
IP Phones Using Tagged Voice VLANs

7.2.0
Doc ID: 08326dbd-ae36-11ed-8e6d-fa163e15d75b:323994

Overview

Important: This document is intended to be used in environments where IP Phones utilize a tagged Voice VLAN. This VLAN operates independently of the untagged VLAN that governs other traffic (data) on the connecting switch port. If the IP Phones to be integrated do not use tagged Voice VLANs, see section IP Phones Using Untagged VLANs for instructions.

What it Does

Provides visibility and control for endpoints connecting behind IP Phones on the network.

FortiNAC does not provide any special integration logic for different IP phone vendors. Typically, the network administrator deploys the organization's IP phone infrastructure independently of configuring FortiNAC. Because FortiNAC's focus is on the endpoints daisy-chained behind the phone, the type of phone in use is unimportant.

How it Works

  • IP phone MAC address is ignored when determining the appropriate untagged VLAN for a port: The untagged VLAN on a given port (data VLAN) will not be switched based upon the presence of a device with the IP Phone device type. The untagged VLAN will only switch based upon a device connecting behind the phone.

    Example:

  1. An unregistered/Rogue IP phone connects to a switch port and is isolated.

  2. Device is registered using type IP Phone.

  3. Although the device is now registered, the untagged VLAN will not change because the IP Phone device type is ignored.

  • Voice VLAN manipulation: By default, FortiNAC does not provision voice VLANs when an IP phone connects. Additional configuration is required using one of the following methods:

    • FlexCLI: FortiNAC configures the port to support voice when an IP Phone is detected. The configuration is removed when the phone disconnects. FortiNAC has limited support for this by leveraging the FlexCLI feature to specify the switch-specific commands to manage this process. For a list of supported vendors, refer to the CLI Configuration section of the Administration Guide.

    • RADIUS: When an IP Phone connects, FortiNAC includes the Voice VLAN value in the RADIUS response. Switch ports must be configured for RADIUS authentication.

  • IP Phone Connection information: Cisco switches can send CDP notifications triggered by IP Phone traffic that is transmitted across untagged VLANs. Other switches have the ability to send MAC Notification messaging as well. FortiNAC has the ability to process this traffic and update connection information for endpoints already classified as IP Phones. The ability to process and update IP Phone connectivity information is applicable for the following use cases:

    • Device Profiling: Revalidate IP Phone on connect

    • Automated Voice VLAN Configuration

      Note: Function is disabled by default.

  • Connection information of hosts daisy-chained to the phone: FortiNAC learns when endpoints come and go from the phone ports through either MAC Notification Traps or RADIUS authentication. FortiNAC cannot rely on linkUp/linkDown traps since the IP Phone keeps the link state up.

Note: RADIUS authentication may not provide real time information when an endpoint disconnects.

Host Connection Process Through Phone Port

  1. PC connects to the port on the back of the phone.

  2. FortiNAC learns of the connection:

    • If MAC Notification Traps are enabled, a trap is sent to FortiNAC.

    • If RADIUS is configured, an Access Request is sent to FortiNAC.

    • If neither MAC Notification Traps nor RADIUS are configured, the host connection is not detected until the next L2 Poll. The host connects immediately to whatever network or VLAN the port is currently set to. If the polling interval is very long, a host may have to wait before it can register or move to the correct VLAN.

  3. FortiNAC searches for the PC’s MAC address in the database to determine whether or not it is registered.

  4. If it is not registered, the PC is placed in the Registration VLAN but the phone remains in the Voice VLAN.

  5. If it is registered, the PC is placed in the Production VLAN but the phone remains in the Voice VLAN.

Note: Once an IP Phone is connected to a port, FortiNAC does not bring down the interface to change VLANs. If there is an agent installed on the connected machine, the agent does a release/renew of the IP address (see PA Optimization under Device Properties in the Administration Guide). If there is no agent installed, the user must wait for the IP address lease to expire. Default lease times for FortiNAC isolation scopes are 60 seconds.
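The decision rules from "How it Works" (phone MAC ignored for the untagged VLAN, Voice VLAN returned over RADIUS) and the host connection process above, modelled as a small Python simulation. This is an added illustration, not FortiNAC code; the VLAN ids, MAC addresses and the in-memory database are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample VLAN ids (assumptions, not values from the page).
REGISTRATION_VLAN, PRODUCTION_VLAN, VOICE_VLAN = 10, 20, 100

# Constructed stand-in for the FortiNAC database: mac -> (registered, device type).
DB = {"aa:bb:cc:dd:ee:01": (True, "Windows")}


@dataclass
class Port:
    untagged_vlan: int = PRODUCTION_VLAN
    voice_vlan: Optional[int] = VOICE_VLAN  # tagged voice VLAN stays on the port
    mac_notification: bool = False
    radius: bool = False


def register(mac: str, dev_type: str) -> None:
    """Register a MAC with the given device type (e.g. "IP Phone")."""
    DB[mac.lower()] = (True, dev_type)


def on_connect(port: Port, mac: str, l2_poll: bool = False) -> dict:
    """Return the VLAN decision for a MAC seen on this port.

    learned via trap, RADIUS Access-Request, or an L2 poll; otherwise the
    connection is not yet known and the host lands on the port's current VLAN.
    """
    if not (port.mac_notification or port.radius or l2_poll):
        return {"untagged_vlan": port.untagged_vlan, "deferred": True}

    registered, dev_type = DB.get(mac.lower(), (False, "Rogue"))
    if dev_type == "IP Phone":
        # The phone's MAC never moves the untagged (data) VLAN. With RADIUS,
        # the Voice VLAN value is included in the response for the phone.
        resp = {"untagged_vlan": port.untagged_vlan, "deferred": False}
        if port.radius:
            resp["voice_vlan"] = VOICE_VLAN
        return resp

    # A host behind the phone (or an unknown/rogue device) does move the
    # untagged VLAN; the phone's voice VLAN on the port is left untouched.
    port.untagged_vlan = PRODUCTION_VLAN if registered else REGISTRATION_VLAN
    return {"untagged_vlan": port.untagged_vlan, "deferred": False}
```

Walking a rogue phone through steps 1 to 3 of the example shows the untagged VLAN stays in isolation after the phone is registered as an IP Phone, while a registered PC behind it moves the port to production.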

Requirements

  • RADIUS or MAC Notification Traps for accurate and timely connection information regarding endpoints behind IP Phones.

    Note:

    • Some switches may not support MAC Notification Traps or RADIUS. In such cases, consider increasing the L2 Poll frequency for the switch model.

    • When a registered IP Phone connects or moves to another wired port, the change is not detected until an L2 poll is performed on the switch. By default, MAC Notification Traps for IP Phones are ignored. This setting can be changed under Network > Settings > Network Device; however, enabling the processing of traps for IP Phones could potentially impact performance.

  • Do not trunk Cisco ports that have IP Phones connected. Configure the access (untagged) VLAN and Voice VLAN for the port. FortiNAC does not manage trunked ports.
