Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Partisan44
New Contributor

Created on ‎11-26-2024 08:05 AM

Fortinac - Enforced Ethernet Port With PC + Phone Looping

I am currently experiencing this issue-

I have connected a phone &behind it a pc to a cisco switch on an ethernet port enforced by fortinac.

when i shut & unshut the ethernet port with both the pc & phone connected it stays in a loop.

On the switch cli i see fortinac putting the port into admin state down-> applies a dacl -> port moves into correct vlan-> then shuts its down and this happens over & over ,

However if i let the phone come up register & thereafter i connect the pc ,its not a problem

Anyone experience this?

 

 

 

Labels:
291
0 Kudos
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎11-26-2024 08:32 AM

In normal condition, if a port has a voice VLAN defined and a phone connected to it, FortiNAC doesn't shut it down when changing VLAN. So check the below:

  • Is the phone registered on FNAC?
  • Is the voice VLAN ID defined in the "Voice VLAN" field in the switch model configuration?
  • Is the voice VLAN defined on the affected switch-port? I mean something like this:
    switchport access vlan X
    switchport mode access
    switchport voice vlan Y

 

AEK
AEK
280
0 Kudos
Partisan44
New Contributor
In response to AEK

Created on ‎11-26-2024 10:17 AM

@AEK 

 

  • Is the phone registered on FNAC - Yes
  • Is the voice VLAN ID defined in the "Voice VLAN" field in the switch model configuration? - Yes
  • Is the voice VLAN defined on the affected switch-port? I mean something like this:
    switchport access vlan X
    switchport mode access
    switchport voice vlan Y
Yes and an additional configuration - 
spanning-tree portfast

 

246
0 Kudos
ebilcari
Staff
Staff

Created on ‎11-26-2024 09:15 AM

Is this behavior happening only when one of the host is showing as Rogue or even when they are both registered (PC&IP Phone)?


Is the IP Phone registered as a standard IP Phone (black icon) or as a different host? Normally the port status should not appear as multihost like in this example but it should show a host behind a phone:

 

mixed.png

If this is the case than there will be a racing condition of which host policy will get applied.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
260
0 Kudos
Partisan44
New Contributor
In response to ebilcari

Created on ‎11-26-2024 10:22 AM

Hi

 

@ebilcari 

Both hosts are registered 

Is the IP Phone registered as a standard IP Phone (black icon) - Yes,its not a rogue host

245
0 Kudos
ebilcari
Staff
Staff
In response to Partisan44

Created on ‎11-28-2024 07:23 AM

The idea is to not have the port showing as multi host but as a daisy chain icon (now I have the right screenshot):

IP Phone.PNG

Is the IP Phone having a network access policy and does it also get CLI commands applied or only the host behind it? Usually the Voice VLAN is negotiated between the IP Phone and the switch via CDP/LLDP and FNAC should not apply any configuration for the IP Phone.

The 'Port Changes' tab may give a better overview of the applied actions and the timing of the actions.
Check also the 'Ignore MAC Notification Traps for IP Phones' (by default enabled) in System> Settings> Network Device

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
150
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.