Description
This article describes how to use the proxy-arp configuration in tandem with intra-VLAN traffic blocking on a VLAN with a subnet greater than /24.

Scope
FortiOS, FortiLink.

Solution
Network connectivity:
Intra-VLAN traffic is blocked by aggregating all client traffic at the FortiGate unit. Clients then have no direct client-to-client visibility at layer 2 within the VLAN and can communicate only with the FortiGate. After client traffic reaches the FortiGate, the unit can determine what level of access to grant the client, shifting the client's network VLAN as appropriate, provided a firewall policy allows it and proxy ARP is enabled.
To block intra-VLAN traffic using the FortiGate CLI:

```
config system interface
    edit vlan.100
        set ip 192.168.0.1 255.255.254.0
        set switch-controller-access-vlan enable    <- Default: disabled.
    next
end
```

Use 'enable' to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use 'disable' to allow normal traffic on the specified VLAN.
With intra-VLAN traffic blocking enabled, to allow traffic between hosts, proxy ARP needs to be configured along with the firewall policy. Proxy-ARP can only be configured on the CLI as seen below:
```
config system proxy-arp
    edit 1
    next
end
config firewall policy
    edit 1
        set name "Allow intra-VLAN traffic"
        set srcintf "vlan.100"
        set dstintf "vlan.100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Once 'Block intra-VLAN traffic' is enabled on a given VLAN, the maximum IP range the FortiOS-based Proxy ARP feature can proxy is 256 addresses, i.e., one /24 per table entry.
A VLAN with a subnet larger than /24 therefore needs more than one proxy-arp table entry:

```
config system interface
    edit vlan.100
        set switch-controller-access-vlan enable
        set ip 192.168.0.1 255.255.254.0    <- Larger subnet than /24
        ....
    next
end
config system proxy-arp
    edit 1
    next
    edit 2
    next
end
```
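As an added example that is not taken from the article, the following is the complete configuration for the /23 VLAN above (192.168.0.0/23 with the FortiGate at 192.168.0.1), with the proxy-arp table split into two entries so that each covers at most 256 addresses. The `interface`, `ip` and `end-ip` keys under `config system proxy-arp` are assumed from the standard FortiOS CLI syntax; they are not shown on the page.

```fortios
# Added example, not the article's own configuration.
# VLAN interface: /23 subnet with intra-VLAN (port-to-port) traffic blocked.
config system interface
    edit "vlan.100"
        set ip 192.168.0.1 255.255.254.0
        set switch-controller-access-vlan enable
    next
end
# Proxy ARP: one entry per /24 because an entry can proxy at most 256 addresses.
# Entry 1 covers the first /24 of the subnet (the FortiGate's own .0.1 is excluded).
# Entry 2 covers the second /24, up to the last usable host address.
config system proxy-arp
    edit 1
        set interface "vlan.100"
        set ip 192.168.0.2
        set end-ip 192.168.0.255
    next
    edit 2
        set interface "vlan.100"
        set ip 192.168.1.0
        set end-ip 192.168.1.254
    next
end
# Firewall policy that permits the hairpinned host-to-host traffic (as on the page).
config firewall policy
    edit 1
        set name "Allow intra-VLAN traffic"
        set srcintf "vlan.100"
        set dstintf "vlan.100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because this policy is now the only control point between hosts on the VLAN, narrowing `srcaddr`, `dstaddr` and `service` to what the hosts actually need preserves the segmentation benefit that blocking intra-VLAN traffic was meant to provide.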
Copyright 2025 Fortinet, Inc. All Rights Reserved.