The Network submenu provides options to configure network connectivity and administrative access to the web-based manager or CLI of the FortiVoice unit through each network interface.
This topic includes:
- About IPv6 Support
- About the management IP
- About FortiVoice logical interfaces
- Configuring the network interfaces
- Configuring static routes
- Configuring DNS
- Configuring DHCP server
- Capturing voice and fax packets
IP version 6 (IPv6) addresses issues that did not exist decades ago when IPv4 was created, such as running out of IP addresses and the fair distribution of IP addresses. It also adds built-in quality of service (QoS) features, better multimedia support, and improved handling of fragmentation. A bigger address space, bigger default packet size, and more optional header extensions provide these features, with the flexibility to customize them to any needs.
IPv6 has 128-bit addresses compared to IPv4’s 32-bit addresses, effectively eliminating address exhaustion. This new very large address space will likely reduce the need for network address translation (NAT) since IPv6 provides more than a billion IP addresses for each person on Earth. All hardware and software network components must support this new address size, an upgrade that may take a while to complete and will force IPv6 and IPv4 to work side-by-side during the transition period.
The FortiVoice unit supports the following IPv6 features:
- Network interface
- Network routing
- Phone extension
The FortiVoice unit has an IP address for administrators to configure it through a network connection rather than a local console. The management IP address enables administrators to connect to the FortiVoice unit through port1 or other network ports, even when they are currently bridging.
By default, the management IP address is indirectly bound to port1 through the bridge. If other network interfaces are also included in the bridge with port1, you can configure the FortiVoice unit to respond to connections to the management IP address that arrive on those other network interfaces.
You can access the web-based manager and the FortiVoice user account using the management IP address. For details, see Connecting to the web-based manager.
In addition to the FortiVoice physical interfaces, you can create the following types of logical interfaces on the FortiVoice unit:
A Virtual LAN (VLAN) subinterface, also called a VLAN, is a virtual interface on a physical interface. The subinterface allows routing of VLAN tagged packets using that physical interface, but it is separate from any other traffic on the physical interface.
Virtual LANs (VLANs) use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.
One example of an application of VLANs is a company’s accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet.
For information about adding VLAN subinterfaces, see Configuring the network interfaces.
On the FortiVoice unit, you can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.
In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed high availability (HA) configuration.
A physical interface is available to be in a redundant interface if:
- it is a physical interface, not a VLAN interface
- it is not already part of a redundant interface
- it has no defined IP address and is not configured for DHCP
- it does not have any VLAN subinterfaces
- it is not monitored by HA
When a physical interface is included in a redundant interface, it is not listed on the System > Network > Network page. You cannot configure the interface anymore.
For information about adding redundant interfaces, see Configuring the network interfaces.
A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.
The FortiVoice unit’s loopback IP address does not depend on one specific external port, so it can be accessed through several physical or VLAN interfaces. In the current release, you can only add one loopback interface on the FortiVoice unit.
For information about adding a loopback interface, see Configuring the network interfaces.
The System > Network > Network tab displays the FortiVoice unit’s network interfaces.
You must configure at least one network interface for the FortiVoice unit to connect to your network. Depending on your network topology and other considerations, you can connect the FortiVoice unit to your network using two or more of the network interfaces. You can configure each network interface separately. You can also configure advanced interface options, including VLAN subinterfaces, redundant interfaces, and loopback interfaces. For more information, see About FortiVoice logical interfaces, and Editing network interfaces.
To view the list of network interfaces, go to System > Network > Network.
Displays the name of the network interface, such as port1.
Displays the interface type: physical, VLAN, redundant, or loopback. For details, see About FortiVoice logical interfaces.
Displays the IP address and netmask of the network interface.
Displays the IPv6 address and netmask of the network interface. For more information about IPv6 support, see About IPv6 Support.
Displays the administrative access and phone user access that are enabled on the network interface, such as HTTPS for the web-based manager.
Indicates the up (available) or down (unavailable) administrative status for the network interface.
To change the administrative status (that is, bring up or down a network interface), see Editing network interfaces.
You can edit the FortiVoice unit’s physical network interfaces to change their IP addresses, netmasks, administrative access protocols, and other settings. You can also create or edit logical interfaces, such as VLANs, redundant interfaces, and the loopback interface.
Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiVoice unit.
You can restrict which IP addresses are permitted to log in as a FortiVoice administrator through network interfaces. For details, see Configuring administrator accounts.
To create or edit a network interface
- Go to System > Network > Network.
- Double-click a network interface to modify it or select the interface and click Edit. If you want to create a logical interface, click New.
The Edit Interface dialog appears.
- Configure the following:
If you are editing an existing interface, this field displays the name (such as port2) and media access control (MAC) address for this network interface.
If you are creating a logical interface, enter a name for the interface.
If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see About FortiVoice logical interfaces.
- VLAN: If you want to create a VLAN subinterface, select the interface for which you want to create the subinterface. Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.
- Redundant: If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members.
- Loopback: If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on the FortiVoice unit.
- Manual: Select to enter the IP address or IPv6 address and netmask for the network interface in IP/Netmask or IPv6/Netmask.
- DHCP: Select and click Update request to retrieve a dynamic IP address using DHCP.
Enable protocols that this network interface should accept for connections to the FortiVoice unit itself. (These options do not affect connections that will travel through the FortiVoice unit.)
- HTTPS: Enable to allow secure HTTPS connections to the web‑based manager and extension user account through this network interface.
- HTTP: Enable to allow HTTP connections to the web‑based manager and extension user account through this network interface.
- PING: Enable to allow ICMP ECHO (ping) responses from this network interface.
- SSH: Enable to allow SSH connections to the CLI through this network interface.
- SNMP: Enable to allow SNMP connections (queries) to this network interface.
For information on further restricting access, or on configuring the network interface that will be the source of traps, see Configuring the network interfaces.
- TELNET: Enable to allow Telnet connections to the CLI through this network interface.
- TFTP: Enable to allow TFTP connections to this network interface.
- NTP: Enable to allow SIP phones to connect to this server to synchronize time.
- LDAP: Enable to allow SIP phones to connect to this server to retrieve phone directories.
- SIPPnP: Enable SIPPnP multicast function for the connected phones to find the provisioning server contained in its message for the phones.
- MDNS: Enable MDNS multicast function for the connected phones to find the TFTP provisioning server contained in its message for the phones. This is mainly for backward support of legacy FortiFones.
HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiVoice unit. For information on further restricting access of administrative connections, see Configuring administrator accounts.
MTU: Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.
If network devices between the FortiVoice unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.
The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.
Administrative status: Select either:
- Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.
- Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
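The access guidance above (administrative access only on trusted networks, HTTPS or SSH in preference to HTTP or Telnet) can be checked against an interface inventory. The following is an added example, not Fortinet code: the inventory, the dictionary layout, and the `TRUSTED_MGMT_NETS` list are constructed assumptions, transcribed by hand from the interface list rather than read from the unit.

```python
import ipaddress

# Protocols the page ties to the web-based manager or the CLI.
ADMIN_PROTOCOLS = {"HTTPS", "HTTP", "SSH", "TELNET"}
# Protocols the page describes as not secure.
CLEARTEXT_ADMIN = {"HTTP", "TELNET"}

# Constructed sample inventory (name, IP/netmask, enabled access options).
INTERFACES = [
    {"name": "port1", "ip": "192.168.1.99/255.255.255.0",
     "access": ["HTTPS", "SSH", "PING"]},
    {"name": "port2", "ip": "203.0.113.10/255.255.255.0",
     "access": ["HTTPS", "HTTP", "PING"]},
    {"name": "port3", "ip": "10.10.0.1/255.255.0.0",
     "access": ["TELNET", "TFTP", "NTP"]},
]

# Assumption: networks the operator treats as trusted for management.
TRUSTED_MGMT_NETS = ["192.168.1.0/24", "10.10.0.0/16"]


def audit(interfaces, trusted_nets):
    """Return (interface, protocols, reason) findings for risky access settings."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for itf in interfaces:
        enabled = {p.upper() for p in itf["access"]}
        net = ipaddress.ip_interface(itf["ip"]).network
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        on_trusted = any(
            net.version == t.version and net.subnet_of(t) for t in trusted
        )
        for proto in sorted(enabled & CLEARTEXT_ADMIN):
            findings.append(
                (itf["name"], proto, "cleartext admin protocol; prefer HTTPS or SSH")
            )
        admin = sorted(enabled & ADMIN_PROTOCOLS)
        if admin and not on_trusted:
            findings.append(
                (itf["name"], ",".join(admin), "admin access on untrusted network")
            )
    return findings


if __name__ == "__main__":
    for name, protos, reason in audit(INTERFACES, TRUSTED_MGMT_NETS):
        print(f"{name}: {protos}: {reason}")
```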
The System > Network > Routing tab displays a list of routes and lets you configure static routes and gateways used by the FortiVoice unit.
Static routes direct traffic exiting the FortiVoice unit. You can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets’ ultimate destinations.
A default route is a special type of static route. A default route matches all packets, and defines a gateway router that can receive and route packets if no other, more specific static route is defined for the packet’s destination IP address.
You should configure at least one static route, a default route, that points to your gateway. However, you may configure multiple static routes if you have multiple gateway routers, each of which should receive packets destined for a different subset of IP addresses.
To determine which route a packet will be subject to, the FortiVoice unit compares the packet’s destination IP address to those of the static routes and forwards the packet to the route with the largest prefix match, that is, the most specific matching route.
When you add a static route through the web-based manager, the FortiVoice unit evaluates the route to determine if it represents a different route compared to any other route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiVoice unit adds the static route.
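The route selection and duplicate check described above can be modelled as follows. This is an added example, not FortiVoice code: the route list, addresses, and function names are constructed for illustration, and it goes slightly beyond the text by also handling IPv6 destinations.

```python
import ipaddress

# Constructed static-route list: (destination IP/netmask, gateway, interface).
ROUTES = [
    ("0.0.0.0/0.0.0.0", "192.0.2.1", "port1"),            # default route
    ("10.20.0.0/255.255.0.0", "10.0.0.254", "port2"),
    ("10.20.30.0/255.255.255.0", "10.0.0.253", "port2"),
    ("2001:db8:50::/48", "2001:db8::1", "port1"),         # no IPv6 default here
]


def _net(dest):
    # Accepts netmask or prefix-length notation; rejects entries with host bits set.
    return ipaddress.ip_network(dest, strict=True)


def select_route(routes, dst_ip):
    """Return the matching route with the largest prefix, or None if none matches."""
    dst = ipaddress.ip_address(dst_ip)
    # An IPv4 address is never "in" an IPv6 network (and vice versa).
    matches = [r for r in routes if dst in _net(r[0])]
    return max(matches, key=lambda r: _net(r[0]).prefixlen, default=None)


def add_route(routes, dest, gateway, interface):
    """Add the route only if no existing route has the same destination."""
    new = _net(dest)
    if any(_net(r[0]) == new for r in routes):
        return False
    routes.append((dest, gateway, interface))
    return True


if __name__ == "__main__":
    for ip in ("10.20.30.5", "10.20.99.1", "198.51.100.7", "2001:db8:99::1"):
        print(ip, "->", select_route(ROUTES, ip))
```

A destination with no matching route, such as the last IPv6 address in the demo, returns `None`, which is the case a default route exists to cover.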
To view or configure static routes
- Go to System > Network > Routing.
Displays the route status.
Displays the destination IP address and subnet of packets subject to the static route.
A setting of 0.0.0.0/0.0.0.0 indicates that the route matches all destination IP addresses.
Displays the IP address of the next-hop router to which packets subject to the static route will be forwarded.
The interface that this route applies to.
Displays any notes on the static route.
- Either click New to add a route or double-click a route to modify it.
A dialog appears.
- Select Enable to activate the route.
- In Destination IP/netmask, enter the destination IP address and netmask of packets that will be subject to this static route.
To create a default route that will match all packets, enter
- Select the interface that this route applies to.
- In Gateway, type the IP address of the next-hop router to which the FortiVoice unit will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
- Enter any comments you have for the route.
- Click Create or OK.
FortiVoice units require DNS servers for features such as reverse DNS lookups. Your ISP may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.
For improved FortiVoice unit performance, use DNS servers on your local network.
The DNS tab lets you configure the DNS servers that the FortiVoice unit queries to resolve domain names into IP addresses.
To configure the primary and secondary DNS servers
- Go to System > Network > DNS.
- In Primary DNS server, enter the IP address of the primary DNS server.
- In Secondary DNS server, enter the IP address of the secondary DNS server.
- Click Apply.
A DHCP server provides an address to a client on the network, when requested, from a defined address range.
You can configure one or more DHCP servers on any FortiVoice interface. A DHCP server dynamically assigns IP addresses to the clients on the network connected to the interface. These clients must be configured to obtain their IP addresses using DHCP.
To configure the DHCP server
- Go to System > Network > DHCP.
- Click New and configure the following:
Network Interface Setting
The system will generate an ID for this configuration. This is view only.
Select to enable the DHCP server.
If this FortiVoice is in HA mode, make sure that the secondary unit has the same interface as the primary unit. For information on HA, see Using high availability.
Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
Select to use either a specific DNS server or the system’s DNS settings.
If you select a specific DNS server, enter the Primary DNS server and the Secondary DNS server fields.
For more information, see Configuring DNS.
Enter the domain that the DHCP server assigns to its clients.
Enter the netmask of the addresses that the DHCP server assigns.
Lease time (Seconds)
Enter the length of time an IP address remains assigned to a client. Once the lease expires, the address is released for allocation to the next client request for an IP address. The default time is 604800 seconds.
Vendor Class Identifier option
Select this option to apply the DHCP configuration to the phones of a specific vendor identified by the VCI string supplied by the vendor or by checking Monitor > PBX Status > DHCP > VCI.
Enter the phone VCI string supplied by the vendor.
DHCP IP Range
Enter the start and end for the range of IP addresses that this DHCP server assigns to the DHCP clients.
DHCP Excluded IP Range
Enter a range of IP addresses that this server should not assign to the DHCP clients.
Reserved IP Address
Enter an IP address from the DHCP server to match it to a specific client using its MAC address.
In a typical situation, an IP address is assigned ad hoc to a client, and that assignment times out after a specific time of inactivity from the client, known as the lease time. To ensure a client always has the same IP address, that is, there is no lease time, use this option.
- Click Create.
When troubleshooting networks, it helps to look inside the contents of the packets. This helps to determine if the packets, route, and destination are all as you expect. Traffic capture can also be called packet sniffing, a network tap, or logic analyzing.
Packet sniffing tells you what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as:
- Finding missing traffic.
- Seeing if sessions are setting up properly.
- Locating ARP problems such as broadcast storm sources and causes.
- Confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks.
- Confirming routing is working as you expect.
- Investigating intermittent missing PING packets.
If you are running a constant traffic application such as ping, packet sniffing can tell you if the traffic is reaching the destination, through which port it enters and exits the FortiVoice unit, if the ARP resolution is correct, and if the traffic is returning to the source as expected. You can also use packet sniffing to verify that NAT or other configuration is translating addresses or routing traffic the way that you want it to.
Before you start sniffing packets, you need to have a good idea of what you are looking for. Sniffing is used to confirm or deny your ideas about what is happening on the network. If you try sniffing without a plan to narrow your search, you could end up with too much data to effectively analyze. On the other hand, you need to sniff enough packets to really understand all of the patterns and behavior that you are looking for.
To capture voice and fax packets
- Go to System > Network > Traffic Capture.
Click to stop the packet capture.
When the capture is complete, click Download to save the packet capture file to your hard disk for further analysis.
The name of the packet capture file.
The size of the packet capture file.
The status of the packet capture process, Complete or Running.
- Click New.
- Enter a prefix for the file generated from the captured traffic. This will make it easier to recognize the files.
- Enter the time period for performing the packet capture.
- If you choose SIP or Use protocol for Filter, from the Available peers field, select the extensions or trunks whose voice packets you want to capture and click -> to move them into the Selected peers field. You can select up to 3 peers.
- If you want to limit the scope of traffic capture, in the IP/HOST field, enter a maximum of 3 IP addresses or host names for the extensions and trunks you selected. Only traffic on these IP addresses or host names is captured.
- Select the filter for the traffic capture:
- SIP: Only SIP traffic of the peers you select will be captured.
- Use protocol: Only UDP or TCP traffic of the peers you select will be captured.
- Capture all: All network traffic will be captured.
- For Exclusion, enter the IP addresses/host names and port numbers for which you do not want to capture voice traffic.
- Click Create.