FortiLink Guide

Configuring an ACL

Starting in FortiOS 7.4.0 with FortiSwitchOS 7.4.0, you can use an access control list (ACL) to configure a policy for the ingress stage of the pipeline for incoming traffic. After creating an ACL group for the ingress policy, you apply the ACL group to a managed switch port.

Note

A user-configurable ACL might conflict with or be overridden by an ACL implemented by other managed FortiSwitch features. If a user-configurable ACL and an internal ACL do not conflict, the resulting behavior depends on the FortiSwitch model. Fortinet recommends validating user-configurable ACLs to make certain that they operate correctly with other enabled features.

To use an ACL:
  1. Create an ACL ingress policy.

  2. Create an ACL group and add the ingress policy to it.

  3. Apply the ACL group to a managed switch port.

  4. View the counters.

Create an ACL ingress policy

The ACL ingress policy includes the following key attributes:

  • Interface—The port on which traffic arrives at the switch. The policy applies to ingress traffic only (not egress traffic).

  • Classifier—The classifier identifies the packets that the policy will act on. Each packet can be classified based on one or more criteria. The supported criteria are source and destination MAC address, VLAN identifier, and source and destination IP address.

  • Actions—If a packet matches the classifier criteria for a given ACL, the following types of action can be applied to the packet:

    • Allow or block the packet
    • Count the number of ingress packets

The switch uses specialized TCAM memory to perform ACL matching.

Note

The order of the classifiers provided during group creation (or during an ACL update in a group when new classifiers are added) matters. Hardware resources are allocated on a best-fit basis at the time of creation, which can cause some fragmentation and segmentation of hardware resources because not all classifiers are available at all times. Because the availability of classifiers is order dependent, the same allocation can succeed or fail depending on when it is attempted.

To create an ACL ingress policy in the CLI:

    config switch-controller acl ingress
        edit <policy_identifier>
            config action
                set count {enable | disable}
                set drop {enable | disable}
            end
            config classifier
                set dst-ip-prefix <IPv4_address> <netmask>
                set dst-mac <destination_MAC_address>
                set src-ip-prefix <IPv4_address> <netmask>
                set src-mac <source_MAC_address>
                set vlan <1-4094>
            end
        next
    end

Create an ACL group

An ACL group contains one or more ACLs.

Note

The ACL ingress policies are assigned to ACL group 3 in the managed FortiSwitch unit. If the managed FortiSwitch unit does not support ACL group 3, the user-configurable ACL is not supported.

To create an ACL group in the CLI:

    config switch-controller acl group
        edit "<ACL_group_name>"
            set ingress <policy_identifier1> <policy_identifier2> ...
        next
    end

For example:

    config switch-controller acl group
        edit "ACLgroup1"
            set ingress 2 3 4
        next
    end

Apply the ACL group to a managed switch port

You can apply one or more ACL groups to a managed switch port.

To apply an ACL group to a managed switch port in the CLI:

    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <managed_switch_port_name>
                    set acl-group "<ACL_group_name1> <ACL_group_name2> ..."
                next
            end
        next
    end

For example:

    config switch-controller managed-switch
        edit FS1D243Z14000016
            config ports
                edit port10
                    set acl-group "ACLgroup1 ACLgroup2 ACLgroup3"
                next
            end
        next
    end

View the counters

Note

On the FS-4xxE, FS-1xxE, and FS-1xxF platforms, the ACL byte counters are not available (they will always show as 0 on the CLI). The packet counters are available.

You can use the CLI to view the counters associated with the ingress policies.

To view the counters in the CLI:

    diagnose switch-controller switch-info acl-counters <FortiSwitch_serial_number>

For example:

    diagnose switch-controller switch-info acl-counters FS1D243Z14000016

Configuration example

In the following example, the ingress ACL policy prevents a PC connected to S248EPTF18001384 (which is managed by a FortiGate device) from accessing 8.8.8.8 255.255.255.255.

    config switch-controller acl ingress
        edit 1
            config action
                set drop enable
            end
            config classifier
                set dst-ip-prefix 8.8.8.8 255.255.255.255
                set src-mac 00:0c:29:d4:4f:3c
            end
        next
    end

    config switch-controller acl group
        edit "group1"
            set ingress 1
        next
    end

    config switch-controller managed-switch
        edit "S248EPTF18001384"
            config ports
                edit "port6"
                    set acl-group "group1"
                next
            end
        next
    end
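As an added example (not Fortinet code), the following Python script renders the three CLI blocks of the procedure above from a structured policy definition and checks, before emitting anything, the constraints this page documents: only the five supported classifier fields, a VLAN in the range 1-4094, a group that references only ingress policies that exist, and a port that references only groups that exist. The MAC-address and IPv4/netmask format checks are this example's own assumptions about what the CLI accepts.

```python
import ipaddress
import re
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")  # format check is an assumption of this example
CLASSIFIER_KEYS = ("dst-ip-prefix", "dst-mac", "src-ip-prefix", "src-mac", "vlan")  # fields documented above

def classifier_errors(classifier):
    """Return the problems a 'config classifier' block would have (empty list if it is acceptable)."""
    errors = ["a classifier needs at least one criterion"] if not classifier else []
    for key, value in classifier.items():
        if key not in CLASSIFIER_KEYS:
            errors.append(f"unsupported classifier field: {key}")
        elif key.endswith("-mac") and not MAC_RE.match(str(value).lower()):
            errors.append(f"bad MAC address for {key}: {value}")
        elif key.endswith("-ip-prefix"):
            try:  # value is "<IPv4_address> <netmask>", e.g. "8.8.8.8 255.255.255.255"
                addr, mask = str(value).split()
                ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            except ValueError:
                errors.append(f"bad IPv4 prefix for {key}: {value}")
        elif key == "vlan" and not (str(value).isdigit() and 1 <= int(value) <= 4094):
            errors.append(f"VLAN must be 1-4094, got {value}")
    return errors

def render_ingress_policy(policy_id, classifier, drop=False, count=False):
    """Emit 'config switch-controller acl ingress' for one policy in the CLI syntax shown above."""
    errors = classifier_errors(classifier)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["config switch-controller acl ingress", f"    edit {policy_id}", "        config action",
             f"            set count {'enable' if count else 'disable'}",
             f"            set drop {'enable' if drop else 'disable'}", "        end", "        config classifier"]
    lines += [f"            set {k} {v}" for k, v in classifier.items()]
    return "\n".join(lines + ["        end", "    next", "end"])

def render_group(name, policy_ids, known_policy_ids):
    """Emit the ACL group, refusing to reference an ingress policy that was never created."""
    missing = [p for p in policy_ids if p not in known_policy_ids]
    if missing:
        raise ValueError(f"group {name} references undefined ingress policies {missing}")
    return "\n".join(["config switch-controller acl group", f'    edit "{name}"',
                      f"        set ingress {' '.join(str(p) for p in policy_ids)}", "    next", "end"])

def render_port_binding(serial, port, group_names, known_groups):
    """Emit the managed-switch port binding; every ACL group must exist before it is applied."""
    missing = [g for g in group_names if g not in known_groups]
    if missing:
        raise ValueError(f"port {port} references undefined ACL groups {missing}")
    return "\n".join(["config switch-controller managed-switch", f'    edit "{serial}"', "        config ports",
                      f'            edit "{port}"', f'                set acl-group "{" ".join(group_names)}"',
                      "            next", "        end", "    next", "end"])
```

Rendering the page's own example (policy 1, group "group1", port6 on S248EPTF18001384) reproduces the configuration shown above; a policy with an out-of-range VLAN or a group naming a policy that was never created is rejected before any CLI text is produced.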
