Administration Guide

ACL

You can use access control lists (ACLs) to configure policies, each made up of a classifier that selects traffic and an action applied to the traffic it matches, at three different stages of the switching pipeline:

  • Ingress stage for incoming traffic
  • Prelookup stage for processing traffic
  • Egress stage for outgoing traffic

This section covers the following topics:

NOTES
  • Before FortiSwitchOS 6.0.0, the config switch acl policy command configured ACL policies for the ingress stage only. In FortiSwitchOS 6.0.0 and later, the config switch acl command includes the stage being configured (ingress, prelookup, or egress).
  • Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs.
  • Starting in FortiSwitchOS 7.2.0, you can count ingress and egress packets by color:
    • Ingress packets are marked green if the traffic rate is within the guaranteed information rate. Ingress packets are marked yellow if they exceed the committed burst size but do not exceed the excess burst size. All other ingress packets are marked red.

    • Egress packets are marked green if the traffic rate is within the guaranteed information rate. All other egress packets are marked yellow.

    The colors are displayed on the Switch > Monitor > ACL Counters page and in the output of the get switch acl counters {all | egress | ingress} command. Color counting depends on an ACL policer, so configure the policer before the ACL policy that uses it.

  • The FS-1024D and FS-524D-FPOE models do not support all action options on the ingress policy.
  • For the FS-448E, FS-448E-FPOE, and FS-448E-POE models, 504 counters are supported only for the prelookup stage.
  • ACL configuration is not supported in FortiLink mode (that is, when the switch is managed by a FortiGate).
  • There are some limitations for ACL configuration on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, FS-148E-POE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models:
    • The layer-4 port range is limited and might not be available in FortiSwitchOS 6.4.0.
    • Use the get switch acl usage command to find out how many counters are available on your switch model.
    • If a classifier was created with only layer-2 fields, layer-3 fields cannot be added later. If a classifier was created with only layer-3 fields, layer-2 fields cannot be added later.
    • You cannot use both drop and redirect actions in the same ACL policy.
    • Only the ingress policy can be configured. There are seven options (dst-ip-prefix, dst-mac, ether-type, service, src-ip-prefix, src-mac, and vlan-id) for configuring the classifier and five options (cos-queue, count, drop, outer-vlan-tag, and redirect) for configuring the action.
  • The set redirect command behaves differently on the following switch models:
    • On the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, the port that traffic is redirected to does not need to be a member of the egress VLAN.
    • On the FS-148F, FS-148F-POE, FS-148F-FPOE, FS-124F, FS-124F-POE, and FS-124F-FPOE models, the port that traffic is redirected to must be a member of the egress VLAN.
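As an added example (not configuration from the Fortinet guide), the following FortiSwitchOS CLI fragment puts the notes above together: it creates a single-rate three-color policer, attaches it to a counting ingress ACL so that the green, yellow and red counters become visible, adds a second, layer-2-only ingress ACL that drops frames with a spoofed gateway source MAC, and then reads the counters back. The policer ID, ACL IDs, port5, VLAN 100, the 10.10.0.0/24 management prefix, the MAC address, the rate and burst values and the description strings are all assumptions; the keyword names follow the FortiSwitchOS 7.x CLI, and because the available classifier and action options differ by model and release, each keyword should be verified against the CLI reference for the switch and version in use.

```text
# Added example, not Fortinet's own configuration. Policer ID 1, ACL IDs 10 and
# 20, port5, VLAN 100, the 10.10.0.0/24 prefix, the MAC address and the rate and
# burst values are assumptions. Keyword names follow the FortiSwitchOS 7.x CLI;
# verify them against the CLI reference for your model and release.

# 1. Policer (single rate, three colors). A packet is green while the flow stays
#    within the guaranteed rate, yellow once it exceeds the committed burst but
#    not the excess burst, and red beyond that. The policer must exist before
#    any ACL action references it.
config switch acl policer
    edit 1
        set description "mgmt-rate-limit"
        set type ingress
        set guaranteed-bandwidth 10000      # kbps: guaranteed information rate
        set guaranteed-burst 65536          # bytes: committed burst size
        set maximum-burst 131072            # bytes: excess burst size
    next
end

# 2. Ingress ACL 10: rate-limit and count traffic from VLAN 100 toward the
#    management prefix. "count enable" is what makes the per-color counters
#    appear in "get switch acl counters ingress".
config switch acl ingress
    edit 10
        set description "police-vlan100-to-mgmt"
        set ingress-interface-all disable
        set ingress-interface "port5"
        config classifier
            set vlan-id 100
            set dst-ip-prefix 10.10.0.0 255.255.255.0
        end
        config action
            set count enable
            set policer 1
        end
    next
end

# 3. Ingress ACL 20: drop frames on port5 that claim the gateway's source MAC.
#    The classifier uses layer-2 fields only; on the E/F-series models listed in
#    the notes, layer-3 fields cannot be added to it later, and drop cannot be
#    combined with redirect in the same policy, so this policy only drops.
config switch acl ingress
    edit 20
        set description "drop-spoofed-gateway-mac"
        set ingress-interface-all disable
        set ingress-interface "port5"
        config classifier
            set src-mac 00:11:22:33:44:55
        end
        config action
            set count enable
            set drop enable
        end
    next
end

# 4. Check remaining hardware ACL/counter resources, then read the counters.
get switch acl usage
get switch acl counters ingress
```

The `#` comment lines are for the reader and should be stripped before the fragment is pasted into an interactive CLI session. After a few seconds of traffic, ACL 10's green, yellow and red columns show how much of the flow stayed within the guaranteed rate, how much fell between the two burst sizes, and how much exceeded them; a matching flow that never leaves green has not reached the policer's burst limits, while zero counts on every color usually mean the classifier did not match at all.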
