Example for Connecting Cisco IP Phones to Switches Using HDP

Created: Mar 22, 2017 10:11:36
Latest reply: Mar 22, 2017 13:38:27

Overview

A Cisco IP phone can obtain a voice VLAN ID only through the Cisco Discovery Protocol (CDP), not through LLDP or DHCP. A Huawei switch provides the Huawei Discovery Protocol (HDP) to allocate a voice VLAN ID to the Cisco phone. To provide the HDP function, enable CDP-compatible LLDP on the interface.

Configuration Notes

  • This example applies to all versions of all S series switches.

  • Cisco 7912, Cisco 7940G, and Cisco 7960G phones are non-standard PDs. If a switch is required to provide PoE, run the poe legacy enable command on interfaces of the switch connected to IP phones to enable compatibility detection for PDs on the PSE.

  • Cisco SPA 303 phones do not support PoE, so you need to connect Cisco SPA 303 phones to external power supplies and then connect them to switches.

Applicable IP Phones

See "1.3 Interconnection Modes Supported by Different Models of IP phones".

Networking Requirements

In Figure 1-7:

  • Cisco IP phones are deployed. They can obtain a voice VLAN ID through CDP only.

  • The priority of voice packets sent by IP phones is low and needs to be increased to ensure communication quality.

  • Voice packets are transmitted in VLAN 100.

  • The IP addresses of IP phones and the DHCP server's IP address are on different network segments.

  • IP phones need to connect to switches through 802.1x authentication and MAC address authentication.

Figure 1-7 Connecting Cisco IP phones to switches using HDP

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the voice VLAN function to improve the priority of voice packets from IP phones.

2. Enable CDP-compatible LLDP so that the switch allocates a voice VLAN ID to the IP phones.

3. Configure the DHCP relay and DHCP server functions so that IP addresses are allocated to IP phones.

4. Configure 802.1x authentication and MAC address authentication for IP phones. (This step can be ignored if authentication is not required.)

Procedure

Step 1  Enable the voice VLAN function on SwitchA.

# Create VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100  //Configure VLAN 100 where voice packets are transmitted.

# Add interfaces to the voice VLAN.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid   //In V200R005C00 and later versions, the default link type of an interface is not hybrid, and needs to be manually configured.
[SwitchA-GigabitEthernet1/0/1] port hybrid tagged vlan 100  //Add the interface to voice VLAN 100 in tagged mode.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit

# Enable the voice VLAN function on the interface.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] voice-vlan 100 enable
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000  //In versions earlier than V200R003, the OUI needs to be configured. The OUI corresponds to the IP phone's MAC address. In V200R003 and later versions, the OUI does not need to be configured.
[SwitchA] voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000

Step 2  Enable CDP-compatible LLDP on SwitchA.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] voice-vlan legacy enable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] voice-vlan legacy enable
[SwitchA-GigabitEthernet1/0/2] quit

Step 3  Configure the DHCP relay function and DHCP server.

1. Configure the DHCP relay function on SwitchA.

# Configure the DHCP relay function on an interface.

[SwitchA] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
[SwitchA] interface Vlanif 100  //Create VLANIF 100.
[SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0  //Assign an IP address to VLANIF 100.
[SwitchA-Vlanif100] dhcp select relay  //Enable the DHCP relay function on VLANIF 100.
[SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2  //Configure the DHCP server address on the DHCP relay agent.
[SwitchA-Vlanif100] quit

# Create VLANIF 200.

[SwitchA] vlan batch 200
[SwitchA] interface Vlanif 200
[SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0  //Configure an IP address for VLANIF 200 for communication with SwitchB.
[SwitchA-Vlanif200] quit

# Add the uplink interface to VLAN 200.

[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type hybrid
[SwitchA-GigabitEthernet1/0/3] port hybrid pvid vlan 200
[SwitchA-GigabitEthernet1/0/3] port hybrid untagged vlan 200
[SwitchA-GigabitEthernet1/0/3] quit

# Configure a default static route.

[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2  //The next hop address of the route corresponds to the IP address of VLANIF 200 on SwitchB.

2. Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.

