Host isolation?

Forum|Forum|6 years ago
June 7, 2019
2 replies
9006 views

Can you block intra subnet traffic with a fortiswitch, similar to how you can block intra subnet/ssid traffic with a fortiap? I'm setting up a network for iot devices, I dont want them to talk to each other and would rather not have to setup a /30 for each device. Thanks in advance

tanr

New Member

I think you want private vlans, which Fortinet calls access vlans. See https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-managing-fortiswitch/GlobalCLIconfig.htm for details.

The medium and higher level FortiSwitches support this, but I don't think the 1xxD or 1xxE switches do.

userzer0Author

Explorer

Thanks for the info! I think the switch I'm using is a 108-fpoe, so it sounds like that isn't an option. Bit of a tangent, but if I may ask... are the terms native and allowed vlan similar to untagged and tagged vlans? I haven't been able to find a description of either.

tanr

New Member

Native vlan is the vlan that an untagged frame gets assigned by default.

Allowed is (usually) other vlan IDs that are allowed on that port.

If you're working with FortiGate managed switches using 3.6.x firmware you can't force tagged or untagged frames on a port from the GUI or even the FortiGate's CLI. You can ssh to the switch, though, and set it for a specific port, by setting discard-mode to all-tagged or all-untagged.

If you're running a FortiGate on 6.0.x and a managed FortiSwitch on 6.0.x you can set the same thing, just from the config switch-controller managed-switch section.

BTW, I'd recommend you don't use and don't delete vlan1. IIRC, it may be used by the FortiSwitch.

ebilcari

Staff

If the switch is managed by FGT in Fortilink mode you can use it the same way like for FortiAPs, it's called Block intra-VLAN traffic and is applied at VLAN configuration level

intra vlan.PNG

Emirjon

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded