LLDP-MED

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.

Fortinet data center switches support LLDP-MED (Media Endpoint Discovery), which is an enhancement of LLDP that provides the following facilities:

• Auto-discovery of LAN policies (such as VLAN, layer-2 priority, and differentiated services settings), to enable plug-and-play networking.
• Device location discovery to allow the creation of location databases and Enhanced 911 services for Voice over Internet Protocol (VoIP).
• Extended and automated power management for power over Ethernet (PoE) endpoints.
• Inventory management, allowing network administrators to track their network devices, and determine their characteristics (manufacturer, software and hardware versions, serial or asset number).

The switch will multicast LLDP packets to advertise its identity and capabilities. The switch receives the equivalent information from adjacent layer-2 peers.

Starting in FortiSwitch 6.2.0, you can use the CLI to configure the location table used by LLDP-MED for enhanced 911 emergency calls.

This chapter covers the following topics:

• Configuration notes
• LLDP global settings
• Configuring LLDP profiles
• Configuring an LLDP profile for the port
• Enabling LLDP on a port
• Checking the LLDP configuration
• Configuration deployment example
• Checking LLDP details
• LLDP OIDs

Configuration notes

Review the following notes before configuring LLDP-MED:

• When 802.1x and LLDP turn on at the same port, switching between LLDP profiles requires a manual reset of all authentication sessions.
• Fortinet recommends LLDP-MED-capable phones.
• The FortiSwitch unit functions as a Network Connectivity device (that is, NIC, switch, router, and gateway), and will only support sending TLVs intended for Network Connectivity devices.
• LLDP supports up to 16 neighbors per physical port.
• The FortiSwitch unit accepts and parses packets using the CDP (Cisco Discovery Protocol) and count CDP neighbors towards the neighbor limit on a physical port. If neighbors exist, the FortiSwitch unit transmits CDP packets in addition to LLDP.
• With release 3.5.1, CDP is independently controllable through the set cdp-status command on the physical port. The FortiSwitch unit no longer requires a neighbor to trigger it to transmit CDP; it will transmit provided cdp-status is configured as tx-only or tx-rx. The default configuration for CDP-status is disabled. It still uses values pulled from the lldp-profile to configure its contents.
• LLDP must be globally enabled under the config switch lldp settings command for CDP to be transmitted or received:
• If a port is added into a virtual-wire (connects two ends of a controlled system using a radio frequency [RF] medium), the FortiSwitch unit will disable the transmission and receipt of LLDP and CDP packets and remove all neighbors from the port. This virtual-wire state is noted in the get switch lldp neighbor-summary command output.
• If the combination of configured TLVs exceeds the maximum frame size on a port, that frame cannot be sent.
• If a port is configured with an LLDP profile that has auto-isl enabled, the LLDP transmit frequency (normally set under config switch lldp settings with the set tx-interval command) for that port is overridden by the profileʼs auto-isl-hello-timer setting (the default is 3 seconds).
• When the switch is in FortLink mode, all ports are changed to have profiles with auto-isl enabled by default, and the portsʼ normal transmit interval is overridden by the auto-isl-hello-timer setting in that profile (the default is 3 seconds).
• The default-auto-isl LLDP profile, which is one of the two default LLDP profiles, has auto-isl enabled. Any port configured with the default-auto-isl profile will transmit LLDP PDUs every 3 seconds when the auto-isl-hello-timer option in that profile is set at the default of 3 seconds.
• The Time to Live (TTL) value sent in the LLDP PDUs is still based on the tx-interval and tx-hold values under config switch lldp settings, even if the transmit interval has been overridden by the auto-isl-hello-timer setting.

LLDP global settings

Using the GUI:

1. Go to Switch > LLDP MED > Settings.
2. Select or clear Enable LLDP Transmit/Receive.
3. Select the management interface.
4. Enter a value in the Transmit Hold field.
5. Enter the number of seconds for the transmit interval.
6. Select or clear Fast Start. If you select Fast Start, enter the number of seconds.
7. Select Update.

