ehamud
Staff
May 29, 2026

Technical Tip: Configuring Access VLANs with switch-controller mode

Description

This article describes how to implement Access VLANs in FortiOS to prevent intra-VLAN traffic.

Scope

FortiSwitch.

Solution

In standard networking, devices residing within the same Virtual Local Area Network (VLAN) can communicate directly with one another at Layer 2 without involving a gateway. While this default behavior is convenient, it poses significant security risks in modern enterprise networks. If a single host is compromised, lateral movement and malware propagation can easily occur across the entire subnet.

To mitigate these internal threats, Access VLANs can be used. They provide the following advantages:

  1. Devices can communicate only with the FortiGate.

  2. They can be used to isolate devices before authentication or detection has completed.

The feature is controlled by the following FortiGate CLI setting (enabled by default on the quarantine and onboarding VLANs):


config system interface
    edit <vlan-interface-name>
        set switch-controller-access-vlan enable | disable
    next
end
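As an added audit check (not part of this article and not a Fortinet tool), the following Python script reads an exported FortiOS configuration and lists the VLAN interfaces on which switch-controller-access-vlan is not enabled, i.e. where intra-VLAN traffic is still permitted. The configuration text below is constructed for the example; a missing setting is treated as not enabled because FortiOS backups normally omit values that are at their default.

```python
# Constructed sample FortiOS "config system interface" block (not from a real device)
SAMPLE_CONFIG = """\
config system interface
    edit "quarantine"
        set ip 10.255.1.1 255.255.255.0
        set interface "fortilink"
        set vlanid 4093
        set switch-controller-access-vlan enable
    next
    edit "guest"
        set ip 10.10.100.1 255.255.255.0
        set interface "fortilink"
        set vlanid 100
        set switch-controller-access-vlan disable
    next
    edit "iot"
        set interface "fortilink"
        set vlanid 200
    next
end
"""

def parse_interfaces(config_text):
    """Return {name: {key: value}} for every 'edit' entry under 'config system interface'."""
    interfaces, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            interfaces[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            break
    return interfaces

def vlans_without_access_vlan(config_text):
    """VLAN interfaces (entries carrying a vlanid) whose access-VLAN setting is not 'enable'.
    A missing key counts as not enabled: FortiOS backups normally omit default values."""
    return [name for name, attrs in parse_interfaces(config_text).items()
            if "vlanid" in attrs and attrs.get("switch-controller-access-vlan") != "enable"]

if __name__ == "__main__":
    print("Intra-VLAN traffic still permitted on:", vlans_without_access_vlan(SAMPLE_CONFIG))
```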

