New Features

QoS Assignment and Rate Limiting for Quarantined VLANs

When devices are quarantined, they are isolated from the rest of the network. However, they can still affect the network if nothing restricts them beyond isolation. A quarantined host that generates heavy traffic could congest the network and cause a DoS-style reduction in service to authorized hosts.

Within the quarantined VLAN, two traffic restrictions are available:

  • Traffic policing (also known as rate limiting)
  • QoS (Quality of Service) assignment (also known as priority assignment)

Each quarantined host's traffic can be subject to rate limiting and priority adjustment. This reduces the impact that any quarantined host can have on authorized traffic on the network.

You can only configure this feature by using the CLI.

A pre-defined traffic policy named quarantine has been added. Listing the traffic policies shows it alongside the sniffer policy, and show displays its default settings:

config switch-controller traffic-policy
(traffic-policy) # get
== [ quarantine ]
name: quarantine
== [ sniffer ]
name: sniffer
(traffic-policy) # edit quarantine
(quarantine) # show
config switch-controller traffic-policy
    edit "quarantine"
        set description "Rate control for quarantined traffic"
        set guaranteed-bandwidth 163840
        set guaranteed-burst 8192
        set maximum-burst 163840
        set cos-queue 0
    next
end

The quarantine traffic policy is not limited to quarantine use; it can be applied to any other switch VLAN interface by configuration.

The policy is bound to the quarantine VLAN interface with switch-controller-traffic-policy:

config system interface
    edit "qtn.aggr1"
        set vdom "root"
        set ip 10.254.254.254 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-qtn.aggr1"
        set device-identification enable
        set snmp-index 30
        set switch-controller-access-vlan enable
        set switch-controller-traffic-policy "quarantine"
        set color 6
        set interface "aggr1"
        set vlanid 4093
    next
end

By default, switch-controller-traffic-policy is empty, so quarantined hosts are not rate limited until a policy is applied. Apply whichever traffic policy is needed; it does not have to be the pre-defined "quarantine" policy.
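As an added example (not Fortinet's code and not part of this page), the following Python script parses a FortiOS configuration export in the config/edit/set/next/end format shown above and reports any quarantine VLAN interface that is not bound to a traffic policy, or whose policy sets no guaranteed-bandwidth or CoS queue. The embedded sample configuration is constructed from the two blocks above plus a hypothetical second interface "qtn.aggr2" that was left with the default empty switch-controller-traffic-policy. Identifying a quarantine VLAN by security-mode captive-portal together with switch-controller-access-vlan enable, and expecting cos-queue 0, are choices made for this checker, not Fortinet rules.

```python
"""Audit a FortiOS config export for quarantine-VLAN rate control.

Added example, not Fortinet code. It parses the config/edit/set/next/end
block structure used by the FortiOS CLI and checks that every quarantine
VLAN interface references a traffic policy that actually constrains traffic.
"""
import shlex

# Constructed sample: the page's two blocks plus a hypothetical "qtn.aggr2"
# that was left without a traffic policy (the default is empty).
SAMPLE_CONFIG = """\
config switch-controller traffic-policy
    edit "quarantine"
        set description "Rate control for quarantined traffic"
        set guaranteed-bandwidth 163840
        set guaranteed-burst 8192
        set maximum-burst 163840
        set cos-queue 0
    next
    edit "sniffer"
    next
end
config system interface
    edit "qtn.aggr1"
        set vdom "root"
        set ip 10.254.254.254 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set switch-controller-access-vlan enable
        set switch-controller-traffic-policy "quarantine"
        set interface "aggr1"
        set vlanid 4093
    next
    edit "qtn.aggr2"
        set vdom "root"
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set switch-controller-access-vlan enable
        set interface "aggr2"
        set vlanid 4093
    next
end
"""


def parse_fortios(text):
    """Return {table_path: {entry_name: {setting: [values]}}}.

    'config' opens a table, 'edit' opens an entry, 'set' assigns values,
    'next' closes the entry and 'end' closes the table. Settings made
    directly at table level (no 'edit') are stored under the key "".
    """
    tables = {}
    stack = []  # one [table_path, current_entry] frame per open 'config'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the quoted values in exports
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path = " ".join(args)
            tables.setdefault(path, {})
            stack.append([path, None])
        elif cmd == "edit":
            path = stack[-1][0]
            stack[-1][1] = tables[path].setdefault(args[0], {})
        elif cmd == "set":
            path, entry = stack[-1]
            if entry is None:  # table-level setting, e.g. 'config system global'
                entry = tables[path].setdefault("", {})
                stack[-1][1] = entry
            entry[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
        # 'unset' and comments carry no value worth keeping here
    return tables


def audit_quarantine(tables):
    """Return [(interface_name, finding)] for quarantine VLAN interfaces.

    A quarantine VLAN is recognised (checker choice) by the captive-portal
    security mode on a switch-controller access VLAN, as in "qtn.aggr1".
    """
    policies = tables.get("switch-controller traffic-policy", {})
    findings = []
    for name, iface in tables.get("system interface", {}).items():
        if iface.get("security-mode") != ["captive-portal"]:
            continue
        if iface.get("switch-controller-access-vlan") != ["enable"]:
            continue
        ref = iface.get("switch-controller-traffic-policy")
        if not ref:
            findings.append((name, "no traffic policy: quarantined hosts are unthrottled"))
            continue
        policy = policies.get(ref[0])
        if policy is None:
            findings.append((name, f"references missing policy {ref[0]!r}"))
            continue
        if int(policy.get("guaranteed-bandwidth", ["0"])[0]) <= 0:
            findings.append((name, f"policy {ref[0]!r} sets no guaranteed-bandwidth"))
        if policy.get("cos-queue") != ["0"]:
            findings.append((name, f"policy {ref[0]!r} does not use CoS queue 0"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_quarantine(parse_fortios(SAMPLE_CONFIG)):
        print(f"{iface}: {finding}")
```

Run against a real export (`show full-configuration` output saved to a file) by replacing SAMPLE_CONFIG with the file contents; on the constructed sample it reports only "qtn.aggr2: no traffic policy", since "qtn.aggr1" is bound to the pre-defined quarantine policy.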
