Configuration examples
Example 1
In the following example, traffic from VLAN 3 that is destined for the 10.10.0.0/16 subnet is counted and dropped on every port (ingress-interface-all is enabled). VLAN 3 traffic to any other destination does not match the classifier and is forwarded normally:
config switch acl ingress
edit 1
config action
set count enable
set drop enable
end
config classifier
set dst-ip-prefix 10.10.0.0 255.255.0.0
set vlan-id 3
end
set ingress-interface-all enable
set status active
end
Example 2
In the following example, Server Message Block (SMB) traffic (TCP port 445) from host 20.20.20.100 to the 100.100.100.0/24 subnet that is received on port 1 is counted and mirrored to port 3. The policy refers to the mirror profile mirror-1, which must already exist with port 3 as its destination (see Example 5 for the config switch mirror syntax); only the custom service and the ACL policy are shown here:
config switch acl service custom
edit "SMB"
set tcp-portrange 445
next
end
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
set description "cnt_n_mirror_smb"
set ingress-interface-all disable
set ingress-interface "port1"
set status active
config action
set count enable
set mirror mirror-1
end
config classifier
set service "SMB"
set src-ip-prefix 20.20.20.100 255.255.255.255
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
next
end
Example 3
The FortiSwitch unit can map different flows (for example, based on source and destination IP addresses) to specific outgoing ports.
In the following example, flows are redirected to different outgoing ports, each connected to a separate FortiDDoS appliance. Traffic received on port 1 is redirected based on destination IP (policies 1 and 3), and the return traffic arriving from each appliance is redirected back to port 1 based on source IP (policies 2 and 4). This allows you to apply different FortiDDoS service profiles to different types of traffic:
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
config action
set count enable
set redirect "port3" # use redirect to shift selected traffic to new destination
end
config classifier
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
set description "cnt_n_mirror13"
set ingress-interface "port1"
set status active
next
edit 2
config action # apply policy to port 3 ingress and send to port 1
set count enable
set redirect "port1"
end
config classifier
set src-ip-prefix 100.100.100.0 255.255.255.0
end
set description "cnt_n_mirror31"
set ingress-interface-all disable
set ingress-interface "port3"
set status active
next
end
config switch acl ingress # apply policy to port 1 ingress and send to port 4
edit 3
config action
set count enable
set redirect "port4" # use redirect to shift selected traffic to new destination
end
config classifier
set dst-ip-prefix 20.20.20.0 255.255.255.0
end
set description "cnt_n_mirror14"
set ingress-interface "port1"
set status active
next
edit 4
config action # apply policy to port 4 ingress and send to port 1
set count enable
set redirect "port1"
end
config classifier
set src-ip-prefix 20.20.20.0 255.255.255.0
end
set description "cnt_n_mirror41"
set ingress-interface "port4"
set status active
next
end
Example 4
In the following example, a recurring schedule is created and then used to control when the ACL policy is active. The policy, which remarks the CoS and DSCP values of frames sent between the two MAC addresses, is applied only between 07:00 and 17:00 every day of the week and is inactive outside that window:
config system schedule recurring
edit schedule2
set day monday tuesday wednesday thursday friday saturday sunday
set start 07:00
set end 17:00
end
config switch acl ingress
edit 1
config action
set remark-cos 1
set remark-dscp 23
end
config classifier
set src-mac 00:21:cc:d2:76:72
set dst-mac d6:dd:25:be:2c:43
end
set ingress-interface-all enable
set schedule schedule2
set status active
next
end
Example 5
In the following example, a mirror profile m1 with port 4 as its destination is created, and an ACL policy at the ingress stage then mirrors all VLAN 100 traffic received on any port to it:
config switch mirror
edit "m1"
set status active
set dst "port4"
next
end
config switch acl ingress
edit 1
config action
set mirror "m1"
end
config classifier
set vlan-id 100
end
set ingress-interface-all enable
next
end
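The five examples above share one grammar (config, edit, set, next, end) and depend on cross-table references: an ingress policy names a custom service, a mirror profile or a schedule that must be defined in another table, and Example 2 refers to mirror-1 without showing its definition. The following Python script is an added example, not FortiSwitch code and not part of the page: it parses CLI text of this shape into nested dicts, reports references to undefined mirror profiles, custom services or recurring schedules, and evaluates which ingress policy a given packet would hit. The embedded sample is Example 2 from the page with the description and count lines dropped; the packets in the usage note are constructed. Its matching model is an assumption, not documented FortiSwitch behaviour: the lowest-numbered active policy wins, status defaults to active, ingress-interface-all defaults to disable, and schedules, egress ACLs and hardware TCAM ordering are not modelled.

```python
import ipaddress
import shlex

def parse_cli(text):
    """config -> dict of entries, edit -> entry dict, set k v.. -> entry[k] = [v..];
    'end' also closes an open 'edit' (Example 1 has no 'next'), as the CLI does."""
    root = {}
    stack = [("config", root)]  # (kind, node) path to the current scope
    for raw in text.splitlines():
        toks = shlex.split(raw.split("#", 1)[0])  # drop '# ...' comments
        if not toks:
            continue
        cur = stack[-1][1]
        if toks[0] == "config":
            stack.append(("config", cur.setdefault(" ".join(toks[1:]), {})))
        elif toks[0] == "edit":
            stack.append(("edit", cur.setdefault(toks[1], {})))
        elif toks[0] == "set":
            cur[toks[1]] = toks[2:]
        elif toks[0] == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif toks[0] == "end":
            while len(stack) > 1 and stack[-1][0] != "config":
                stack.pop()
            if len(stack) > 1:
                stack.pop()
    return root

def dangling_references(cfg):
    """Names an ingress policy uses that no table defines (Example 2's mirror-1)."""
    defined = {"mirror": cfg.get("switch mirror", {}),
               "service": cfg.get("switch acl service custom", {}),
               "schedule": cfg.get("system schedule recurring", {})}
    problems = []
    for pid, pol in cfg.get("switch acl ingress", {}).items():
        for kind, ref in (("mirror", pol.get("action", {}).get("mirror")),
                          ("service", pol.get("classifier", {}).get("service")),
                          ("schedule", pol.get("schedule"))):
            if ref and ref[0] not in defined[kind]:
                problems.append(f"policy {pid}: {kind} '{ref[0]}' is not defined")
    return problems

def classifier_matches(cfg, cls, pkt):
    """Every field set in the classifier must match; unset fields are wildcards."""
    if "vlan-id" in cls and pkt.get("vlan") != int(cls["vlan-id"][0]):
        return False
    for key, field in (("src-ip-prefix", "src"), ("dst-ip-prefix", "dst")):
        if key in cls:
            addr, mask = cls[key]  # CLI form "10.10.0.0 255.255.0.0"
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if ipaddress.ip_address(pkt[field]) not in net:
                return False
    for key, field in (("src-mac", "smac"), ("dst-mac", "dmac")):
        if key in cls and pkt.get(field, "").lower() != cls[key][0].lower():
            return False
    if "service" in cls:  # custom service: tcp-portrange / udp-portrange, "445" or "135-139"
        svc = cfg.get("switch acl service custom", {}).get(cls["service"][0], {})
        rng = svc.get(f"{pkt.get('proto')}-portrange")
        if not rng:
            return False
        lo, _, hi = rng[0].partition("-")
        if not int(lo) <= pkt.get("dport", -1) <= int(hi or lo):
            return False
    return True

def evaluate(cfg, pkt):
    """(policy id, action dict) for the first active ingress policy matching pkt, else
    None. Assumed: lowest ID wins, status defaults active, ingress-interface-all disable."""
    policies = cfg.get("switch acl ingress", {}).items()
    for pid, pol in sorted(policies, key=lambda kv: int(kv[0])):
        if pol.get("status", ["active"])[0] != "active":
            continue
        if (pol.get("ingress-interface-all", ["disable"])[0] != "enable"
                and pkt["port"] not in pol.get("ingress-interface", [])):
            continue
        if classifier_matches(cfg, pol.get("classifier", {}), pkt):
            return pid, pol.get("action", {})
    return None

# Example 2 from the page, abridged (description and count lines dropped);
# note that mirror-1 is referenced but never defined in it.
EXAMPLE2 = """config switch acl service custom
edit "SMB"
set tcp-portrange 445
next
end
config switch acl ingress
edit 1
set ingress-interface "port1"
set status active
config action
set mirror mirror-1
end
config classifier
set service "SMB"
set src-ip-prefix 20.20.20.100 255.255.255.255
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
next
end"""
```

Running dangling_references(parse_cli(EXAMPLE2)) reports that policy 1 uses the undefined mirror mirror-1; appending a config switch mirror stanza that defines mirror-1 with dst port3 clears the report. A constructed packet {"port": "port1", "src": "20.20.20.100", "dst": "100.100.100.7", "proto": "tcp", "dport": 445} hits policy 1 and returns its mirror action, while the same packet arriving on port2, sent over UDP, or to port 139 matches nothing, which is the quickest way to confirm a classifier is as narrow as intended before committing it to the switch.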