Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 7.2.3 Administration Guide
    7.2.3
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    Configuring LLDP profiles

    Configuring LLDP profiles

    LLDP profile contains most of the port-specific configuration. Profiles are designed to provide a central point of configuration for LLDP settings that are likely to be the same for multiple ports.

    Two static LLDP profiles, default and default-auto-isl, are created automatically. They can be modified but not deleted. The default-auto-isl profile always has auto-isl enabled and rejects any configurations that attempt to disable it.

    LLDP-MED network policies

    LLDP-MED network policies cannot be deleted or added. To use a policy, set the med-tlvs field to include network-policy and the desired network policy to enabled. The VLAN values on the policy are cross-checked against the VLAN native and untagged attributes for any interfaces that contain physical-ports using this profile. The cross-check determines if the policy Type Length Value (TLV) should be sent (VLAN must be native or allowed) and if the TLV should mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is automatically updated when either a switch interface changes VLAN configuration or a physical port is added to, or removed from, a trunk.

    The FortiSwitch unit supports the following LLDP-MED TLVs:

    • Inventory Management TLVs
    • Location Identification TLVs
    • Network Policy TLV
    • Power Management TLVs

    Refer to the Configuration deployment example.

    Custom TLVs (organizationally specific TLVs)

    Custom TLVs are configured in their own subtable, available in each profile. They allow you to emulate the TLVs defined in various specifications by using their OUI and subtype and ensuring that the data is formatted correctly. You could also define a purely arbitrary custom TLV for some other vendor or for their company.

    The “name” value for each custom TLV is neither used by nor has an effect on LLDP; it simply differentiates between custom TLV entries:

    config custom-tlvs

    edit <TLVname_str>

    set information-string <hex-bytes>

    set oui <hex-bytes>

    set subtype <integer>

    next

    The OUI value for each TLV must be set to three bytes. If just one of those bytes is nonzero it is accepted; any value other than "000" is valid. The subtype is optional and ranges from 0 (default) to 255. The information string can be 0 to 507 bytes, in hexadecimal notation.

    The FortiSwitch unit does not check for conflicts either between custom TLV values or with standardized TLVs. That is, other than ensuring that the OUI is nonzero, the FortiSwitch unit does not check the OUI, subtype (or data) values entered in the CLI for conflicts with other Custom TLVs or with the OUI and subtypes of TLVs defined by the 802.1, 802.3, LLDP-MED, or other standards. While this behavior could cause LLDP protocol issues, it also allows a large degree of flexibility were you to substitute a standard TLV that is not supported yet.

    802.1 TLVs

    Two 802.1 TLVs are supported in the LLDP profile:

    • Port VLAN ID

    • VLAN Name

    By default, no 802.1 TLVs are enabled.

    The Port VLAN ID TLV sends the native VLAN of the port. This value is updated when the native VLAN of the interface representing the physical port changes or if the physical port is added to, or removed from, a trunk.

    The VLAN Name TLV sends the VLAN descriptions that are configured in the set description command under config switch vlan.

    The following are the requirements for using the VLAN Name TLV:

    • The VLAN description is set in the set description command under config switch vlan.

    • The set 802.1-tlvs command is set to vlan-name.

    • The VLAN identifiers listed in the set vlan-name-map command are separated with commas and no spaces.

    • The vlan-name-map configuration must be less than 4,096 characters.

    • The port that uses the LLDP profile with the VLAN Name TLV is the same port advertising the VLAN names.

    • The VLAN identifier is allowed on the port in the config switch interface command.

    • A maximum of 10 VLAN names is supported.

    To enable the VLAN Name TLV:

    config switch lldp profile

    edit <LLDP_profile_name>

    set 802.1-tlvs vlan-name

    set vlan-name-map <single_VLANs_or_VLAN_ranges>

    next

    end

    For example:

    config switch lldp profile

    edit newprofile

    set 802.1-tlvs vlan-name

    set vlan-name-map 1,5,10-15

    next

    end

    802.3 TLVs

    There are three 802.3 TLVs that can be enabled or disabled:

    • Efficient Energy Ethernet Config—This TLV sends whether energy-efficient Ethernet is enabled on the port. If this variable is changed, the sent value will reflect the updated value.
    • Maximum Frame Size—This TLV sends the max-frame-size value of the port. If this variable is changed, the sent value will reflect the updated value.
    • PoE+ Classification—This TLV sends whether there is software PoE negotiation on the port.

