[All About Switches] Example for Connecting an S Series Switch to an IP Phone Us

Created Sep 24, 2015 15:56:49 | Latest reply Aug 24, 2016 03:50:51
 

1.1 NAC Overview

Network Admission Control (NAC) is an end-to-end secure access framework and includes 802.1x authentication, MAC address authentication, and Portal authentication. The 802.1x protocol is an interface-based network access control protocol that authenticates access devices connected to interfaces of LAN access control devices, so as to control access to network resources.

NAC authentication modes are classified into common mode and unified mode. Switches in versions earlier than V200R005C00 support only the common mode. Switches in V200R005C00 and later versions support both modes. The default mode is unified mode.

1.2 Applicable Version and Model

Switch Version and Model: All models of all versions

IP Phone Model: IP phones that support the 802.1x protocol (for example, Avaya IP phones). Link Layer Discovery Protocol (LLDP) must be enabled on the switch.

 

The configuration in this example is performed on a switch in V200R006C00. Differences between versions are described in section 1.8 Summary.

1.3 Networking Requirements

Data flows of HSI, VoIP, and IPTV services are transmitted on a network. Users require high quality of the voice (VoIP) service. Therefore, voice data flows must be transmitted with a high priority to ensure voice quality. Users also have high security requirements. Therefore, only authenticated voice devices can access the network.

As shown in the following figure, the IP phone supports 802.1x authentication and sends voice packets with the default 802.1p priority of 5. Configure NAC on the switch: the switch authenticates the IP phone using 802.1x and obtains the voice VLAN ID configured on the Remote Authentication Dial In User Service (RADIUS) server. The switch then uses LLDP to allocate the voice VLAN ID to the IP phone, and it trusts and maintains the 802.1p priority carried in the voice packets.

1.4 Data Plan

VLAN plan: Voice flows (VoIP) are transmitted in VLAN 300 and data flows (HSI and IPTV) are transmitted in VLAN 500.

1.5 Configuration Roadmap

The configuration roadmap is as follows:

• Create VLANs in which voice flows and data flows are transmitted.

• Configure 802.1x authentication to authenticate the IP phone.

• Configure the Switch to use LLDP to allocate a voice VLAN ID to the IP phone.

1.6 Procedure

Step 1. Create VLANs in which voice flows and data flows are transmitted on the Switch.

<HUAWEI> system-view

[HUAWEI] vlan batch 300 500

 

Step 2. Configure the interface type and port default VLAN ID (PVID) for data flow forwarding. Add the interface to the voice VLAN for voice flow forwarding.

[HUAWEI] interface gigabitethernet 1/0/1

[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid //Configure the interface connecting the Switch to the IP phone to a hybrid interface so that it can forward both voice and data flows.

[HUAWEI-GigabitEthernet1/0/1] port hybrid pvid vlan 500 //Set the default VLAN ID of the interface to 500. This configuration enables GE1/0/1 to tag received untagged packets with VLAN 500 and forward the packets in VLAN 500. This configuration is usually used for data packet forwarding.

[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 500 //Configure GE1/0/1 to remove the VLAN tag from a packet whose VLAN ID is 500 before sending the packet so that downstream users receive untagged packets.

[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 300 //Add the interface to the voice VLAN so that the interface can forward voice flows.

[HUAWEI-GigabitEthernet1/0/1] quit

 

Step 3. Configure 802.1x authentication to authenticate the IP phone.

1. Configure the RADIUS server template.

[HUAWEI] radius-server template cmn //Create the RADIUS server template cmn.

[HUAWEI-radius-cmn] radius-server authentication 10.1.1.6 1812 //Configure the IP address and port number for the RADIUS server.

[HUAWEI-radius-cmn] quit

2. Configure the AAA authentication domain.

[HUAWEI] aaa //Enter the AAA view.

[HUAWEI-aaa] authentication-scheme cmn //Create an AAA authentication scheme cmn.

[HUAWEI-aaa-authen-cmn] authentication-mode radius //Set the authentication mode to RADIUS.

[HUAWEI-aaa-authen-cmn] quit

[HUAWEI-aaa] domain default //Use the default authentication domain.

[HUAWEI-aaa-domain-default] authentication-scheme cmn //Bind the configured authentication scheme cmn to the domain.

[HUAWEI-aaa-domain-default] radius-server cmn //Bind the configured RADIUS server template cmn to the domain.

[HUAWEI-aaa-domain-default] quit

[HUAWEI-aaa] quit

3. Enable 802.1x authentication on the interface.

[HUAWEI] interface gigabitethernet 1/0/1

[HUAWEI-GigabitEthernet1/0/1] authentication dot1x

[HUAWEI-GigabitEthernet1/0/1] quit

If the switch runs a version earlier than V200R005C00 or uses common mode, run the following commands instead to enable 802.1x authentication. Run the display authentication mode command to check the NAC mode of the switch.

[HUAWEI] dot1x enable

[HUAWEI] interface gigabitethernet 1/0/1

[HUAWEI-GigabitEthernet1/0/1] dot1x enable

[HUAWEI-GigabitEthernet1/0/1] quit

 

Step 4. Configure the RADIUS server. Note: On the RADIUS server, set the device-traffic-class attribute of the voice VLAN to voice, change the authorized VLAN from untagged to tagged, and set the voice VLAN ID to 300.

 

Step 5. Enable LLDP so that the Switch can allocate the obtained voice VLAN ID to the IP phone.

[HUAWEI] lldp enable

 

Step 6. Configure the interface to trust and maintain the 802.1p priority of packets.

[HUAWEI] interface gigabitethernet 1/0/1

[HUAWEI-GigabitEthernet1/0/1] trust 8021p //Configure GE1/0/1 to trust the 802.1p priority carried in packets. Run the trust 8021p inner command on modular switches.

[HUAWEI-GigabitEthernet1/0/1] quit

 

Step 7. Configure the uplink interface to transparently transmit voice flows and data flows from VLAN 300 and VLAN 500.

[HUAWEI] interface gigabitethernet 1/0/2

[HUAWEI-GigabitEthernet1/0/2] port link-type trunk //Configure the interface as a trunk interface to transparently transmit VLAN packets.

[HUAWEI-GigabitEthernet1/0/2] port trunk allow-pass vlan 300 500

[HUAWEI-GigabitEthernet1/0/2] quit

 

Step 8. Verify the configuration.

• Run the display dot1x command to check whether the 802.1x authentication configuration is correct.

[HUAWEI] display dot1x

  Global 802.1x is Enabled

  Authentication method is CHAP

  Max users: 16384

  Current users: 0

  DHCP-trigger is Disabled

  Handshake is Disabled

  Quiet function is Disabled

  Parameter set:Dot1x Handshake Period        60s   Reauthen Period   3600s

                Arp Handshake Period           0s   Client Timeout       5s

                Quiet Period                  60s   Quiet-times          3

                Eth-Trunk Handshake Period   120s

  dot1x URL: Not configed.

  Dropped   EAPOL Access Flow Control       : 0

            EAPOL Check Sysmac Error        : 0

            EAPOL Get Vlan ID Error         : 0

            EAPOL Packet Flow Control       : 0

            EAPOL Online User Reach Max     : 0

            EAPOL Static or BlackHole Mac   : 0

            EAPOL Get Vlan Mac Error        : 0

  Free-ip configuration(IP/mask): Not configed.

                                                                               

 GigabitEthernet1/0/1 status: UP 802.1x protocol is Enabled                 

  Port control type is Auto                                                    

  Authentication mode is MAC-based                                             

  Authentication method is CHAP                                                

  Reauthentication is disabled                                                 

  Maximum users: 8192                                                          

  Current users: 0                                                             

                                                                                

  Authentication Success: 0          Failure: 0                                

  EAPOL Packets: TX     : 0          RX     : 0                                

  Sent      EAPOL Request/Identity Packets  : 0                                

            EAPOL Request/Challenge Packets : 0                                

            Multicast Trigger Packets       : 0                                

            EAPOL Success Packets           : 0                                 

            EAPOL Failure Packets           : 0                                

  Received  EAPOL Start Packets             : 0                                

            EAPOL Logoff Packets            : 0                                 

            EAPOL Response/Identity Packets : 0                                

            EAPOL Response/Challenge Packets: 0                                                     

 

• The IP phone can be used to make phone calls. Check the MAC address entry of the IP phone. You can see that the VLAN ID is 300.

[HUAWEI] display mac-address 00e0-bb00-1234

-------------------------------------------------------------------------------

MAC Address    VLAN/VSI      Learned-From        Type       

-------------------------------------------------------------------------------

00e0-bb00-1234 300/-           GE0/0/1             dynamic    

                                                                               

-------------------------------------------------------------------------------

Total items displayed = 1
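The two verification commands above are easy to read once by hand but tedious to check across many phone ports. The following added example (not Huawei tooling; the port and MAC table output are constructed samples in the same format as the output shown above, with the counters raised) parses display dot1x and display mac-address into data and applies the checks that matter from a defender's point of view: 802.1x enforced on the port, no authentication failures or dropped EAPOL frames to explain, and the phone's MAC learned in the voice VLAN rather than in the data VLAN.

```python
"""Parse the 'display dot1x' and 'display mac-address' output from Step 8 and
check the state of the IP phone port. Added example, not Huawei's own tooling."""
import re
from typing import Dict, List

# Constructed sample in the format shown above: global section, dropped-frame
# counters, then the per-port section. Counters are raised to represent a phone
# that authenticated after a few failures while some EAPOL frames were dropped.
DOT1X_OUTPUT = """\
  Global 802.1x is Enabled
  Authentication method is CHAP
  Max users: 16384
  Current users: 1
  Dropped   EAPOL Access Flow Control       : 0
            EAPOL Check Sysmac Error        : 0
            EAPOL Get Vlan ID Error         : 2
  Free-ip configuration(IP/mask): Not configed.

 GigabitEthernet1/0/1 status: UP 802.1x protocol is Enabled
  Port control type is Auto
  Authentication mode is MAC-based
  Authentication method is CHAP
  Reauthentication is disabled
  Maximum users: 8192
  Current users: 1
  Authentication Success: 1          Failure: 3
"""
MAC_OUTPUT = """\
MAC Address    VLAN/VSI      Learned-From        Type
-------------------------------------------------------------------------------
00e0-bb00-1234 300/-           GE1/0/1             dynamic
Total items displayed = 1
"""

PORT_HDR = re.compile(r"^\s*(\S+) status: (\S+) 802\.1x protocol is (\w+)")
COUNTER = re.compile(r"(EAPOL [A-Za-z /]+?)\s*:\s*(\d+)")
MAC_ROW = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)/\S+\s+(\S+)\s+(\w+)")


def parse_dot1x(text: str) -> Dict:
    """Return {'global': {...}, 'ports': {name: {...}}} from display dot1x."""
    out: Dict = {"global": {"enabled": False, "dropped": {}}, "ports": {}}
    section = out["global"]
    in_dropped = False
    for line in text.splitlines():
        m = PORT_HDR.match(line)
        if m:  # start of a per-port section
            section = {"status": m.group(2), "enabled": m.group(3) == "Enabled"}
            out["ports"][m.group(1)] = section
            in_dropped = False
            continue
        s = line.strip()
        if s.startswith("Global 802.1x is"):
            section["enabled"] = s.endswith("Enabled")
        elif s.startswith("Dropped"):
            in_dropped = True  # the indented counter lines that follow belong to it
        elif s.startswith(("Sent", "Received", "Free-ip")):
            in_dropped = False
        elif s.startswith("Port control type is"):
            section["control"] = s.rsplit(" ", 1)[1]
        elif s.startswith("Reauthentication is"):
            section["reauth"] = s.rsplit(" ", 1)[1]
        elif s.startswith("Authentication Success:"):
            ok, fail = re.findall(r"\d+", s)
            section["success"], section["failure"] = int(ok), int(fail)
        if in_dropped:
            c = COUNTER.search(s)
            if c:
                section["dropped"][c.group(1).strip()] = int(c.group(2))
    return out


def parse_mac_table(text: str) -> List[Dict]:
    """Return one {'mac', 'vlan', 'port', 'type'} dict per MAC table row."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line.strip())
        if m:
            rows.append({"mac": m.group(1), "vlan": int(m.group(2)),
                         "port": m.group(3), "type": m.group(4)})
    return rows


def check_phone_port(dot1x: Dict, mac_rows: List[Dict], port: str,
                     phone_mac: str, voice_vlan: int = 300) -> List[str]:
    """Findings worth looking at after Step 8; an empty list means the phone
    authenticated on an enforced port and was learned in the voice VLAN."""
    findings: List[str] = []
    if not dot1x["global"]["enabled"]:
        findings.append("802.1x is not enabled globally")
    p = dot1x["ports"].get(port)
    if p is None:
        return findings + [f"{port}: no 802.1x section, authentication is not enabled on it"]
    if p["status"] != "UP" or not p["enabled"]:
        findings.append(f"{port}: link {p['status']}, 802.1x enabled={p['enabled']}")
    if p.get("control") != "Auto":
        findings.append(f"{port}: port control is {p.get('control')}, not per-client Auto")
    if p.get("failure", 0):
        findings.append(f"{port}: {p['failure']} authentication failures, check the RADIUS server log")
    for name, n in dot1x["global"]["dropped"].items():
        if n:
            findings.append(f"{n} EAPOL frames dropped: {name}")
    hits = [r for r in mac_rows if r["mac"] == phone_mac]
    if not hits:
        findings.append(f"{phone_mac} not learned, the phone is not on the network")
    elif hits[0]["vlan"] != voice_vlan:
        findings.append(f"{phone_mac} learned in VLAN {hits[0]['vlan']}, expected voice VLAN {voice_vlan}")
    return findings


if __name__ == "__main__":
    state = parse_dot1x(DOT1X_OUTPUT)
    for f in check_phone_port(state, parse_mac_table(MAC_OUTPUT),
                              "GigabitEthernet1/0/1", "00e0-bb00-1234"):
        print("FINDING:", f)
```

On the sample above the script reports the three failed attempts and the two dropped EAPOL frames; a clean run of the page's own output produces no findings. The MAC check is what actually confirms the RADIUS-assigned voice VLAN took effect: a phone that authenticated but was learned in VLAN 500 means the server returned an untagged or missing VLAN attribute (Step 4).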

1.7 Configuration Files

Common mode

#

sysname HUAWEI

#

vlan batch 300 500

#

dot1x enable

#

lldp enable

#                                                                         

radius-server template cmn                    

 radius-server authentication 10.1.1.6 1812 weight 80

# 

aaa          

authentication-scheme cmn                    

  authentication-mode radius                  

domain default                               

  authentication-scheme cmn                   

  radius-server cmn  

#

interface GigabitEthernet1/0/1

port link-type hybrid

port hybrid pvid vlan 500

port hybrid tagged vlan 300

port hybrid untagged vlan 500

dot1x enable

trust 8021p

#

interface GigabitEthernet1/0/2

port link-type trunk

port trunk allow-pass vlan 300 500

#

return

Unified mode

#

sysname HUAWEI

#

vlan batch 300 500

#

lldp enable

#                                                                         

radius-server template cmn                    

 radius-server authentication 10.1.1.6 1812 weight 80

# 

aaa          

authentication-scheme cmn                    

  authentication-mode radius                  

domain default                               

  authentication-scheme cmn                   

  radius-server cmn  

#

interface GigabitEthernet1/0/1

port link-type hybrid

port hybrid pvid vlan 500

port hybrid tagged vlan 300

port hybrid untagged vlan 500

authentication dot1x

trust 8021p

#

interface GigabitEthernet1/0/2

port link-type trunk

port trunk allow-pass vlan 300 500

#

return
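The procedure in section 1.6 and the configuration files above define a small, checkable design: a phone-facing port is hybrid, carries the voice VLAN tagged, has the data VLAN as its untagged PVID, enables NAC authentication and trusts 802.1p, while the uplink is a trunk. The added example below (not Huawei code) parses a configuration file in the format shown above and reports any non-trunk port that carries the voice VLAN without meeting those conditions. The sample configuration is constructed from the unified-mode file above plus a hypothetical GigabitEthernet1/0/3 that carries the voice VLAN but was never given authentication or 802.1p trust, which is the case an audit should catch.

```python
"""Audit a Huawei S-series switch configuration for the IP phone access design
above: voice VLAN tagged only on authenticated hybrid ports, data VLAN as the
untagged PVID, 802.1p trusted. Added example, not Huawei's own tooling."""
from typing import Dict, List, Set

VOICE_VLAN = 300  # from the data plan: voice flows in VLAN 300
DATA_VLAN = 500   # data flows (HSI, IPTV) in VLAN 500

# Constructed sample: the unified-mode access and uplink ports from the
# configuration files above, plus a hypothetical GE1/0/3 that carries the
# voice VLAN but has neither authentication nor 802.1p trust configured.
SAMPLE_CONFIG = """\
#
sysname HUAWEI
#
vlan batch 300 500
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 500
 port hybrid tagged vlan 300
 port hybrid untagged vlan 500
 authentication dot1x
 trust 8021p
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 300 500
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 500
 port hybrid tagged vlan 300
 port hybrid untagged vlan 500
#
return
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' section (sections are delimited by '#' lines)
    to the commands configured under it."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def vlan_set(cmds: List[str], prefix: str) -> Set[int]:
    """Expand the VLAN list following a command prefix, for example
    'port hybrid tagged vlan 10 to 12 300' -> {10, 11, 12, 300}."""
    ids: Set[int] = set()
    for c in cmds:
        if not c.startswith(prefix + " "):
            continue
        tok = c[len(prefix):].split()
        i = 0
        while i < len(tok):
            if i + 2 < len(tok) and tok[i + 1] == "to":
                ids.update(range(int(tok[i]), int(tok[i + 2]) + 1))
                i += 3
            else:
                ids.add(int(tok[i]))
                i += 1
    return ids


def has_authentication(cmds: List[str]) -> bool:
    """True if the port enables 802.1x or MAC authentication in unified mode
    (authentication ...) or common mode (dot1x enable, mac-authen)."""
    return any(c.startswith(("authentication dot1x", "authentication mac-authen"))
               or c in ("dot1x enable", "mac-authen") for c in cmds)


def audit(config: str) -> Dict[str, List[str]]:
    """Return {port: [findings]} for every non-trunk port that carries the voice
    VLAN; an empty list means the port matches Steps 2, 3 and 6 above."""
    report: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if "port link-type trunk" in cmds:
            continue  # uplink (Step 7): transports the VLANs, no phone attaches here
        if VOICE_VLAN not in vlan_set(cmds, "port hybrid tagged vlan"):
            continue  # not a phone-facing port
        issues = []
        if not has_authentication(cmds):
            issues.append(f"voice VLAN {VOICE_VLAN} reachable without NAC authentication")
        if f"port hybrid pvid vlan {DATA_VLAN}" not in cmds:
            issues.append(f"PVID is not the data VLAN {DATA_VLAN}")
        if DATA_VLAN not in vlan_set(cmds, "port hybrid untagged vlan"):
            issues.append(f"data VLAN {DATA_VLAN} is not sent untagged to the user")
        if not any(c.startswith("trust 8021p") for c in cmds):
            issues.append("802.1p priority of voice packets is not trusted")
        report[name] = issues
    return report


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run against the sample, GigabitEthernet1/0/1 is reported clean, GigabitEthernet1/0/2 is skipped as the uplink, and GigabitEthernet1/0/3 is flagged for missing authentication and missing 802.1p trust. The first finding is the one with security weight: a port that carries the voice VLAN tagged but has no authentication command lets any device that tags its frames with VLAN 300 join the voice network, which is exactly what the 802.1x requirement in section 1.3 is meant to prevent.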

 

1.8 Summary

• In this example, the IP phone model is Avaya 9620 and the RADIUS server is CiscoSecure ACS. If the VLAN test timer on the Avaya IP phone times out, the IP phone may fail to access the network. Therefore, change the timer so that it does not time out. Configure the VLAN test timer as follows:

1. Press * and enter the password to access the menu.

2. Select VLAN Test and change the default value (60s) to 0 so that the timer will not time out.

• If the AAA authentication domain is not the default domain, run the domain test command to create the domain test.

[HUAWEI] domain test //Create the domain test.

 

• This example uses 802.1x authentication. MAC address authentication can also be used. Change the commands for enabling 802.1x authentication in Step 3 to the following to configure MAC address authentication.

Common mode:

[HUAWEI] vlan batch 100 //Configure VLAN 100 as the guest VLAN for MAC address authentication.

[HUAWEI] interface gigabitethernet 1/0/1

[HUAWEI-GigabitEthernet1/0/1] mac-authen

[HUAWEI-GigabitEthernet1/0/1] authentication guest-vlan 100

[HUAWEI-GigabitEthernet1/0/1] mac-authen domain default //Configure the default domain as the default authentication domain for MAC address authentication.

Unified mode:

[HUAWEI] interface gigabitethernet 1/0/1

[HUAWEI-GigabitEthernet1/0/1] authentication mac-authen

 

liuliuliu  Created Sep 24, 2015 16:00:03

Thanks, good.