Configuring an ACL policy
You can configure ACL policies for each stage: ingress, egress, and prelookup.
NOTE: The order of the classifiers provided during group creation (or during an ACL update in a group when new classifiers are added) matters. Hardware resources are allocated as best fit at the time of creation, which can cause some fragmentation and segmentation of hardware resources because not all classifiers are available at all times. Because the availability of classifiers is order dependent, some allocations succeed or fail at different times. Rebooting the switch or running the execute acl key-compaction <acl-stage> <group-id> command can help reduce the classifier resource fragmentation.
This section covers the following topics:
- Creating an ACL ingress policy
- Creating an ACL egress policy
- Creating an ACL prelookup policy
- Creating or customizing a service
- Creating a policer
- Viewing counters
- Clearing counters
- Clearing unused classifiers
Creating an ACL ingress policy
Using the GUI:
- Go to Switch > ACL > Ingress.
- Select Add Ingress Policy.
- Required. In the ID field, enter a unique number to identify this policy.
- By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
- Required. Select which interfaces the policy applies to or select the All Interface checkbox.
- Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4.
- In the Description field, enter a description or other information about the policy. The description is limited to 63 characters.
- Configure the classifier.
- Enter the VLAN identifier to be matched.
- Enter the 802.1Q class of service (CoS) value to match.
- Enter the DSCP value to match.
- Enter the Ethernet type to be matched.
- Select the service type to be matched.
- Enter the source MAC address to be matched.
- Enter the destination MAC address to be matched.
- Enter the source IP address and subnet mask to be matched.
- Enter the destination IP address and subnet mask to be matched.
- Configure the action.
- Select the Count checkbox if you want to track the number of matching packets.
- Select the Drop checkbox if you want to drop matching packets.
- Select the Redirect Broadcast CPU checkbox if you want to redirect broadcast traffic to all ports including the CPU.
- Select the Redirect Broadcast No CPU checkbox if you want to redirect broadcast traffic to all ports excluding the CPU.
- In the CPU COS Queue field, enter the CPU CoS queue number. This CoS queue is only used if the packets reach the CPU.
- In the COS Queue field, enter the CoS queue number.
- In the Remark COS field, enter the CoS marking value.
- In the Outer VLAN Tag field, enter the outer VLAN tag.
- In the Remark DSCP field, enter the DSCP marking value.
- Select Egress Mask to configure which physical ports are included in the egress mask or select Redirect Physical Port to redirect packets to the selected physical ports.
- Select the physical ports to include in the egress mask or to redirect packets to.
- Select which policer to use from the Policer drop-down list. To create a policer, see Creating a policer.
- Select which redirect interface to use from the Redirect Interface drop-down list.
- Select the name of the mirror session to use to collect packets for analysis.
- Select OK to save the ingress policy.
Using the CLI:
config switch acl ingress
edit <policy_ID>
set description <string>
set group <group_ID>
set ingress-interface <port_name>
set ingress-interface-all {enable | disable}
set schedule <schedule_name>
set status {active | inactive}
config classifier
set src-mac <MAC_address>
set dst-mac <MAC_address>
set ether-type <integer>
set src-ip-prefix <IP_address> <mask>
set dst-ip-prefix <IP_address> <mask>
set service <service_ID>
set vlan-id <VLAN_ID>
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set cos-queue <0 - 7>
set count {enable | disable}
set cpu-cos-queue <integer>
set drop {enable | disable}
set egress-mask {<physical_port_name> | internal}
set mirror <mirror_session>
set outer-vlan-tag <integer>
set policer <policer>
set redirect <interface_name>
set redirect-bcast-cpu {enable | disable}
set redirect-bcast-no-cpu {enable | disable}
set redirect-physical-port <list of physical ports to redirect>
set remark-cos <0-7>
set remark-dscp <0-63>
end
end
Creating an ACL egress policy
Using the GUI:
- Go to Switch > ACL > Egress.
- Select Add Egress Policy.
- Required. In the ID field, enter a unique number to identify this policy.
- By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
- Select which interface the policy applies to.
- Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4.
- In the Description field, enter a description or other information about the policy. The description is limited to 63 characters.
- Configure the classifier.
- Enter the VLAN identifier to be matched.
- Enter the 802.1Q class of service (CoS) value to match.
- Enter the DSCP value to match.
- Enter the Ethernet type to be matched.
- Select the service type to be matched.
- Enter the source MAC address to be matched.
- Enter the destination MAC address to be matched.
- Enter the source IP address and subnet mask to be matched.
- Enter the destination IP address and subnet mask to be matched.
- Configure the action.
- Select the Count checkbox if you want to track the number of matching packets.
- Select the Drop checkbox if you want to drop matching packets.
- In the Outer VLAN Tag field, enter the outer VLAN tag.
- In the Remark DSCP field, enter the DSCP marking value.
- Select which policer to use from the Policer drop-down list. To create a policer, see Creating a policer.
- Select which redirect interface to use from the Redirect Interface drop-down list.
- Select the name of the mirror session to use to collect packets for analysis.
- Select OK to save the egress policy.
Using the CLI:
config switch acl egress
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
set src-mac <MAC_address>
set dst-mac <MAC_address>
set ether-type <integer>
set src-ip-prefix <IP_address> <mask>
set dst-ip-prefix <IP_address> <mask>
set service <service_ID>
set vlan-id <VLAN_ID>
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set count {enable | disable}
set drop {enable | disable}
set mirror <mirror_session>
set outer-vlan-tag <integer>
set policer <policer>
set redirect <interface_name>
set remark-dscp <0-63>
end
end
Creating an ACL prelookup policy
Using the GUI:
- Go to Switch > ACL > Prelookup.
- Select Add Prelookup Policy.
- Required. In the ID field, enter a unique number to identify this policy.
- By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
- Select which interface the policy applies to.
- Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4.
- In the Description field, enter a description or other information about the policy. The description is limited to 63 characters.
- Configure the classifier.
- Enter the VLAN identifier to be matched.
- Enter the 802.1Q class of service (CoS) value to match.
- Enter the DSCP value to match.
- Enter the Ethernet type to be matched.
- Select the service type to be matched.
- Enter the source MAC address to be matched.
- Enter the destination MAC address to be matched.
- Enter the source IP address and subnet mask to be matched.
- Enter the destination IP address and subnet mask to be matched.
- Configure the action.
- Select the Count checkbox if you want to track the number of matching packets.
- Select the Drop checkbox if you want to drop matching packets.
- In the Outer VLAN Tag field, enter the outer VLAN tag.
- In the COS Queue field, enter the CoS queue number.
- In the Remark COS field, enter the CoS marking value.
- Select OK to save the prelookup policy.
Using the CLI:
config switch acl prelookup
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
set src-mac <MAC_address>
set dst-mac <MAC_address>
set ether-type <integer>
set src-ip-prefix <IP_address> <mask>
set dst-ip-prefix <IP_address> <mask>
set service <service_ID>
set vlan-id <VLAN_ID>
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set cos-queue <0-7>
set count {enable | disable}
set drop {enable | disable}
set outer-vlan-tag <integer>
set remark-cos <0-7>
end
end
Creating or customizing a service
Optionally, you can create or customize a service. When you create an ACL policy (ingress, egress, or prelookup), you select the service to use with the set service <service_ID> command under config classifier.
The FortiSwitch unit provides a set of pre-configured services that you can use. Use the following command to list the services:
show switch acl service custom
Using the GUI to create a service:
- Go to Switch > ACL > Service.
- Click Add Service.
- Required. In the Name field, enter the name of the service.
- If you want to change the icon color for the service in the Service page, click Change and then click the new color.
- Optional. Enter a description of the service.
- If you do not want the custom service to use TCP, select ICMP, IP, UDP, or SCTP.
- If you selected TCP, UDP, or SCTP, enter the destination ports and source ports. You can enter a single port or a range of ports in each field.
- If you selected ICMP or IP, enter the protocol number.
- If you selected ICMP, enter the ICMP code.
- Click Add.
Using the GUI to customize a service:
- Go to Switch > ACL > Service.
- Click Edit for the service that you want to customize.
- Make any changes.
- Click Update.
Using the CLI to create or customize a service:
config switch acl service custom
edit <service_name>
set comment <string>
set color <0-32>
set protocol {ICMP | IP | TCP/UDP/SCTP}
set sctp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
end
Creating a policer
The ACL policer uses a single-rate three-color marker (RFC 2697) to mark packets as green, yellow, or red, based on the guaranteed bandwidth, guaranteed burst, and maximum burst settings. Traffic below the guaranteed bandwidth is allowed. Traffic above the guaranteed burst or maximum burst is dropped.
Optionally, you can create a policer if you are defining ACLs to police different types of traffic. When you create an ACL ingress or egress policy, you select the policer to use with it.
Using the GUI:
- Go to Switch > ACL > Policer.
- Select Add Policer.
- Required. In the ID field, enter a unique number to identify this policer.
- In the Type drop-down list, select whether the policer is for the egress policy or the ingress policy.
- In the Guaranteed Bandwidth field, enter the amount of bandwidth guaranteed (in Kbits/second) to be available for traffic controlled by the policy.
- In the Guaranteed Burst field, enter the guaranteed burst size in bytes.
- In the Maximum Burst field, enter the maximum burst size in bytes.
- In the Description field, enter a description of the policer.
- Select OK to save the policer.
Using the CLI:
config switch acl policer
edit <1-2048>
set description <string>
set guaranteed-bandwidth <bandwidth_value>
set guaranteed-burst <in_bytes>
set maximum-burst <in_bytes>
set type {egress | ingress}
end
Each policy is automatically assigned a unique policy ID. To view it, use the get switch acl {egress | ingress | prelookup} command.
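The following CLI session is an added worked example (not taken from the FortiSwitch documentation) that ties together the three procedures above: it creates a custom TCP service, an ingress policer, and two ingress policies that use them, one dropping and counting Telnet from an access VLAN and one rate-limiting a user subnet. The port name (port5), VLAN 20, the 10.10.20.0/24 prefix, the service name and the policy and policer IDs are assumed values; lines beginning with # are explanatory comments, not CLI commands.

```text
# Constructed example: port5, VLAN 20, 10.10.20.0/24 and all IDs are assumed.
# 1. Custom service: TCP destination port 23 (Telnet), any source port.
config switch acl service custom
    edit "telnet-dst"
        set comment "Telnet to any host"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 23
    next
end

# 2. Ingress policer: 1000 Kbit/s guaranteed bandwidth, 16000-byte guaranteed
#    burst, 32000-byte maximum burst (the RFC 2697 srTCM parameters).
config switch acl policer
    edit 1
        set description "police user subnet"
        set type ingress
        set guaranteed-bandwidth 1000
        set guaranteed-burst 16000
        set maximum-burst 32000
    next
end

# 3a. Policy 10: drop and count Telnet arriving on port5 from VLAN 20.
config switch acl ingress
    edit 10
        set description "drop telnet from vlan20"
        set ingress-interface port5
        config classifier
            set vlan-id 20
            set service "telnet-dst"
        end
        config action
            set count enable
            set drop enable
        end
    next
# 3b. Policy 20: apply policer 1 to all traffic from 10.10.20.0/24 on port5.
    edit 20
        set description "police user subnet"
        set ingress-interface port5
        config classifier
            set src-ip-prefix 10.10.20.0 255.255.255.0
        end
        config action
            set count enable
            set policer 1
        end
    next
end
```

Because count is enabled on both policies, get switch acl counters ingress (see Viewing counters) shows how many packets each policy matched, which is the quickest way to confirm the classifiers were allocated and are hitting.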
Viewing counters
NOTE: On the 4xxE platforms, the ACL byte counters for the prelookup stage are not available (they will always show as 0 on the CLI). The packet counters are available.
You can use the GUI and CLI to view the counters associated with the ingress, egress, and prelookup policies.
Using the GUI:
Go to Switch > Monitor > ACL Counters.
Using the CLI:
get switch acl counters {all | egress | ingress | prelookup}
For example:
S524DF4K15000024 # get switch acl counters ingress
ingress:
ID Packets Bytes description
___________________________________________________________
0001 0 0 cnt_n_mirror13
0002 0 0 cnt_n_mirror31
0003 0 0 cnt_n_mirror41
Clearing counters
You can use the GUI or CLI to clear the counters associated with all policies or the counters associated with just ingress, egress, or prelookup policies.
Using the GUI:
- Go to Switch > Monitor > ACL Counters.
- Select Ingress, Egress, Prelookup, or All to clear those counters.
Using the CLI:
execute acl clear-counter {all | egress | ingress | prelookup}
Clearing unused classifiers
Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress, prelookup, or all policies for a particular group:
execute acl key-compaction {all | ingress | egress | prelookup} <group_ID>
NOTE: This command currently only works on the ingress policy.