Administration Guide

ACL policy attributes

Key attributes of a policy include:

  • Interface. The interface(s) on which traffic arrives at the switch. The interface can be a port, a trunk, or all interfaces. The policy applies to ingress traffic only (not egress traffic).
  • Classifier. The classifier identifies the packets that the policy will act on. Each packet can be classified based on one or more criteria. Criteria include source and destination MAC address, VLAN id, source and destination IP address, or service (layer 4 protocol id and port number).
  • Marking. Marking sets bits in the packet header to indicate the priority of the packet.
  • Actions. If a packet matches the classifier criteria for a given ACL, the following types of action may be applied to the packet:
    • allow, block, or redirect the packet
    • police (rate-limit) the traffic
    • mirror the packet to another port, interface, or trunk
    • CoS queue assignment
    • outer VLAN tag assignment
    • egress mask to filter packets
    • specify a schedule when the ACL policy will be applied
    • make the ACL policy active or inactive

The switch uses specialized ternary content-addressable memory (TCAM) to perform ACL matching in hardware.

NOTE: Each model of the FortiSwitch unit provides different ACL-related capabilities. When you configure the ACL policy, the system will reject the request if the hardware cannot support it.
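As an added illustration (not a configuration from this guide), one policy that combines these attributes: an ingress policy on all interfaces whose classifier matches VLAN 30 traffic destined for a management subnet, and whose action drops and counts it. The command tree (config switch acl ingress and its classifier and action keywords) is assumed from recent FortiSwitchOS releases, and the VLAN id and subnet are constructed values; check the keywords against your model's CLI reference, since unsupported combinations are rejected as the note above describes.

```text
config switch acl ingress
    edit 10
        set description "Drop guest VLAN traffic to the management subnet"
        set ingress-interface-all enable
        set status active
        config classifier
            set vlan-id 30
            set dst-ip-prefix 10.10.0.0 255.255.255.0
        end
        config action
            set drop enable
            set count enable
        end
    next
end
```

Because the policy is ingress-only, it filters frames as they arrive on the switch; the count action lets you confirm from the counters that the classifier is matching the intended traffic before relying on the drop.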
