Fortinet Handbook 6.0.0

Forward-domain solution

If you're using transparent mode, the solution is the forward-domain setting (set forward-domain under config system interface). It assigns a physical interface or a VLAN sub-interface to a forwarding domain, which Fortinet also calls a collision group: a separate layer-2 bridge inside the transparent-mode VDOM. Frames entering on one member of a domain are forwarded or flooded only to the other members of that same domain, so it behaves like an additional set of VLANs layered on top of the ones already in use. By default, every interface and VLAN belongs to forward domain 0, which means a transparent-mode FortiGate bridges all of them together until you assign them elsewhere. The benefits of this approach include reduced administration, the need for fewer physical interfaces, and more flexible network designs.

In the following example, forward-domain collision group 340 includes VLAN 340 traffic on port1 and untagged traffic on port2. Forward-domain collision group 341 includes VLAN 341 traffic on port1 and untagged traffic on port3. All other interfaces remain in forward-domain collision group 0 by default. The result is that untagged frames from port2 leave port1 tagged as VLAN 340, untagged frames from port3 leave port1 tagged as VLAN 341, and VLAN 340 and VLAN 341 traffic on port1 can no longer reach each other through the FortiGate.

Use the following CLI commands (the setting is spelled forward-domain, with a hyphen; the VLAN sub-interfaces are created here by setting their parent interface and VLAN ID before assigning the domain):

    config system interface
        edit port2
            set forward-domain 340
        next
        edit port3
            set forward-domain 341
        next
        edit port1-340
            set interface port1
            set vlanid 340
            set forward-domain 340
        next
        edit port1-341
            set interface port1
            set vlanid 341
            set forward-domain 341
        next
    end
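The following Python script is an added example, not Fortinet's code and not part of the handbook. It reads a config system interface listing in the shape shown above and reports forward-domain membership, so that before deploying you can verify that the VLAN sub-interfaces you meant to separate are no longer bridged together in the default domain 0. The configuration embedded in it is constructed for the example: it is the page's configuration plus the physical ports port1 and port4 as they would also appear in a real listing, and a hypothetical VLAN 342 sub-interface on port1 that was never assigned a forward domain.

```python
"""Audit forward-domain membership in a FortiOS 'config system interface' block.

Added example for this page, not Fortinet code. It parses CLI text in the
edit/set/next/end shape printed above and reports which interfaces share a
forward domain, so you can confirm that the VLAN sub-interfaces you meant to
isolate are not still bridged together in the default domain 0.
"""
from collections import defaultdict

# Constructed sample: the page's example, plus the physical ports as they
# would also appear in a real config and one extra VLAN (342) on port1 that
# was never assigned a forward domain and therefore stays in domain 0.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
    next
    edit "port2"
        set forward-domain 340
    next
    edit "port3"
        set forward-domain 341
    next
    edit "port4"
        set vdom "root"
    next
    edit "port1-340"
        set interface "port1"
        set vlanid 340
        set forward-domain 340
    next
    edit "port1-341"
        set interface "port1"
        set vlanid 341
        set forward-domain 341
    next
    edit "port1-342"
        set interface "port1"
        set vlanid 342
    next
end
"""


def parse_interfaces(config_text):
    """Return {interface name: {setting: value}} for every edit/next entry.

    Every entry starts with forward-domain 0, the FortiOS default this page
    describes, so an interface that never sets it is reported in domain 0.
    The underscore spelling (forward_domain) seen in some handbook listings
    is normalised to the hyphenated CLI keyword.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            interfaces[current] = {"forward-domain": "0"}
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3:
                key, value = parts[1].replace("_", "-"), parts[2].strip('"')
                interfaces[current][key] = value
        elif line == "next":
            current = None
    return interfaces


def forward_domains(interfaces):
    """Map each forward-domain ID to the list of interfaces that belong to it."""
    domains = defaultdict(list)
    for name, settings in interfaces.items():
        domains[int(settings["forward-domain"])].append(name)
    return dict(domains)


def is_separated(interfaces, a, b):
    """True if interfaces a and b are in different forward domains, i.e. a
    transparent-mode FortiGate will not bridge frames between them."""
    return interfaces[a]["forward-domain"] != interfaces[b]["forward-domain"]


def vlans_in_default_domain(interfaces):
    """VLAN sub-interfaces still in forward-domain 0, each with the other
    domain-0 members it is bridged with. Anything listed here was probably
    meant to get its own forward domain like the ones configured above."""
    domain0 = [n for n, s in interfaces.items() if s["forward-domain"] == "0"]
    return {
        name: [other for other in domain0 if other != name]
        for name in domain0
        if "vlanid" in interfaces[name]
    }


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for domain, members in sorted(forward_domains(ifaces).items()):
        print(f"forward-domain {domain}: {', '.join(members)}")
    for vlan, peers in vlans_in_default_domain(ifaces).items():
        print(f"WARNING: {vlan} is still in forward-domain 0 with {', '.join(peers)}")
```

Run it against the output of show system interface from the device, after pasting that into SAMPLE_CONFIG or reading it from a file; a VLAN sub-interface reported in domain 0 alongside physical ports is exactly the situation the configuration above is meant to prevent.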

You may experience connection issues with layer-2 traffic, such as ping, if your network configuration has:

  • Packets going through the FortiGate in transparent mode more than once
  • More than one forwarding domain (such as incoming on one forwarding domain and outgoing on another)
  • IPS and AV enabled

FortiOS applies IPS and AV only the first time a packet passes through the FortiGate, not on subsequent passes. Inspecting only the first pass fixes these layer-2 connection issues, but it also means that traffic re-entering the FortiGate through a second forwarding domain is not scanned again there: the security profiles on the policy that matches the first pass are the ones that apply.
