FortiLink Guide

Blocking intra-VLAN traffic

If you are blocking intra-VLAN traffic on a FortiGate device for a packet whose ingress and egress are on the same interface, you must disable allow-traffic-redirect (set allow-traffic-redirect disable under config system global) before blocking intra-VLAN traffic. For example:

    config system global
        set allow-traffic-redirect disable
    end

You can block intra-VLAN traffic by aggregating all client traffic through the FortiGate unit alone. This prevents clients from seeing each other's traffic directly at layer 2 within the VLAN: clients can communicate only with the FortiGate unit. After client traffic reaches the FortiGate unit, the FortiGate unit can decide what level of access to grant the client, shifting the client to another VLAN as appropriate, provided that a firewall policy allows it and proxy ARP is enabled.

Setting switch-controller-access-vlan to enable allows traffic only to and from the FortiGate and blocks FortiSwitch port-to-port traffic on the specified VLAN. Setting it to disable allows normal traffic on the specified VLAN.

Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, you can allow or block intra-VLAN traffic on the managed FortiSwitch units when the connection to the FortiGate device is lost.

To block intra-VLAN traffic using the FortiGate GUI:
  1. Go to Network > Interfaces.
  2. Select the interface and then select Edit.
  3. In the Edit Interface form, enable Block intra-VLAN traffic under Network.

To block intra-VLAN traffic using the FortiGate CLI:

    config system interface
        edit <VLAN name>
            set switch-controller-access-vlan {enable | disable}
        next
    end

NOTE:
  • IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.
  • Intra-VLAN traffic blocking is not supported when the FortiLink interface type is hardware switch or software switch.
  • When intra-VLAN traffic blocking is enabled, to allow traffic between hosts, you need to configure proxy ARP with the config system proxy-arp CLI command and configure a firewall policy. For example:

        config system proxy-arp
            edit 1
                set interface "V100"
                set ip 1.1.1.1
                set end-ip 1.1.1.200
            next
        end

        config firewall policy
            edit 4
                set name "Allow intra-VLAN traffic"
                set srcintf "V100"
                set dstintf "V100"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end

To allow or block intra-VLAN traffic when the connection to the FortiGate device is lost:

    config switch-controller fortilink-settings
        edit "<FortiLink_interface>"
            set access-vlan-mode {legacy | fail-open | fail-close}
        next
    end

Option      Description
legacy      This is the default, which is backward compatible with 7.4.1 and earlier.
fail-open   When the connection to the FortiGate device is lost, intra-VLAN traffic on the managed FortiSwitch units is allowed.
fail-close  When the connection to the FortiGate device is lost, intra-VLAN traffic on the managed FortiSwitch units is blocked.
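The steps above (disable allow-traffic-redirect first, enable switch-controller-access-vlan on the VLAN, add the proxy-ARP range and the same-interface firewall policy, then choose the access-vlan-mode fallback) are easy to apply out of order or with a setting the guide says is unsupported. The following script is an added example, not Fortinet code: it renders the complete FortiOS CLI for one VLAN in the order the guide requires and refuses inputs the guide rules out (an IPv6 proxy-ARP range, or a FortiLink interface of type hardware switch or software switch). The CLI keywords are the ones shown on this page; the function names, the fortilink_type argument and the choice of fail-close as the example's own default are assumptions of this example.

```python
"""Render the FortiOS CLI that blocks intra-VLAN traffic on a FortiLink-managed VLAN.

Added example (not Fortinet's code). The CLI keywords emitted are taken from the
FortiLink guide; the helper names and the fortilink_type check are this example's own.
"""
import ipaddress
from typing import List, Optional, Tuple

ACCESS_VLAN_MODES = ("legacy", "fail-open", "fail-close")
# The guide states blocking is not supported on these FortiLink interface types.
UNSUPPORTED_FORTILINK_TYPES = ("hardware switch", "software switch")


def proxy_arp_range(start_ip: str, end_ip: str) -> Tuple[str, str]:
    """Validate the host range proxy ARP will answer for and return it.

    The guide states IPv6 is not supported between clients when blocking is
    enabled, so only IPv4 is accepted, and the range must satisfy ip <= end-ip.
    """
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    if start.version != 4 or end.version != 4:
        raise ValueError("proxy-arp range must be IPv4: IPv6 between clients is unsupported")
    if int(end) < int(start):
        raise ValueError(f"end-ip {end} precedes ip {start}")
    return str(start), str(end)


def _block(path: str, entry: Optional[str], settings: List[Tuple[str, str]]) -> str:
    """Render one 'config ... end' block, with an optional 'edit ... next' entry."""
    lines = [f"config {path}"]
    indent = "    "
    if entry is not None:
        lines.append(f"{indent}edit {entry}")
        indent = "        "
    for key, value in settings:
        lines.append(f"{indent}set {key} {value}")
    if entry is not None:
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


def render_intra_vlan_block(vlan: str, fortilink_iface: str, fortilink_type: str,
                            start_ip: str, end_ip: str, policy_id: int = 4,
                            proxy_arp_id: int = 1, mode: str = "fail-close") -> str:
    """Return the full CLI, in the order the guide requires.

    mode defaults to fail-close here (the guide's own default is legacy) so that
    port-to-port traffic stays blocked if the FortiGate becomes unreachable.
    """
    if fortilink_type.lower() in UNSUPPORTED_FORTILINK_TYPES:
        raise ValueError(f"intra-VLAN blocking is not supported on a {fortilink_type} FortiLink interface")
    if mode not in ACCESS_VLAN_MODES:
        raise ValueError(f"access-vlan-mode must be one of {ACCESS_VLAN_MODES}")
    start, end = proxy_arp_range(start_ip, end_ip)

    def q(s: str) -> str:
        return f'"{s}"'

    blocks = [
        # 1. Must precede the blocking setting when ingress and egress share an interface.
        _block("system global", None, [("allow-traffic-redirect", "disable")]),
        # 2. Block FortiSwitch port-to-port traffic on the VLAN.
        _block("system interface", q(vlan), [("switch-controller-access-vlan", "enable")]),
        # 3. Proxy ARP so the FortiGate answers for the client range.
        _block("system proxy-arp", str(proxy_arp_id),
               [("interface", q(vlan)), ("ip", start), ("end-ip", end)]),
        # 4. Same-interface policy that permits the hairpinned host-to-host traffic.
        _block("firewall policy", str(policy_id), [
            ("name", q("Allow intra-VLAN traffic")),
            ("srcintf", q(vlan)), ("dstintf", q(vlan)),
            ("srcaddr", q("all")), ("dstaddr", q("all")),
            ("action", "accept"), ("schedule", q("always")), ("service", q("ALL")),
        ]),
        # 5. Behaviour of the managed FortiSwitch units when the FortiGate link is lost.
        _block("switch-controller fortilink-settings", q(fortilink_iface),
               [("access-vlan-mode", mode)]),
    ]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Constructed sample values mirroring the guide's V100 / 1.1.1.1-1.1.1.200 example.
    print(render_intra_vlan_block("V100", "fortilink", "aggregate", "1.1.1.1", "1.1.1.200"))
```

The rendered text is meant to be reviewed and pasted into the FortiGate CLI; the only FortiLink interface types rejected are the two the guide names as unsupported, so any other value (the "aggregate" in the sample call) passes through unchecked.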
