Access control lists
You can use access control lists (ACLs) to configure policies for three different stages in the pipeline:
- Ingress stage for incoming traffic
- Prelookup stage for processing traffic
- Egress stage for outgoing traffic
This chapter covers the following topics:
NOTES
- Before FortiSwitchOS 6.0.0, you used the
config switch acl policycommand to configure ACL policies only for the ingress stage. In FortiSwitchOS 6.0.0 and later, theconfig switch aclcommand has changed to specify which stage is being configured. Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs. - The FS-1024D and FS-524D-FPOE models do not support all action options on the ingress policy.
- There are some limitations for ACL configuration on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
- The layer-4 port range is limited and might not be available in FortiSwitchOS 6.4.0.
- For the FS-108E, FS-108E-FPOE, FS-108E-POE, FS-124E, FS-124E-FPOE, and FS-124E-POE models, 256 counters are supported for the ingress stage.
- For the FS-448E, FS-448E-FPOE, and FS-448E-POE models, 504 counters are supported only for the prelookup stage.
- If a classifier was created with only layer-2 fields, layer-3 fields cannot be added later. If a classifier was created with only layer-3 fields, layer-2 fields cannot be added later.
- You cannot use both drop and redirect actions in the same ACL policy.
- ACL configuration is not supported in FortiLink mode.
- Only the ingress policy can be configured.
- The
set redirectcommand works differently for the following switch models:- For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, the egress VLAN membership is not necessary.
- For the FS-148F, FS-148F-POE, FS-148F-FPOE, FS-124F, FS-124F-POE, and FS-124F-FPOE models, the egress VLAN membership is necessary.
ACL policy attributes
Key attributes of a policy include:
- Interface. The interface(s) on which traffic arrives at the switch. The interface can be a port, a trunk, or all interfaces. The policy applies to ingress traffic only (not egress traffic).
- Classifier. The classifier identifies the packets that the policy will act on. Each packet can be classified based on one or more criteria. Criteria include source and destination MAC address, VLAN id, source and destination IP address, or service (layer 4 protocol id and port number).
- Marking involves setting bits in the packet header to indicate the priority of this packet.
-
Actions. If a packet matches the classifier criteria for a given ACL, the following types of action may be applied to the packet:
- allow or block the packet, redirect the packet, mirror the packet
- police the traffic
- mirror the packet to another port, interface, or trunk
- mirror the traffic
- CoS queue assignment
- outer VLAN tag assignment
- egress mask to filter packets
- specify a schedule when the ACL policy will be applied
- make the ACL policy active or inactive
The switch uses specialized TCAM memory to perform ACL matching.
NOTE: Each model of the FortiSwitch unit provides different ACL-related capabilities. When you configure the ACL policy, the system will reject the request if the hardware cannot support it.
Configuring an ACL policy
You can configure ACL policies for each stage: ingress, egress, and prelookup.
NOTE: The order of the classifiers provided during group creation (or during an ACL update in a group when new classifiers are added ) matter. Hardware resources are allocated as best fit at the time of creation, which can cause some fragmentation and segmentation of hardware resources because not all classifiers are available at all times. Because the availability of classifiers is order dependent, some allocations succeed or fail at different times. Rebooting the switch or running the execute acl key-compaction <acl-stage><group-id> command can help reduce the classifier resource fragmentation.
Creating an ACL ingress policy
Using the GUI:
- Go to Switch > ACL > Ingress.
- Select Add Ingress Policy.
- Required. In the ID field, enter a unique number to identify this policy.
- By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
- Required. Select which interfaces the policy applies to or select the All Interface checkbox.
- Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4.
- In the Description field, enter a description or other information about the policy. The description is limited to 63 characters.
- Configure the classifier.
- Enter the VLAN identifier to be matched.
- Enter the 802.1Q cost of service (CoS) value to match.
- Enter the DSCP value to match.
- Enter the Ethernet type to be matched.
