Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.0 Administration Guide
    6.4.0
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Voice device detection

    Voice device detection

    FortiSwitch is able to parse LLDP messages from voice devices such as FortiFone, and pass this information to FortiGate for device detection. You can use FortiSwitch NAC policies to assign a device to an LLDP profile, QoS policy, and VLAN policy. When a detected device is matched to a NAC policy, the corresponding policy actions will be applied on the switch port.

    Example

    In the following example, FortiFone is connected to port11 of FortiSwitch. A NAC policy is created to apply a VLAN policy, LLDP policy, and QoS policy to Device Family FortiFone.

    To create a FortiSwitch NAC policy in the GUI:
    1. Configure a NAC policy on a switch port. See NAC policies on switch ports.
    2. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
    3. Create or edit an NAC policy.
    4. Set the Category to Device.
    5. Enable Device family, and enter name such as FortiFone.
    6. Select Apply Port Specific Settings.
    7. Enable LLDP profile, and select a voice profile from the dropdown.
    8. Enable QoS policy, and select a voice policy from the dropdown.
    9. Enable VLAN policy, and select a voice policy from the dropdown.

    10. Click OK.

      The NAC policy is applied after a FortiFone is plugged into port11 of the FortiSwitch:

    To create a FortiSwitch NAC policy in the CLI:
    1. Assign the FortiFone to a VLAN policy, LLDP policy, and QoS Policy.

      config user nac-policy

      edit "FortiFone"

      set family "FortiFone"

      set switch-fortilink "fortilink"

      set switch-port-policy "FortiFone"

      next

      end

      config switch-controller port-policy

      edit "FortiFone"

      set fortilink "fortilink"

      set lldp-profile "fortivoice.fortilink"

      set qos-policy "voice-qos"

      set vlan-policy "fortiFone"

      next

      end

      config switch-controller vlan-policy

      edit "fortiFone"

      set fortilink "fortilink"

      set vlan "voice"

      next

      end

      config switch-controller lldp-profile

      edit "fortivoice.fortilink"

      set med-tlvs inventory-management network-policy location-identification

      set auto-isl disable

      config med-network-policy

      edit "voice"

      set status enable

      set vlan-intf "voice"

      set assign-vlan enable

      set dscp 46

      next

      edit "voice-signaling"

      set status enable

      set vlan-intf "voice"

      set assign-vlan enable

      set dscp 46

      next

      edit "guest-voice"

      next

      edit "guest-voice-signaling"

      next

      edit "softphone-voice"

      next

      edit "video-conferencing"

      next

      edit "streaming-video"

      next

      edit "video-signaling"

      next

      end

      next

      end

      config switch-controller qos qos-policy

      edit "voice-qos"

      set trust-dot1p-map "voice-dot1p"

      set trust-ip-dscp-map "voice-dscp"

      set queue-policy "voice-egress"

      next

      end

    2. FortiSwitch receives an LLDP message from FortiFone after it is plugged into port11.
    3. Run diagnose switch-controller switch-info to check the device information on FortiGate. The FortiFone is identified.

      # diagnose switch-controller switch-info lldp neighbors-detail S124EP5918000276 port11

      Vdom: root

      Managed Switch : S124EP5918000276 0

      Capability codes:

      R:Router, B:Bridge, T:Telephone, C:DOCSIS Cable Device

      W:WLAN Access Point, P:Repeater, S:Station, O:Other

      MED TLV Capability codes:

      C:Capabilities, P:Network Policies, L:Location, S:MDI PSE

      D:MDI PD, I:Inventory

      _______________________________________________________________

      Neighbor learned on port port11 by LLDP protocol

      Last change 20 seconds ago

      Last packet received 20 seconds ago

      Chassis ID: 169.254.15.3 (ip)

      System Name: FON-675i

      System Description:

      :14.0.0.1.r4

      Time To Live: 60 seconds

      System Capabilities: BT

      Enabled Capabilities: BT

      MED type: Communication Device Endpoint (Class III)

      MED Capabilities: CP

      Management IP Address: 169.254.15.3

      Port ID: 70:4c:a5:e2:6b:b2 (mac)

      Port description: WAN Port 10M/100M/1000M

      IEEE802.3, Power via MDI:

      Power devicetype: PD

      PSE MDI Power: Not Supported

      PSE MDI Power Enabled: No

      PSE Pair Selection: Can not be controlled

      PSE power pairs: Signal

      Power class: 1 (class-0)

      Power type: 802.3at off

      Power source: Unknown

      Power priority: Unknown

      Power requested: 0.0W

      Power allocated: 0.0W

      LLDP-MED, Network Policies:

      voice: VLAN: 256 (untagged), Priority: 0 DSCP: 46

      voice-signaling: VLAN: 256 (untagged), Priority: 0 DSCP: 46

      streaming-video: VLAN: 256 (untagged), Priority: 0 DSCP: 46

      # diagnose user device list

      hosts

      vd root/0 70:4c:a5:e2:6b:b2 gen 5 req OUA/34

      created 3522s gen 3 seen 24s onboarding gen 2

      hardware vendor 'Fortinet' src lldp weight 128

      type 'IP Phone' src lldp id 1523 weight 128

      family 'FortiFone' src lldp id 1523 weight 128

      host 'FON-675i' src lldp

    Previous
    Next

    Voice device detection

    Voice device detection

    FortiSwitch is able to parse LLDP messages from voice devices such as FortiFone, and pass this information to FortiGate for device detection. You can use FortiSwitch NAC policies to assign a device to an LLDP profile, QoS policy, and VLAN policy. When a detected device is matched to a NAC policy, the corresponding policy actions will be applied on the switch port.