    By default, no 802.3 TLVs are enabled.

    In the following example, you need to specify that the TLV sends the PoE classification of the port to power up an IP phone with expansion modules.

    config switch lldp profile

    edit "phone-with-expansion-modules"

    set 802.3-tlvs power-negotiation <--------- must have

    ...

    Auto-ISL

    The auto-ISL configuration that was formerly in the switch physical-port command has been moved to the switch lldp-profile command. All behavior and default values are unchanged.

    Assigning a VLAN to a port in the LLDP profile

    You can configure the network policy of an LLDP profile to assign the specified VLAN to ports that use the LLDP profile. The VLAN is added as though it were configured in the set allowed-vlans setting in the config switch interface configuration.

    This feature has the following requirements:

    • The port cannot belong to a trunk or virtual wire.
    • The port must have lldp-status set to rx-only, tx-only, or tx-rx.
    • The port must have private-vlan set to disabled.
    • LLDP must be enabled under the config switch lldp settings command.
    • The set med-tlvs network-policy option must be set under the config switch lldp profile configuration.
    • The assign-vlan option must be enabled in the med-network-policy configuration under the config switch lldp profile configuration.
    • The VLAN assigned in the LLDP profile must be a valid VLAN.

    Note:

    • If the VLAN added to the interface by the LLDP profile is also listed under the set untagged-vlans configuration in the config switch interface command, the VLAN is added as untagged.
    • If the VLAN added to the interface by the LLDP profile is also the native VLAN of the port, no changes occur.
    • The LLDP service determines the contents of the network-policy TLV being sent based on the current state of the switch interface. If the LLDP VLAN assignment does not happen or the assigned VLAN is changed by another configuration (such as the set untagged-vlans configuration in config switch interface), the LLDP network policy TLVs being sent will reflect the actual state of the interface, not the configured value.
    To specify a VLAN in the network policy of an LLDP profile:

    config med-network-policy

    edit <policy_type_name>

    set status enable

    set assign-vlan enable

    set dscp <0-63>

    set priority <0-7>

    set vlan <0-4094>

    next

    For example:

    config med-network-policy

    edit default

    set status enable

    set assign-vlan enable

    set vlan 15

    set dscp 30

    set priority 3

    next

    Previous
    Next

    Configuring LLDP profiles

    Configuring LLDP profiles

    LLDP profile contains most of the port-specific configuration. Profiles are designed to provide a central point of configuration for LLDP settings that are likely to be the same for multiple ports.

    Two static LLDP profiles, default and default-auto-isl, are created automatically. They can be modified but not deleted. The default-auto-isl profile always has auto-isl enabled and rejects any configurations that attempt to disable it.

    LLDP-MED network policies

    LLDP-MED network policies cannot be deleted or added. To use a policy, set the med-tlvs field to include network-policy and the desired network policy to enabled. The VLAN values on the policy are cross-checked against the VLAN native and untagged attributes for any interfaces that contain physical-ports using this profile. The cross-check determines if the policy Type Length Value (TLV) should be sent (VLAN must be native or allowed) and if the TLV should mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is automatically updated when either a switch interface changes VLAN configuration or a physical port is added to, or removed from, a trunk.

    The FortiSwitch unit supports the following LLDP-MED TLVs:

    • Inventory Management TLVs
    • Location Identification TLVs
    • Network Policy TLV
    • Power Management TLVs

    Refer to the Configuration deployment example.

    Custom TLVs (organizationally specific TLVs)

    Custom TLVs are configured in their own subtable, available in each profile. They allow you to emulate the TLVs defined in various specifications by using their OUI and subtype and ensuring that the data is formatted correctly. You could also define a purely arbitrary custom TLV for some other vendor or for their company.

    The “name” value for each custom TLV is neither used by nor has an effect on LLDP; it simply differentiates between custom TLV entries:

    config custom-tlvs

    edit <TLVname_str>

    set information-string <hex-bytes>

    set oui <hex-bytes>

    set subtype <integer>

    next

    The OUI value for each TLV must be set to three bytes. If just one of those bytes is nonzero it is accepted; any value other than "000" is valid. The subtype is optional and ranges from 0 (default) to 255. The information string can be 0 to 507 bytes, in hexadecimal notation.