- Select the service type to be matched.
- Enter the source MAC address to be matched.
- Enter the destination MAC address to be matched.
- Enter the source IP address and subnet mask to be matched.
- Enter the destination IP address and subnet mask to be matched.
- Configure the action.
- Select the Count checkbox if you want to track the number of matching packets.
- Select the Drop checkbox if you want to drop matching packets.
- Select the Redirect Broadcast CPU checkbox if you want to redirect broadcast traffic to all ports including the CPU.
- Select the Redirect Broadcast No CPU checkbox if you want to redirect broadcast traffic to all ports excluding the CPU.
- In the CPU COS Queue field, enter the CPU CoS queue number. This CoS queue is only used if the packets reach the CPU.
- In the COS Queue field, enter the CoS queue number.
- In the Remark COS field, enter the CoS marking value.
- In the Outer VLAN Tag field, enter the outer VLAN tag.
- In the Remark DSCP field, enter the DSCP marking value.
- Select Egress Mask to configure which physical ports are included in the egress mask or select Redirect Physical Port to redirect packets to the selected physical ports.
- Select the physical ports to include in the egress mask or to redirect packets to.
- Select which policer to use from the Policer drop-down list. To create a policer, see Creating a policer.
- Select which redirect interface to use from the Redirect Interface drop-down list.
- Select the name of the mirror to use collect packets to analyze.
- Select OK to save the ingress policy.
Using the CLI:
config switch acl ingress
edit <policy_ID>
set description <string>
set group <group_ID>
set ingress-interface <port_name>
set ingress-interface-all {enable | disable}
set schedule <schedule_name>
set status {active | inactive}
config classifier
set src-mac <MAC_address>
set dst-mac <MAC_address>
set ether-type <integer>
set src-ip-prefix <IP_address> <mask>
set dst-ip-prefix <IP_address> <mask>
set service <service_ID>
set vlan-id <VLAN_ID>
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set cos-queue <0 - 7>
set count {enable | disable}
set cpu-cos-queue <integer>
set drop {enable | disable}
set egress-mask {<physical_port_name> | internal}
set mirror <mirror_session>
set outer-vlan-tag <integer>
set policer <policer>
set redirect <interface_name>
set redirect-bcast-cpu {enable | disable}
set redirect-bcast-no-cpu {enable | disable}
set redirect-physical-port <list of physical ports to redirect>
set remark-cos <0-7>
set remark-dscp <0-63>
end
end
Creating an ACL egress policy
Using the GUI:
- Go to Switch > ACL > Egress.
- Select Add Egress Policy.
- Required. In the ID field, enter a unique number to identify this policy.
- By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
- Select which interface the policy applies to.
- Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4.
- In the Description field, enter a description or other information about the policy. The description is limited to 63 characters.
- Configure the classifier.
- Enter the VLAN identifier to be matched.
- Enter the 802.1Q cost of service (CoS) value to match.
- Enter the DSCP value to match.
- Enter the Ethernet type to be matched.
- Select the service type to be matched.
- Enter the source MAC address to be matched.
- Enter the destination MAC address to be matched.
- Enter the source IP address and subnet mask to be matched.
- Enter the destination IP address and subnet mask to be matched.
- Configure the action.
- Select the Count checkbox if you want to track the number of matching packets.
- Select the Drop checkbox if you want to drop matching packets.
- In the Outer VLAN Tag field, enter the outer VLAN tag.
- In the Remark DSCP field, enter the DSCP marking value.
- Select which policer to use from the Policer drop-down list. To create a policer, see Creating a policer.
- Select which redirect interface to use from the Redirect Interface drop-down list.
- Select the name of the mirror to use collect packets to analyze.
- Select OK to save the egress policy.
