Hello,
I have a Fortigate unit where I have multiple VLANs (infrastructure, staff, guest, voice, servers...) and policies set up between them.
All user devices (either wired or wireless) go to the Staff VLAN, and they get a DHCP assigned address. What I want to do is to give them an IP and a limited subnet address so that they won't see other devices on the same VLAN/DHCP pool. I've seen this in public WiFis (such as hotels).
I tried looking in forums and Google, but I don't even know how this is called. Does anyone here know how to do this?
Thanks and happy holidays!
Luis
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
This type of filtering you are asking it will be done on Layer2 level, so users are in the same Broadcast domain/subnet and they don't need a Layer3 device (FGT) to communicate to each other, switch make this possible by default configuration.
If you have a FortiSW managed by FortiGate yes you can apply it access/private VLAN and it will change the default behavior of the Switch.
In your setup FGT + 3rd party switch you have to make changes on the switch only because as explained early the communication is done without including the Gateway.
Depending on your deployment,
If it includes FortiSW, the feature is called "switch-controller access VLANs": https://docs.fortinet.com/document/fortiswitch/6.4.2/devices-managed-by-fortios/985221/fortiswitch-f....
or you can find it as Private VLAN: https://docs.fortinet.com/document/fortiswitch/7.2.3/administration-guide/104079/private-vlans
For SSID there is the option: Block intra-SSID traffic
Thanks for your reply. So "Private VLAN" is how they are called.
I have a Fortigate 60F with a Cisco SG350 switch. I am reading that private VLANs are a switch feature more than a router feature, so is this something I should be looking for in the switch?
Thanks,
Luis
This type of filtering you are asking it will be done on Layer2 level, so users are in the same Broadcast domain/subnet and they don't need a Layer3 device (FGT) to communicate to each other, switch make this possible by default configuration.
If you have a FortiSW managed by FortiGate yes you can apply it access/private VLAN and it will change the default behavior of the Switch.
In your setup FGT + 3rd party switch you have to make changes on the switch only because as explained early the communication is done without including the Gateway.
Perfect, thank you very much. This definitely helps.
Thanks and happy new year!
Luis
You're welcome, Happy new year to you too!
Hello Luis,
You may consider to use private VLANs. Please find the details by following the link below:
https://docs.fortinet.com/document/fortiswitch/7.2.3/administration-guide/104079/private-vlans
Hi Luis,
I understand that you want to configure /32 subnets on Ethernet via DHCP.
I have tested the configuration on my Fortigate Lab and it is currently not supported.
Here are the screenshots attached with the error I get at GUI and CLI.
Screenshot from FortiGate CLI:
It's not exactly a /32 or /31 subnet. Well, it is but it should be different for each device. The Private VLAN comment above is what I was looking for. I just need to find out how to do it on my switch.
Thanks,
Luis
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1697 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.