transparent mode. module objectives by the end of this module participants will be able to: describe...
TRANSCRIPT
Transparent Mode
Module Objectives
• By the end of this module participants will be able to:• Describe FortiGate unit operating modes
• Describe how VLANs are used on a FortiGate unit operating in Transparent Mode
• Configure a VDOM in Transparent Mode
Operating Modes
• The operating mode of the FortiGate unit defines how traffic is forwarded by the device• The FortiGate unit can operate in one of two modes:• NAT/Route Mode• The FortiGate unit processes and routes traffic using layer-3 IP
headers• The destination IP address is used to forward the packet
• Transparent Mode• The FortiGate unit acts as transparent bridge and routes traffic
using layer-2 forwarding• Ethernet packets are forwarded based on destination MAC addresses
• The device is transparent to network hosts
• Permits inline traffic inspection and firewalling without changing the IP scheme of the network
Operating Modes – NAT/Route
Internet
wan1204.23.1.5
internal192.168.1.99
dmz10.10.10.1
192.168.1.3
10.10.10.2
Routing policies control traffic
between internal networks
NAT mode policies control traffic
between internal and external networks
Click here to read more about FortiGate operating modes
Operating Modes – Transparent
Internet
internal
10.10.10.1
Gateway topublic network
204.23.1.5
wan1
10.10.10.3
Click here to read more about FortiGate operating modes
DestinationMAC
SourceMAC
Type Data CRC32
(6 bytes) (6 bytes) (2 bytes) (46 - 1500 bytes) (4 bytes)
Ethernet Frame
Click here to read more about interpreting Ethernet headers
DestinationMAC
SourceMAC
Type Data CRC32
(6 bytes) (6 bytes) (2 bytes) (46 - 1500 bytes) (4 bytes)
TagControl
Info
(2 bytes)
Type
(2 bytes)
8100 0800
VLAN Tags
VLAN tags
interfaces=[port5]filters=[ ]0.793493 port5 -- 802.1Q vlan#101 P0 haven't been added to sniffer0x0000 0009 0f0b a1c2 0009 0f09 0605 8100 0065 ...............e0x0010 0800 4500…
Interpreting Ethernet Headers
IP DataTypeTag Control Information802.1 Tag TypeSource MAC addressDestination MAC address
interfaces=[port5]filters=[ ]0.793493 port5 -- 802.1Q vlan#101 P0 haven't been added to sniffer0x0000 0009 0f0b a1c2 0009 0f09 0605 8100 0065 ...............e0x0010 0800 4500…
Interpreting Ethernet Headers
VLANs on a FortiGate Unit in Transparent Mode
• FortiGate units can act as a layer-2 switch when in transparent mode• The device can tag and forward VLAN traffic or can
receive and remove the tag
• Provides antivirus, web filtering, spam filtering and IPS services on IEEE 802.1Q VLAN trunk• FortiGate device in transparent mode can be inserted
into the trunk without making any changes to the network
VLANs on a FortiGate Unit in Transparent Mode
VLAN 100
Branch office
VLAN 200
Headquarters
Tag: VLAN 100 Tag: VLAN 100
Switch A Switch B
Subnet 1 Subnet 2
FortiGate unit operating in Transparent
Mode
VLAN 100 VLAN 200
Port 1-4 Port 5-7 Port 6 Port 4-5802.1Qtrunklink
Click here to read more about VLANs on a FortiGate running in Transparent mode
Port Pairing
• Binds two ports together when the FortiGate unit is operating in transparent mode• Can create firewall policies that regulate traffic only
between two specific ports, VLANs or VDOMs.
• Traffic is captured between these ports• No other traffic can enter or leave a port pairing
Port Pairing
FortiGate unit operating in Transparent
Mode
Port1
Internet
Port2
Port3
Wan1
Port Pair → Exclusive Traffic
Transparent Bridge
• Transparent bridging allows a switch to learn about the location of nodes on the network• The presence and operation of the bridge is
transparent to network hosts
• Builds a table for traffic forwarding by analyzing the source addresses of incoming frames from attached networks• Intra-segment traffic is isolated• Reduces traffic seen on individual segments
• Can improve network response time
Click here to read more about transparent bridging
Broadcasting Domain
• A broadcast domain is a network segment in which any networking equipment can transmit data directly to another device without going through a routing device• All devices can be reached by sending a simple frame
to the broadcast address
• All devices share the same subnet, use the same gateway and are in the same VLAN• All devices detect frame transmission, but only the devices to which frame is addressed receive it
Click here to read more about broadcast domains
Broadcasting Domain
FortiGate unit operating in Transparent
Mode
ARP broadcast onVLAN101_wan1
VLAN102_dmz
VLAN104_dmz
Port 1
VLAN101_wan1
VLAN103_dmz
VLAN101_internal
Forwarding Domain
• Forwarding domains allow separate broadcast domains to be maintained per VLAN• Packets are contained and only broadcast between
interfaces in the same VLAN
Click here to read more about forwarding domains
Forwarding Domain
FortiGate unit operating in Transparent
Mode
ARP broadcast onVLAN101_wan1
VLAN102_dmz
VLAN104_dmz
Port 1
VLAN101_wan1
VLAN103_dmz
VLAN101_internal
config sys interfaceedit VLAN101_wan1set forward-domain 101end
config sys interfaceedit VLAN101_internalset forward-domain 101end
VLAN101_internalVLAN101_wan1
Forwarding domain 101
Spanning Tree Protocol
• Spanning Tree Protocol is a link management protocol that provides path redundancy and ensures a loop free topology• Allows a network design to include redundant links in tree-like structure that spans all switches• If one network segment in the tree becomes
unreachable, the algorithm reconfigures the spanning-tree topology
• All switches gather information on other switches through an exchange of Bridge Protocol Data Unit (BPDU) data messages• The FortiGate unit will forward or block (the default
setting) BPDUs
Click here to read more about Spanning Tree Protocol
Link Aggregation
• Link aggregation describes the use of Ethernet network cables and ports in parallel to increase the link speed beyond the limits of single cable or port• Increases the redundancy for higher availability
• Bundles several physical ports to form a single logical channel
• A FortiGate unit operating in transparent mode can be inserted into aggregate link
Click here to read more about link aggregation
Link Aggregation
Gateway router:172.16.1.254
interface GigabitEthernet1/1no ip addressswitchportchannel-group 1 mode active!interface GigabitEthernet2/1no ip addressswitchportchannel-group 1 mode active
GE1/1
GE2/1
Port1
Port2
config sys interfaceedit “link_agg”set vdom “root”set ip 172.16.1.2 255.255.255.0set type aggregateset member “port1” “port2”end
Student Resources
Click here to view the list of resources used in this module