FortiGate
amalsky
Staff
Article Id 389505
Description

This article describes how to block intra-VLAN traffic between devices connected to the same VLAN using a FortiSwitch feature managed by FortiGate. It also compares this native capability with traditional switches, such as Cisco, HP, and Dell, which do not support intra-VLAN blocking by default, and outlines workarounds to achieve similar security outcomes.
Scope

FortiGate v7.2.x, v7.4.x, v7.6.x and FortiSwitch v7.0.x, v7.2.x, v7.4.x, v7.6.x.

Solution

In some network environments, it is necessary to restrict communication between devices within the same VLAN for security or compliance reasons. FortiSwitch introduces a feature that allows administrators to block intra-VLAN traffic easily.

In the example setup:

  • Windows 10 w/Edge-1 (Windows 10 client) and PC1 are both connected to VLAN 10 (named user_vlan10).
  • VLAN 10 is assigned the IP subnet 192.168.10.0/24.
  • The default gateway for VLAN 10 is 192.168.10.1, which is configured on the FortiGate.

Network Topology:

[Figure: topology of the FortiGate and FortiSwitch setup, from image "topology Fgt andFsw.JPG"]

Diagram Details:

  • FortiGate connects to a FortiSwitch over Ports 3 and 4.
  • FortiSwitch provides Layer 2 connectivity.
  • Windows10w/Edge-1 connects via NIC1 using 192.168.10.2.
  • PC1 connects via the e0 interface and is assigned 192.168.10.3.
  • FortiGate is connected to the internet over Port 1.

In this topology, blocking intra-VLAN traffic ensures that Windows 10 and PC1 cannot communicate directly at the Layer 2 level, even though they are in the same VLAN and subnet.

Configuration Steps:

Using FortiLink (managed by FortiGate):

[Figure: FortiSwitch VLAN settings dialog showing the Block intra-VLAN traffic option, from image "block intravlansettings.PNG"]

Log in to the FortiGate:

  • Navigate to WiFi & Switch Controller -> FortiSwitch VLANs.
  • Edit or create the VLAN interface.
  • Enable the Block intra-VLAN traffic option under the previously created VLAN.
  • Apply and save the changes.

This setting creates implicit ACL rules on the switch to deny Layer 2 communication between ports assigned to the same VLAN.

The same setting can be applied from the CLI with the following commands:

config switch vlan
    edit user_vlan10
        set block-intra-vlan-traffic enable
    next
end

Before the setting is enabled, pinging between the two hosts in the same VLAN:

[Figure: ping output with intra-VLAN blocking not enabled, from image "intravlan blocking not enabled.PNG"]

After the Block intra-VLAN traffic setting is enabled:

[Figure: ping output with intra-VLAN blocking enabled, from image "intravlan blocking enabled.PNG"]

Testing and Behaviour:

  • Ping between devices fails.
  • Devices retain Internet access and reachability to the FortiGate.
  • Broadcast traffic (e.g., ARP, DHCP) may still be permitted.

Limitations and Important Considerations:

  • ARP is still allowed: Devices can discover each other’s MAC addresses via ARP broadcasts. This is necessary for basic networking, but it means some visibility remains.
  • DHCP is still allowed: Devices must be able to broadcast DHCP Discover packets to obtain IP addresses.

This is not complete Layer 2 isolation unless it is combined with DHCP snooping, Dynamic ARP Inspection (DAI), or private VLANs.

IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.

Communication routed through the FortiGate (inter-VLAN or Layer 3 routed traffic) is still allowed, by configuring the following:

1. Enable the FortiGate to respond to ARP requests on behalf of the hosts via the proxy-ARP function:

config system proxy-arp
    edit 1
        set interface port1
        set ip <Initial IP address>
        set end-ip <Last IP address>
    next
end

2. Regular firewall policies with the same interface as source and destination (for example, user_vlan10 as both the source and the destination interface).
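To check the two pieces of configuration above across many VLANs and proxy-ARP entries, here is an added Python example (not from the article and not Fortinet code) that parses Fortinet-style config/edit/set/next/end text and reports VLANs whose block-intra-vlan-traffic is not enabled, and whether a host address falls inside a proxy-ARP range. The sample config is constructed to mirror the fragments above (user_vlan20 and the 192.168.10.2 to 192.168.10.10 range are invented to exercise the checks); the function names are assumptions.

```python
import ipaddress

# Constructed sample modelled on the article's fragments: a FortiSwitch
# 'config switch vlan' block and a FortiGate 'config system proxy-arp' block.
# user_vlan20 and the proxy-ARP range are invented to exercise the checks.
SAMPLE_CONFIG = """
config switch vlan
    edit user_vlan10
        set block-intra-vlan-traffic enable
    next
    edit user_vlan20
        set block-intra-vlan-traffic disable
    next
end
config system proxy-arp
    edit 1
        set interface port1
        set ip 192.168.10.2
        set end-ip 192.168.10.10
    next
end
"""


def parse_fortinet_cli(text):
    """Parse config/edit/set/next/end text into {table: {entry: {key: value}}}.

    Nested 'config' blocks are stored as their own top-level tables, which is
    enough for this audit. Malformed nesting raises ValueError.
    """
    tables = {}
    stack = []                      # saved (table, entry) per enclosing 'config'
    table, entry = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "config":
            stack.append((table, entry))
            table = tables.setdefault(" ".join(tok[1:]), {})
            entry = None
        elif tok[0] == "edit":
            if table is None:
                raise ValueError(f"'edit' outside a config block: {line}")
            entry = " ".join(tok[1:]).strip('"')
            table.setdefault(entry, {})
        elif tok[0] == "set":
            if entry is None:
                raise ValueError(f"'set' outside an edit block: {line}")
            table[entry][tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            if not stack:
                raise ValueError("'end' without a matching 'config'")
            table, entry = stack.pop()
        else:
            raise ValueError(f"unrecognised line: {line}")
    if stack:
        raise ValueError("unterminated config block")
    return tables


def vlans_without_intra_vlan_blocking(tables):
    """Names of VLANs whose block-intra-vlan-traffic is anything but 'enable'."""
    vlans = tables.get("switch vlan", {})
    return sorted(name for name, settings in vlans.items()
                  if settings.get("block-intra-vlan-traffic") != "enable")


def proxy_arp_covers(tables, host_ip):
    """True if some proxy-ARP entry's ip..end-ip range contains host_ip."""
    ip = ipaddress.ip_address(host_ip)
    for settings in tables.get("system proxy-arp", {}).values():
        if "ip" not in settings:
            continue
        start = ipaddress.ip_address(settings["ip"])
        end = ipaddress.ip_address(settings.get("end-ip", settings["ip"]))
        if start <= ip <= end:
            return True
    return False


if __name__ == "__main__":
    cfg = parse_fortinet_cli(SAMPLE_CONFIG)
    print("VLANs without intra-VLAN blocking:", vlans_without_intra_vlan_blocking(cfg))
    for host in ("192.168.10.2", "192.168.10.3", "192.168.10.50"):
        print(host, "covered by proxy-ARP:", proxy_arp_covers(cfg, host))
```

On the constructed sample the audit flags user_vlan20 and shows that 192.168.10.3 (PC1 in the topology above) is inside the proxy-ARP range while 192.168.10.50 is not; feed it a real `show` export to run the same two checks across every VLAN and proxy-ARP entry.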

 

Comparison: FortiSwitch vs Traditional Access Switches

Feature               FortiSwitch             Cisco/HP/Dell (Traditional)
Intra-VLAN Blocking   One-click enable        Not supported natively
Central Management    Via FortiGate           Separate switch CLI/GUI
L2 Isolation          Simple and effective    Requires workarounds

Workarounds for Non-FortiSwitch Networks:

When using Cisco, HP, or Dell switches that lack intra-VLAN blocking, with the FortiGate still used as the firewall, consider these alternatives:

  • Private VLANs (PVLAN).
  • Micro-VLANs (per-device VLANs).
  • ACLs on the switch.
  • 802.1X with dynamic VLAN assignment.

Each of these features has a vendor-specific implementation and slight variations in configuration.

E.g., a quick outline of the steps required to build private VLANs on a generic Cisco IOS switch:

  1. Set the switch to VTP transparent mode. Private VLANs require VTP transparent mode.

SWX(config)# vtp mode transparent

  2. Create VLANs and define the PVLAN roles:

SWX(config)# vlan 10
SWX(config-vlan)# private-vlan primary

SWX(config)# vlan 20
SWX(config-vlan)# private-vlan community

SWX(config)# vlan 30
SWX(config-vlan)# private-vlan isolated

  3. Associate the secondary VLANs with the primary VLAN:

SWX(config)# vlan 10
SWX(config-vlan)# private-vlan association 20,30

  4. Configure host ports for the community and isolated VLANs:

Community VLAN (VLAN 20) – ports Fa0/1 and Fa0/2:

SWX(config)# interface range fa0/1 - 2
SWX(config-if-range)# switchport mode private-vlan host
SWX(config-if-range)# switchport private-vlan host-association 10 20

Isolated VLAN (VLAN 30) – ports Fa0/3 and Fa0/4:

SWX(config)# interface range fa0/3 - 4
SWX(config-if-range)# switchport mode private-vlan host
SWX(config-if-range)# switchport private-vlan host-association 10 30

  5. Configure the promiscuous port (e.g., the uplink to the FortiGate):

SWX(config)# interface fa0/24
SWX(config-if)# switchport mode private-vlan promiscuous
SWX(config-if)# switchport private-vlan mapping 10 20,30
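To see what the five steps above actually permit before touching a switch, here is an added Python model (not from the article, Cisco or Fortinet) that encodes the private VLAN forwarding rules for the roles and port assignments in the outline and computes which port pairs can exchange frames directly. The port table and the function names are assumptions built from the outline, not a real switch export.

```python
from itertools import combinations

# Role of each secondary VLAN inside primary VLAN 10, as set in the outline.
SECONDARY_ROLE = {20: "community", 30: "isolated"}

# Port table built from the outline (an assumption, not a switch export):
# host ports carry one secondary VLAN; the promiscuous port lists the
# secondary VLANs it is mapped to ('switchport private-vlan mapping 10 20,30').
PORTS = {
    "Fa0/1": ("host", 20),
    "Fa0/2": ("host", 20),
    "Fa0/3": ("host", 30),
    "Fa0/4": ("host", 30),
    "Fa0/24": ("promiscuous", {20, 30}),   # uplink to the FortiGate
}


def can_forward(port_a, port_b, ports=PORTS, roles=SECONDARY_ROLE):
    """True if the switch may forward a frame directly between the two ports.

    PVLAN rules: promiscuous ports talk to every secondary VLAN they map;
    community hosts talk to each other within the same community VLAN and to
    promiscuous ports; isolated hosts talk only to promiscuous ports.
    """
    if port_a == port_b:
        return False
    mode_a, vlan_a = ports[port_a]
    mode_b, vlan_b = ports[port_b]
    if mode_a == "promiscuous" and mode_b == "promiscuous":
        return True
    if mode_a == "promiscuous":
        return vlan_b in vlan_a        # host's secondary VLAN must be mapped
    if mode_b == "promiscuous":
        return vlan_a in vlan_b
    if vlan_a != vlan_b:
        return False                   # different secondary VLANs never talk directly
    return roles[vlan_a] == "community"


def reachable_pairs(ports=PORTS, roles=SECONDARY_ROLE):
    """Unordered port pairs that can communicate at Layer 2."""
    return {frozenset((a, b)) for a, b in combinations(ports, 2)
            if can_forward(a, b, ports, roles)}


def host_peers(port, ports=PORTS, roles=SECONDARY_ROLE):
    """Host ports (excluding promiscuous ones) that can reach the given port directly."""
    return sorted(p for p, (mode, _) in ports.items()
                  if mode == "host" and can_forward(port, p, ports, roles))


if __name__ == "__main__":
    flat_vlan_pairs = len(list(combinations(PORTS, 2)))   # one flat VLAN: every pair talks
    pvlan_pairs = reachable_pairs()
    print(f"flat VLAN: {flat_vlan_pairs} port pairs can talk; PVLAN: {len(pvlan_pairs)}")
    for port in PORTS:
        print(f"{port}: host ports reachable directly -> {host_peers(port) or 'none'}")
```

With the outline's assignments the flat VLAN allows all 10 port pairs to talk, while the PVLAN allows 5: Fa0/1 with Fa0/2 (community), and each host port with the promiscuous uplink. The isolated VLAN 30 therefore gives the same outcome as the FortiSwitch Block intra-VLAN traffic setting: hosts reach only the gateway, so any host-to-host traffic has to be routed through the FortiGate, as described above.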

 

 

Conclusion:

FortiSwitch offers powerful native capabilities to segment traffic within the same VLAN, something not possible by default on most enterprise access switches. Equivalent behaviour can be achieved without FortiSwitch and FortiGate integration, but with greater complexity and risk.

 

For compliance-driven environments, FortiSwitch and FortiGate remain the most scalable, manageable, and secure solutions for intra-VLAN isolation.