
FortiLink Guide

Blocking intra-VLAN traffic

If you are blocking intra-VLAN traffic on a FortiGate device for a packet whose ingress and egress are on the same interface, you must disable the allow-traffic-redirect setting before blocking intra-VLAN traffic. For example:

    config system global
        set allow-traffic-redirect disable
    end

You can block intra-VLAN traffic by aggregating all traffic on the FortiGate unit alone. This prevents clients from seeing each other's traffic directly at layer 2 within the VLAN: clients can communicate only with the FortiGate unit. After client traffic reaches the FortiGate unit, the FortiGate unit can decide what level of access to grant by shifting the client's network VLAN as appropriate, provided a firewall policy allows it and proxy ARP is enabled.

Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.

Using the FortiGate GUI
  1. Go to Network > Interfaces.
  2. Select the interface and then select Edit.
  3. In the Edit Interface form, enable Block intra-VLAN traffic under Network.

Using the FortiGate CLI

    config system interface
        edit <VLAN name>
            set switch-controller-access-vlan {enable | disable}
        next
    end

NOTE:

  • IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.
  • Intra-VLAN traffic blocking is not supported when the FortiLink interface type is hardware switch or software switch.
  • When intra-VLAN traffic blocking is enabled, to allow traffic between hosts, you need to configure proxy ARP with the config system proxy-arp CLI command and configure a firewall policy. For example:

        config system proxy-arp
            edit 1
                set interface "V100"
                set ip 1.1.1.1
                set end-ip 1.1.1.200
            next
        end

        config firewall policy
            edit 4
                set name "Allow intra-VLAN traffic"
                set srcintf "V100"
                set dstintf "V100"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
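The page lists three things that must be in place for a VLAN with intra-VLAN blocking enabled: allow-traffic-redirect disabled under config system global, a config system proxy-arp entry for the VLAN interface, and a firewall policy whose srcintf and dstintf are both that VLAN. The following script is an added example, not Fortinet tooling, that parses a FortiOS CLI snippet (the config / edit / set / next / end structure shown above) and reports which of those prerequisites are missing per VLAN. The configuration text it audits is constructed for the example; the interface names V200 and V300 and the second-VLAN gaps are assumptions, not taken from the page.

```python
"""Audit a FortiOS CLI snippet for the intra-VLAN blocking prerequisites.

Added example (not Fortinet's code). For each VLAN interface with
`switch-controller-access-vlan enable`, it checks that:
  * `allow-traffic-redirect` is disabled under `config system global`
  * a `config system proxy-arp` entry exists for that interface
  * an accept policy exists with srcintf and dstintf both set to the VLAN
"""
import shlex
from collections import defaultdict


def parse_fortios(text):
    """Parse FortiOS CLI text into {section: {entry_id: {key: value}}}.

    Settings of a section that has no `edit` blocks (such as `system global`)
    are stored under entry_id None. A `set` with several values becomes a tuple.
    Nested `config` blocks inside an `edit` are treated as separate sections
    (sufficient for the snippets on this page).
    """
    tree = defaultdict(dict)
    section_stack = []  # names of the enclosing `config` blocks
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the "quoted names" FortiOS uses
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            section_stack.append(" ".join(args))
            entry = None
        elif cmd == "edit":
            entry = args[0]
            tree[section_stack[-1]].setdefault(entry, {})
        elif cmd == "set":
            value = args[1] if len(args) == 2 else tuple(args[1:])
            tree[section_stack[-1]].setdefault(entry, {})[args[0]] = value
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section_stack.pop()
            entry = None
    return dict(tree)


def audit_intra_vlan_blocking(config_text):
    """Return {vlan_name: [finding, ...]} for every VLAN with blocking enabled.

    An empty list means all prerequisites listed on the page are present.
    """
    cfg = parse_fortios(config_text)
    global_settings = cfg.get("system global", {}).get(None, {})
    proxy_arp_ifaces = {e.get("interface") for e in cfg.get("system proxy-arp", {}).values()}
    policies = list(cfg.get("firewall policy", {}).values())
    findings = {}
    for name, iface in cfg.get("system interface", {}).items():
        if iface.get("switch-controller-access-vlan") != "enable":
            continue  # intra-VLAN blocking not enabled on this VLAN; nothing to check
        problems = []
        if global_settings.get("allow-traffic-redirect") != "disable":
            problems.append("allow-traffic-redirect is not disabled under config system global")
        if name not in proxy_arp_ifaces:
            problems.append(f"no config system proxy-arp entry for interface {name}")
        if not any(p.get("srcintf") == name and p.get("dstintf") == name
                   and p.get("action") == "accept" for p in policies):
            problems.append(f"no accept policy with srcintf and dstintf both {name}")
        findings[name] = problems
    return findings


# Constructed sample: V100 is fully configured as on the page; V200 (assumed
# name) has blocking enabled but no proxy ARP entry and no policy; V300 is a
# VLAN without blocking and must be ignored by the audit.
SAMPLE_CONFIG = """
config system global
    set allow-traffic-redirect disable
end
config system interface
    edit "V100"
        set switch-controller-access-vlan enable
    next
    edit "V200"
        set switch-controller-access-vlan enable
    next
    edit "V300"
        set switch-controller-access-vlan disable
    next
end
config system proxy-arp
    edit 1
        set interface "V100"
        set ip 1.1.1.1
        set end-ip 1.1.1.200
    next
end
config firewall policy
    edit 4
        set name "Allow intra-VLAN traffic"
        set srcintf "V100"
        set dstintf "V100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

if __name__ == "__main__":
    for vlan, problems in audit_intra_vlan_blocking(SAMPLE_CONFIG).items():
        print(vlan, "OK" if not problems else "; ".join(problems))
```

Running it on the sample reports V100 as OK and lists the two missing prerequisites for V200; V300 is not reported because blocking is disabled there. To audit a real unit, paste the output of the relevant show commands into the config_text argument; the parser only needs the sections named in the script.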