Using the CLI:

config switch lldp settings

set status {enable | disable}

set tx-hold <int>

set tx-interval <int>

set fast-start-interval <int>

set management-interface <layer-3 interface>

end

Variable	Description
status	Enable or disable
tx-hold	Number of tx-intervals before the local LLDP data expires (that is, the packet TTL (in seconds) is tx-hold times tx-interval). The range for tx-hold is 1 to 16, and the default value is 4.
tx-interval	Frequency of LLDP PDU transmission ranging from 5 to 4095 seconds (default is 30).
fast-start-interval	How often the FortiSwitch unit transmits the first four LLDP packets when a link comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this variable to zero to disable fast start.
management-interface	Primary management interface advertised in LLDP and CDP PDUs.

Setting the asset tag

To help identify the unit, LLDP uses the asset tag, which can be at most 32 characters. It will be added to the LLDP-MED inventory TLV (when that TLV is enabled):

config system global

set asset-tag <string>

end

Configuring the location table

Because mobile phones have no fixed addresses associated with them, calls to 911 need the location information provided in emergency location identifier numbers (ELINs). You need to first configure the location table used by LLDP-MED for enhanced 911 emergency calls and then configure the LLDP profile to use the location table.

Using the GUI:

1. Go to System > Locations.
2. Select Add Location.
3. Required. In the Name field, enter a unique name for the location entry.
4. In the ELIN Number field, enter the ELIN, which is a unique phone number. The value must be no more than 31-characters long.
5. Enter the civic address.
   1. In the Additional field, enter additional location information, for example, west wing.
   2. In the Additional Code field, enter the additional country-specific code for the location. In Japan, use the Japan Industry Standard (JIS) address code.
   3. In the Block field, enter the neighborhood (Korea) or block
   4. In the Branch Road field, enter the branch road name. This value is used when side streets do not have unique names so that both the primary road and side street are used to identify the correct road
   5. In the Building field, enter the name of the building (structure) if the address includes more than one building, for example, Law Library.
   6. In the City field, enter the city (Germany), township, or shi (Japan).
   7. In the City Division field, enter the city division, borough, city district (Germany), ward, or chou (Japan).
   8. Required. In the Country field, enter the two-letter ISO 3166 country code in capital ASCII letters, for example, US, CA, DK, and DE.
   9. In the Country Subdivision field, enter the national subdivision (such as state, canton, region, province, or prefecture). In Canada, the subdivision is province. In Germany, the subdivision is state. In Japan, the subdivision is metropolis. In Korea, the subdivision is province. In the United States, the subdivision is state.
   10. In the County field, enter the county (Canada, Germany, Korea, and United States), parish, gun (Japan), or district (India).
   11. In the Direction field, enter N, E, S, W, NE, NW, SE, or SW for the leading street direction.
   12. In the Floor field, enter the floor number, for example, 4.
   13. In the Landmark field, enter the nickname, landmark, or vanity address, for example, UC Berkeley.
   14. In the Language field, enter the ISO 639 language code used for the address information.
   15. In the Name field, enter the person or organization associated with the address, for example, Fortinet or Textures Beauty Salon.
   16. In the Number field, enter the street address, for example, 1560.
   17. In the Number Suffix field, enter any modifier to the street address. For example, if the full street address is 1560A, enter 1560 for the number and A for the number suffix.
   18. In the Place Type field, enter the type of place, for example, home, office, or street.
   19. In the Post Office Box field, enter the post office box, for example, P.O. Box 1543. When the post-office-box value is set, the street address components are replaced with this value.
   20. In the Postal Community field, enter the postal community name, for example, Alviso. When the postal community name is set, the civic community name is replaced by this value.
   21. In the Primary Road field, enter the primary road or street name for the address.
   22. In the Road Section field, enter the specific section or stretch of a primary road. This field is used when the same street number appears more than once on the primary road.
   23. In the Room field, enter the room number, for example, 7A.
   24. In the Script field, enter the script used to present the address information, for example, Latn.
   25. In the Seat field, enter the seat number in a stadium or theater or a cubicle number in an office or a booth in a trade show.
   26. In the Street field, enter the street (Canada, Germany, Korea, and United States).
   27. In the Street Name Post Mod field, enter an optional part of the street name that appears after the actual street name. If the full street name is East End Avenue Extended, enter Extended.
   28. In the Street Name Pre Mod field, enter an optional part of the street name that appears before the actual street name. If the full street name is Old North First Street, enter Old.
   29. In the Street Suffix field, enter the type of street, for example, Ave or Place. Valid values are listed in the United States Postal Service Publication 28 [18], Appendix C.
   30. In the Sub Branch Road field, enter the name of a street that branches off of a branch road. This value is used when the primary road, branch road, and subbranch road names are needed to identify the correct street.
   31. In the Trailing Str Suffix field, enter N, E, S, W, NE, NW, SE, or SW for the trailing street direction.
   32. In the Unit field, enter the unit (apartment or suite), for example, Apt 27.
   33. In the ZIP field, enter the postal or zip code for the address, for example, 94089-1345.
6. Enter the GPS coordinates.
   1. Required. In the Altitude field, enter the vertical height of a location in feet or meters. The format is +/- floating-point number, for example, 117.47.
   2. Select Feet or Meters for the unit of measurement for the altitude.
   3. For the Datum drop-down list, select which map is used for the location: WGS84, NAD83, or NAD83/MLLW.
   4. Required. In the Latitude field, enter the latitude. The format is floating point starting with +/- or ending with N/S, for example, +/-16.67 or 16.67N.
   5. Required. In the Longitude field, enter the longitude. The format is floating point starting with +/- or ending with E/W, for example, +/-26.789 or 26.789E.
7. Select Add.

