Fortinet Document Library

Administration Guide

Configuring LLDP profiles

An LLDP profile contains most of the port-specific configuration. Profiles are designed to provide a central point of configuration for LLDP settings that are likely to be the same for multiple ports.

Two static LLDP profiles, default and default-auto-isl, are created automatically. They can be modified but not deleted. The default-auto-isl profile always has auto-isl enabled and rejects any configurations that attempt to disable it.

LLDP-MED network policies

LLDP-MED network policies cannot be deleted or added. To use a policy, set the med-tlvs field to include network-policy and the desired network policy to enabled. The VLAN values on the policy are cross-checked against the VLAN native and untagged attributes for any interfaces that contain physical-ports using this profile. The cross-check determines if the policy Type Length Value (TLV) should be sent (VLAN must be native or allowed) and if the TLV should mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is automatically updated when either a switch interface changes VLAN configuration or a physical port is added to, or removed from, a trunk.

The FortiSwitch unit supports the following LLDP-MED TLVs:

  • Inventory Management TLVs
  • Location Identification TLVs
  • Network Policy TLV
  • Power Management TLVs

Refer to the Configuration deployment example.

Custom TLVs (organizationally specific TLVs)

Custom TLVs are configured in their own subtable, available in each profile. They allow you to emulate the TLVs defined in various specifications by using their OUI and subtype and ensuring that the data is formatted correctly. You could also define a purely arbitrary custom TLV for some other vendor or for your own company.

The “name” value for each custom TLV is neither used by nor has an effect on LLDP; it simply differentiates between custom TLV entries:

config custom-tlvs
    edit <TLVname_str>
        set information-string <hex-bytes>
        set oui <hex-bytes>
        set subtype <integer>
    next
end

The OUI value for each TLV must be set to three bytes. If just one of those bytes is nonzero it is accepted; any value other than "000" is valid. The subtype is optional and ranges from 0 (default) to 255. The information string can be 0 to 507 bytes, in hexadecimal notation.

The FortiSwitch unit does not check for conflicts either between custom TLV values or with standardized TLVs. That is, other than ensuring that the OUI is nonzero, the FortiSwitch unit does not check the OUI, subtype, or data values entered in the CLI for conflicts with other custom TLVs or with the OUIs and subtypes of TLVs defined by the 802.1, 802.3, LLDP-MED, or other standards. While this behavior could cause LLDP protocol issues, it also allows a large degree of flexibility if you need to substitute for a standard TLV that is not supported yet.
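Because the switch performs none of these conflict checks, they can be run against the intended entries before they are committed. The following Python sketch is an added example, not Fortinet code: it applies the limits stated above and then flags the conflicts the switch ignores. The dictionary form of the entries and the sample values are constructed for illustration, and the OUI is assumed to be written as six hexadecimal digits.

```python
import re

# OUIs that standardized organizationally specific LLDP TLVs already use.
STANDARD_OUIS = {"0080c2": "IEEE 802.1", "00120f": "IEEE 802.3", "0012bb": "LLDP-MED"}

def lint_custom_tlvs(entries):
    """Check custom-tlvs entries; return a list of (name, severity, message)."""
    findings, seen = [], {}
    for e in entries:
        name, oui = e["name"], e.get("oui", "").lower()
        subtype, info = e.get("subtype", 0), e.get("information-string", "")
        # Limits stated on the page: 3-byte nonzero OUI, subtype 0-255,
        # information string of 0 to 507 bytes in hexadecimal.
        if not re.fullmatch(r"[0-9a-f]{6}", oui) or oui == "000000":
            findings.append((name, "error", "OUI must be three bytes and nonzero"))
            continue
        if not 0 <= subtype <= 255:
            findings.append((name, "error", "subtype out of range 0-255"))
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){0,507}", info):
            findings.append((name, "error", "information string is not 0-507 hex bytes"))
        # Checks the switch does not perform.
        if oui in STANDARD_OUIS:
            findings.append((name, "warn", f"OUI {oui} is used by {STANDARD_OUIS[oui]} TLVs"))
        if (oui, subtype) in seen:
            findings.append((name, "warn", f"same OUI/subtype as '{seen[(oui, subtype)]}'"))
        else:
            seen[(oui, subtype)] = name
    return findings

# Constructed sample entries (not from the page).
SAMPLE = [
    {"name": "asset-tag", "oui": "a1b2c3", "subtype": 1, "information-string": "4142"},
    {"name": "asset-tag-2", "oui": "A1B2C3", "subtype": 1, "information-string": "43"},
    {"name": "fake-med", "oui": "0012bb", "subtype": 2, "information-string": "01401ede"},
    {"name": "zero-oui", "oui": "000000"},
    {"name": "odd-hex", "oui": "a1b2c3", "subtype": 7, "information-string": "abc"},
]

if __name__ == "__main__":
    for finding in lint_custom_tlvs(SAMPLE):
        print(*finding, sep=": ")
```

A warning on a standards OUI is not necessarily a mistake, since the page allows emulating a standard TLV on purpose; it marks the entries that deserve a second look.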

802.1 TLVs

The only 802.1 TLV that can be enabled or disabled is Port VLAN ID. This TLV sends the native VLAN of the port. This value is updated when the native VLAN of the interface representing the physical port changes or if the physical port is added to, or removed from, a trunk.

By default, no 802.1 TLVs are enabled.

802.3 TLVs

There are three 802.3 TLVs that can be enabled or disabled:

  • Efficient Energy Ethernet Config—This TLV sends whether energy-efficient Ethernet is enabled on the port. If this variable is changed, the sent value will reflect the updated value.
  • Maximum Frame Size—This TLV sends the max-frame-size value of the port. If this variable is changed, the sent value will reflect the updated value.
  • PoE+ Classification—This TLV sends whether there is software PoE negotiation on the port.

By default, no 802.3 TLVs are enabled.

In the following example, you need to specify that the TLV sends the PoE classification of the port to power up an IP phone with expansion modules.

config switch lldp profile
    edit "phone-with-expansion-modules"
        set 802.3-tlvs power-negotiation <--------- must have
        ...

Auto-ISL

The auto-ISL configuration that was formerly in the switch physical-port command has been moved to the switch lldp-profile command. All behavior and default values are unchanged.

Assigning a VLAN to a port in the LLDP profile

You can configure the network policy of an LLDP profile to assign the specified VLAN to ports that use the LLDP profile. The VLAN is added as though it were configured in the set allowed-vlans setting in the config switch interface configuration.

This feature has the following requirements:

  • The port cannot belong to a trunk or virtual wire.
  • The port must have lldp-status set to rx-only, tx-only, or tx-rx.
  • The port must have private-vlan set to disabled.
  • LLDP must be enabled under the config switch lldp settings command.
  • The set med-tlvs network-policy option must be set under the config switch lldp profile configuration.
  • The assign-vlan option must be enabled in the med-network-policy configuration under the config switch lldp profile configuration.
  • The VLAN assigned in the LLDP profile must be a valid VLAN.

Note:

  • If the VLAN added to the interface by the LLDP profile is also listed under the set untagged-vlans configuration in the config switch interface command, the VLAN is added as untagged.
  • If the VLAN added to the interface by the LLDP profile is also the native VLAN of the port, no changes occur.
  • The LLDP service determines the contents of the network-policy TLV being sent based on the current state of the switch interface. If the LLDP VLAN assignment does not happen or the assigned VLAN is changed by another configuration (such as the set untagged-vlans configuration in config switch interface), the LLDP network policy TLVs being sent will reflect the actual state of the interface, not the configured value.

To specify a VLAN in the network policy of an LLDP profile:

config med-network-policy
    edit <policy_type_name>
        set status enable
        set assign-vlan enable
        set dscp <0-63>
        set priority <0-7>
        set vlan <0-4094>
    next
end

For example:

config med-network-policy
    edit default
        set status enable
        set assign-vlan enable
        set vlan 15
        set dscp 30
        set priority 3
    next
end
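The cross-check and the assign-vlan behavior described above determine what a connected device is actually told, which is worth confirming when auditing voice VLAN assignment. The following Python model is an added example, not Fortinet code: it goes one step beyond the page by encoding the resulting TLV in the LLDP-MED (ANSI/TIA-1057) network policy layout. The Interface class, the function names, and the application type of 1 (voice) are assumptions for illustration, and only the trunk requirement from the list above is modeled.

```python
from dataclasses import dataclass, field

@dataclass
class Interface:
    """Hypothetical model of the 'config switch interface' VLAN attributes."""
    native_vlan: int
    allowed_vlans: set = field(default_factory=set)
    untagged_vlans: set = field(default_factory=set)
    in_trunk: bool = False

def network_policy_tlv(iface, vlan, priority, dscp, assign_vlan=False, app_type=1):
    """Return the network-policy TLV bytes, or None if the cross-check fails."""
    allowed = set(iface.allowed_vlans)
    # assign-vlan behaves like an extra allowed-vlans entry; trunk members are excluded.
    if assign_vlan and not iface.in_trunk:
        allowed.add(vlan)
    # Sent only if the VLAN is native or allowed on the interface.
    if vlan != iface.native_vlan and vlan not in allowed:
        return None
    # Untagged if the VLAN is native or listed in untagged-vlans, else tagged.
    tagged = not (vlan == iface.native_vlan or vlan in iface.untagged_vlans)
    # 24-bit policy field: U(1) T(1) X(1) VLAN(12) L2 priority(3) DSCP(6).
    policy = (int(tagged) << 22) | (vlan << 9) | (priority << 6) | dscp
    body = bytes.fromhex("0012bb") + bytes([2, app_type]) + policy.to_bytes(3, "big")
    header = (127 << 9) | len(body)  # TLV type 127, 9-bit length
    return header.to_bytes(2, "big") + body

def decode_policy(tlv):
    """Decode the policy field, as a capture-side check of what was advertised."""
    policy = int.from_bytes(tlv[-3:], "big")
    return {"tagged": bool(policy >> 22 & 1), "vlan": policy >> 9 & 0xFFF,
            "priority": policy >> 6 & 0x7, "dscp": policy & 0x3F}

if __name__ == "__main__":
    port = Interface(native_vlan=1)  # constructed: no VLAN 15 configured
    print(network_policy_tlv(port, 15, 3, 30))  # suppressed without assign-vlan
    tlv = network_policy_tlv(port, 15, 3, 30, assign_vlan=True)
    print(tlv.hex(), decode_policy(tlv))
```

Comparing the decoded values from a packet capture with the configured vlan, dscp, and priority shows whether the interface state has diverged from the profile, as the note above warns it can.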
