by switches and routers to every packet sent and received by the devices
• Workstations and desktop computers are not an active part of the VLAN process
• VLAN tagging and removal is done after the packet has left the computer

VLAN Scenario
(Diagram: Headquarters, Branch office and Retail office, each with an Accounting computer)
• In this scenario, computers located in different buildings need to communicate with each other frequently with high security
• VLANs allow data to be sent between specific computers in different locations as if they were on the same physical subnet

VLANs on a FortiGate Unit
(Diagram: a tagged Ethernet frame, Destination MAC | Source MAC | Type 8100 | Tag Control Info | Type | Data | CRC 32, passing through the FortiGate unit between VLAN A and VLAN B)
• The FortiGate unit acts as a layer-3 device when in default NAT/Route mode
• Can add, read, remove or modify VLAN tags
• Device can change the VLAN tag if appropriate and send the data frame out on a different VLAN
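Added example, not part of the training deck and not Fortinet code: a Python model of the 802.1Q tag layout from the VLAN tags slide (Type 8100 followed by a 2-byte Tag Control Info holding the 3-bit User Priority, 1-bit Canonical Format Indicator and 12-bit VLAN Identifier) together with the four operations this slide attributes to the FortiGate unit: read, add, remove and modify a tag. The MAC addresses, the sample frame, the interface name "port1" and the VID-to-subinterface map are constructed for the example; the CRC 32 trailer is omitted because host software normally never sees it.

```python
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag protocol identifier, the "Type 8100" field on the slide
ETHERTYPE_IPV4 = 0x0800

# Constructed sample frame (not captured traffic): 14-byte header plus a 20-byte
# stand-in payload. The 4-byte CRC 32 trailer is left off, as host software
# normally never sees it.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
UNTAGGED = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19


def parse_frame(frame: bytes) -> dict:
    """Read the header fields; decode one 802.1Q tag if the Type field is 0x8100.

    The 2-byte Tag Control Info packs the three fields named on the slide:
    3-bit User Priority (pcp), 1-bit Canonical Format Indicator (cfi),
    12-bit VLAN Identifier (vid).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    tag, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # The real payload Type follows the tag; the tag is a 4-byte insertion.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "cfi": (tci >> 12) & 0x1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert the four-byte tag after the source MAC: what a trunk port does on egress."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
    if not (0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("pcp is a 3-bit field, cfi is a 1-bit field")
    f = parse_frame(frame)
    if f["tag"] is not None:
        raise ValueError("frame already tagged; use retag() to move it to another VLAN")
    tci = (pcp << 13) | (cfi << 12) | vid
    return f["dst"] + f["src"] + struct.pack("!HHH", ETHERTYPE_VLAN, tci, f["ethertype"]) + f["payload"]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag (egress towards an untagged host); untagged frames pass unchanged."""
    f = parse_frame(frame)
    if f["tag"] is None:
        return frame
    return f["dst"] + f["src"] + struct.pack("!H", f["ethertype"]) + f["payload"]


def retag(frame: bytes, new_vid: int) -> bytes:
    """Modify the tag so the frame goes out on a different VLAN, keeping the priority bits."""
    f = parse_frame(frame)
    if f["tag"] is None:
        raise ValueError("cannot retag an untagged frame")
    return add_tag(strip_tag(frame), new_vid, f["tag"]["pcp"], f["tag"]["cfi"])


def deliver(frame: bytes, physical: str, subinterfaces: dict) -> Optional[str]:
    """Model of VLAN subinterfaces on one physical port (interface names are constructed).

    subinterfaces maps VID -> subinterface name. A tagged frame is handed to the
    subinterface configured for its VID and dropped (None) when no such subinterface
    exists; an untagged frame belongs to the physical interface itself.
    """
    tag = parse_frame(frame)["tag"]
    if tag is None:
        return physical
    return subinterfaces.get(tag["vid"])


if __name__ == "__main__":
    tagged = add_tag(UNTAGGED, 100, pcp=5)
    print("tag bytes:", tagged[12:18].hex(), "->", parse_frame(tagged)["tag"])
    print("moved to VLAN 300:", parse_frame(retag(tagged, 300))["tag"])
    print("delivered to:", deliver(tagged, "port1", {100: "vlan100", 300: "vlan300"}))
```

The `deliver()` function is the check worth keeping in mind when building VLAN subinterfaces on a firewall: a frame can only land on a VLAN that an administrator has explicitly created on that port, and a tagged frame whose VID has no subinterface is dropped rather than falling through to the parent interface.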

VLANs on a FortiGate Unit
(Diagram labels: Branch office, Headquarters, Router A, Router B, Subnet 1, Subnet 2, VLAN 100, VLAN 200, VLAN 300; frames on the diagram carry Tag: VLAN 100 or Tag: VLAN 300)

Virtual Domains
(Diagram: one physical FortiGate device presented as multiple virtual FortiGate devices, Domain A, Domain B and Domain C)

Virtual Domains
(Diagram: three VDOMs, Acme Co., ABC Inc. and XYZ Ltd., on one FortiGate device)
Each VDOM has:
• Own network interfaces
• Own routing requirements
• Own firewall policies
• Own protection rules
• Packets confined to this VDOM
• Logically, virtual domains behave like separate FortiGate units
• By default, a FortiGate unit can support a maximum of 10 virtual domains
• Certain models allow the purchase of additional VDOM licenses to increase the number

VDOM Settings
Global settings (affect all configured domains):
• Hostname
• DNS settings
• System time
• Firmware versions
• …
VDOM settings (affect the specific VDOM only):
• Operating mode
• Router settings
• Firewall settings
• UTM settings
• …

Enabling Virtual Domains
When VDOMs are enabled:
• Global and per-VDOM configurations are separated
• Only the admin account can view or configure global options
• Only the admin account can access all VDOM configurations
• Regular administrators can only configure the VDOM to which they are assigned

Switching Between Virtual Domains
• Admin can switch between VDOMs configured on the FortiGate unit in addition to accessing the Global Configuration
• Regular administrators are confined to their own VDOMs

VDOM Resource Limits
(Diagram: global resource limits above the VDOM resource limits of the Accounting VDOM)
• Global resource limits affect resources available to the FortiGate device
• VDOM resource limits affect resources available for each VDOM
• Resource limits vary by device model

Per-VDOM Configurations
(Diagram: the full device config beside the VDOM config of the Accounting VDOM)
• Administrators can back up and restore the entire device configuration or VDOM-specific configurations
• VDOM configurations are stored as separate configuration files
• VDOM configurations can be synchronized between HA devices

Virtual Domains Administrators
(Diagram: Domain A, Domain B and Domain C, with a super_admin profile spanning all three)
• Virtual domains can be managed using either one common administrator or multiple separate administrators for each VDOM
• Administrators assigned the super_admin profile can manage all VDOMs on the FortiGate device
• Can also create other administrator accounts and assign them to VDOMs

Inter-VDOM Links
(Diagram: Domain A, Domain B and Domain C linked inside one FortiGate device)
• Inter-VDOM links allow VDOMs to communicate internally without using additional physical interfaces
• Communication no longer has to leave on a physical interface and re-enter the FortiGate device on another physical interface
• Firewall policies need to be in place for traffic to be allowed to pass through any interface, whether it be physical or virtual
Inter-VDOM Links