Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- 802.1p Tagging on VLANs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on ‎07-11-2011 04:49 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
802.1p Tagging on VLANs
Hello,
I need to mark my Ethernet frames with 802.1p priority tag in order to manage trafic priority on the switch connected to my Fortigate 50b.
This field is part of the VLAN 802.1Q standard RFC.
I even can not imagine Fortinet not supporting a standard !!!
Can anyone help me how to do that ?
Thanks
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can manage COS at layer2 on most ethernet switch, but how is your switch setup? On the FGT , I' ve personally never seen it down that way or know of any way to configured this. Most, manipulate qos fields within the l3 header ( i. DSCP )
Typically for COS configuration, It must be enable for trust and on the link between FGT and switch , & it must be a 802.1q trunk and you have to have qos enable on that switch. And it' s typically between l2 devices and not always cross l2 boundaries and require a mapping for L2 to L3.
As stated above, This is way most admins manipulate qos within l3 headers or by adding the appropiate DSCP field on the switchport of the attached L3 device.
Do yo have a network diagram of what you have and a simple flow schematic of the classiciation design (qos) from your end node?
if you find a configuration for this, please tcpdump the traffic to validate the configuration or execute the appropiate qos status commands on your switch.
e.g cisco or most cisco but depends on model and code
show mls qos
show mls qos int gi 0/1 stat
good luck
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Not applicable
Created on ‎07-11-2011 08:10 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer
Actually my topology is really simple :
1 Fortigate
1 Manageable Switch
Both are connected.
The switch is already configured with VLAN and CoS. This mean 802.1Q and 802.1p, or Layer 2 QoS if you prefer.
My Switch handle perfectly well L2 QoS by marking the 802.1Q Ethernet VLAN frames.
As far as I can see, Fortigate can not do that, unless somebody know how to ?
Actually, I' m looking for someone who know how to mark VLAN frames with L2 priority QoS on the Fortigate.
Using L3 QoS doesn' t interest me (Using L3 QoS is a beautifull gift for Pirate DoS attacks).
So if anyboy had a clue about setting L2 QoS on the Fortigate, I would be gratefull.
Many Thanks !!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Keep in mind the FGT is a layer3 device, so I don' t suspect it would have alot of L2 features pertaining to manipulate or use of the 802.1p portion of the 802.1q frame. The same would be true of other l3 devices that I can think of;
cisco router or a SLB.
As far as pirate DOS attacks, have no fear.
If you want and need to deployed QoS from a DSCP standpoint, I posted in the firewall forum the menas to deploy DSCP within the fwpolicies. That would be simple todo and staight forward.
Good luck
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Not applicable
Created on ‎07-11-2011 10:13 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh yes I fear pirate DoS attack. It is so easy to set DSCP field on compromised machines ! So the beautiful QoS L3 get stuck in seconds and a big enterprise has no more telephone...
It' s quite more difficult to compromise the switch that mark 802.1p field than the machines on the subnet.
Well, I don' t see what could stop a L3 device to achieve the basics of Layer 2.
Since the Fortigate send out Ethernet frames and tag them with VLAN, where the hell is the difficulty to program a small function to set 3 bits within the same VLAN tag ?!
This sounds deliberatly a political decision... shame on Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as fears of DoS and via the pirating of the DSCP field, think about this;
if your port is set to trust COS, what would keep me from crafting a layer2 tagged framed with the correct COS values set ( 0 thru 7 ) and sending a bunch of UDP packets , which is what VOIP voice bearer packets are to begin with, and now with the COS field set upon to be acted by the next device?
You are back to the same issues/concerns that you mention in your example of the compromised host and some one forging DSCP values and the switchport set for trust of these QoS values
imho
You actually have the same issues from a trust relationship with QoS security, regards if you perform ; mls qos trust cos or dscp or even ip precedence .
I guess it depends on how trust worthly you expect one over the other..... I guess.
But bottomline, you still have a trust relationship.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Not applicable
Created on ‎07-12-2011 05:25 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand your considerations.
But, well, as I said before, it is much more easier for a Pirate to take control of a PC than a Switch, a router, or an IP Phone.
Since as I said before I' m using VLAN.
A pirate compromising a PC on a Data VLAN would have no chance to get on the Voice VLAN where Telco equipements are trusted and less exposed to piracy (IE, applications, e-mail, etc...).
Of course, you could have VLAN separated trafics and use DSCP QOS.
But with L3 QoS and DSCP (or IP precedence) you have a weak point at the connection between the Fortigate and the Switch where you would have to re-mark DSCP fields coming from untrusty PC in order to prevente abuse.
On L2 QoS, the packets coming from PC are untrusted. Whatever comes from them is set with lower CoS (802.1p). This is automaticaly and efficiently performed by L2 equipements (switches). Processing remains at level 2.
With L3 QoS you have to build Policies in order to remarks paquet' s DSCP field either for each ingress port, or for the egress port going to the firewall.
More over, L3 QoS require more processing and therfore expencive devices with stronger process units and smarter processing, and finally use more power which is neither good for the planet nor for the accounting of the enterprise.
The IT team as well spare time and ressources for implemeting easier CoS L2 instead of more difficult L3 QoS.
One rule in engineering : KISS (Keep it stupidly simple).
Labels
-
FortiGate
10,530 -
FortiClient
2,140 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
675 -
5.4
638 -
FortiSwitch
581 -
FortiAP
558 -
FortiClient EMS
552 -
6.0
416 -
IPsec
414 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
169 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
127 -
FortiCloud Products
116 -
FortiSIEM
112 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
74 -
SAML
71 -
DNS
71 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
SSID
25 -
Static route
25 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2559 | |
| 1356 | |
| 795 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.