Fortinet Document Library

Voice device detection

FortiSwitchOS can parse LLDP messages from voice devices such as FortiFone and pass this information to a FortiGate device for device detection. You can use a dynamic port policy to assign a device to an LLDP profile, QoS policy, and VLAN policy. When a detected device matches the dynamic port policy, the corresponding policy actions are applied on the switch port.

In the following example, a FortiFone is connected to port2 of the FortiSwitch unit. A dynamic port policy is created to apply a VLAN policy, LLDP profile, and QoS policy to the device family FortiFone.

The following is a summary of the procedure:

  1. Use the FortiGate CLI to configure the VLAN policy, LLDP profile, and Quality of Service (QoS) policy. You can use the predefined voice-qos policy for QoS and the predefined fortivoice.fortilink profile for LLDP.
  2. Use the FortiGate GUI to configure a dynamic port policy to match the FortiFone device family with the actions from the assigned LLDP profile, QoS policy, and VLAN policy.
  3. Use the FortiGate GUI to assign the dynamic port policy to the FortiSwitch port.

To create a dynamic port policy in the GUI and then assign it to a FortiSwitch port:
  1. Go to WiFi & Switch Controller > FortiSwitch Port Policies and click Dynamic Port Policies.
    1. Click Create New to create a dynamic port policy.
    2. In the Name field, enter FortiFone.
    3. Click Create new to create a dynamic port policy rule.
    4. In the Name field, enter FortiFone.
    5. Disable MAC address.
    6. Enable Device family and enter FortiFone.
    7. Enable LLDP profile and select a voice profile.
    8. Enable QoS policy and select a voice policy.
    9. Enable VLAN policy and select a voice policy.
    10. Click OK to save the dynamic port policy rule.
    11. Click OK to save the dynamic port policy.
  2. Go to WiFi & Switch Controller > FortiSwitch Ports.
  3. Right-click port2 and select Mode > Assign Port Policy.
  4. Click the pencil icon in the Port Policy column, select the FortiFone dynamic port policy, and then click Apply.
  5. Plug the FortiFone into port2 of the FortiSwitch unit.
  6. Go to Dashboard > Users & Devices and verify that the FortiFone is displayed in the FortiSwitch NAC VLANs pane.

To configure voice device detection in the CLI:
  1. Use the FortiGate CLI to configure the VLAN policy, LLDP profile, and QoS policy.

    config switch-controller lldp-profile
        edit "fortivoice.fortilink"
            set med-tlvs inventory-management network-policy location-identification
            set auto-isl disable
            config med-network-policy
                edit "voice"
                    set status enable
                    set vlan-intf "voice"
                    set assign-vlan enable
                    set dscp 46
                next
                edit "voice-signaling"
                    set status enable
                    set vlan-intf "voice"
                    set assign-vlan enable
                    set dscp 46
                next
                edit "guest-voice"
                next
                edit "guest-voice-signaling"
                next
                edit "softphone-voice"
                next
                edit "video-conferencing"
                next
                edit "streaming-video"
                next
                edit "video-signaling"
                next
            end
            config med-location-service
                edit "coordinates"
                next
                edit "address-civic"
                next
                edit "elin-number"
                next
            end
        next
    end

    config switch-controller qos qos-policy
        edit "voice-qos"
            set trust-dot1p-map "voice-dot1p"
            set trust-ip-dscp-map "voice-dscp"
            set queue-policy "voice-egress"
        next
    end

    config switch-controller vlan-policy
        edit "fon"
            set fortilink "fortilink"
            set vlan "default_10"
            set allowed-vlans "quarantine" "voice"
            set untagged-vlans "quarantine"
        next
    end

  2. Configure a dynamic port policy to match the FortiFone device family with the actions from the assigned LLDP profile, QoS policy, and VLAN policy.

    config switch-controller dynamic-port-policy
        edit "FortiFone"
            set fortilink "fortilink"
            config policy
                edit "FortiFone"
                    set family "FortiFone"
                    set lldp-profile "fortivoice.fortilink"
                    set qos-policy "voice-qos"
                    set vlan-policy "fon"
                next
            end
        next
    end

  3. Assign the dynamic port policy to port2 of the FortiSwitch unit.

    config switch-controller managed-switch
        edit S108DVIJAK1VGG54
            config ports
                edit "port2"
                    set vlan "default_10"
                    set allowed-vlans "quarantine"
                    set untagged-vlans "quarantine"
                    set access-mode dynamic
                    set port-policy "FortiFone"
                    set export-to "root"
                    set mac-addr 02:09:0f:00:2c:01
                next
            end
        next
    end

  4. The FortiSwitch unit receives an LLDP message from FortiFone after it is plugged into port2.
  5. Run the diagnose switch-controller mac-device dynamic command on the FortiGate device to check the device information. The FortiFone is identified.

    FGT_Switch_Controller (root) # diagnose switch-controller mac-device dynamic 
    Vdom: root
    MAC                LAST-KNOWN-SWITCH  LAST-KNOWN-PORT    DYNAMIC-PORT-POLICY      POLICY             LAST-SEEN    COMMENTS
    00:15:65:83:cb:16  S108DVIJAK1VGG54   port2              FortiFone                FortiFone          148          auto detected @ 2021-04-29 19:12:42
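
The following script is an added example, not part of Fortinet's documentation: it parses the diagnose switch-controller mac-device dynamic output shown above and lists devices that the FortiFone policy matched on a switch port where no phone is expected. The second sample row and the EXPECTED inventory are constructed for the example.

```python
import re

# Row layout from the diagnose output above: six whitespace-separated
# columns, then a free-text COMMENTS column that may contain spaces.
ROW = re.compile(
    r"^\s*(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<switch>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<dpp>\S+)\s+(?P<policy>\S+)\s+(?P<last_seen>\d+)"
    r"\s*(?P<comments>.*)$",
    re.IGNORECASE,
)

def parse_mac_device_dynamic(text):
    """Return one dict per device row; prompt, Vdom and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            row["last_seen"] = int(row["last_seen"])
            row["comments"] = row["comments"].strip()
            rows.append(row)
    return rows

def unexpected_voice_ports(rows, policy, expected_ports):
    """Rows matched by `policy` on a (switch, port) pair not in expected_ports."""
    return [r for r in rows
            if r["policy"] == policy
            and (r["switch"], r["port"]) not in expected_ports]

# First device row is the one on this page; the second row is constructed.
SAMPLE = """\
Vdom: root
MAC                LAST-KNOWN-SWITCH  LAST-KNOWN-PORT    DYNAMIC-PORT-POLICY      POLICY             LAST-SEEN    COMMENTS
00:15:65:83:cb:16  S108DVIJAK1VGG54   port2              FortiFone                FortiFone          148          auto detected @ 2021-04-29 19:12:42
02:00:00:00:00:99  S108DVIJAK1VGG54   port7              FortiFone                FortiFone          12           auto detected @ 2021-04-29 19:20:00
"""

# Hypothetical inventory: ports where a phone is physically expected.
EXPECTED = {("S108DVIJAK1VGG54", "port2")}

if __name__ == "__main__":
    rows = parse_mac_device_dynamic(SAMPLE)
    for r in unexpected_voice_ports(rows, "FortiFone", EXPECTED):
        print(f"review: {r['mac']} on {r['switch']}/{r['port']} ({r['comments']})")
```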

     
