
Handbook

Forwarding domains in transparent mode

6.0.0

A forwarding domain is used to create separate broadcast domains and confine traffic to two or more ports. It also allows the same MAC address to be learned in different VLANs (independent VLAN learning, IVL).

A forwarding domain and its associated ID number are unique across one VDOM, or a FortiGate with VDOMs disabled. Each new VDOM will create a new bridge instance in the FortiGate.

Note: Even though the forwarding domain ID has no relation to the actual VLAN number, it is recommended, for maintenance and troubleshooting purposes, to configure one forwarding domain per VLAN and to use the VLAN ID as the forwarding domain ID.

Once forwarding domains are configured, firewall policies can only be configured between ports or VLANs belonging to the same forwarding domain.

Example configuration

This example has three forwarding domains and VLANs configured. There are two VDOMs in transparent mode: root and MGMT. Forwarding domain 0 is the default on a FortiGate or VDOM in transparent mode.

  • Root VDOM has:
      • 3 forwarding domains: 0, 340, and 341
      • VLAN 340 configured on port1; packets will be tagged with ID 340
      • VLAN 341 configured on port1; packets will be tagged with ID 341
      • All other ports are untagged
  • MGMT VDOM has only the default forwarding domain 0

The expected behavior is the following:

  • Untagged packets ingressing port1, port3 and port4 belong to the same broadcast domain in the root VDOM
  • Packets tagged with VLAN 340 ingressing port1 and untagged packets ingressing port2 belong to the same broadcast domain in the root VDOM
  • Packets tagged with VLAN 341 ingressing port1 and untagged packets ingressing port5 belong to the same broadcast domain in the root VDOM
  • Untagged packets ingressing port6 belong to a different broadcast domain in the MGMT VDOM

CLI syntax for forwarding domain 340

config system interface
    edit "VLAN340"
        set forward-domain 340
        set interface "port1"
        set vlanid 340
    next
    edit "port3"
        set forward-domain 340
    next
end
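To make the two rules above concrete (an ingress frame lands in the bridge instance of its VDOM and forwarding domain, and a firewall policy is only possible between interfaces that share that bridge), here is an added Python model. It is not part of the Fortinet handbook or of FortiOS; it parses a constructed `config system interface` block written in the same CLI syntax and checks the expected-behavior list. The constructed configuration follows that list, so untagged port2 is placed in domain 340 and port3 stays in the default domain 0 (the page's own snippet above puts port3 in 340 instead, so adjust to match your deployment). `set vdom` is standard FortiOS syntax; `parse_interfaces`, `bridge_for_frame`, `same_broadcast_domain` and `policy_allowed` are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample configuration (not the page's own snippet). It follows the
# page's expected-behavior list: VLAN340/VLAN341 on port1, untagged port2 in
# domain 340, untagged port5 in domain 341, port6 in VDOM MGMT. Entries with no
# `set vdom` / `set forward-domain` keep the FortiOS defaults root / 0.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
    next
    edit "VLAN340"
        set forward-domain 340
        set interface "port1"
        set vlanid 340
    next
    edit "VLAN341"
        set forward-domain 341
        set interface "port1"
        set vlanid 341
    next
    edit "port2"
        set forward-domain 340
    next
    edit "port3"
    next
    edit "port4"
    next
    edit "port5"
        set forward-domain 341
    next
    edit "port6"
        set vdom "MGMT"
    next
end
"""

Bridge = Tuple[str, int]  # (VDOM name, forwarding-domain ID): one bridge instance


@dataclass
class Interface:
    name: str
    vdom: str = "root"            # FortiOS default VDOM
    forward_domain: int = 0       # 0 is the default forwarding domain
    parent: Optional[str] = None  # physical port of a VLAN subinterface
    vlanid: Optional[int] = None

    @property
    def bridge(self) -> Bridge:
        return (self.vdom, self.forward_domain)


def parse_interfaces(text: str) -> Dict[str, Interface]:
    """Minimal parser for the `config system interface` CLI tree."""
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r'^edit "([^"]+)"$', line)):
            current = Interface(name=m.group(1))
        elif line == "next" and current is not None:
            interfaces[current.name] = current
            current = None
        elif current is not None and (m := re.match(r'^set (\S+) "?([^"]+?)"?$', line)):
            key, value = m.groups()
            if key == "vdom":
                current.vdom = value
            elif key == "forward-domain":
                current.forward_domain = int(value)
            elif key == "interface":
                current.parent = value
            elif key == "vlanid":
                current.vlanid = int(value)
    return interfaces


def bridge_for_frame(interfaces, port: str, vlan_tag: Optional[int]) -> Optional[Bridge]:
    """Untagged frames join the port's own forwarding domain; tagged frames join
    the VLAN subinterface bound to that port and tag. No match: frame dropped."""
    if vlan_tag is None:
        iface = interfaces.get(port)
    else:
        iface = next((i for i in interfaces.values()
                      if i.parent == port and i.vlanid == vlan_tag), None)
    return iface.bridge if iface else None


def same_broadcast_domain(interfaces, *frames: Tuple[str, Optional[int]]) -> bool:
    """True when every (port, tag) frame lands in one and the same bridge."""
    bridges = {bridge_for_frame(interfaces, p, t) for p, t in frames}
    return len(bridges) == 1 and None not in bridges


def policy_allowed(interfaces, src: str, dst: str) -> bool:
    """Policies can only be built between interfaces sharing VDOM and domain."""
    a, b = interfaces.get(src), interfaces.get(dst)
    return a is not None and b is not None and a.bridge == b.bridge
```

`bridge_for_frame` returns `None` for a tagged frame whose tag has no VLAN subinterface on that port; that is the first thing to check when a host behind a transparent-mode FortiGate is unreachable, since such frames are simply dropped rather than placed in the default domain. `policy_allowed` mirrors the restriction stated above: interfaces in different VDOMs, or in different forwarding domains of the same VDOM, cannot appear together in a firewall policy.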
