Customizable CoS marking for locally generated ARP packets
FortiGate supports 802.1p class of service (CoS) markings (cos0-cos7) for locally generated ARP packets, allowing customers to align ARP traffic with network QoS policies and constraints.
To set the CoS in VLAN tag for outgoing ARP packets:
config system interface
    edit <interface>
        set arp-egress-cos {cos0 | cos1 | cos2 | cos3 | cos4 | cos5 | cos6 | cos7}
    next
end
Example
A FortiGate and PC are both configured to be in VLAN66. The FortiGate VLAN interface is configured to send ARP packets with a CoS marking of 7, denoting the Network Control priority level.
To test the CoS markings in locally generated ARP packets:
1. Configure the interface on the FortiGate:

    config system interface
        edit "v6"
            set vdom "root"
            set ip 16.1.1.1 255.255.255.0
            set allowaccess ping
            set arp-egress-cos cos7
            set snmp-index 40
            set ip-managed-by-fortiipam disable
            set interface "port6"
            set vlanid 66
        next
    end

2. Configure the PC network:

    ~$ sudo cat /etc/netplan/01-network-manager-all.yaml
    ...
      vlans:
        vlan66:
          id: 66
          link: ens160
          addresses:
            - 16.1.1.66/24

3. Ping the FortiGate from the PC:

    fosqa@fosqa-Cos:~$ ping 16.1.1.1 -c 2
    PING 16.1.1.1 (16.1.1.1) 56(84) bytes of data.
    64 bytes from 16.1.1.1: icmp_seq=1 ttl=255 time=0.193 ms
    64 bytes from 16.1.1.1: icmp_seq=2 ttl=255 time=0.117 ms

    --- 16.1.1.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1038ms
    rtt min/avg/max/mdev = 0.117/0.155/0.193/0.038 ms

4. Do a packet capture on the PC:
An ARP request sent from the FortiGate sets its priority to Network Control (7) inside the VLAN header:

    fosqa@fosqa-Cos:~$ sudo tshark -i ens160 -Y "vlan" -V
    Running as user "root" and group "root". This could be dangerous.
    Capturing on 'ens160'
    ...
    Frame 2: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface ens160, id 0
        Section number: 1
        Interface id: 0 (ens160)
            Interface name: ens160
        Encapsulation type: Ethernet (1)
        Arrival Time: Sep 15, 2025 16:53:41.041847718 PDT
        UTC Arrival Time: Sep 15, 2025 23:53:41.041847718 UTC
        Epoch Arrival Time: 1757980421.041847718
        [Time shift for this packet: 0.000000000 seconds]
        [Time delta from previous captured frame: 0.000111729 seconds]
        [Time delta from previous displayed frame: 0.000111729 seconds]
        [Time since reference or first frame: 0.000111729 seconds]
        Frame Number: 2
        Frame Length: 64 bytes (512 bits)
        Capture Length: 64 bytes (512 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ethertype:vlan:ethertype:arp]
    Ethernet II, Src: Fortinet_15:08:99 (94:f3:92:15:08:99), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
        Destination: Broadcast (ff:ff:ff:ff:ff:ff)
            Address: Broadcast (ff:ff:ff:ff:ff:ff)
            .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
            .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        Source: Fortinet_15:08:99 (94:f3:92:15:08:99)
            Address: Fortinet_15:08:99 (94:f3:92:15:08:99)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Type: 802.1Q Virtual LAN (0x8100)
    802.1Q Virtual LAN, PRI: 7, DEI: 0, ID: 66
        111. .... .... .... = Priority: Network Control (7)
        ...0 .... .... .... = DEI: Ineligible
        .... 0000 0100 0010 = ID: 66
        Type: ARP (0x0806)
        Padding: 0000000000000000000000000000
        Trailer: 00000000
    Address Resolution Protocol (request)
        Hardware type: Ethernet (1)
        Protocol type: IPv4 (0x0800)
        Hardware size: 6
        Protocol size: 4
        Opcode: request (1)
        Sender MAC address: Fortinet_15:08:99 (94:f3:92:15:08:99)
        Sender IP address: 16.1.1.1
        Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
        Target IP address: 16.1.1.66

An ARP reply sent by the FortiGate in response to the PC's ARP also sets its priority to Network Control (7):

    Frame 8: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface ens160, id 0
        Section number: 1
        Interface id: 0 (ens160)
            Interface name: ens160
        Encapsulation type: Ethernet (1)
        Arrival Time: Sep 15, 2025 16:53:46.239793531 PDT
        UTC Arrival Time: Sep 15, 2025 23:53:46.239793531 UTC
        Epoch Arrival Time: 1757980426.239793531
        [Time shift for this packet: 0.000000000 seconds]
        [Time delta from previous captured frame: 0.000082934 seconds]
        [Time delta from previous displayed frame: 0.000082934 seconds]
        [Time since reference or first frame: 5.198057542 seconds]
        Frame Number: 8
        Frame Length: 64 bytes (512 bits)
        Capture Length: 64 bytes (512 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ethertype:vlan:ethertype:arp]
    Ethernet II, Src: Fortinet_15:08:99 (94:f3:92:15:08:99), Dst: VMware_7c:6c:08 (00:0c:29:7c:6c:08)
        Destination: VMware_7c:6c:08 (00:0c:29:7c:6c:08)
            Address: VMware_7c:6c:08 (00:0c:29:7c:6c:08)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Source: Fortinet_15:08:99 (94:f3:92:15:08:99)
            Address: Fortinet_15:08:99 (94:f3:92:15:08:99)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Type: 802.1Q Virtual LAN (0x8100)
    802.1Q Virtual LAN, PRI: 7, DEI: 0, ID: 66
        111. .... .... .... = Priority: Network Control (7)
        ...0 .... .... .... = DEI: Ineligible
        .... 0000 0100 0010 = ID: 66
        Type: ARP (0x0806)
        Padding: 0000000000000000000000000000
        Trailer: 00000000
    Address Resolution Protocol (reply)
        Hardware type: Ethernet (1)
        Protocol type: IPv4 (0x0800)
        Hardware size: 6
        Protocol size: 4
        Opcode: reply (2)
        Sender MAC address: Fortinet_15:08:99 (94:f3:92:15:08:99)
        Sender IP address: 16.1.1.1
        Target MAC address: VMware_7c:6c:08 (00:0c:29:7c:6c:08)
        Target IP address: 16.1.1.66
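
The check performed by eye in the capture above can be automated. The following is an added example, not Fortinet code: it decodes the 802.1Q tag (priority, DEI, VLAN ID) of ARP frames and reports frames from a given sender that do not carry the expected marking. The frames are constructed from the field values shown in the capture rather than copied from a real capture, and all function names are hypothetical.

```python
import socket
import struct

def build_tagged_arp(pcp, vid, opcode, sha, spa, tha, tpa, dst=b"\xff" * 6):
    """Construct a 64-byte 802.1Q-tagged ARP frame (sample input, not a real capture)."""
    tci = (pcp << 13) | (vid & 0x0FFF)            # PCP(3 bits) | DEI(1 bit)=0 | VID(12 bits)
    eth = dst + sha + struct.pack("!HHH", 0x8100, tci, 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)
    return eth + arp + bytes(18)                  # 14 padding bytes + 4 trailer bytes

def parse_tagged_arp(frame):
    """Return the 802.1Q and ARP fields, or None if not a VLAN-tagged IPv4 ARP frame."""
    if len(frame) < 46:
        return None
    tpid, tci, etype = struct.unpack("!HHH", frame[12:18])
    if tpid != 0x8100 or etype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[18:26])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
        "opcode": oper,
        "sender_mac": frame[26:32].hex(":"),
        "sender_ip": socket.inet_ntoa(frame[32:36]),
        "target_ip": socket.inet_ntoa(frame[42:46]),
    }

def cos_mismatches(frames, sender_mac, expected_pcp, expected_vid):
    """List ARP frames from sender_mac whose priority or VLAN ID differs from the expected marking."""
    bad = []
    for f in frames:
        p = parse_tagged_arp(f)
        if p and p["sender_mac"] == sender_mac and (p["pcp"], p["vid"]) != (expected_pcp, expected_vid):
            bad.append(p)
    return bad

# Frames constructed from the values in the capture above.
FGT_MAC = bytes.fromhex("94f392150899")
PC_MAC = bytes.fromhex("000c297c6c08")
REQUEST = build_tagged_arp(7, 66, 1, FGT_MAC, "16.1.1.1", bytes(6), "16.1.1.66")
REPLY = build_tagged_arp(7, 66, 2, FGT_MAC, "16.1.1.1", PC_MAC, "16.1.1.66", dst=PC_MAC)
UNMARKED = build_tagged_arp(0, 66, 1, FGT_MAC, "16.1.1.1", bytes(6), "16.1.1.66")  # constructed counter-example

if __name__ == "__main__":
    for frame in (REQUEST, REPLY, UNMARKED):
        print(parse_tagged_arp(frame))
    print(cos_mismatches([REQUEST, REPLY, UNMARKED], "94:f3:92:15:08:99", 7, 66))
```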