VLAN and Subnet Command Notes

The vlan context defines FortiADC’s network connectivity. Each VLAN definition defines the front panel ports that are configured for the VLAN, the VLAN ID (VID), and the subnets that belong to the VLAN.

VLAN Subnets

A single VLAN can have more than one subnet assigned to it. In most configurations there is a one-to-one relationship between VLANs and subnets, but certain practical problems are solved by adding an additional subnet to a VLAN. For example, if all the IP addresses on the subnet assigned to a VLAN are exhausted, the easiest way to add more IP addresses without reconfiguring the network is to add an additional subnet to the VLAN.

VLAN IP Addresses

A VLAN IP address is defined on every subnet in a VLAN and is FortiADC’s own IP address on that subnet. Subnet IP addresses must be specified in CIDR format (e.g. 172.16.0.200/21). A VLAN can contain multiple subnets, with a mix of IPv4 and IPv6 addresses on different subnets in the same VLAN.

VLAN Services

A VLAN can have several services running on it: the GUI can be made available on the VLAN IP address via HTTP and/or HTTPS, and SSH login on the VLAN IP address can be enabled as well. None of these services is required to be enabled on any VLAN.

If services are enabled on the VLAN, they must also be enabled in the global context in order to be functional on the VLAN. See the services command in Global Commands.

Routing Between VLANs

By default, packets are not routed between VLANs. In other words, if a packet for a destination address that is configured on vlan2 arrives at a port that is configured for vlan1 only, the packet is dropped. Routing from vlan1 to vlan2 is configured by adding vlan2 to the list of permitted VLANs for vlan1.

For example, let’s say port 1 is configured for vlan1 and subnet 10.10.10.0/24; port 2 is configured for vlan2 and subnet 172.16.0.0/24. If servers are connected to both ports, and these servers need to communicate with one another through FortiADC, you would execute the following commands to enable routing between vlan1 and vlan2:

eqcli > vlan vlan1 permit vlan2

eqcli > vlan vlan2 permit vlan1

Using the permit command in the vlan context, as above, enables packet forwarding between all the subnets defined in the current VLAN context, and the VLAN specified as an argument to permit.

Routing Between Specific VLAN Subnets

In most configurations there is a one-to-one relationship between VLANs and subnets, i.e., each VLAN is associated with exactly one subnet. There are, however, situations in which an administrator will associate more than one subnet with a VLAN. If multiple subnets are defined within a VLAN, you can optionally specify a subnet as an additional argument to the permit command, as in this example:

eqcli > vlan vlan1 permit vlan2:sn03

The above command enables ports configured for vlan1 to route packets with a destination address on subnet sn03 defined in vlan2. Packets addressed to other subnets configured on vlan2 will be dropped.

Similarly, you’ll need to specify the reverse route: let’s say you only want to route packets to vlan1 from ports configured for vlan2 if they originated on subnet sn03. To accomplish this, you’ll need to specifically add that VLAN/subnet combination to the permitted VLAN list for vlan2:

eqcli > vlan vlan2 subnet sn03 permit vlan1
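The following Python model is an added example, not FortiADC code: it encodes the permit semantics from the two routing sections above (deny by default, VLAN-wide permit, destination-subnet scoping with vlan2:sn03, and source-subnet scoping with subnet sn03 permit vlan1) so an administrator can check which packets a given permit configuration would forward. The port numbers and the 172.16.1.0/24 prefix for sn03 are constructed assumptions.

```python
# Added model of eqcli's inter-VLAN "permit" rules (not vendor code); sn03's prefix and port numbers are constructed.
import ipaddress

class VlanPolicy:
    def __init__(self):
        self.vlans = {}  # name -> {"ports": set, "subnets": {name: net}, "permits": [...]}

    def add_vlan(self, name, ports, subnets):
        nets = {n: ipaddress.ip_network(c, strict=False) for n, c in subnets.items()}
        self.vlans[name] = {"ports": set(ports), "subnets": nets, "permits": []}

    def permit(self, vlan, target, subnet=None):
        # vlan <vlan> [subnet <subnet>] permit <target>[:<target_subnet>]
        tvlan, _, tsub = target.partition(":")
        self.vlans[vlan]["permits"].append((subnet, tvlan, tsub or None))

    def locate(self, ip):
        # (vlan, subnet) whose configured prefix contains ip, or None
        addr = ipaddress.ip_address(ip)
        for vname, v in self.vlans.items():
            for sname, net in v["subnets"].items():
                if addr in net:
                    return vname, sname
        return None

    def decide(self, in_port, src_ip, dst_ip):
        # "FORWARD" or "DROP" for a packet entering on in_port
        dst_vlan, dst_sub = self.locate(dst_ip) or (None, None)
        src = ipaddress.ip_address(src_ip)
        for vname, v in self.vlans.items():
            if in_port not in v["ports"]:
                continue
            if vname == dst_vlan:  # destination lies on the ingress VLAN itself
                return "FORWARD"
            for src_sub, tvlan, tsub in v["permits"]:
                if tvlan != dst_vlan or (tsub and tsub != dst_sub):
                    continue
                if src_sub is None or src in v["subnets"][src_sub]:
                    return "FORWARD"
        return "DROP"  # default: no routing between VLANs


def page_example():
    p = VlanPolicy()
    p.add_vlan("vlan1", [1], {"sn01": "10.10.10.0/24"})
    p.add_vlan("vlan2", [2], {"sn02": "172.16.0.0/24", "sn03": "172.16.1.0/24"})
    p.permit("vlan1", "vlan2:sn03")            # eqcli > vlan vlan1 permit vlan2:sn03
    p.permit("vlan2", "vlan1", subnet="sn03")  # eqcli > vlan vlan2 subnet sn03 permit vlan1
    return p
```

With this configuration, a packet from 10.10.10.5 on port 1 to an sn03 address is forwarded while one to an sn02 address is dropped, and only packets that originate on sn03 are forwarded from port 2 back to vlan1.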

Source IP Address for Outbound Packets

When FortiADC originates connections to other hosts (for example, when it sends out probes or queries an NTP or DNS server), the source IP address of the outbound packets is taken from the source network specified in the route configured for that subnet.

Subnet Routes and Global Default Route

Each subnet has a complete routing table. There is no explicit global default route setting that applies to all subnets. To configure a global default route, you must define the same default route on all subnets.