Created on 12-31-2024 04:18 AM, edited on 01-08-2025 11:43 PM, by Jean-Philippe_P
This article describes the difference between the VLAN ID and the VRF ID settings when configuring a VLAN interface.
Scope: FortiGate.
The virtual routing and forwarding ID (VRF ID) isolates the traffic of a particular interface by giving it its own routing table.
This is comparable to creating a separate virtual router inside FortiOS. By default, interfaces in VRF ID=0 only communicate with other interfaces in VRF ID=0, and interfaces that belong to VRF ID=10 can only communicate with interfaces in that same VRF.
A Virtual Local Area Network ID (VLAN ID) segments a LAN into multiple broadcast domains, which allows more granular control of traffic.
When configuring a VLAN on FortiGate, there is an option to set the VRF ID as well as the VLAN ID.
By default, the value of both is 0. A VRF ID of 0 means that all routes belong to the same (default) routing table. A VLAN ID of 0 means that there is no VLAN tagging.
For example:
When traffic reaches the firewall with VLAN tag 10, the firewall will only process it further on an interface whose VLAN ID is configured as 10.
This is how the segmentation of the network is achieved.
When the VRF ID is also set to 10, the traffic will not be routed further if there is no route for the destination IP address in VRF ID=10, because routes in other VRFs do not belong to that routing table. Looking at the example below, if traffic is sourced from 192.168.100.1/24 and destined to 8.8.8.8, it will be dropped, because there is neither a default route nor a specific route for 8.8.8.8 in VRF ID=10.
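A minimal FortiOS CLI configuration for the scenario above, added here as an illustration and not taken from the article: the interface name vlan10, the upstream interface port2 and the 203.0.113.0/24 addresses are assumed, and port2 is assumed to be otherwise unused so it can be moved into VRF 10.

```fortios
# Added example (not from the original article). Everything except
# 192.168.100.1/24 is constructed: port2 / 203.0.113.0/24 is an assumed
# upstream link and "vlan10" is an assumed interface name.

# 1. VLAN interface: "set vlanid 10" selects which tagged frames the
#    interface accepts; "set vrf 10" selects which routing table is used.
config system interface
    edit "vlan10"
        set vdom "root"
        set vrf 10
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 10
    next
end

# At this point the VRF 10 table only contains the connected route
# 192.168.100.0/24, so a packet from that subnet to 8.8.8.8 matches no
# route in VRF 10 and is dropped, as described above. A default route in
# VRF 0 does not help, because it lives in a different routing table.

# 2. Fix: give VRF 10 its own egress interface and its own default route.
#    The static route has to be placed in the same VRF as its egress
#    interface, otherwise the route is not accepted.
config system interface
    edit "port2"
        set vrf 10
        set ip 203.0.113.2 255.255.255.0
    next
end
config router static
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port2"
        set vrf 10
    next
end

# 3. Verify: the routing table output is grouped per VRF. The 0.0.0.0/0
#    entry must now appear in the section for VRF=10, not only for VRF=0.
get router info routing-table all
```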
Related article:
Technical Tip: Virtual routing and forwarding ID configuration
Copyright 2025 Fortinet, Inc. All Rights Reserved.