Article Id 198178

Description

This article explains how to avoid problems with ARP packets passing between VLANs in Transparent mode.

Components

FortiGate units running FortiOS version 4.00 MR3 and 5.0.x

Information

One essential application of virtual domains (VDOMs) is to prevent problems caused when a FortiGate unit is connected to a layer-2 switch that has a global MAC table. FortiGate units normally forward ARP requests to all interfaces, including VLAN subinterfaces. It is then possible for the switch to receive duplicate ARP packets on different VLANs. Some layer-2 switches reset when this happens.

The solution is to use the forward-domain command. Introduced in FortiOS v3.0 MR1, it tags VLAN traffic as belonging to a particular forward-domain collision group, and only VLANs tagged as part of that collision group receive that traffic. By default, ports and VLANs are part of forward-domain collision group 0. For more information, see the VDOM Admin chapter in the FortiGate CLI Reference and the FortiGate VLANs and VDOMs Guide.
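The following audit script is an added example, not part of the original article or Fortinet code. It parses a `config system interface` excerpt and reports any forward-domain collision group that holds VLAN subinterfaces with different VLAN IDs, including the default group 0. The interface names, ports and VLAN IDs are constructed, and giving each VLAN ID its own forward-domain is an assumption about how the command is applied.

```python
from collections import defaultdict

# Constructed sample (interface names, ports and VLAN IDs are made up).
SAMPLE_CONFIG = """
config system interface
    edit "vlan340_int"
        set interface "port1"
        set vlanid 340
        set forward-domain 340
    next
    edit "vlan340_ext"
        set interface "port2"
        set vlanid 340
        set forward-domain 340
    next
    edit "vlan341_int"
        set interface "port1"
        set vlanid 341
    next
    edit "vlan342_int"
        set interface "port1"
        set vlanid 342
    next
end
"""

def parse_interfaces(text):
    """Return {interface name: {setting: value}} from 'edit ... next' blocks."""
    ifaces, current = {}, None
    for line in text.splitlines():
        tok = line.split() or [""]
        if tok[0] == "edit" and len(tok) >= 2:
            current = ifaces.setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set" and current is not None and len(tok) >= 3:
            current[tok[1]] = tok[2].strip('"')
        elif tok[0] == "next":
            current = None
    return ifaces

def mixed_vlan_domains(ifaces):
    """Return {forward-domain: [VLAN IDs]} for groups with >1 VLAN ID (unset = 0)."""
    groups = defaultdict(set)
    for cfg in ifaces.values():
        if "vlanid" in cfg:  # VLAN subinterfaces only; physical ports are skipped
            groups[int(cfg.get("forward-domain", 0))].add(int(cfg["vlanid"]))
    return {dom: sorted(ids) for dom, ids in groups.items() if len(ids) > 1}

if __name__ == "__main__":
    print(mixed_vlan_domains(parse_interfaces(SAMPLE_CONFIG)))
```

In the sample, VLANs 341 and 342 have no `set forward-domain` line, so both stay in collision group 0 and are reported together; the two VLAN 340 interfaces share group 340 and are not flagged.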