Using the CLI:
config switch acl egress
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
set src-mac <MAC_address>
set dst-mac <MAC_address>
set ether-type <integer>
set src-ip-prefix <IP_address> <mask>
set dst-ip-prefix <IP_address> <mask>
set service <service_ID>
set vlan-id <VLAN_ID>
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set count {enable | disable}
set drop {enable | disable}
set mirror <mirror_session>
set outer-vlan-tag <integer>
set policer <policer>
set redirect <interface_name>
set remark-dscp <0-63>
end
end
Creating an ACL prelookup policy
Using the GUI:
- Go to Switch > ACL > Prelookup.
- Select Add Prelookup Policy.
- Required. In the ID field, enter a unique number to identify this policy.
- By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
- Select which interface the policy applies to.
- Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4.
- In the Description field, enter a description or other information about the policy. The description is limited to 63 characters.
- Configure the classifier.
- Enter the VLAN identifier to be matched.
- Enter the 802.1Q cost of service (CoS) value to match.
- Enter the DSCP value to match.
- Enter the Ethernet type to be matched.
- Select the service type to be matched.
- Enter the source MAC address to be matched.
- Enter the destination MAC address to be matched.
- Enter the source IP address and subnet mask to be matched.
- Enter the destination IP address and subnet mask to be matched.
- Configure the action.
- Select the Count checkbox if you want to track the number of matching packets.
- Select the Dropcheckbox if you want to drop matching packets.
- In the Outer VLAN Tag field, enter the outer VLAN tag.
- In the COS Queue field, enter the CoS queue number.
- In the Remark COS field, enter the CoS marking value.
- Select OK to save the prelookup policy.
Using the CLI:
config switch acl prelookup
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
set src-mac <MAC_address>
set dst-mac <MAC_address>
set ether-type <integer>
set src-ip-prefix <IP_address> <mask>
set dst-ip-prefix <IP_address> <mask>
set service <service_ID>
set vlan-id <VLAN_ID>
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set cos-queue <0-7>
set count {enable | disable}
set drop {enable | disable}
set outer-vlan-tag <integer>
set remark-cos <0-7>
end
end
Creating or customizing a service
Optionally, you can create or customize a service. When you create an ACL policy (ingress, egress, or prelookup), you select the service to use with the set service <service_ID> command under config classifier.
The FortiSwitch unit provides a set of pre-configured services that you can use. Use the following command to list the services:
show switch acl service custom
To create or customize a service:
config switch acl service custom
edit <service name>
set comment <string>
set color <0-32>
set protocol {ICMP | IP | TCP/UDP/SCTP}
set sctp-portrange <dstportlow_int>[-<dstporthigh_int>: <srcportlow_int>-<srcporthigh_int>]
set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:
<srcportlow_int>-<srcporthigh_int>]
set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
end
Creating a policer
Optionally, you can create a policer if you are defining ACLs to police different types of traffic. When you create an ACL policy (ingress or egress), you select the policer to use with the set policer <policer> command under config action.
Using the GUI:
- Go to Switch > ACL > Policer.
- Select Add Policer.
- Required. In the ID field, enter a unique number to identify this policer.
- In the Type drop-down list, select whether the policer is for egress or ingress policies.
- In the Guaranteed Bandwidth field, enter the amount of bandwidth guaranteed (in Kbits/second) to be available for traffic controlled by the policy.
- In the Guaranteed Burst field, enter the guaranteed burst size in bytes.
- In the Maximum Burst field, enter the maximum burst size in bytes
- In the Description field, enter a description of the policer.
- Select OK to save the policer.
Using the CLI:
config switch acl policer
edit <1-2048>
set description <string>
set guaranteed-bandwidth <bandwidth_value>
set guaranteed-burst <in_bytes>
set maximum-burst <in_bytes>
set type {egress | ingress}
end
Each policy is assigned a unique policy ID that is automatically assigned. To view it, use the get switch acl {egress | ingress | prelookup} command.
Viewing counters
NOTE: On the 4xxE platforms, the ACL byte counters for the prelookup stage are not available (they will always show as 0 on the CLI). The packet counters are available.
