Fortinet white logo
Fortinet white logo

Administration Guide

VLAN CoS matching on a traffic shaping policy

VLAN CoS matching on a traffic shaping policy

A FortiGate can use the class of service (CoS) value of VLAN packets as a matching criterion for shaping policies. This enables the FortiGate to prioritize traffic based on the CoS value assigned by the switch or router.

config firewall shaping-policy
    edit <id>
        set traffic-type {forwarding | local-in | local-out}
        set cos-mask <3-bit_binary>
        set cos <3-bit_binary>
    next
end

traffic-type {forwarding | local-in | local-out}

Set the traffic type.

  • forwarding: use forwarding traffic (default)

  • local-in: local-in traffic

  • local-out: local-out traffic

cos-mask <3-bit_binary>

Set the VLAN CoS evaluated bits, 3-bit binary (000 - 111). This setting is only available for forwarding traffic.

cos <3-bit_binary>

Set the VLAN CoS bit pattern, 3-bit binary (000 - 111). This setting is available once cos-mask is configured.

Example

In this example, FortiGate A forwards traffic to FortiGate B with VLAN CoS 3, which matches firewall policy 6. When FortiGate B receives traffic, it applies the traffic shaping policy and will prioritize based on the CoS value.

The VLAN CoS range is 000 to 111 (0 - 7), which includes the following values: 000, 001, 010, 011, 100, 101, 110, and 111. The cos and cos-mask settings can be used to match multiple vlan_cos values with a single shaping policy. The following matching logic is used: (vlan_cos AND cos-mask) == (cos AND cos-mask).

Note

To match all possible vlan_cos values, set the cos-mask to 000.

To configure VLAN CoS marking with traffic shaping:
  1. Configure the firewall policy on FortiGate A with VLAN CoS forwarding:

    config firewall policy
        edit 6
            set srcintf "port1"
            set dstintf "vlan100"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set vlan-cos-fwd 3
        next
    end

    Traffic marked with CoS 3 will be forwarded to FortiGate B.

  2. On FortiGate A, check the session list to verify that CoS 3 is marked:

    # diagnose sys session list 
    session info: proto=1 proto_state=00 duration=1 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=3/255
    state=log may_dirty npu f00 
    statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=19->47/47->19 gwy=20.20.20.2/10.1.100.11
    hook=pre dir=org act=noop 10.1.100.11:28489->192.168.4.33:8(0.0.0.0:0)
    hook=post dir=reply act=noop 192.168.4.33:28489->10.1.100.11:0(0.0.0.0:0)
    src_mac=00:0c:29:57:2a:01  dst_mac=70:4c:a5:7d:d4:95
    misc=0 policy_id=6 pol_uuid_idx=1128 auth_info=0 chk_client_info=0 vd=2
    serial=000717ca tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x4000c00 ofld-O ofld-R
    npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=79/78, ipid=78/79, vlan=0x0000/0x0064
    vlifid=78/79, vtag_in=0x0000/0x0064 in_npu=2/2, out_npu=2/2, fwd_en=0/0, qid=0/1
  3. Configure the traffic shaping policy to match VLAN CoS 3:

    config firewall shaping-policy
        edit 1
            set traffic-type forwarding
            set name "vlan-cos-matching"
            set service "ALL"
            set srcintf "vlan100"
            set dstintf "vlan200"
            set class-id 2
            set cos-mask 111
            set cos 011
            set srcaddr "all"
            set dstaddr "all"
        next
    end

    Based on this shaping policy:

    • vlan_cos = 3, which corresponds to 011

      cos-mask = 111

      AND both get 011

    • cos-mask = 111

      cos = 011

      AND both get 011

    • (vlan_cos AND cos-mask) == (cos AND cos-mask), so traffic will pass

    The shaping policy will match vlan_cos3.

  4. Configure the firewall policy on FortiGate B:

    config firewall policy
        edit 3
            set srcintf "vlan100"
            set dstintf "vlan200"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end
  5. On FortiGate B, check the session list to verify that the class ID (2) matches the shaping policy ID (1):

    # diagnose sys session list 
    session info: proto=1 proto_state=00 duration=672 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=2 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=log may_dirty f00 
    statistic(bytes/packets/allow_err): org=56532/673/1 reply=56532/673/1 tuples=2
    tx speed(Bps/kbps): 82/0 rx speed(Bps/kbps): 82/0
    orgin->sink: org pre->post, reply pre->post dev=59->61/61->59 gwy=20.20.200.3/20.20.20.1
    hook=pre dir=org act=noop 10.1.100.11:28735->192.168.4.33:8(0.0.0.0:0)
    hook=post dir=reply act=noop 192.168.4.33:28735->10.1.100.11:0(0.0.0.0:0)
    src_mac=90:6c:ac:fb:bb:97  dst_mac=04:d5:90:36:73:3f
    misc=0 policy_id=3 pol_uuid_idx=1245 auth_info=0 chk_client_info=0 vd=1
    serial=0000160b tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x040000
    no_ofld_reason:  non-npu-intf

    Note

    If a particular session matches both the firewall policy and firewall shaping-policy, then anything configured in the firewall shaping-policy overrides whatever was configured in the firewall policy.

