sachitdas_FTNT
Article Id 196701

Description


This article describes how to configure QoS for voice to prioritize voice traffic.

Scope

 

FortiGate.

Solution


Refer to the sample configuration below. Configure this during a maintenance window, as the network is impacted during step 7.

1) Create an LLDP profile.

 

# config switch-controller lldp-profile
    edit "phone-site-1"
        set med-tlvs inventory-management network-policy
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs power-negotiation
        set auto-isl disable
        # config med-network-policy
            edit "voice"
                set status enable
                set vlan-intf "vlan2"         <----- Voice VLAN.
                set assign-vlan enable
                set priority 5          <----- CoS 5 for voice traffic.
                set dscp 46         <----- DSCP 46 for voice traffic.
            next
            edit "voice-signaling"
                set status enable
                set vlan-intf "vlan2"               <----- Voice VLAN.
                set assign-vlan enable
                set priority 5         <----- CoS 5 for voice traffic.
                set dscp 46       <----- DSCP 46 for voice traffic.
            next
        end
    next
end

 

# show switch-controller lldp-profile phone-site-1

 

2) Configure layer-3 QoS DSCP:

 

# config switch-controller qos ip-dscp-map
    edit "voice-dscp"
        # config map
            edit "1"       <----- Mapping voice traffic with DSCP 46 to queue-5.
                set cos-queue 5
                set value 46
            next
        end
end

# show switch-controller qos ip-dscp-map

 

3) Configure layer-2 QoS 802.1p.

 

# config switch-controller qos dot1p-map
    edit "voice-dot1p"
        set priority-5 queue-5      <----- Mapping voice traffic with CoS 5 to queue-5.
    next
end

# show switch-controller qos dot1p-map

 

4) Configure the egress QoS policy.

 

# config switch-controller qos queue-policy
    edit "q5-strict"
        set schedule strict
        set rate-by percent
        # config cos-queue
            edit "queue-5"      <----- Make voice queue-5 a strict-priority queue with limited bandwidth.
                set min-rate-percent 1
                set max-rate-percent 10
            next
        end
    next
end

 

# show switch-controller qos queue-policy

 

5) Configure the overall policy that will be applied to the switchports.

 

# config switch-controller qos qos-policy
    edit "strict-voice"
        set trust-dot1p-map "voice-dot1p"
        set trust-ip-dscp-map "voice-dscp"
        set queue-policy "q5-strict"
    next
end

# show switch-controller qos qos-policy

 

6) Specify policy definitions that define the behavior on automatically configured interfaces.

 

# config switch-controller auto-config policy
    edit "voice-icl"
        set qos-policy "strict-voice"
        set poe-status disable
        set igmp-flood-report enable
        set igmp-flood-traffic enable
    next
    edit "voice-trunk"
        set qos-policy "strict-voice"
        set poe-status disable
    next
end

# show switch-controller auto-config policy

 

7) Apply QoS config on auto FortiLink trunks.

 

# config switch-controller auto-config default    <-- Apply voice QoS on auto FortiLink trunks.
    set fgt-policy "voice-trunk"
    set isl-policy "voice-trunk"
    set icl-policy "voice-icl"
end

# show switch-controller auto-config default

 

8) Apply the LLDP profile and QoS policy to the host ports connected to the phones, and make sure the voice VLAN is included in the allowed VLANs. Phones are expected to get an IP address from the tagged VLAN once the LLDP profile is mapped to the port.

From the GUI, select multiple ports and do a bulk update.
- Go to FortiSwitch Ports. There are 2 columns: 'LLDP profile' and 'QoS Policy'.

If the columns are not visible, select the column tab and then add the 2 columns 'LLDP profile' and 'QoS Policy'.


  
- Now select multiple ports by holding the 'CTRL' or 'Shift' key, then map the LLDP profile and QoS policy to the ports.
 
 
- Map the phone VLAN as a tagged (allowed) VLAN on the ports. VoIP units usually get an IP address from the tagged VLAN once the LLDP profile is mapped.
Starting from 6.4, the VLAN is automatically mapped as a tagged VLAN once the LLDP profile is mapped.
 
 
 
9) Diagnose commands (these commands need to be executed on FortiSwitch).
 
# diagnose switch physical-ports qos-stats
list                      <----- List qos-stats.
non-zero                  <----- List only qos-stats that are not zero.
set-qos-counter-revert    <----- Revert port QoS counters to direct hardware value.
set-qos-counter-zero      <----- Reset port's QoS counters to zero (applies to all applications except SNMP)
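
The marking chain from steps 1 to 3 can be checked offline before the profile is applied to ports. The Python sketch below is an added example, not part of the original article or any Fortinet tooling: it parses configuration text in the article's syntax and reports any LLDP-MED network policy whose advertised DSCP is unmapped or whose CoS is mapped to a different egress queue. The function names and the trimmed sample are constructed for illustration, and treating `set value` as a comma-separated list is an assumption.

```python
import shlex

SAMPLE = """config switch-controller lldp-profile
    edit "phone-site-1"
        config med-network-policy
            edit "voice"
                set priority 5
                set dscp 46
            next
        end
    next
end
config switch-controller qos ip-dscp-map
    edit "voice-dscp"
        config map
            edit "1"
                set cos-queue 5
                set value 46
            next
        end
    next
end
config switch-controller qos dot1p-map
    edit "voice-dot1p"
        set priority-5 queue-5
    next
end"""  # constructed sample in the article's syntax (steps 1-3, trimmed)

def parse(text):
    """Nest config/edit blocks into dicts; each 'set' stores its value tokens."""
    stack = [{}]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def voice_findings(cfg, profile, dscp_map, dot1p_map):
    """Return (policy, dscp_queue, cos_queue) where DSCP is unmapped or the queues differ."""
    sc = "switch-controller "
    dscp_q = {v: e["cos-queue"][0] for e in cfg[sc + "qos ip-dscp-map"][dscp_map]["map"].values()
              for v in ",".join(e["value"]).split(",")}
    dot1p = cfg[sc + "qos dot1p-map"][dot1p_map]
    # One row per LLDP-MED policy: queue chosen by its DSCP, queue chosen by its CoS.
    rows = [(n, dscp_q.get(p["dscp"][0]), dot1p.get("priority-" + p["priority"][0], [None])[0])
            for n, p in cfg[sc + "lldp-profile"][profile]["med-network-policy"].items()]
    return [r for r in rows if r[1] is None or r[2] != "queue-" + r[1]]
```

An empty result for `voice_findings(parse(SAMPLE), "phone-site-1", "voice-dscp", "voice-dot1p")` means the values advertised to the phone and the trust maps agree on one queue; a `None` in a returned row marks a value with no explicit map entry.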

 

Related links:

Fortinet Documentation.


Page#80 LLDP-MED: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/2f7d95c8-7367-11ea-9384-005056...


Page#139 Configure QOS for managed switch: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/2f7d95c8-7367-11ea-9384-005056...
