
Administration Guide


Voice device detection

FortiSwitch can parse LLDP messages from voice devices such as FortiFone and pass this information to FortiGate for device detection. You can use FortiSwitch NAC policies to assign a device to an LLDP profile, QoS policy, and VLAN policy. When a detected device matches a NAC policy, the corresponding policy actions are applied on the switch port.

Example

In the following example, FortiFone is connected to port11 of FortiSwitch. A NAC policy is created to apply a VLAN policy, LLDP policy, and QoS policy to Device Family FortiFone.

To create a FortiSwitch NAC policy in the GUI:
  1. Configure a NAC policy on a switch port. See NAC policies on switch ports.
  2. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  3. Create or edit a NAC policy.
  4. Set the Category to Device.
  5. Enable Device family, and enter a name such as FortiFone.
  6. Select Apply Port Specific Settings.
  7. Enable LLDP profile, and select a voice profile from the dropdown.
  8. Enable QoS policy, and select a voice policy from the dropdown.
  9. Enable VLAN policy, and select a voice policy from the dropdown.

  10. Click OK.

    The NAC policy is applied after a FortiFone is plugged into port11 of the FortiSwitch.

To create a FortiSwitch NAC policy in the CLI:
  1. Assign the FortiFone to a VLAN policy, LLDP policy, and QoS policy.

    config user nac-policy
        edit "FortiFone"
            set family "FortiFone"
            set switch-fortilink "fortilink"
            set switch-port-policy "FortiFone"
        next
    end
    config switch-controller port-policy
        edit "FortiFone"
            set fortilink "fortilink"
            set lldp-profile "fortivoice.fortilink"
            set qos-policy "voice-qos"
            set vlan-policy "fortiFone"
        next
    end
    config switch-controller vlan-policy
        edit "fortiFone"
            set fortilink "fortilink"
            set vlan "voice"
        next
    end
    config switch-controller lldp-profile
        edit "fortivoice.fortilink"
            set med-tlvs inventory-management network-policy location-identification
            set auto-isl disable
            config med-network-policy
                edit "voice"
                    set status enable
                    set vlan-intf "voice"
                    set assign-vlan enable
                    set dscp 46
                next
                edit "voice-signaling"
                    set status enable
                    set vlan-intf "voice"
                    set assign-vlan enable
                    set dscp 46
                next
                edit "guest-voice"
                next
                edit "guest-voice-signaling"
                next
                edit "softphone-voice"
                next
                edit "video-conferencing"
                next
                edit "streaming-video"
                next
                edit "video-signaling"
                next
            end
        next
    end
    config switch-controller qos qos-policy
        edit "voice-qos"
            set trust-dot1p-map "voice-dot1p"
            set trust-ip-dscp-map "voice-dscp"
            set queue-policy "voice-egress"
        next
    end

  2. FortiSwitch receives an LLDP message from FortiFone after it is plugged into port11.
  3. Run diagnose switch-controller switch-info to check the device information on FortiGate. The FortiFone is identified.

    # diagnose switch-controller switch-info lldp neighbors-detail S124EP5918000276 port11
    Vdom: root
    Managed Switch : S124EP5918000276 0

    Capability codes:
    R:Router, B:Bridge, T:Telephone, C:DOCSIS Cable Device
    W:WLAN Access Point, P:Repeater, S:Station, O:Other

    MED TLV Capability codes:
    C:Capabilities, P:Network Policies, L:Location, S:MDI PSE
    D:MDI PD, I:Inventory

    _______________________________________________________________
    Neighbor learned on port port11 by LLDP protocol
    Last change 20 seconds ago
    Last packet received 20 seconds ago

    Chassis ID: 169.254.15.3 (ip)
    System Name: FON-675i
    System Description:
    :14.0.0.1.r4

    Time To Live: 60 seconds
    System Capabilities: BT
    Enabled Capabilities: BT
    MED type: Communication Device Endpoint (Class III)
    MED Capabilities: CP
    Management IP Address: 169.254.15.3

    Port ID: 70:4c:a5:e2:6b:b2 (mac)
    Port description: WAN Port 10M/100M/1000M
    IEEE802.3, Power via MDI:
    Power devicetype: PD
    PSE MDI Power: Not Supported
    PSE MDI Power Enabled: No
    PSE Pair Selection: Can not be controlled
    PSE power pairs: Signal
    Power class: 1 (class-0)
    Power type: 802.3at off
    Power source: Unknown
    Power priority: Unknown
    Power requested: 0.0W
    Power allocated: 0.0W
    LLDP-MED, Network Policies:
    voice: VLAN: 256 (untagged), Priority: 0 DSCP: 46
    voice-signaling: VLAN: 256 (untagged), Priority: 0 DSCP: 46
    streaming-video: VLAN: 256 (untagged), Priority: 0 DSCP: 46

    # diagnose user device list
    hosts
    vd root/0  70:4c:a5:e2:6b:b2  gen 5  req OUA/34
    created 3522s  gen 3  seen 24s  onboarding  gen 2
    hardware vendor 'Fortinet'  src lldp weight 128
    type 'IP Phone'  src lldp  id 1523  weight 128
    family 'FortiFone'  src lldp  id 1523  weight 128
    host 'FON-675i'  src lldp
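
The check in step 3 can be scripted. The following Python sketch is an added example, not part of the Fortinet guide: it parses the two diagnostic outputs, confirms that the MAC learned on the port was classified as the expected device family and that the voice and voice-signaling network policies carry the DSCP value set in the LLDP profile, and notes when every identification attribute has `src lldp`, meaning the classification rests only on what the endpoint advertised over LLDP, which is unauthenticated. The function names and the trimmed sample text are constructed for illustration.

```python
import re

# Constructed sample input, trimmed from the diagnostic output on this page.
NEIGHBOR_OUTPUT = """\
Neighbor learned on port port11 by LLDP protocol
Port ID: 70:4c:a5:e2:6b:b2 (mac)
LLDP-MED, Network Policies:
voice: VLAN: 256 (untagged), Priority: 0 DSCP: 46
voice-signaling: VLAN: 256 (untagged), Priority: 0 DSCP: 46
"""
DEVICE_LIST_OUTPUT = """\
vd root/0  70:4c:a5:e2:6b:b2  gen 5  req OUA/34
hardware vendor 'Fortinet'  src lldp weight 128
type 'IP Phone'  src lldp  id 1523  weight 128
family 'FortiFone'  src lldp  id 1523  weight 128
host 'FON-675i'  src lldp
"""
ATTR = re.compile(r"\s*(hardware vendor|type|family|host) '([^']*)'\s+src (\S+)")

def parse_neighbor(text):
    """Return (port, mac, {policy: (vlan, dscp)}) from neighbors-detail output."""
    port = re.search(r"learned on port (\S+)", text).group(1)
    mac = re.search(r"Port ID: ([0-9a-f:]{17}) \(mac\)", text).group(1)
    found = re.findall(r"^\s*([\w-]+): VLAN: (\d+) .*DSCP: (\d+)", text, re.M)
    return port, mac, {n: (int(v), int(d)) for n, v, d in found}

def parse_devices(text):
    """Return {mac: {attribute: (value, source)}} from device list output."""
    devices, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*vd \S+\s+([0-9a-f:]{17})", line):
            current = devices.setdefault(m.group(1), {})
        elif current is not None and (m := ATTR.match(line)):
            current[m.group(1)] = (m.group(2), m.group(3))
    return devices

def audit(neighbor_text, device_text, family="FortiFone", dscp=46):
    """Return findings; only the LLDP-only note is expected for the page's sample."""
    port, mac, policies = parse_neighbor(neighbor_text)
    attrs = parse_devices(device_text).get(mac, {})
    findings = []
    if attrs.get("family", (None, None))[0] != family:
        findings.append(f"{port}: {mac} is not classified as {family}")
    for name in ("voice", "voice-signaling"):
        if policies.get(name, (None, None))[1] != dscp:
            findings.append(f"{port}: policy {name} missing or DSCP is not {dscp}")
    if attrs and {src for _, src in attrs.values()} == {"lldp"}:
        findings.append(f"{port}: {mac} identified from LLDP only")
    return findings
```

Calling `audit(NEIGHBOR_OUTPUT, DEVICE_LIST_OUTPUT)` on the sample returns only the LLDP-only note; a wrong family or DSCP value adds a finding for the affected port.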
