Blocking intra-VLAN traffic

You can block intra-VLAN traffic by aggregating all client traffic on the FortiGate unit alone. This removes direct client-to-client visibility at layer 2 within the VLAN: clients can communicate only with the FortiGate. Once client traffic reaches the FortiGate, the FortiGate decides what level of access to grant by shifting the client's network VLAN as appropriate, provided a firewall policy allows it and proxy ARP is enabled.

Set switch-controller-access-vlan to enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Set it to disable to allow normal traffic on the specified VLAN.

Using the FortiGate GUI
  1. Go to Network > Interfaces.
  2. Select the interface and then select Edit.
  3. In the Edit Interface form, enable Block intra-VLAN traffic under Network.

Using the FortiGate CLI

config system interface
    edit <VLAN name>
        set switch-controller-access-vlan {enable | disable}
    next
end

NOTE:

  • IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.
  • Intra-VLAN traffic blocking is not supported when the FortiLink interface type is hardware switch or software switch.
  • When intra-VLAN traffic blocking is enabled, hosts on the VLAN cannot reach each other until you configure proxy ARP for the VLAN interface with the config system proxy-arp CLI command and add a firewall policy whose source and destination interface are both that VLAN. For example:

    config system proxy-arp
        edit 1
            set interface "V100"
            set ip 1.1.1.1
            set end-ip 1.1.1.200
        next
    end

    config firewall policy
        edit 4
            set name "Allow intra-VLAN traffic"
            set srcintf "V100"
            set dstintf "V100"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
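Because a VLAN with switch-controller-access-vlan enabled silently isolates every host until both the proxy-arp entry and the same-interface policy exist, it is worth auditing a configuration backup for VLANs where only part of that trio is present. The following script is an added example, not Fortinet code: it parses the three tables shown above from a constructed FortiOS-style config text (the sample is made up here, not taken from a device) and reports, per blocked VLAN, what is still missing.

```python
import shlex

# Constructed sample (not from a real device): V100 is fully wired, V200 has blocking on but no proxy ARP or policy.
SAMPLE_CONFIG = """
config system interface
    edit "V100"
        set switch-controller-access-vlan enable
    next
    edit "V200"
        set switch-controller-access-vlan enable
    next
end
config system proxy-arp
    edit 1
        set interface "V100"
        set ip 1.1.1.1
        set end-ip 1.1.1.200
    next
end
config firewall policy
    edit 4
        set srcintf "V100"
        set dstintf "V100"
        set action accept
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set lines into {section: {id: {key: [values]}}}; top-level tables only."""
    sections, section, entry = {}, None, None
    for t in filter(None, map(shlex.split, text.splitlines())):  # shlex strips the quotes around names
        if t[0] == "config":
            section = sections.setdefault(" ".join(t[1:]), {})
        elif t[0] == "edit":
            entry = section.setdefault(t[1], {})
        elif t[0] == "set":
            entry[t[1]] = t[2:]
    return sections

def audit_blocked_vlans(text):
    """Per VLAN with blocking enabled: list what host-to-host traffic still lacks ([] = fully wired)."""
    cfg = parse_fortios(text)
    arp = {e.get("interface", [""])[0] for e in cfg.get("system proxy-arp", {}).values()}
    pol = {p["srcintf"][0] for p in cfg.get("firewall policy", {}).values()
           if p.get("action") == ["accept"] and p.get("srcintf") and p["srcintf"] == p.get("dstintf")}
    return {name: [m for m, ok in (("proxy-arp", name in arp), ("policy", name in pol)) if not ok]
            for name, i in cfg.get("system interface", {}).items()
            if i.get("switch-controller-access-vlan") == ["enable"]}
```

Run against the sample, V100 reports an empty list and V200 reports both the proxy-arp entry and the policy as missing.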
