Blocking intra-VLAN traffic
When you block intra-VLAN traffic on a FortiGate device, the traffic you are controlling has its ingress and egress on the same interface, so you must disable the allow-traffic-redirect option:
config system global
set allow-traffic-redirect disable
end
You can block intra-VLAN traffic by forcing all client traffic to aggregate at the FortiGate unit. This removes direct client-to-client visibility at layer 2 within the VLAN: clients can only communicate with the FortiGate unit. Once client traffic reaches the FortiGate unit, the FortiGate unit decides what level of access to grant, shifting the client's network VLAN as appropriate, provided a firewall policy allows it and proxy ARP is enabled.
Use set switch-controller-access-vlan enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use set switch-controller-access-vlan disable to allow normal traffic on the specified VLAN.
Using the FortiGate GUI
- Go to Network > Interfaces.
- Select the interface and then select Edit.
- In the Edit Interface form, enable Block intra-VLAN traffic under Network.
Using the FortiGate CLI
config system interface
edit <VLAN name>
set switch-controller-access-vlan {enable | disable}
next
end
NOTE:
- IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.
- Intra-VLAN traffic blocking is not supported when the FortiLink interface type is hardware switch or software switch.
- When intra-VLAN traffic blocking is enabled, host-to-host traffic is dropped unless you allow it explicitly. To allow traffic between hosts, configure proxy ARP for the hosts' address range with the config system proxy-arp CLI command and add a firewall policy whose source and destination interface are both the VLAN. For example:
config system proxy-arp
edit 1
set interface "V100"
set ip 1.1.1.1
set end-ip 1.1.1.200
next
end
config firewall policy
edit 4
set name "Allow intra-VLAN traffic"
set srcintf "V100"
set dstintf "V100"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
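The proxy-ARP entry and the same-interface policy above re-open host-to-host traffic inside the VLAN, so a configuration review should confirm three things together: allow-traffic-redirect is disabled, every proxy-ARP range has a matching accept policy (and vice versa), and that policy is not an all/all/ALL rule that simply undoes the block. The following script is an added example, not Fortinet's code or a FortiOS command: it parses a FortiOS CLI export (the config/edit/set/next/end syntax shown on this page) and reports those conditions. The sample configuration embedded in it is constructed for the demonstration; the severity labels, the parse_fortios and audit_intra_vlan function names and the expected ip6-address default of ::/0 are assumptions of the example.

```python
# Added example, not Fortinet's code: audit a FortiOS CLI dump for the intra-VLAN
# blocking requirements above. SAMPLE_CONFIG is constructed, not from a real device.
import shlex
from collections import defaultdict

def parse_fortios(text):
    """Parse FortiOS CLI text into {path: {entry: {key: [values]}}}. A config nested
    inside 'edit X' gets path (..., 'X', name); 'set' outside any edit uses entry ''."""
    tables = defaultdict(dict)
    stack = []  # frames of [path, current entry or None]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words or words[0].startswith("#"):
            continue
        kw = words[0]
        if kw == "config":
            path, entry = stack[-1] if stack else ((), None)
            prefix = path + (() if entry is None else (entry,))
            stack.append([prefix + tuple(words[1:]), None])
            tables[stack[-1][0]]  # create the table even if it stays empty
        elif kw == "edit":
            stack[-1][1] = words[1]
            tables[stack[-1][0]].setdefault(words[1], {})
        elif kw == "set":
            path, entry = stack[-1]
            tables[path].setdefault("" if entry is None else entry, {})[words[1]] = words[2:]
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()  # unset/append/etc. are ignored; this audit does not need them
    return dict(tables)

def first(attrs, key, default=None):
    vals = attrs.get(key)
    return vals[0] if vals else default

def audit_intra_vlan(cfg):
    """Return (severity, interface, message) for each interface with blocking enabled."""
    out = []
    glob = cfg.get(("system", "global"), {}).get("", {})
    proxy_arp = cfg.get(("system", "proxy-arp"), {}).values()
    policies = cfg.get(("firewall", "policy"), {})
    for name, attrs in cfg.get(("system", "interface"), {}).items():
        if first(attrs, "switch-controller-access-vlan", "disable") != "enable":
            continue
        if first(glob, "allow-traffic-redirect", "enable") != "disable":
            out.append(("high", name, "allow-traffic-redirect is not disabled in config system global"))
        # proxy-arp ranges and accept policies that re-enable host-to-host traffic on this VLAN
        ranges = [(first(e, "ip"), first(e, "end-ip", first(e, "ip")))
                  for e in proxy_arp if first(e, "interface") == name]
        intra = {pid: p for pid, p in policies.items()
                 if name in p.get("srcintf", []) and name in p.get("dstintf", [])
                 and first(p, "action") == "accept"}
        if ranges and not intra:
            out.append(("medium", name, f"proxy-arp covers {ranges} but no accept policy "
                        f"{name}->{name} exists, so host-to-host traffic is dropped"))
        if intra and not ranges:
            out.append(("low", name, f"policy {list(intra)} allows {name}->{name} but no "
                        "proxy-arp entry exists, so clients cannot resolve each other"))
        for pid, p in intra.items():
            if (p.get("srcaddr"), p.get("dstaddr"), p.get("service")) == (["all"], ["all"], ["ALL"]):
                out.append(("medium", name, f"policy {pid} re-allows all/all/ALL between hosts "
                            f"in {ranges}; narrow the addresses and services"))
        v6 = cfg.get(("system", "interface", name, "ipv6"), {}).get("", {})
        if first(v6, "ip6-address", "::/0") != "::/0":  # assumes ::/0 is the unset default
            out.append(("info", name, "IPv6 between clients is unsupported while blocking is on"))
    return out

SAMPLE_CONFIG = """config system global
    set allow-traffic-redirect enable
end
config system interface
    edit "V100"
        set switch-controller-access-vlan enable
        config ipv6
            set ip6-address 2001:db8:100::1/64
        end
    next
end
config system proxy-arp
    edit 1
        set interface "V100"
        set ip 1.1.1.1
        set end-ip 1.1.1.200
    next
end
config firewall policy
    edit 4
        set srcintf "V100"
        set dstintf "V100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""
```

Run it against a `show full-configuration` export instead of SAMPLE_CONFIG to review a real unit; on the sample it reports the missing allow-traffic-redirect disable as high, the all/all/ALL policy 4 as medium, and the IPv6 address as informational. Changing the proxy-ARP entry to another interface makes policy 4 an orphan (low), and disabling switch-controller-access-vlan on V100 silences every finding, which is the behaviour the notes above describe.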