You can use the GUI and CLI to view the counters associated with the ingress, egress, and prelookup policies.
Using the GUI:
Go to Switch > Monitor > ACL Counters.
Using the CLI:
get switch acl counters {all | egress | ingress | prelookup}
For example:
S524DF4K15000024 # get switch acl counters ingress
ingress:
ID Packets Bytes description
___________________________________________________________
0001 0 0 cnt_n_mirror13
0002 0 0 cnt_n_mirror31
0003 0 0 cnt_n_mirror41
Clearing counters
You can use the GUI or CLI to clear the counters associated with all policies or the counters associated with just ingress, egress, or prelookup policies.
Using the GUI:
- Go to Switch > Monitor > ACL Counters.
- Select Ingress, Egress, Prelookup, or All to clear those counters.
Using the CLI:
execute acl clear-counter {all | egress | ingress | prelookup}
Clearing unused classifiers
Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress, prelookup, or all policies for a particular group:
execute acl key-compaction {all | ingress | egress | prelookup} <group_ID>
NOTE: This command currently only works on the ingress policy.
Configuration examples
Example 1
In the following example, traffic from VLAN 3 is blocked to a specified destination IP subnet (10.10.0.0/16) but allowed to all other destinations:
config switch acl ingress
edit 1
config action
set count enable
set drop enable
end
config classifier
set dst-ip-prefix 10.10.0.0 255.255.0.0
set vlan-id 3
end
set ingress-interface-all enable
set status active
end
Example 2
In the following example, Server Message Block (SMB) traffic received on port 1 is mirrored to port 3. SMB protocol uses port 445:
config switch acl service custom
edit "SMB"
set tcp-portrange 445
next
end
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
set description "cnt_n_mirror_smb"
set ingress-interface-all disable
set ingress-interface "port1"
set status active
config action
set count enable
set mirror mirror-1
end
config classifier
set service "SMB"
set src-ip-prefix 20.20.20.100 255.255.255.255
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
next
end
Example 3
The FortiSwitch unit can map different flows (for example, based on source and destination IP addresses) to specific outgoing ports.
In the following example, flows are redirected (based on destination IP) to different outgoing ports, connected to separate FortiDDOS appliances. This allows you to apply different FortiDDOS service profiles to different types of traffic:
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
config action
set count enable
set redirect "port3“ # use redirect to shift selected traffic to new destination
end
config classifier
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
set description "cnt_n_mirror13"
set ingress-interface "port1"
set status active
next
edit 2
config action # apply policy to port 3 ingress and send to port 1
set count enable
set redirect "port1"
end
config classifier
set src-ip-prefix 100.100.100.0 255.255.255.0
end
set description "cnt_n_mirror31"
set ingress-interface-all disable
set ingress-interface "port3"
set status inactive
next
end
config switch acl ingress # apply policy to port 1 ingress and send to port 4
edit 3
config action
set count enable
set redirect "port4“ # use redirect to shift selected traffic to new destination
end
config classifier
set dst-ip-prefix 20.20.20.0 255.255.255.0
end
set description "cnt_n_mirror14"
set ingress-interface "port1"
set status active
next
edit 4
config action # apply policy to port 4 ingress and send to port 1
set count enable
set redirect "port1"
end
config classifier
set src-ip-prefix 20.20.20.0 255.255.255.0
end
set description "cnt_n_mirror41"
set ingress-interface "port4"
set status inactive
next
end
Example 4
In the following example, a recurring schedule is created and then used to control when the ACL policy is active:
config system schedule recurring
edit schedule2
set day monday tuesday wednesday thursday friday saturday sunday
set start 07:00
set end 17:00
end
config switch acl ingress
edit 1
config action
set remark-cos 1
set remark-dscp 23
end
config classifier
set src-mac 00:21:cc:d2:76:72
set dst-mac d6:dd:25:be:2c:43
end
set ingress-interface-all enable
set schedule schedule2
set status active
next
end