Using the CLI:

config system location

edit <name>

config address-civic

set additional <string>

set additional-code <string>

set block <string>

set branch-road <string>

set building <string>

set city <string>

set city-division <string>

set country <string>

set country-subdivision <string>

set county <string>

set direction <string>

set floor <string>

set landmark <string>

set language <string>

set name <string>

set number <string>

set number-suffix <string>

set place-type <string>

set post-office-box <string>

set postal-community <string>

set primary-road <string>

set road-section <string>

set room <string>

set script <string>

set seat <string>

set street <string>

set street-name-post-mod <string>

set street-name-pre-mod <string>

set street-suffix <string>

set sub-branch-road <string>

set trailing-str-suffix <string>

set unit <string>

set zip <string>

end

config coordinates

set altitude <string>

set altitude-unit {f | m}

set datum {NAD83 | NAD83/MLLW | WGS84}

set latitude <string>

set longitude <string>

end

config elin-number

set elin-number <number>

end

For example:

config system location

edit Fortinet

config address-civic

set country "US"

set language "English"

set county "Santa Clara"

set city "Sunnyvale"

set street "Kifer"

set street-suffix "Road"

set number "899"

set zip "94086"

set building "1"

set floor "1"

set seat "1293"

end

next

edit "Fortinet"

config elin-number

set elin-number "14082357700"

end

end

Configuring LLDP profiles

LLDP profile contains most of the port-specific configuration. Profiles are designed to provide a central point of configuration for LLDP settings that are likely to be the same for multiple ports.

Two static LLDP profiles, default and default-auto-isl, are created automatically. They can be modified but not deleted. The default-auto-isl profile always has auto-isl enabled and rejects any configurations that attempt to disable it.

LLDP-MED network policies

LLDP-MED network policies cannot be deleted or added. To use a policy, set the med-tlvs field to include network-policy and the desired network policy to enabled. The VLAN values on the policy are cross-checked against the VLAN native and untagged attributes for any interfaces that contain physical-ports using this profile. The cross-check determines if the policy Type Length Value (TLV) should be sent (VLAN must be native or allowed) and if the TLV should mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is automatically updated when either a switch interface changes VLAN configuration or a physical port is added to, or removed from, a trunk.