    The FortiSwitch unit does not check for conflicts either between custom TLV values or with standardized TLVs. That is, other than ensuring that the OUI is nonzero, the FortiSwitch unit does not check the OUI, subtype (or data) values entered in the CLI for conflicts with other Custom TLVs or with the OUI and subtypes of TLVs defined by the 802.1, 802.3, LLDP-MED, or other standards. While this behavior could cause LLDP protocol issues, it also allows a large degree of flexibility were you to substitute a standard TLV that is not supported yet.

    802.1 TLVs

    Two 802.1 TLVs are supported in the LLDP profile:

    • Port VLAN ID

    • VLAN Name

    By default, no 802.1 TLVs are enabled.

    The Port VLAN ID TLV sends the native VLAN of the port. This value is updated when the native VLAN of the interface representing the physical port changes or if the physical port is added to, or removed from, a trunk.

    The VLAN Name TLV sends the VLAN descriptions that are configured in the set description command under config switch vlan.

    The following are the requirements for using the VLAN Name TLV:

    • The VLAN description is set in the set description command under config switch vlan.

    • The set 802.1-tlvs command is set to vlan-name.

    • The VLAN identifiers listed in the set vlan-name-map command are separated with commas and no spaces.

    • The vlan-name-map configuration must be less than 4,096 characters.

    • The port that uses the LLDP profile with the VLAN Name TLV is the same port advertising the VLAN names.

    • The VLAN identifier is allowed on the port in the config switch interface command.

    • A maximum of 10 VLAN names is supported.

    To enable the VLAN Name TLV:

    config switch lldp profile

    edit <LLDP_profile_name>

    set 802.1-tlvs vlan-name

    set vlan-name-map <single_VLANs_or_VLAN_ranges>

    next

    end

    For example:

    config switch lldp profile

    edit newprofile

    set 802.1-tlvs vlan-name

    set vlan-name-map 1,5,10-15

    next

    end

    802.3 TLVs

    There are three 802.3 TLVs that can be enabled or disabled:

    • Efficient Energy Ethernet Config—This TLV sends whether energy-efficient Ethernet is enabled on the port. If this variable is changed, the sent value will reflect the updated value.
    • Maximum Frame Size—This TLV sends the max-frame-size value of the port. If this variable is changed, the sent value will reflect the updated value.
    • PoE+ Classification—This TLV sends whether there is software PoE negotiation on the port.

    By default, no 802.3 TLVs are enabled.

    In the following example, you need to specify that the TLV sends the PoE classification of the port to power up an IP phone with expansion modules.

    config switch lldp profile

    edit "phone-with-expansion-modules"

    set 802.3-tlvs power-negotiation <--------- must have

    ...

    Auto-ISL

    The auto-ISL configuration that was formerly in the switch physical-port command has been moved to the switch lldp-profile command. All behavior and default values are unchanged.

    Assigning a VLAN to a port in the LLDP profile

    You can configure the network policy of an LLDP profile to assign the specified VLAN to ports that use the LLDP profile. The VLAN is added as though it were configured in the set allowed-vlans setting in the config switch interface configuration.

    This feature has the following requirements:

    • The port cannot belong to a trunk or virtual wire.
    • The port must have lldp-status set to rx-only, tx-only, or tx-rx.
    • The port must have private-vlan set to disabled.
    • LLDP must be enabled under the config switch lldp settings command.
    • The set med-tlvs network-policy option must be set under the config switch lldp profile configuration.
    • The assign-vlan option must be enabled in the med-network-policy configuration under the config switch lldp profile configuration.
    • The VLAN assigned in the LLDP profile must be a valid VLAN.

    Note:

    • If the VLAN added to the interface by the LLDP profile is also listed under the set untagged-vlans configuration in the config switch interface command, the VLAN is added as untagged.
    • If the VLAN added to the interface by the LLDP profile is also the native VLAN of the port, no changes occur.
    • The LLDP service determines the contents of the network-policy TLV being sent based on the current state of the switch interface. If the LLDP VLAN assignment does not happen or the assigned VLAN is changed by another configuration (such as the set untagged-vlans configuration in config switch interface), the LLDP network policy TLVs being sent will reflect the actual state of the interface, not the configured value.
    To specify a VLAN in the network policy of an LLDP profile:

    config med-network-policy

    edit <policy_type_name>

    set status enable

    set assign-vlan enable

    set dscp <0-63>

    set priority <0-7>

    set vlan <0-4094>

    next

    For example:

    config med-network-policy

    edit default

    set status enable

    set assign-vlan enable

    set vlan 15

    set dscp 30

    set priority 3

    next

    Previous
    Next