Description | This article describes why intra-VLAN blocking may not work as expected for virtual machine (VM) users on the same server, even when configured on a FortiSwitch. |
Scope | All FortiSwitch v7.2, v7.4.
Solution |
In this setup, multiple VM users are hosted on the same physical server, which is connected to a FortiSwitch. Despite enabling intra-VLAN blocking on the FortiSwitch, the VM users are still able to communicate with each other, such as by successfully pinging across the same VLAN.
Commands to configure intra-VLAN blocking from the FortiGate CLI (on the FortiLink-managed VLAN interface):
config system interface
    edit <VLAN name>
        set switch-controller-access-vlan {enable | disable}
    next
end
When performing a sniffer capture on the FortiSwitch port, no ICMP packets (or any inter-VM traffic) are observed. This indicates that the traffic between the VMs is not reaching the FortiSwitch.
The issue arises because the network traffic between the VMs is being forwarded internally within the server itself. The communication is handled by the server's internal virtual switch or hypervisor, and the traffic never reaches the FortiSwitch or FortiGate, which means the intra-VLAN blocking rules on the FortiSwitch cannot be applied to it. |
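As an added illustration (not from the article or Fortinet's own tooling): a small Python check that, given a VM inventory and sniffer output, reports which same-VLAN VM pairs the FortiSwitch can actually isolate and flags a capture that contradicts the expected path. The inventory fields (host, VLAN, IP) and the sniffer line format are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

@dataclass(frozen=True)
class VM:
    name: str
    host: str   # physical server the VM runs on (assumed inventory field)
    vlan: int
    ip: str

def fortiswitch_can_block(a: VM, b: VM) -> bool:
    """Blocking only affects frames that cross the FortiSwitch: two VMs on the same
    host and VLAN are forwarded by the hypervisor's virtual switch and never leave it."""
    return a.vlan == b.vlan and a.host != b.host

SNIFFER_RE = re.compile(r"(\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3}): icmp")

def icmp_flows_seen(capture: str) -> Set[FrozenSet[str]]:
    """Unordered IP pairs for which ICMP was observed at the switch port."""
    flows: Set[FrozenSet[str]] = set()
    for line in capture.splitlines():
        m = SNIFFER_RE.search(line)
        if m:
            flows.add(frozenset(m.groups()))
    return flows

def audit(vms: List[VM], capture: str) -> Dict[Tuple[str, str], str]:
    """For every same-VLAN VM pair, report whether the switch can enforce blocking
    and flag a capture that contradicts the expected path."""
    seen = icmp_flows_seen(capture)
    report: Dict[Tuple[str, str], str] = {}
    for i, a in enumerate(vms):
        for b in vms[i + 1:]:
            if a.vlan != b.vlan:
                continue
            if fortiswitch_can_block(a, b):
                report[(a.name, b.name)] = "enforced-at-switch"
            elif frozenset((a.ip, b.ip)) in seen:
                report[(a.name, b.name)] = "unexpected: same-host pair seen at switch port"
            else:
                report[(a.name, b.name)] = "bypasses-switch: same host, handled by virtual switch"
    return report

# Constructed inventory and sniffer line (not from the article); vm-a/vm-b share a host.
VMS = [VM("vm-a", "esx-01", 100, "10.1.100.11"),
       VM("vm-b", "esx-01", 100, "10.1.100.12"),
       VM("vm-c", "esx-02", 100, "10.1.100.13")]
CAPTURE = "1.000001 port5 in 10.1.100.11 -> 10.1.100.13: icmp: echo request\n"
```

Running `audit(VMS, CAPTURE)` marks vm-a/vm-b as bypassing the switch (matching the empty capture the article describes) and the cross-host pairs as enforceable.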
Copyright 2024 Fortinet, Inc. All Rights Reserved.