The FortiSwitch unit supports the following LLDP-MED TLVs:

• Inventory Management TLVs
• Location Identification TLVs
• Network Policy TLV
• Power Management TLVs

Refer to the Configuration deployment example.

Custom TLVs (organizationally specific TLVs)

Custom TLVs are configured in their own subtable, available in each profile. They allow you to emulate the TLVs defined in various specifications by using their OUI and subtype and ensuring that the data is formatted correctly. You could also define a purely arbitrary custom TLV for some other vendor or for their company.

The “name” value for each custom TLV is neither used by nor has an effect on LLDP; it simply differentiates between custom TLV entries:

config custom-tlvs

edit <TLVname_str>

set information-string <hex-bytes>

set oui <hex-bytes>

set subtype <integer>

next

The OUI value for each TLV must be set to three bytes. If just one of those bytes is nonzero it is accepted; any value other than "000" is valid. The subtype is optional and ranges from 0 (default) to 255. The information string can be 0 to 507 bytes, in hexadecimal notation.

The FortiSwitch unit does not check for conflicts either between custom TLV values or with standardized TLVs. That is, other than ensuring that the OUI is nonzero, the FortiSwitch unit does not check the OUI, subtype (or data) values entered in the CLI for conflicts with other Custom TLVs or with the OUI and subtypes of TLVs defined by the 802.1, 802.3, LLDP-MED, or other standards. While this behavior could cause LLDP protocol issues, it also allows a large degree of flexibility were you to substitute a standard TLV that is not supported yet.

802.1 TLVs

The only 802.1 TLV that can be enabled or disabled is Port VLAN ID. This TLV sends the native VLAN of the port. This value is updated when the native VLAN of the interface representing the physical port changes or if the physical port is added to, or removed from, a trunk.

By default, no 802.1 TLVs are enabled.

802.3 TLVs

There are three 802.3 TLVs that can be enabled or disabled:

• Efficient Energy Ethernet Config—This TLV sends whether energy-efficient Ethernet is enabled on the port. If this variable is changed, the sent value will reflect the updated value.
• PoE+ Classification—This TLV sends whether PoE power is enabled on the port. If this variable is changed, the sent value will reflect the updated value.
• Maximum Frame Size—This TLV sends the max-frame-size value of the port. If this variable is changed, the sent value will reflect the updated value.

By default, no 802.3 TLVs are enabled.

Auto-ISL

The auto-ISL configuration that was formerly in the switch physical-port command has been moved to the switch lldp-profile command. All behavior and default values are unchanged.

Assigning a VLAN to a port in the LLDP profile

You can configure the network policy of an LLDP profile to assign the specified VLAN to ports that use the LLDP profile. The VLAN is added as though it were configured in the set allowed-vlans setting in the config switch interface configuration.

This feature has the following requirements:

• The port cannot belong to a trunk or virtual wire.
• The port must have lldp-status set to rx-only, tx-only, or tx-rx.
• The port must have private-vlan set to disabled.
• LLDP must be enabled under the config switch lldp settings command.
• The set med-tlvs network-policy option must be set under the config switch lldp profile configuration.
• The assign-vlan option must be enabled in the med-network-policy configuration under the config switch lldp profile configuration.
• The VLAN assigned in the LLDP profile must be a valid VLAN.

Note:

• If the VLAN added to the interface by the LLDP profile is also listed under the set untagged-vlans configuration in the config switch interface command, the VLAN is added as untagged.
• If the VLAN added to the interface by the LLDP profile is also the native VLAN of the port, no changes occur.
• The LLDP service determines the contents of the network-policy TLV being sent based on the current state of the switch interface. If the LLDP VLAN assignment does not happen or the assigned VLAN is changed by another configuration (such as the set untagged-vlans configuration in config switch interface), the LLDP network policy TLVs being sent will reflect the actual state of the interface, not the configured value.

