ehamud
Staff
Article Id 423625
Description: This article explains how to configure Dynamic Port Policies directly on FortiSwitch ports, demonstrating how a Dynamic Port Policy assigns network parameters (VLAN, LLDP profile, QoS policy) to a port based on the pattern of the device that connects to it.
Scope: FortiSwitch in FortiLink management mode.
Solution

Before attempting to configure Dynamic Port Policies, check the compatibility matrix between FortiGate and FortiSwitch: see FortiLink Compatibility.

1. Assign a previously created VLAN to one specific port, set the port access mode to dynamic, and attach the port policy:

FortiGate # config switch-controller managed-switch
FortiGate (managed-switch) # edit FortiSwitch
FortiGate (FortiSwitch) # config ports
FortiGate (ports) # edit port2
FortiGate (port2) # show
config ports
    edit "port2"
        set vlan "VLAN10Users1"
        set untagged-vlans "quarantine"
        set access-mode dynamic
        set packet-sampler enabled
        set sample-direction rx
        set port-policy "fortilink1"
        set lldp-profile "Phones"
end

2. Bind the FortiLink policy settings to the FortiLink interface (the switch-controller-dynamic setting):

FortiGate # config system interface
FortiGate (interface) # edit fortilink1
FortiGate (fortilink1) # sho fu | grep dynamic
    set switch-controller-dynamic "fortilink1"
end

3. Create the FortiLink policy settings on the switch-controller side:

FortiGate # config switch-controller fortilink-settings
FortiGate (fortilink-settings) # edit fortilink1
FortiGate (fortilink1) # show
config switch-controller fortilink-settings
    edit "fortilink1"
        set fortilink "fortilink1"
            config nac-ports
                set onboarding-vlan "onboarding"
            end
        next
    end

4. Create the Dynamic Port Policy rule, named TestWindows:

FortiGate # config switch-controller dynamic-port-policy
FortiGate (dynamic-port-policy) # show
config switch-controller dynamic-port-policy
    edit "fortilink1"
        set description "Phonetest"
        set fortilink "fortilink1"
            config policy
                edit "TestWindows"
                    set mac "00:E0:4C:36:10:38"
                next
            end
        next
        edit "port1"
            set fortilink "port1"
        next

5. The same Dynamic Port Policy configuration from the FortiGate GUI:

[Screenshots: gui1.jpg, gui2.jpg]

6. Create a VLAN Policy. Once the Dynamic Port Policy matches a device, this policy later moves the device to the new VLAN segment:

FortiGate # config switch-controller vlan-policy
FortiGate (vlan-policy) # sho fu
config switch-controller vlan-policy
    edit "VlanPolicyNEW"
        set description "TestAssignment"
        set fortilink "fortilink1"
        set vlan "APs-Management"
        set allowed-vlans "APs-Management" "VLAN10Users1"
        set allowed-vlans-all disable
        set discard-mode none
    next
end

The result shows that the TestWindows policy is matched successfully. Because no VLAN policy has been applied yet, the device's segment is still VLAN10Users1:

[Screenshots: ipman.jpg, gui3.jpg]

7. Dynamic Port Policy with the LLDP profile fortivoice.lan:

[Screenshot: gui4.jpg]

FortiGate # config switch-controller dynamic-port-policy
FortiGate (dynamic-port-policy) # edit "fortilink1"
FortiGate (fortilink1) # show
config switch-controller dynamic-port-policy
    edit "fortilink1"
        set description "Phonetest"
        set fortilink "fortilink1"
            config policy
                edit "TestWindows"
                    set mac "00:E0:4C:36:10:38"
                    set lldp-profile "fortivoice.lan"
                next
            end

The result on the FortiSwitch side shows that the port's LLDP profile has already changed to fortivoice.lan:

FortiSwitch # config switch physical-port
FortiSwitch (physical-port) # edit port2
FortiSwitch (port2) # show fu | grep lldp
    set lldp-profile "fortivoice.lan"
end

8. Dynamic Port Policy including a QoS policy, moved to voice-qos:

FortiGate # config switch-controller dynamic-port-policy
FortiGate (dynamic-port-policy) # edit "fortilink1"
FortiGate (fortilink1) # show
config switch-controller dynamic-port-policy
    edit "fortilink1"
        set description "Phonetest"
        set fortilink "fortilink1"
            config policy
                edit "TestWindows"
                    set mac "00:E0:4C:36:10:38"
                    set lldp-profile "fortivoice.lan"
                    set qos-policy "default"
                next
            end

On the FortiSwitch side, the difference is visible before and after the change.

Before the change:

FortiSwitch (port2) # show fu | grep qo
    set qos-policy "default"

After the change:

FortiSwitch # config switch interface
FortiSwitch (interface) # edit port2
FortiSwitch (port2) # show fu | grep qo
    set qos-policy "voice-egress"
end

9. Include the VLAN Policy created earlier in the Dynamic Port Policy rule:

[Screenshot: gui5.jpg]

FortiGate # config switch-controller dynamic-port-policy
FortiGate (dynamic-port-policy) # edit "fortilink1"
FortiGate (fortilink1) # show
config switch-controller dynamic-port-policy
    edit "fortilink1"
        set description "Phonetest"
        set fortilink "fortilink1"
            config policy
                edit "TestWindows"
                    set mac "00:E0:4C:36:10:38"
                    set lldp-profile "fortivoice.lan"
                    set qos-policy "voice-qos"
                    set vlan-policy "VlanPolicyNEW"
                next
            end

Finally, verification from the Windows machine shows that its IP address changed because the VLAN Policy matched:

[Screenshot: gui6.jpg]

Device client list verification:

[Screenshot: ipman2.jpg]
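To check a policy set like the one above offline, the following added example (not code from the article or from Fortinet) parses FortiOS-style "show" output and derives what a dynamic-mode port receives when a device's MAC matches a rule; the sample configuration is constructed from the steps above, and only the MAC criterion is evaluated, with the port keeping its native VLAN when no rule or no vlan-policy applies.

```python
# Added example (not the article's code): parse FortiOS "show" output, then derive what a port gets.
import re
# Constructed sample in the article's format: the step 9 rule plus the step 6 VLAN policy.
SAMPLE_CONFIG = """\
config switch-controller dynamic-port-policy
    edit "fortilink1"
        config policy
            edit "TestWindows"
                set mac "00:E0:4C:36:10:38"
                set lldp-profile "fortivoice.lan"
                set qos-policy "voice-qos"
                set vlan-policy "VlanPolicyNEW"
            next
        end
    next
end
config switch-controller vlan-policy
    edit "VlanPolicyNEW"
        set vlan "APs-Management"
    next
end
"""

def parse_fortios(text):
    """Nest config/edit blocks into dicts; a 'set' value is a str, or a list if several."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        keyword, _, rest = line.partition(" ")
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif keyword == "set":
            name, _, value = rest.partition(" ")
            vals = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', value)]
            stack[-1][name] = vals[0] if len(vals) == 1 else vals
        elif keyword in ("next", "end"):
            stack.pop()
    return stack[0]

def port_attributes(config, fortilink, device_mac, native_vlan):
    """Attributes pushed to a dynamic port for device_mac (MAC is the only criterion evaluated)."""
    attrs = {"rule": None, "vlan": native_vlan, "qos-policy": None, "lldp-profile": None}
    rules = config["switch-controller dynamic-port-policy"].get(fortilink, {}).get("policy", {})
    for name, rule in rules.items():
        if rule.get("mac", "").lower() != device_mac.lower():
            continue
        attrs["rule"] = name
        attrs["qos-policy"], attrs["lldp-profile"] = rule.get("qos-policy"), rule.get("lldp-profile")
        if "vlan-policy" in rule:  # the VLAN policy names the VLAN the device is moved to
            attrs["vlan"] = config["switch-controller vlan-policy"][rule["vlan-policy"]]["vlan"]
        break
    return attrs
```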
