Host isolation?

Author
userzer0
2019/06/07 16:32:12 (permalink)

Can you block intra-subnet traffic with a FortiSwitch, similar to how you can block intra-subnet/SSID traffic with a FortiAP?

I'm setting up a network for IoT devices. I don't want them to talk to each other and would rather not have to set up a /30 for each device.

Thanks in advance
#1


    tanr
    Re: Host isolation? 2019/06/07 16:50:28 (permalink)
    I think you want private VLANs, which Fortinet calls access VLANs. See https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-managing-fortiswitch/GlobalCLIconfig.htm for details.
     
    The medium and higher level FortiSwitches support this, but I don't think the 1xxD or 1xxE switches do.
    #2
    userzer0
    Re: Host isolation? 2019/06/07 19:04:59 (permalink)
    Thanks for the info!

    I think the switch I'm using is a 108-FPOE, so it sounds like that isn't an option.


    Bit of a tangent, but if I may ask... are the terms native and allowed VLAN similar to untagged and tagged VLANs? I haven't been able to find a description of either.
    #3
    tanr
    Re: Host isolation? 2019/06/07 21:00:17 (permalink)
    Native VLAN is the VLAN that an untagged frame gets assigned by default.
    Allowed is (usually) the other VLAN IDs that are allowed on that port.
     
    If you're working with FortiGate-managed switches using 3.6.x firmware, you can't force tagged or untagged frames on a port from the GUI or even the FortiGate's CLI. You can SSH to the switch, though, and set it for a specific port by setting discard-mode to all-tagged or all-untagged.
     
    If you're running a FortiGate on 6.0.x and a managed FortiSwitch on 6.0.x, you can set the same thing, just from the config switch-controller managed-switch section.
     
    BTW, I'd recommend you don't use and don't delete VLAN 1. IIRC, it may be used by the FortiSwitch.
    #4
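
Putting replies #2 and #4 together, this is what the switch-side configuration for an isolated IoT VLAN looks like. It is an added example, not something posted in the thread and not taken from Fortinet's documentation; the VLAN name "iot", VLAN ID 100, the switch-serial placeholder and port5 are assumptions, and it assumes a FortiSwitch model that supports access VLANs (per reply #2 the 108-FPOE may not):

```text
# --- FortiGate side, FortiOS 6.0.x, switch managed over FortiLink ---

# 1. Define the IoT VLAN as an "access" (private) VLAN. The switch then refuses
#    to forward frames between two ports in this VLAN; every frame is sent up
#    the FortiLink to the FortiGate instead.
config switch-controller vlan
    edit "iot"
        set vlanid 100
        set access-vlan enable
    next
end

# 2. Pin a device-facing port to that VLAN.
#    - "vlan" is the native VLAN: untagged frames from the device land here.
#    - "allowed-vlans" would list the tagged VLANs the port accepts; it is left
#      empty on purpose so the port carries nothing but the native VLAN.
#    - "discard-mode all-tagged" drops any tagged frame, so a device cannot hop
#      VLANs by tagging its own traffic. ("all-untagged" is the opposite: a
#      trunk that accepts only tagged frames.)
config switch-controller managed-switch
    edit "<switch-serial>"      # placeholder: the serial shown for the managed switch
        config ports
            edit "port5"
                set vlan "iot"
                set discard-mode all-tagged
            next
        end
    next
end

# --- The same port setting typed on the FortiSwitch itself over SSH ---
# FortiSwitchOS CLI, which reply #4 describes for 3.6.x where the FortiGate
# side cannot set discard-mode. Here the VLAN is referenced by ID, not name.
config switch interface
    edit "port5"
        set native-vlan 100
        set discard-mode all-tagged
    next
end
```

Two practitioner caveats that follow from the replies. First, an access VLAN only stops the switch from bridging frames between its own ports; the devices can still reach each other through the FortiGate if a firewall policy permits it, and a FortiGate needs an explicit policy for traffic that enters and leaves on the same interface, so simply not creating an iot-to-iot policy keeps them apart at layer 3 as well. Second, as reply #4 says, put the devices in a VLAN you create rather than reusing or deleting VLAN 1.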