Chapter 10 Install and System Administration for FortiOS 5.0 : VLANs : VLANs in NAT mode : Adding VLAN subinterfaces : VDOM
  
VDOM
If VDOMs are enabled, each VLAN subinterface must belong to a VDOM. This rule also applies for physical interfaces.
 
Interface-related CLI commands require a VDOM to be specified, regardless of whether the FortiGate unit has VDOMs enabled.
VLAN subinterfaces on separate VDOMs cannot communicate directly with each other. In this situation, the VLAN traffic must exit the FortiGate unit and re-enter the unit again, passing through firewalls in both directions. This situation is the same for physical interfaces.
A VLAN subinterface can belong to a different VDOM than the physical interface it is part of. This is because the traffic on the VLAN is handled separately from the other traffic on that interface. This is one of the main strengths of VLANs.
The following procedure will add a VLAN subinterface called VLAN_100 to the FortiGate internal interface with a VLAN ID of 100. It will have an IP address and netmask of 172.100.1.1/255.255.255.0, and allow HTTPS, PING, and Telnet administrative access. Note that in the CLI, you must enter “set type vlan” before setting the vlanid, and that the allowaccess protocols are lower case.
To add a VLAN subinterface in NAT mode - web-based manager
1. If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.
2. Go to System > Network > Interface.
3. Select Create New to add a VLAN subinterface.
4. Enter the following:
VLAN Name
VLAN_100
Type
VLAN
Interface
internal
VLAN ID
100
Addressing Mod
Manual
IP/Netmask
172.100.1.1/255.255.255.0
Administrative Access
HTTPS, PING, TELNET
5. Select OK.
To view the new VLAN subinterface, select the expand arrow next to the parent physical interface (the internal interface). This will expand the display to show all VLAN subinterfaces on this physical interface. If there is no expand arrow displayed, there are no subinterfaces configured on that physical interface.
For each VLAN, the list displays the name of the VLAN, and, depending on column settings, its IP address, the Administrative access you selected for it, the VLAN ID number, and which VDOM it belongs to if VDOMs are enabled.
To add a VLAN subinterface in NAT mode - CLI
config system interface
edit VLAN_100
set interface internal
set type vlan
set vlanid 100
set ip 172.100.1.1 255.255.255.0
set allowaccess https ping telnet
end
See Also
Adding VLAN subinterfaces
Physical interface
IP address and netmask
VLAN ID
Configuring security policies
Configuring routing