To specify a VLAN in the network policy of an LLDP profile:

config med-network-policy

edit <policy_type_name>

set status enable

set assign-vlan enable

set dscp <0-63>

set priority <0-7>

set vlan <0-4094>

next

For example:

config med-network-policy

edit default

set status enable

set assign-vlan enable

set vlan 15

set dscp 30

set priority 3

next

Configuring an LLDP profile for the port

Configure an LLDP profile for the port. By default, the port uses the default LLDP profile.

Using the GUI:

1. Go to Switch > LLDP-MED > Profiles.
2. Select Add Profile.
3. Enter a name for your LLDP profile.
4. If needed, select Port VLAN ID.
5. If needed, select one or more of the 802.3 TLVs: Efficient Energy Ethernet Config, PoE+ Classification, and Maximum Frame Size.
6. If needed, select Enable for Auto-ISL.
7. Enter the number of seconds for the Auto-ISL Hello Timer.
8. Enter the port group number for the Auto-ISL Port Group.
9. Enter the number of seconds for the Auto-ISL Receive Timeout.
10. If needed, select one or more of the MED TLVs: Inventory Management, Location Identification, Network Policy, and Power Management.
11. Select Add.

Using the CLI:

config switch lldp profile

edit <profile>

set 802.1-tlvs port-vlan-id

set 802.3-tlvs max-frame-size

set auto-isl {active | inactive}

set auto-isl-hello-timer <1-30>

set auto-isl-port-group <0-9>

set auto-isl-receive-timeout <3-90>

set auto-mclag-icl {enable | disable}

set med-tlvs (inventory-management | location-identification | network-policy | power-management)

config custom-tlvs

edit <TLVname_str>

set information-string <hex-bytes>

set oui <hex-bytes>

set subtype <integer>

next

config med-location-service

edit address-civic

set status {enable | disable}

set sys-location-id <string>

next

edit coordinates

set status {enable | disable}

set sys-location-id <string>

next

edit elin-number

set status {enable | disable}

set sys-location-id <string>

next

config med-network-policy

edit <policy_type_name>

set status {enable | disable}

set assign-vlan {enable | disable}

set dscp <0-63>

set priority <0-7>

set vlan <0-4094>

next

end

Enabling LLDP on a port

To enable LLDP MED on a port, set the LLDP status to receive-only, transmit-only, or receive and transmit. The default value is TX/RX.

Using the GUI:

1. Go to Switch > Port > Physical.
2. Select a port and select Edit.
3. Select TX/RX, RX Only, TX Only, or Disable for the LLDP-MED status.
4. Select an LLDP profile.
5. Select Update.

Using the CLI:

config switch physical-port

edit <port>

set lldp-status (rx-only | tx-only | tx-rx | disable)

set lldp-profile <profile name>

next

end

Checking the LLDP configuration

View the LLDP configuration settings using the GUI:

1. Go to Switch > LLDP-MED > Settings.
2. Make any changes that are needed.
3. Select Update.

View the LLDP configuration settings using the CLI:

get switch lldp settings

status : enable

tx-hold : 4

tx-interval : 30

fast-start-interval : 2

management-interface: internal

View the LLDP profiles using the GUI:

1. Go to Switch > LLDP-MED > Profiles.
2. Select a profile and then select Edit.
3. Make any changes that are needed.
4. Select Update.

