FortiSwitch
pprince
Staff
Article Id 346383
Description

This article describes why two clients connected to different VLANs on a standalone FortiSwitch can ping each other even though no static route has been configured, and how to block that inter-VLAN reachability with an ingress ACL.

 

Consider the following example:

  1. Two laptops are connected to port10 and port20 of a standalone FortiSwitch.
  2. port10 is in VLAN 10, whose VLAN interface on the switch has the address 192.168.10.1/24; port20 is in VLAN 20, whose VLAN interface on the switch has the address 192.168.20.1/24.
  3. Laptop-1 (on port10) has the IP address 192.168.10.2 and Laptop-2 (on port20) has the IP address 192.168.20.2.

 

Laptop-1 in VLAN 10 can ping Laptop-2 in VLAN 20 even though no static route has been configured on the switch. This assumes each laptop uses its VLAN interface address on the switch (192.168.10.1 or 192.168.20.1) as its default gateway; otherwise the laptop never hands the packet to the switch in the first place.

Scope

FortiSwitch.
Solution

The routing table on the FortiSwitch lists both VLAN subnets as connected routes. (The output below was captured from a switch that uses 10.10.10.0/24 for VLAN 10 and 20.20.20.0/24 for VLAN 20 rather than the 192.168.x.x addresses of the example above; the behaviour is identical.)

 

get router info routing-table-all
VRF default:
C>* 10.10.10.0/24 is directly connected, 10, 1d02h57m
C>* 20.20.20.0/24 is directly connected, 20, 1d02h57m
C>* 30.30.30.0/24 is directly connected, internal, 00:01:53

 

Although the laptops are in different VLANs, they can ping each other because both subnets are directly connected to the switch. As soon as a VLAN interface has an IP address and is up, FortiSwitch automatically installs a connected route for its subnet (the "C" entries above, via interface 10 and interface 20). A router can forward packets to any host in a subnet that is directly connected to one of its active interfaces, so the switch routes the ICMP echo request from VLAN 10 to VLAN 20 and the reply back again; no static route is needed.

 

Connected routes always take precedence over static or dynamically learned routes because their administrative distance is 0, the lowest possible value.

 

To block reachability between the VLANs, configure an ingress ACL. In the FortiSwitch GUI go to Switch -> ACL -> Ingress, create an ACL with ID 1, enable Active, under Classifier configure only the Source IP Prefix (192.168.10.0/24 in this example) and the Destination IP Prefix (192.168.20.0/24), under Action select Drop, and select OK. Note that this single rule only drops packets travelling from VLAN 10 to VLAN 20. Ping fails from both sides, because either the request or the reply is dropped, but traffic initiated from VLAN 20 towards VLAN 10 is still delivered in that one direction; for full isolation add a second ACL with the source and destination prefixes swapped.
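The same ACL expressed in the FortiSwitchOS CLI, added here as an example rather than taken from the original article. It follows the `config switch acl ingress` syntax of the FortiSwitchOS administration guide; verify the exact keywords against the CLI reference for your firmware version. The port names port10/port20 and the 192.168.x.x prefixes are the example values from above. ACL 2 is an addition that blocks the reverse direction so that VLAN 20 cannot reach VLAN 10 either; ACL 1 alone corresponds to the GUI procedure.

```text
# Added example (not from the original article): FortiSwitchOS CLI form of the ingress ACL.
# ACL 1 matches packets entering on port10 from the VLAN 10 subnet that are
# addressed to the VLAN 20 subnet, and drops them.
config switch acl ingress
    edit 1
        set description "Drop VLAN10 -> VLAN20"
        set status active
        set ingress-interface "port10"
        config classifier
            set src-ip-prefix 192.168.10.0 255.255.255.0
            set dst-ip-prefix 192.168.20.0 255.255.255.0
        end
        config action
            set drop enable
            set count enable
        end
    next
    # ACL 2 (addition): the reverse direction, so traffic initiated in VLAN 20
    # towards VLAN 10 is dropped as well, not only the ICMP replies.
    edit 2
        set description "Drop VLAN20 -> VLAN10"
        set status active
        set ingress-interface "port20"
        config classifier
            set src-ip-prefix 192.168.20.0 255.255.255.0
            set dst-ip-prefix 192.168.10.0 255.255.255.0
        end
        config action
            set drop enable
            set count enable
        end
    next
end

# Review the resulting configuration, then re-run the ping from each laptop.
show switch acl ingress
```

The ingress ACL is scoped to the port on which the offending traffic enters the switch (`set ingress-interface`), so each direction needs its own rule bound to the corresponding port; `set ingress-interface-all enable` can be used instead if the same classifier should apply on every port. Enabling `count` under the action lets you confirm that the rule is actually matching when the ping stops working, rather than some other cause.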

 

[Screenshot: ingress ACL configuration in the FortiSwitch GUI (acl (1).png)]

Related document:

Fortiswitch/7.6.0/fortiswitchos-administration-guide