    Example

    In the following example, FortiFone is connected to port11 of FortiSwitch. A NAC policy is created to apply a VLAN policy, LLDP policy, and QoS policy to Device Family FortiFone.

    To create a FortiSwitch NAC policy in the GUI:
    1. Configure a NAC policy on a switch port. See NAC policies on switch ports.
    2. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
    3. Create or edit an NAC policy.
    4. Set the Category to Device.
    5. Enable Device family, and enter name such as FortiFone.
    6. Select Apply Port Specific Settings.
    7. Enable LLDP profile, and select a voice profile from the dropdown.
    8. Enable QoS policy, and select a voice policy from the dropdown.
    9. Enable VLAN policy, and select a voice policy from the dropdown.

    10. Click OK.

      The NAC policy is applied after a FortiFone is plugged into port11 of the FortiSwitch:

    To create a FortiSwitch NAC policy in the CLI:
    1. Assign the FortiFone to a VLAN policy, LLDP policy, and QoS Policy.

      config user nac-policy

      edit "FortiFone"

      set family "FortiFone"

      set switch-fortilink "fortilink"

      set switch-port-policy "FortiFone"

      next

      end

      config switch-controller port-policy

      edit "FortiFone"

      set fortilink "fortilink"

      set lldp-profile "fortivoice.fortilink"

      set qos-policy "voice-qos"

      set vlan-policy "fortiFone"

      next

      end

      config switch-controller vlan-policy

      edit "fortiFone"

      set fortilink "fortilink"

      set vlan "voice"

      next

      end

      config switch-controller lldp-profile

      edit "fortivoice.fortilink"

      set med-tlvs inventory-management network-policy location-identification

      set auto-isl disable

      config med-network-policy

      edit "voice"

      set status enable

      set vlan-intf "voice"

      set assign-vlan enable

      set dscp 46

      next

      edit "voice-signaling"

      set status enable

      set vlan-intf "voice"

      set assign-vlan enable

      set dscp 46

      next

      edit "guest-voice"

      next

      edit "guest-voice-signaling"

      next

      edit "softphone-voice"

      next

      edit "video-conferencing"

      next

      edit "streaming-video"

      next

      edit "video-signaling"

      next

      end

      next

      end

      config switch-controller qos qos-policy

      edit "voice-qos"

      set trust-dot1p-map "voice-dot1p"

      set trust-ip-dscp-map "voice-dscp"

      set queue-policy "voice-egress"

      next

      end

    2. FortiSwitch receives an LLDP message from FortiFone after it is plugged into port11.
    3. Run diagnose switch-controller switch-info to check the device information on FortiGate. The FortiFone is identified.

      # diagnose switch-controller switch-info lldp neighbors-detail S124EP5918000276 port11

      Vdom: root

      Managed Switch : S124EP5918000276 0

      Capability codes:

      R:Router, B:Bridge, T:Telephone, C:DOCSIS Cable Device

      W:WLAN Access Point, P:Repeater, S:Station, O:Other

      MED TLV Capability codes:

      C:Capabilities, P:Network Policies, L:Location, S:MDI PSE

      D:MDI PD, I:Inventory

      _______________________________________________________________

      Neighbor learned on port port11 by LLDP protocol

      Last change 20 seconds ago

      Last packet received 20 seconds ago

      Chassis ID: 169.254.15.3 (ip)

      System Name: FON-675i

      System Description:

      :14.0.0.1.r4

      Time To Live: 60 seconds

      System Capabilities: BT

      Enabled Capabilities: BT

      MED type: Communication Device Endpoint (Class III)

      MED Capabilities: CP

      Management IP Address: 169.254.15.3

      Port ID: 70:4c:a5:e2:6b:b2 (mac)

      Port description: WAN Port 10M/100M/1000M

      IEEE802.3, Power via MDI:

      Power devicetype: PD

      PSE MDI Power: Not Supported

      PSE MDI Power Enabled: No

      PSE Pair Selection: Can not be controlled

      PSE power pairs: Signal

      Power class: 1 (class-0)

      Power type: 802.3at off

      Power source: Unknown

      Power priority: Unknown

      Power requested: 0.0W

      Power allocated: 0.0W

      LLDP-MED, Network Policies:

      voice: VLAN: 256 (untagged), Priority: 0 DSCP: 46

      voice-signaling: VLAN: 256 (untagged), Priority: 0 DSCP: 46

      streaming-video: VLAN: 256 (untagged), Priority: 0 DSCP: 46

      # diagnose user device list

      hosts

      vd root/0 70:4c:a5:e2:6b:b2 gen 5 req OUA/34

      created 3522s gen 3 seen 24s onboarding gen 2

      hardware vendor 'Fortinet' src lldp weight 128

      type 'IP Phone' src lldp id 1523 weight 128

      family 'FortiFone' src lldp id 1523 weight 128

      host 'FON-675i' src lldp

    Previous
    Next