Skip to main content
ehamud
Staff
ehamud
Staff
December 18, 2025

Technical Tip: Dynamic Port Policies configuration with FortiLink using QoS, LLDP and MAC patterns

  • December 18, 2025
  • 0 replies
  • 388 views
Description This article explains how to configure Dynamic Port Policies directly to FortiSwitch ports demonstrating how Dynamic Port Policies assign network parameters based on device patterns. 
Scope FortiSwitch with FortiLink management mode. 
Solution

Before attempting to configure Dynamic Port Policies, validate the matrix compatibility table between FortiGate and FortiSwitch: See FortiLink Compatibility.

 

  1. Attach a VLAN created to one specific port, set dynamic mode and assign port policy:

 

FortiGate # config switch-controller managed-switch

FortiGate (managed-switch) # edit FortiSwitch

FortiGate (FortiSwitch) # config ports

FortiGate (ports) # edit port2

FortiGate (port2) # show

config ports

    edit "port2"

        set vlan "VLAN10Users1"

        set untagged-vlans "quarantine"

        set access-mode dynamic

        set packet-sampler enabled

        set sample-direction rx

        set port-policy "fortilink1"  

        set lldp-profile "Phones"

end

 

  1. Set the FortiLink policy settings to the FortiLink interface:

 

FortiGate # config system  interface

FortiGate (interface) # edit fortilink1

FortiGate (fortilink1) # sho fu | grep dynamic

    set switch-controller-dynamic "fortilink1"

end 

 

  1. Create the FortiLink policy settings from the switch-controller side:

 

FortiGate # config switch-controller fortilink-settings

FortiGate (fortilink-settings) # edit fortilink1

FortiGate (fortilink1) # show

config switch-controller fortilink-settings

    edit "fortilink1"

        set fortilink "fortilink1"

            config nac-ports

                set onboarding-vlan "onboarding"

            end

        next

    end

 

  1. Create the dynamic port policy rule, the name is TestWindows:

 

FortiGate # config switch-controller dynamic-port-policy

FortiGate (dynamic-port-policy) # show

config switch-controller dynamic-port-policy

    edit "fortilink1"

        set description "Phonetest"

        set fortilink "fortilink1"

            config policy

                edit "TestWindows"

                    set mac "00:E0:4C:36:10:38"  

                next

            end

        next

        edit "port1"

            set fortilink "port1"

        next

 

  1. Dynamic Port Policy configuration from the FortiGate GUI side:

gui1.jpg


gui2.jpg

 

  1. Create a VLAN Policy. Once the Dynamic Port Policy makes a match, it will change the device VLAN to the new VLAN segment later:

 

FortiGate # config switch-controller vlan-policy

FortiGate (vlan-policy) # sho fu

config switch-controller vlan-policy

    edit "VlanPolicyNEW"

        set description "TestAssignment"

        set fortilink "fortilink1"

        set vlan "APs-Management"

        set allowed-vlans "APs-Management" "VLAN10Users1"

        set allowed-vlans-all disable

        set discard-mode none

    next

end

 

The result shows a successful TestWindows policy is present. Without a VLAN policy applied yet, the segment is VLAN10Users1:


ipman.jpg

 

gui3.jpg

 

  1. Dynamic Port Policy with LLDP pattern fortivoice.lan:

 

gui4.jpg

 

FortiGate # config switch-controller dynamic-port-policy

FortiGate (dynamic-port-policy) # edit "fortilink1"

FortiGate (fortilink1) # show

config switch-controller dynamic-port-policy

    edit "fortilink1"

        set description "Phonetest"

        set fortilink "fortilink1"

            config policy

                edit "TestWindows"

                    set mac "00:E0:4C:36:10:38"

                    set lldp-profile "fortivoice.lan"

                next

            end

 

The final result from FortiSwitch shows the LLDP profile fortivoice.lan has already changed:

 

FortiSwitch # config switch physical-port

FortiSwitch (physical-port) # edit port2

FortiSwitch (port2) # show fu | grep lldp

    set lldp-profile "fortivoice.lan"

end

 

  1. Dynamic Port Policy including QoS profile, moved to voice-qos:

 

FortiGate # config switch-controller dynamic-port-policy

FortiGate (dynamic-port-policy) # edit "fortilink1"

FortiGate (fortilink1) # show

config switch-controller dynamic-port-policy

    edit "fortilink1"

        set description "Phonetest"

        set fortilink "fortilink1"

            config policy

                edit "TestWindows"

                   set mac "00:E0:4C:36:10:38"

                   set lldp-profile "fortivoice.lan"

                   set qos-policy "default"

               next

           end

 

From the FortiSwitch side the results are evident before and after the change:

 

Before the change:

 

FortiSwitch (port2) # show fu | grep qo

    set qos-policy "default"

 

After the change:

 

FortiSwitch # config switch interface

FortiSwitch (interface) # edit port2

FortiSwitch (port2) #  show fu | grep qo

    set qos-policy "voice-egress"  

end

 

  1. Include the Dynamic VLAN Policy created before:

 

gui5.jpg

 

FortiGate # config switch-controller dynamic-port-policy

FortiGate (dynamic-port-policy) # edit "fortilink1"

FortiGate (fortilink1) # show

config switch-controller dynamic-port-policy

    edit "fortilink1"

        set description "Phonetest"

        set fortilink "fortilink1"

            config policy

                edit "TestWindows"

                    set mac "00:E0:4C:36:10:38"

                    set lldp-profile "fortivoice.lan"

                    set qos-policy "voice-qos"

                    set vlan-policy "VlanPolicyNEW"

                next

            end

 

Finally, following the verification from the Windows machine, the IP address changed because of the VLAN Policy match:

 

gui6.jpg

 

Device client list verification:

 

ipman2.jpg
    Terms & ConditionsAccessibility statement