QoS assignment and rate limiting for FortiSwitch quarantined VLANs
When devices are quarantined, they are isolated from the rest of the network. However, they can still impact the network if not controlled beyond isolation. A quarantined host, which offers heavy traffic, could congest the network and create a DOS-style reduction in service to authorized hosts.
Within the quarantined VLAN, two restrictions are available within the network:
-
Traffic policing (also known as rate limiting)
-
QoS (Quality of Service) assignment (also known as priority assignment)
Each quarantined host's traffic can be subject to rate limiting and priority adjustment. This reduces the impact that any quarantined host can have on authorized traffic on the network.
To configure QoS assignment and rate limiting for quarantined VLANs:
-
Configure a traffic policy, or use the default "quarantine" policy:
config switch-controller traffic-policy edit "quarantine" set description "Rate control for quarantined traffic" set guaranteed-bandwidth 163840 set guaranteed-burst 8192 set maximum-burst 163840 set cos-queue 0 next end
-
Configure an interface:
config system interface edit "qtn.aggr1" set vdom "root" set ip 10.254.254.254 255.255.255.0 set description "Quarantine VLAN" set security-mode captive-portal set replacemsg-override-group "auth-intf-qtn.aggr1" set device-identification enable set snmp-index 30 set switch-controller-access-vlan enable set switch-controller-traffic-policy "quarantine" set color 6 set interface "aggr1" set vlanid 4093 next end
By default,
switch-controller-traffic-policy
is empty. You need to apply the necessary traffic policy (not only limited to "quarantine").