Auto VLAN and QoS for VOIP Phones (FortiSwitch managed by FortiGate)

Captions
In this video we will go over how to configure voice VLAN and QoS on a FortiSwitch that's managed by a FortiGate firewall.

All right, so here we're going to use LLDP-MED, or Media Endpoint Discovery. This needs to be a feature that's available on both the phone as well as on the switch, right? So the idea here is that these two devices are going to be communicating with this protocol. The switch is pre-configured so that it's going to instruct the phone on which VLAN the phone needs to be on, which is going to be VLAN 117. So the idea here is that traffic from the phone, and it's important to know that it's sourced from the phone, not the PC, traffic from the phone is going to be tagged with VLAN 117 before it even arrives to the switch.

And then also, same as before, via LLDP-MED we're going to be instructing the phone on what DSCP classification decimal number needs to be used. In this case it will be decimal number 46, which is the expedited forwarding bit. Now the benefit to that DSCP classification is now we give the switch the ability to differentiate between voice traffic from the phone and, say, the PC traffic, right? So that we could instruct the switch, in its own type of queuing system, to prioritize that voice traffic as well. Now this is also dependent on the switch that you're using, so make sure that the FortiSwitch you're using is also capable of enabling QoS.

All right, so the end result then here would be that VLAN 117 can be tagged from traffic sourced from the phone, as well as, you know, QoS can be utilized on the switch because of that DSCP bit.

Now let's talk about the PC for a second. So the PC is not using LLDP-MED, right? So the PC's traffic will just be going on pretty much the access VLAN that's configured on the switch, right, which in this case we'll just use it as VLAN 100.
Right, so just to kind of summarize here: VLAN 100 would be used for native traffic, or pretty much traffic from any device that's not a phone, right? That's just going to be the regular native VLAN or access VLAN that we have configured on the switch. Whereas, if we go back just a step here, there's a little more logic for the traffic specific to the phone, because the phone is actually going to be tagging traffic on VLAN 117.

All right, so looking at the FortiGate's configuration under Network, Interfaces, we've got our production VLAN, which is VLAN ID 100, so this is pretty much the PC VLAN. 192.168.111 is the network. And then let's also look at the phones VLAN, so this is going to be VLAN ID 117, it's on the 117 network. Let's click into it. So we do have a DHCP server configuration, but additionally I've added option code 66, which is a string, and this is pretty much pointing to the FortiVoice, or really this is just like the PBX that these phones are going to be registering to, so that they know what to communicate with once they're powered on.

So then if we go to WiFi and Switch Controller, FortiSwitch Ports, we'll go down. So I have an IP phone, it's actually a FortiFone, it's connected to port 11, and I have another one connected to port 12.
As we can see, the native VLAN is VLAN ID 100, so, you know, if a PC were to connect to it right now it would be untagged traffic, and when it gets received by the switch port the switch is going to tag it for VLAN ID 100. But then we also have allowed VLANs, so, you know, anything that's on VLAN ID 117 on both of these switch ports, any tagged traffic received on any of these switch ports will be received by the switch and it can also be forwarded upstream.

All right, now let's take a look at the LLDP profile that we have associated to both of those switch ports. In this case it's called phones-lldp. All right, now some of this is already pre-configured, but let's take a look. If we go config switch-controller lldp-profile, and then once we entered that we'll go edit, and then we're going to edit that phones-lldp profile. We'll do a show here. So we have the same configuration for voice and voice signaling, but starting from the top: here's our profile, here's our config med-network-policy, which gets us down to the next subsection, and then if we edit the voice section here, I've pre-configured that we have status set to enable, we have the VLAN interface that we want to assign voice traffic to, or phones to, and that's going to be that name phones, which is again our VLAN ID 117 that we showed before. And then, yeah, we have set assign-vlan enabled so that we can assign this VLAN interface. So the same configuration is set also for the voice signaling section.

All right, now it's always good to be able to check our configuration is actually working. So if we type in diagnose switch-controller switch-info lldp, it'll be neighbors-detail, and then this is the switch's serial number, it'll be different in your case, and then let's look at port 11, for example. So if we take a look here, we can see information about, you know, the managed switch, we can see the phone serial number that's connected, information about the firmware build of the phone, its IP address,
so we can see that it is actually in the correct VLAN, which is the 117 VLAN, on the 117 network. And we also have some information from the phone about what voice VLAN the device is in, so traffic from the phone is tagged for VLAN 117. We don't actually have a DSCP configuration yet, because we haven't actually configured that yet on the LLDP profile, but at least we know step one is complete, so phones are being associated to VLAN 117.

All right, now let's take a look at DSCP and priority queuing. So we'll go back to that same profile that we had before, so it's config switch-controller lldp-profile. Let's edit the phones-lldp. We'll do a show just to see where we're at. So we go to the config med-network-policy and we'll edit voice, and then we'll just do a show here to see where we're at. We'll go set dscp 46, and then let's do the same thing for voice signaling: set dscp 46. All right, we'll go end, end, and then now everything's saved.

All right, back to our FortiSwitch. Let's just do a PoE reset. This is really, I guess, just going to reboot the phone, and then we'll come back and look at that diagnostic command in just a moment.

Okay, the switch is fully rebooted, now it's up and running. Let's run that exact same command again to check the diagnostics on that port with regards to LLDP. And when we run it this time around, same as before we see VLAN 117, but here's what's changed: DSCP now shows the value 46 for voice and voice signaling.

All right, and we can do a quick verification in Wireshark if we'd like to. So if we take a look at the IP address of that phone, let's just hover over here, okay, it's the 117.3, and then we'll just start a packet capture. Just do a quick packet capture here. Okay, I've started it. I'm going to make a quick call between the two phones and we'll come back.

All right, so now we have the packet capture. We can see that we've captured some packets here, so let's download that capture, let's have a view of it in Wireshark. Okay, so
let's take a look at some of the RTP traffic here. So we can see traffic sourced from the 117.3, which is actually the phone in this case. It's destined for the production network, which has the FortiVoice, or the PBX essentially, which is the 111.11 IP address. But looking at this packet, if we look into the IP header and look into the Differentiated Services field, we can see that the EF bit is set, and we see that expedited forwarding is enabled on that packet. So that's perfect. Now we can actually take action based off of this information from the phone during a call.

Okay, so let's get into that a little bit. So right now we're actually going to be running a command, same as always we're running the command on the FortiGate and we're looking at the FortiSwitch. So if we go diag switch-controller switch-info qos-stats, I'll type in the switch's serial number, and then let's go to port 11, just to keep things simple here.

Okay, so we can think of it like this, right: queue 0, that's going to be pretty much the default queue, so unless we tell the switch specifically what we want it to do with regards to prioritization, traffic will be hitting this queue 0, which is the least prioritized queue, right? So think of it like this: if we associate traffic with a higher queue number, then the switch knows to prioritize that traffic over the lower queue number traffic. So in this case, for example purposes, let's associate queue 5 with all of our voice traffic, which I've already done, but let's go over the configuration on how that was done.

Okay, so it starts with an IP DSCP map. So if we go config switch-controller qos ip-dscp-map, I'm going to edit the one I've already created called test dscp. I do a show. We can see that under the profile test dscp I have gone config map, and then I've edited an entry, I just made it number two, and then we can see here that when the switch sees the value 46 in the DSCP value, then it will associate that traffic with CoS queue 5. All right, and
next step, we have to check where that IP DSCP mapping is being referenced, right? So that's config switch-controller qos qos-policy. I'll edit test-qos, do a show here. We can see that the test-qos QoS policy references the IP DSCP map called test dscp, which we just went over a moment ago.

And the final step is just to make sure that this QoS policy called test-qos is applied to the switch ports that we want this QoS policy to be enabled on. So config switch-controller managed-switch, I'm going to edit the switch the devices are connected to, I believe, config ports, you know, let's edit port 11 for example. I'll do a show here. As we can see, the QoS policy test-qos is enabled on that port, and the same is the case for port 12. I can see that quick if I go next to go back one step, edit port 12. Same thing: if I show it, the test-qos policy has been enabled.

Oh, actually, and one last thing that we do have to do because we are using FortiLink here, I believe this is with regards to the trunk, but here's the config: config switch-controller auto-config policy. And then, you know, let's take a look at voice ICL. So I have this configuration here where we're referencing that previously referenced QoS policy, test-qos. And then if we go back, we'll go edit, this will be voice trunk, we'll do a show here, and then here's the second auto-config policy that we have. Same thing, it references that test-qos policy. And then where we reference those two items is config switch-controller auto-config default, and then we'll do a show there, and then we can see that the FortiGate policy and the ISL policy is voice trunk, which is the second of the two above, and then the ICL policy is voice ICL. Okay.

All right, now finally let's test to see if our queuing is working as expected for the voice traffic, right? So I just queried the same command we did before to check the QoS stats for port 11, where one of the FortiFones is connected. So I've checked it twice here. We
can see in queue 5, after checking it with like, you know, a 10 second difference there, we can see that nothing is increasing in packets, it's 82153, but that's expected right now. So let me make a call right now and let's see if that changes.

Okay, so I've initiated a call. We can see on my FortiVoice, which is pretty much the PBX system here, we've got John Smith calling Mary Jones, and we see that they've been connected for a little while right now, so that call is in session. And now if I re-query that same command, okay, so that value has increased this time, and it's increasing pretty much every second. So we can confirm now that our queue is set to five for the voice traffic, and then everything else will remain in queue 0 there.

And additionally, when we go back to that FortiSwitch Ports section, there we have it: we can see that the phone is connected to the phones VLAN, and then, you know, I've also connected a laptop to that phone just to confirm that it accesses the production VLAN as expected and is associated with the 111 subnet.

All right, so that wraps things up here. I've linked a GitHub link in the description, because I know there's a lot of commands that are nested or referencing each other. I find it's a lot easier to follow maybe by just reviewing the GitHub in addition to the video, so feel free to take a look at that. Hopefully this helps, and we'll see you in the next video. Thanks.
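
Added example (not from the video or its linked GitHub): a small Python check that does the Wireshark verification from the captions programmatically, reading the 802.1Q VLAN ID and the DSCP value from a captured frame and applying the DSCP 46 to queue 5 mapping. The sample frames, the addresses and the helper names `classify`, `audit` and `build_frame` are constructed for illustration, and it assumes the capture is taken where the 802.1Q tag is still visible. Because the mapping keys on the DSCP value alone, the audit also reports EF-marked traffic that is not on VLAN 117.

```python
import struct

VOICE_VLAN = 117           # voice VLAN advertised to the phone in the video
DSCP_TO_QUEUE = {46: 5}    # the video's map entry: DSCP 46 (EF) -> queue 5
DEFAULT_QUEUE = 0          # everything else stays in queue 0

def classify(frame: bytes) -> dict:
    """Return VLAN ID (None if untagged), DSCP and mapped queue for one Ethernet/IPv4 frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan, offset = None, 14
    if ethertype == 0x8100:                       # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18           # low 12 bits of the TCI are the VLAN ID
    if ethertype != 0x0800 or len(frame) < offset + 20:
        raise ValueError("not a complete IPv4 packet")
    dscp = frame[offset + 1] >> 2                 # upper 6 bits of the DS field
    return {"vlan": vlan, "dscp": dscp, "queue": DSCP_TO_QUEUE.get(dscp, DEFAULT_QUEUE)}

def audit(frame: bytes) -> str:
    """Compare one frame with the design described in the video."""
    r = classify(frame)
    if r["vlan"] == VOICE_VLAN:
        return "voice-ok" if r["dscp"] == 46 else "voice-vlan-without-ef"
    return "ef-outside-voice-vlan" if r["dscp"] == 46 else "data-ok"

def build_frame(vlan, dscp):
    """Constructed sample: zeroed MACs, bare IPv4/UDP header, documentation addresses."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    eth = bytes(12) + tag + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 3]), bytes([192, 0, 2, 11]))
    return eth + ip

if __name__ == "__main__":
    for name, f in [("phone", build_frame(117, 46)), ("pc", build_frame(None, 0)),
                    ("pc marking EF", build_frame(None, 46))]:
        print(name, classify(f), audit(f))
```
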
Info
Channel: ToThePoint Fortinet
Views: 7,177
Keywords: FortiGate, FortiGate how to, Fortinet how to, FortiGate tutorial, Fortinet tutorial, Security, fortiswitch, fortilink, managed switch, layer 2 switch, VLAN, Dynamic VLAN, FortiVoice, Voice VLAN, auto vlan, qos, priority, queueing, lldp, lldp-med, dscp, policing, fortifone
Id: 5nMjPI3PI_8
Length: 14min 43sec (883 seconds)
Published: Sat Oct 08 2022