Cookbook
QoS assignment and rate limiting for quarantined VLANs

When devices are quarantined, they are isolated from the rest of the network. However, they can still affect the network if nothing controls them beyond isolation. A quarantined host that generates heavy traffic could congest the network and cause a DoS-style reduction in service to authorized hosts.

Within the quarantined VLAN, two restrictions are available:

  • Traffic policing (also known as rate limiting)
  • QoS (Quality of Service) assignment (also known as priority assignment)

Each quarantined host's traffic can be subject to rate limiting and priority adjustment. This reduces the impact that any quarantined host can have on authorized traffic on the network.

To configure QoS assignment and rate limiting for quarantined VLANs:
  1. Configure a traffic policy, or use the default "quarantine" policy:
    config switch-controller traffic-policy
        edit "quarantine"
            set description "Rate control for quarantined traffic"
            set guaranteed-bandwidth 163840
            set guaranteed-burst 8192
            set maximum-burst 163840
            set cos-queue 0
        next
    end
  2. Configure an interface:
    config system interface
        edit "qtn.aggr1"
            set vdom "root"
            set ip 10.254.254.254 255.255.255.0
            set description "Quarantine VLAN"
            set security-mode captive-portal
            set replacemsg-override-group "auth-intf-qtn.aggr1"
            set device-identification enable
            set snmp-index 30
            set switch-controller-access-vlan enable
            set switch-controller-traffic-policy "quarantine"
            set color 6
            set interface "aggr1"
            set vlanid 4093
        next
    end

    By default, switch-controller-traffic-policy is empty, so no rate limiting or priority assignment is applied until you set it. You must apply the traffic policy you need; it does not have to be the default "quarantine" policy.
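Because the traffic policy binding is empty by default, a quarantine VLAN can silently ship without any rate control. The following script is an added example (not Fortinet code and not part of this cookbook) that parses a FortiOS configuration backup and reports quarantine interfaces whose switch-controller-traffic-policy is unset, references an undefined policy, or references a policy with no guaranteed-bandwidth. It assumes quarantine VLAN interfaces follow the "qtn." naming convention seen in the example above; the sample configuration is constructed, with a second interface "qtn.aggr2" added to show a missing binding.

```python
"""Audit a FortiOS config for quarantine VLAN interfaces that lack a traffic
policy. Added example, not Fortinet's code; the "qtn." prefix is an assumption
taken from the interface name in the cookbook procedure."""
import shlex

# Constructed sample config modelled on the two CLI blocks in the procedure.
# "qtn.aggr2" is constructed to show an interface with no policy applied.
SAMPLE_CONFIG = """\
config switch-controller traffic-policy
    edit "quarantine"
        set description "Rate control for quarantined traffic"
        set guaranteed-bandwidth 163840
        set guaranteed-burst 8192
        set maximum-burst 163840
        set cos-queue 0
    next
end
config system interface
    edit "qtn.aggr1"
        set vdom "root"
        set ip 10.254.254.254 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set switch-controller-access-vlan enable
        set switch-controller-traffic-policy "quarantine"
        set interface "aggr1"
        set vlanid 4093
    next
    edit "qtn.aggr2"
        set vdom "root"
        set description "Quarantine VLAN (constructed: no policy applied)"
        set switch-controller-access-vlan enable
        set interface "aggr2"
        set vlanid 4092
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' text into
    {table: {entry: {attribute: [values]}}}. Only top-level tables are
    parsed; nested sub-tables inside an entry are skipped."""
    tables = {}
    table = entry = None
    depth = 0  # nesting depth of 'config' blocks; entries are read at depth 1
    for raw in text.splitlines():
        words = shlex.split(raw.strip())  # handles quoted values
        if not words:
            continue
        kw = words[0]
        if kw == "config":
            depth += 1
            if depth == 1:
                table = " ".join(words[1:])
                tables.setdefault(table, {})
        elif kw == "end":
            depth -= 1
            if depth == 0:
                table = entry = None
        elif depth != 1:
            continue  # inside a nested sub-table: ignored for this audit
        elif kw == "edit":
            entry = words[1]
            tables[table].setdefault(entry, {})
        elif kw == "set" and entry is not None:
            tables[table][entry][words[1]] = words[2:]
        elif kw == "next":
            entry = None
    return tables


def audit_quarantine_interfaces(tables, prefix="qtn."):
    """Return (interface, problem) pairs for quarantine VLAN interfaces
    without an effective traffic policy."""
    policies = tables.get("switch-controller traffic-policy", {})
    findings = []
    for name, attrs in tables.get("system interface", {}).items():
        if not name.startswith(prefix):
            continue
        bound = attrs.get("switch-controller-traffic-policy", [])
        if not bound:
            findings.append((name, "no traffic policy applied"))
        elif bound[0] not in policies:
            findings.append((name, f"policy {bound[0]!r} is not defined"))
        elif not policies[bound[0]].get("guaranteed-bandwidth"):
            findings.append((name, f"policy {bound[0]!r} sets no bandwidth limit"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit_quarantine_interfaces(parse_fortios(SAMPLE_CONFIG)):
        print(f"{iface}: {problem}")
```

Run it against a full configuration backup (`show full-configuration` output) instead of SAMPLE_CONFIG to catch quarantine VLANs that were created without a policy binding; an empty result means every "qtn." interface has a defined policy with a bandwidth limit.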