View the LLDP profiles using the CLI:

get switch lldp profile

== [ default ]

name: default 802.1-tlvs: 802.3-tlvs: med-tlvs: inventory-management network-policy

== [ default-auto-isl ]

name: default-auto-isl 802.1-tlvs: 802.3-tlvs: med-tlvs:

Use the following commands to display the LLDP information about LLDP status or the layer-2 peers for this FortiSwitch unit:

get switch lldp (auto-isl-status | neighbors-detail | neighbors-summary | profile | settings | stats)

Configuration deployment example

To configure LLDP:

1. Configure LLDP global configuration settings using the config switch lldp settings command.
2. Create LLDP profiles using the config switch lldp profile command to configure Type Length Values (TLVs) and other per-port settings.
3. Assign LLDP profiles to physical ports.
4. Apply VLAN to interface. (NOTE: LLDP profile values that are tied to VLANs will only be sent if the VLAN is assigned on the switch interface.)
   1. Configure the profile.

      show switch lldp profile Forti670i

      config switch lldp profile

      edit "Forti670i"

      config med-network-policy

      edit "voice"

      set dscp 46

      set priority 5

      set status enable

      set vlan 400

      next

      edit "guest-voice"

      next

      edit "guest-voice-signaling"

      next

      edit "softphone-voice"

      next

      edit "video-conferencing"

      next

      edit "streaming-video"

      set dscp 40

      set priority 3

      set status enable

      set vlan 400

      next

      edit "video-signalling"

      next

      end

      set med-tlvs inventory-management network-policy

      next

      end

   2. Configure the interface.

      show switch interface port4

      config switch interface

      edit "port4"

      set allowed-vlans 400

      set snmp auto

      next

      end

   3. Connect a phone with LLDP-MED capability to the interface. NOTE: Make certain the LLDP, Learning, and DHCP features are enabled.

      show switch physical-port port4

      config switch physical-port

      edit "port4"

      set lldp-profile "Forti670i"

      set speed auto

      next

      end

   4. Verify.

      show switch lldp neighbor-det port4

      Neighbor learned on port port4 by LLDP protocol

      Last change 12 seconds ago

      Last packet received 12 seconds ago

      Chassis ID: 10.105.251.40 (ip)

      System Name: FON-670i

      System Description:

      V12.740.335.12.B

      Time To Live: 60 seconds

      System Capabilities: BT

      Enabled Capabilities: BT

      MED type: Communication Device Endpoint (Class III)

      MED Capabilities: CP

      Management IP Address: 10.105.251.40

      Port ID: 00:a8:59:d8:f1:f6 (mac)

      Port description: WAN Port 10M/100M/1000M

      IEEE802.3, Power via MDI:

      Power devicetype: PD

      PSE MDI Power: Not Supported

      PSE MDI Power Enabled: No

      PSE Pair Selection: Can not be controlled

      PSE power pairs: Signal

      Power class: 1

      Power type: 802.3at off

      Power source: Unknown

      Power priority: Unknown

      Power requested: 0

      Power allocated: 0

      LLDP-MED, Network Policies:

      voice: VLAN: 400 (tagged), Priority: 5 DSCP: 46

      voice-signaling: VLAN: 400 (tagged), Priority: 4 DSCP: 35

      streaming-video: VLAN: 400 (tagged), Priority: 3 DSCP: 40

Checking LLDP details

Using the GUI:

Go to Switch > Monitor > LLDP.

LLDP OIDs

Starting in FortiSwitchOS 6.2.2, the following object identifiers (OIDs) are supported by the LLDP management information base (MIB) file:

• .1.0.8802.1.1.2.1.1 (lldpConfiguration)
  • lldpMessageTxInterval
  • lldpMessageTxHoldMultiplier
  • lldpReinitDelay
  • lldpTxDelay
  • lldpNotificationInterval
• .1.0.8802.1.1.2.1.4.1 (lldpRemoteSystemsData.lldpRemTable)
  • lldpRemChassisIdSubtype
  • lldpRemChassisId
  • lldpRemPortSubtype
  • lldpRemPortId
  • lldpRemPortDesc
  • lldpRemSysName
  • lldpRemSysDesc
  • lldpRemSysCapSupported
  • lldpRemSysCapEnabled
• .1.0.8802.1.1.2.1.4.2 (lldpRemoteSystemsData.lldpRemManAddrTable)
  • lldpRemManAddrIfSubtype
  • lldpRemManAddrIfId
  • lldpRemManAddrOID