Block Intra-VLAN traffic

rere78690 · ‎03-26-2021

Hi,

I need to prevent users from seeing each other in the same vlan. ( Block Intra-VLAN traffic )

I have read the doc on 6.4.2 but when i try to apply the command : here the message.

Enabling and disabling switch-controller access VLANs through the FortiGate unit

Access VLANs are VLANs that aggregate client traffic solely to the FortiGate unit. This prevents direct client-to-client traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate unit. After the client traffic reaches the FortiGate, the FortiGate unit can then determine whether to allow various levels of access to the client by shifting the client's network VLAN as appropriate.

NOTE: IPv6 is not supported between clients within a switch-controller access VLAN.

Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.

config system interfaceedit <VLAN name>set switch-controller-access-vlan {enable | disable}nextend

Thanks in advance for your help.

lobstercreed · ‎03-26-2021

I just experimented with this a tad (I'm not using FortiSwitch currently), and it appears you have to have the interface set to fortilink before those options appear in the CLI. I'm not sure if you had set an interface for VLAN_3029 yet, but if it's not set to the FortiLink it appears that this does not work. I assume this is expected behavior. You can just as easily set it in the GUI as long as you're under the FortiSwitch VLANs option in the Switch Controller