
FortiSwitch LLDP-MED profile DSCP marking problem

FortiSwitch 108E

Standalone mode

v. 7.2.3

I have created an LLDP-MED profile "Phone-LLDP" with MED TLVs:

VLAN 100


for Voice and Voice Signaling.

And enabled LLDP on a physical port TX/RX with the "Phone-LLDP" profile.

Packet capture on both ends of the VoIP traffic (3CX PBX and Fanvil IP phone) confirms that DSCP 46 has not been applied.

VLAN assignment works.

Any ideas?



The first thing you need to do is capture the LLDP L2 frames between the FSW and the end device in both directions.
Below is a description of one Cisco switch's behavior, but I think the FSW's default behavior is the same.

"By default, the switch only sends LLDP packets until it receives LLDP-MED packets from the end device. It will then send LLDP packets with MED TLVs as well. When the LLDP-MED entry has been aged out, it only sends LLDP packets again." I quoted from below:

To capture them you might need to set SPAN to mirror all frames/packets sent/received at the port to another port and run Wireshark on a machine hooked up at the mirror port. You can filter the output with just "lldp".

I recently did that with a 224D and verified that LLDP frames containing the network-policy TLV I configured (vlan, dscp, cos priority) came out after my Polycom phone came up and sent out its LLDP frames to the FSW.




Hi @Toshi_Esumi ,


Thank you for this detailed information. This is my first experience with LLDP-MED. If I understand it correctly, the LLDP-MED Network Policy doesn't do any traffic shaping on its own but rather instructs the LLDP media endpoint to follow this policy, like VLAN, priority and DSCP.

Is this correct?

If I do not see any changes related to the DSCP on the IP phone (packet capture) I can assume that the phone just doesn't understand this DSCP part of the network policy, but complies with the VLAN part of it.

Is my understanding correct?



My understanding is the same as yours. It's just providing information to a device connected to the port. My guess was the FSW was sending LLDP-MED exactly what you configured, but the device is ignoring some of them, whatever the reason is. When you sniff the LLDP frames you should be able to determine if that's the fact, or if it's a bug of the FSW software missing some part of your config.


I have mirrored ports on FortiSwitch; port6-source, port5-destination.

Wireshark output:


Telecommunications Industry Association TR-41 Committee - Network Policy
    1111 111. .... .... = TLV Type: Organization Specific (127)
    .... ...0 0000 1000 = TLV Length: 8
    Organization Unique Code: 00:12:bb (Telecommunications In
    Media Subtype: Network Policy (0x02)
    Application Type: Voice (1)
    0... .... .... .... .... .... = Policy: Defined
    .1.. .... .... .... .... .... = Tagged: Yes
    ...0 0000 1100 100. .... .... = VLAN Id: 100
    .... .... .... ...0 00.. .... = L2 Priority: 0
    .... .... .... .... ..10 1110 = DSCP Priority: 46



And Fanvil X3U states :


Capabilities: 0x0003
    .... .... .... ...1 = LLDP-MED Capabilities: Capable
    .... .... .... ..1. = Network Policy: Capable
    .... .... .... .0.. = Location Identification: Not capable
    .... .... .... 0... = Extended Power via MDI-PSE: Not capable
    .... .... ...0 .... = Extended Power via MDI-PD: Not capable
    .... .... ..0. .... = Inventory: Not capable


It looks like the phone overestimates its capabilities.



Since it's capable of taking the VLAN ID portion, it has to say "Capable". Otherwise, the FSW wouldn't even include the TLV. It's just not capable of taking the DSCP value.
If you're lucky you might be able to configure it manually on the phone. But chances are there's no way of configuring it on the phone, and you need to mark traffic on the port at the FSW.
For that part, I haven't done it myself with FSWs yet so ask somebody else if you need help. I think you can figure out yourself though.
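
The check discussed in this thread, written out as an added example (not code from any poster or from Fortinet): decode the LLDP-MED Network Policy TLV the switch advertises and compare its DSCP with the ToS byte seen in the phone's IP packets. The TLV bytes are constructed to match the Wireshark fields quoted above; the function names and the observed ToS values are assumptions.

```python
import struct

TIA_OUI = bytes.fromhex("0012bb")   # TIA TR-41 OUI, as shown in the capture
NETWORK_POLICY_SUBTYPE = 0x02       # Media Subtype: Network Policy

def parse_network_policy(tlv: bytes) -> dict:
    """Decode one LLDP-MED Network Policy TLV, 2-byte TLV header included."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV header")
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x01FF   # 7-bit type, 9-bit length
    value = tlv[2:2 + length]
    if tlv_type != 127 or length != 8 or len(value) != 8:
        raise ValueError("not an 8-byte organization-specific TLV")
    if value[:3] != TIA_OUI or value[3] != NETWORK_POLICY_SUBTYPE:
        raise ValueError("not a TIA Network Policy TLV")
    # Last 3 bytes: U(1) T(1) X(1) VLAN(12) L2 priority(3) DSCP(6)
    bits = int.from_bytes(value[5:8], "big")
    return {
        "application_type": value[4],             # 1 = Voice
        "policy_defined": not (bits >> 23) & 1,   # U flag: 0 means "Defined"
        "tagged": bool((bits >> 22) & 1),
        "vlan_id": (bits >> 9) & 0x0FFF,
        "l2_priority": (bits >> 6) & 0x07,
        "dscp": bits & 0x3F,
    }

def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper six bits of the IPv4 ToS / DS field."""
    return (tos >> 2) & 0x3F

def phone_honours_dscp(policy: dict, observed_tos: int) -> bool:
    """True if the endpoint marks its traffic with the advertised DSCP."""
    return dscp_from_tos(observed_tos) == policy["dscp"]

# Constructed TLV: header fe08, OUI 00:12:bb, subtype 02, app type 01,
# policy bits 40c82e (Defined, Tagged, VLAN 100, L2 priority 0, DSCP 46).
SAMPLE_TLV = bytes.fromhex("fe08" "0012bb" "02" "01" "40c82e")

if __name__ == "__main__":
    policy = parse_network_policy(SAMPLE_TLV)
    print(policy)
    # Constructed ToS values: 0xB8 carries DSCP 46 (EF), 0x00 is unmarked.
    for tos in (0xB8, 0x00):
        print(hex(tos), "matches policy:", phone_honours_dscp(policy, tos))
```
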



