This article describes the difference between VLAN ID and VRF ID when configuring a VLAN on a FortiGate.
A virtual routing and forwarding ID (VRF ID) isolates the traffic of a particular interface by placing it in a separate routing table.
A virtual local area network ID (VLAN ID) segments a LAN into multiple broadcast domains, which allows more granular control of traffic.
While configuring VLAN on FortiGate, there is an option to set VRF ID as well as VLAN ID.
By default, the value for both is 0. A VRF ID of 0 means that all routes belong to the same (default) routing table. A VLAN ID of 0 means that there is no VLAN tagging.
For example:
When traffic reaches the firewall with a VLAN tag of 10, the firewall can process it further only if the VLAN ID of the interface is configured as 10.
This is how the segmentation of the network is achieved.
When the VRF ID is also set to 10, the traffic would not be routed further, as it no longer belongs to the same routing table as the other interfaces. However, in the output of 'get router info routing-table details <IP address>', the route would still be added.
This leads to a scenario where the route is updated, yet the firewall is unable to forward the traffic.
From the above image, it can be observed that the route created for the subnet 192.168.100.0/24 belongs to a different routing table.
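As an added example (not from the original article), the FortiOS CLI configuration for a tagged sub-interface that matches the scenario above, with the working and the non-working VRF setting side by side. The names vlan10 and port1 and the address 192.168.100.1/24 are assumed values; only the `set vrf` line differs between the two variants.

```text
# Added example (assumed names/addresses): VLAN 10 sub-interface on port1.
# vlanid 10 matches the 802.1Q tag on incoming frames; vrf 0 keeps the
# interface in the default routing table shared with the other interfaces.
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 10
        set vrf 0
    next
end

# Mismatch described above: same VLAN tag, but the interface is moved into
# VRF 10. Its connected route 192.168.100.0/24 is installed in the VRF 10
# table, so it still appears in the routing-table output, while interfaces
# and routes in VRF 0 cannot use it to forward traffic.
config system interface
    edit "vlan10"
        set vlanid 10
        set vrf 10
    next
end

# Verification: check which VRF the route is listed under and compare it
# with the VRF of the interface that must forward the traffic.
get router info routing-table details 192.168.100.0
get router info routing-table all
show system interface vlan10
```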
Copyright 2025 Fortinet, Inc. All Rights Reserved.