VLANs and VDOMs Flashcards
VLAN Overview
Logical Subdivision
Identical VLAN ID and network
Inter-VLAN routing
Different broadcast domains
VLAN Tags
dot1q trunk link
when more than two VLANs share the same interface
VLAN Tagging: Ingress and Egress Removal
Layer 2 devices add/remove tags
Layer 3 devices modify tags
Tagging based on a routing decision
Standard Ethernet Frame
Uses type number 0x0800, indicating an IPv4 payload. These frames lack VLAN segmentation and are considered typical packets for the IPv4 protocol
802.1Q Ethernet Frame
This standard enables VLAN tagging, using an EtherType of 0x8100. Allows for a single VLAN tag per frame, supporting up to 4,094 VLANs.
802.1ad Ethernet Frame
This standard is designed for VLAN stacking with additional features tailored for service providers. It uses an EtherType of 0x88A8 for the provider VLAN tag (S-tag) and 0x8100 for the customer VLAN tag (C-tag). Supports up to 16 million VLAN combinations, with 4,094 possible S-VLANs and 4,094 possible C-VLANs. This protocol is typically used by service providers to segregate customer traffic and manage services efficiently.
802.1Q-in-802.1Q (QinQ)
This method enables stacking two VLAN tags (an outer and an inner tag) in an Ethernet frame, often referred to as double tagging. Both the outer and inner tags typically use an EtherType of 0x8100. QinQ can support up to 16 million VLAN combinations: 4,094 possible outer VLANs and 4,094 possible inner VLANs. It is commonly used in service provider networks and large enterprise networks for enhanced VLAN scalability and segregation.
VXLAN
Virtual Extensible LAN - A network virtualization protocol that, unlike traditional VLAN standards like 802.1Q, 802.1ad, and 802.1Q-in-802.1Q, which insert VLAN tags directly into the Ethernet frame, encapsulates the original data within a UDP packet for tunneling over an IP network.
Employs UDP encapsulation with a default port number of 4789.
Outer and Inner headers
16 million VLANs
Data centers
Cloud environments
You can use the Same VLAN ID on different interfaces, resulting in completely different broadcast domains. (T or F)
True
Types of interfaces that can have VLANs
Aggregate Interfaces
FortiLink Interfaces
Hardware Switches
Virtual VLAN Switches
Software Switches
Wireless SSID Interfaces
LACP
Link Aggregation Control Protocol. AKA the 802.3ad standard, which is used for bundling multiple network connections to increase bandwidth and provide redundancy.
LACP interfaces = Aggregate Interfaces
MCLAG
Multichassis Link Aggregation - Used for multiple FortiSwitch devices to act as one unit for the purpose of redundancy
Hardware Switch Use Case
Allows multiple ports to share the same network segment.
Uses the config system virtual-switch command, with config port to add ports, and then sets up the IP address and access services on the switch interface.
Devices connected to these ports can communicate because they share the same broadcast domain and because hardware switches support intraswitch traffic
Supports Spanning Tree Protocol (STP)
Processing is offloaded to hardware
Software Switch Use Case
Offers the same benefits as a hardware switch, including implicit intra-switch traffic (set intra-switch-policy implicit). However, this can also be disabled so that firewall policy rules are required for intra-switch traffic (set intra-switch-policy explicit).
The CLI uses the config system switch-interface command to add interfaces as members (then set up the IP address and enable access services), rather than adding them as ports as with a hardware switch.
Does Not Support Spanning Tree Protocol (STP)
Processing in software by CPU
VDOM Overview
Virtualized Security
Enabling VDOMs creates the Global and root VDOMs, which cannot be deleted.
Most FGT models support up to 10 VDOMs. Can obtain a license to support more.
Command to enable VDOMs
config system global
set vdom-mode multi-vdom
end
Command to see how many VDOMs are supported
get system status
get sys status | grep "Max number of virtual domains"
Disabling a VDOM
Must remove all references used by other VDOMs. This includes deleting policies, removing firewall objects associated with interfaces, and reassigning interfaces that are linked to non-root VDOMs back to the root VDOM, among other tasks.
VDOM Global Key Points
Changes made here affect the entire FGT. It is recommended that only top-level admins modify these.
Unavailable Modules:
Policy & Objects
VPN
User & Authentication
VDOM Global > System > Global Resources
Purpose of Global Objects
To ensure consistent Unified Threat Management (UTM) profiles across various VDOMs
Admin VDOM
Dedicated to the management of FGT, handling NO user traffic
config system settings
set vdom-type admin
end
Only handles the internet traffic that allows the FGT to access FortiGuard updates, which affect all VDOMs.
Only has the following modules:
Dashboard
Network
System
Security Fabric
Log & Report
Traffic VDOM
Two Modes:
NAT Operation Mode - Most common type of VDOM, dedicated to passing user traffic and analyzing it as a firewall
Transparent Operation Mode - Allows for security scanning of traffic without the need for routing or NAT, operates only at layer 2 of the OSI model, and offers the benefits of a firewall
Configure with GUI - System > VDOM > Create new
To choose NAT or Transparent, need CLI commands:
config system settings
set vdom-type traffic
set opmode transparent
set manageip 172.16.16.1/255.255.255.0
end
LAN Extension VDOM
Dedicated to expanding your LAN using IPsec VPN and VXLAN to connect to a FortiExtender. Can only be enabled using the CLI.
config system settings
set vdom-type lan-extension
end
Established between a connector (FGT) and controller (FortiExtender) to facilitate network expansion. Only has Network and VPN modules.
Traffic VDOM in NAT Mode Use Case
Functions like a regular firewall.
Can also assign this VDOM to manage the firewall. It can be used to download FortiGuard updates and validate the firewall's license if you select it as the management VDOM. By default, the root VDOM serves as the management VDOM, but you can change it as needed. This is indicated by a red dot on the VDOM's cloud icon.
Inter-VDOM link
Enables a VDOM to access the internet via another VDOM. Facilitates both internet access and connectivity for networks across different VDOMs
AKA VDOM Links
To create one: Global VDOM > Network > Interfaces > Create New > VDOM Link
FGT automatically assigns unique names by appending 0 and 1 to your interface names.
Must configure both routing (static or dynamic) and traffic management policies for these virtual interfaces.
Traffic VDOM in Transparent Use case
Operates invisibly at the IP layer
Enables UTM profile implementation for enhanced security and traffic analysis without extra layer 3 devices. Place it between network devices to boost security via the FortiGate without changing layer 3 settings like gateways.
All interfaces share the same broadcast domain. If the config has more than two VLAN IDs, you should use the forward-domain command to subdivide the VDOM into multiple broadcast domains, using the VLAN ID as the domain ID for easy recognition.
Must assign a management IP address. If you don't, you will get an error about a failed node check object for 'manageip'.