VLAN CoS matching on a traffic shaping policy

VLAN CoS matching on a traffic shaping policy

A FortiGate can use the class of service (CoS) value of VLAN packets as a matching criterion for shaping policies. This enables the FortiGate to prioritize traffic based on the CoS value assigned by the switch or router.

config firewall shaping-policy
    edit <id>
        set traffic-type {forwarding | local-in | local-out}
        set cos-mask <3-bit_binary>
        set cos <3-bit_binary>
    next
end

traffic-type {forwarding | local-in | local-out}

Set the traffic type.

  • forwarding: use forwarding traffic (default)

  • local-in: local-in traffic

  • local-out: local-out traffic

cos-mask <3-bit_binary>

Set the VLAN CoS evaluated bits, 3-bit binary (000 - 111). This setting is only available for forwarding traffic.

cos <3-bit_binary>

Set the VLAN CoS bit pattern, 3-bit binary (000 - 111). This setting is available once cos-mask is configured.

Example

In this example, FortiGate A forwards traffic to FortiGate B with VLAN CoS 3, which matches firewall policy 6. When FortiGate B receives traffic, it applies the traffic shaping policy and will prioritize based on the CoS value.

The VLAN CoS range is 000 to 111 (0 - 7), which includes the following values: 000, 001, 010, 011, 100, 101, 110, and 111. The cos and cos-mask settings can be used to match multiple vlan_cos values with a single shaping policy. The following matching logic is used: (vlan_cos AND cos-mask) == (cos AND cos-mask).

Note

To match all possible vlan_cos values, set the cos-mask to 000.

To configure VLAN CoS marking with traffic shaping:
  1. Configure the firewall policy on FortiGate A with VLAN CoS forwarding:

    config firewall policy
        edit 6
            set srcintf "port1"
            set dstintf "vlan100"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set vlan-cos-fwd 3
        next
    end

    Traffic marked with CoS 3 will be forwarded to FortiGate B.

  2. On FortiGate A, check the session list to verify that CoS 3 is marked:

    # diagnose sys session list 
    session info: proto=1 proto_state=00 duration=1 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=3/255
    state=log may_dirty npu f00 
    statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=19->47/47->19 gwy=20.20.20.2/10.1.100.11
    hook=pre dir=org act=noop 10.1.100.11:28489->192.168.4.33:8(0.0.0.0:0)
    hook=post dir=reply act=noop 192.168.4.33:28489->10.1.100.11:0(0.0.0.0:0)
    src_mac=00:0c:29:57:2a:01  dst_mac=70:4c:a5:7d:d4:95
    misc=0 policy_id=6 pol_uuid_idx=1128 auth_info=0 chk_client_info=0 vd=2
    serial=000717ca tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x4000c00 ofld-O ofld-R
    npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=79/78, ipid=78/79, vlan=0x0000/0x0064
    vlifid=78/79, vtag_in=0x0000/0x0064 in_npu=2/2, out_npu=2/2, fwd_en=0/0, qid=0/1
  3. Configure the traffic shaping policy to match VLAN CoS 3:

    config firewall shaping-policy
        edit 1
            set traffic-type forwarding
            set name "vlan-cos-matching"
            set service "ALL"
            set srcintf "vlan100"
            set dstintf "vlan200"
            set class-id 2
            set cos-mask 111
            set cos 011
            set srcaddr "all"
            set dstaddr "all"
        next
    end

    Based on this shaping policy:

    • vlan_cos = 3, which corresponds to 011

      cos-mask = 111

      AND both get 011

    • cos-mask = 111

      cos = 011

      AND both get 011

    • (vlan_cos AND cos-mask) == (cos AND cos-mask), so traffic will pass

    The shaping policy will match vlan_cos3.

  4. Configure the firewall policy on FortiGate B:

    config firewall policy
        edit 3
            set srcintf "vlan100"
            set dstintf "vlan200"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end
  5. On FortiGate B, check the session list to verify that the class ID (2) matches the shaping policy ID (1):

    # diagnose sys session list 
    session info: proto=1 proto_state=00 duration=672 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=2 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=log may_dirty f00 
    statistic(bytes/packets/allow_err): org=56532/673/1 reply=56532/673/1 tuples=2
    tx speed(Bps/kbps): 82/0 rx speed(Bps/kbps): 82/0
    orgin->sink: org pre->post, reply pre->post dev=59->61/61->59 gwy=20.20.200.3/20.20.20.1
    hook=pre dir=org act=noop 10.1.100.11:28735->192.168.4.33:8(0.0.0.0:0)
    hook=post dir=reply act=noop 192.168.4.33:28735->10.1.100.11:0(0.0.0.0:0)
    src_mac=90:6c:ac:fb:bb:97  dst_mac=04:d5:90:36:73:3f
    misc=0 policy_id=3 pol_uuid_idx=1245 auth_info=0 chk_client_info=0 vd=1
    serial=0000160b tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x040000
    no_ofld_reason:  non-npu-intf

    Note

    If a particular session matches both the firewall policy and firewall shaping-policy, then anything configured in the firewall shaping-policy overrides whatever was configured in the firewall policy.