# Configure an address pool.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] ip pool ip-phone  //Create an address pool.
[SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1  //Configure the gateway address on the DHCP server.
[SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0  //Configure allocatable IP addresses in the IP address pool.
[SwitchB-ip-pool-ip-phone] quit

# Configure the DHCP server function.

[SwitchB] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
[SwitchB] vlan batch 200
[SwitchB] interface Vlanif 200  //Create VLANIF 200.
[SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0  //Assign an IP address to VLANIF 200.
[SwitchB-Vlanif200] dhcp select global  //Configure SwitchB to allocate IP addresses from the global IP address pool to the IP phone.
[SwitchB-Vlanif200] quit

# Add the downlink interface to VLAN 200.

[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type hybrid
[SwitchB-GigabitEthernet1/0/3] port hybrid pvid vlan 200
[SwitchB-GigabitEthernet1/0/3] port hybrid untagged vlan 200
[SwitchB-GigabitEthernet1/0/3] quit

# Configure a return route.

[SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1

Step 4  Configure 802.1x authentication and MAC address authentication for IP phones.

1. Configure an authentication domain.

# Create and configure a RADIUS server template.

[SwitchA] radius-server template cisco  //Create a RADIUS server template named cisco.
[SwitchA-radius-cisco] radius-server authentication 192.168.6.182 1812  //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-cisco] radius-server accounting 192.168.6.182 1813  //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-cisco] quit

# Configure an authentication scheme.

[SwitchA] aaa
[SwitchA-aaa] authentication-scheme radius  //Create an authentication scheme named radius.
[SwitchA-aaa-authen-radius] authentication-mode radius  //Set the authentication mode to RADIUS.
[SwitchA-aaa-authen-radius] quit

# Create an authentication domain and bind the RADIUS server template and authentication scheme to the authentication domain.

[SwitchA-aaa] domain default  //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius  //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server cisco  //Bind the RADIUS server template cisco to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit

2. Configure 802.1x authentication and MAC address authentication for IP phones.

  • V200R007C00 and earlier versions, and V200R008C00

# Set the NAC mode to traditional.

[SwitchA] undo authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

# Enable 802.1x authentication and MAC address authentication on interfaces.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] dot1x mac-bypass  //Enable MAC address bypass authentication. MAC address authentication is used when 802.1x authentication fails.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] dot1x mac-bypass
[SwitchA-GigabitEthernet1/0/2] quit

  • V200R009C00 and later versions

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

# Configure access profiles.

[SwitchA] dot1x-access-profile name cisco  //Create an 802.1x access profile named cisco.
[SwitchA-dot1x-access-profile-cisco] quit
[SwitchA] mac-access-profile name cisco  //Create a MAC access profile named cisco.
[SwitchA-mac-access-profile-cisco] quit

# Configure an authentication profile.

[SwitchA] authentication-profile name cisco  //Configure an authentication profile.
[SwitchA-authen-profile-cisco] dot1x-access-profile cisco  //Bind the 802.1x access profile cisco to the authentication profile.
[SwitchA-authen-profile-cisco] mac-access-profile cisco  //Bind the MAC access profile cisco to the authentication profile.
[SwitchA-authen-profile-cisco] quit

# Apply the authentication profile to interfaces.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication-profile cisco  //Bind the authentication profile.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication-profile cisco
[SwitchA-GigabitEthernet1/0/2] quit

3. Configure the Agile Controller. The display of the Agile Controller varies depending on versions. V100R002C10SPC401 is used as an example.

a. Log in to the Agile Controller.

Open Internet Explorer, enter the Agile Controller access address in the address bar, and press Enter.

Enter the administrator user name and password. If you log in to the Agile Controller for the first time, use the super administrator user name admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller cannot be used.

The following access modes of the Agile Controller can be used.

  • Access mode: https://Agile Controller-IP:8443
    Description: Agile Controller-IP specifies the IP address of the Agile Controller.

  • Access mode: IP address of the Agile Controller
    Description: If port 80 is enabled during installation, you can access the Agile Controller by entering its IP address without the port number. The URL of the Agile Controller will automatically change to https://Agile Controller-IP:8443.

b. Add a common account.

i. Choose Resource > User > User Management.

ii. Click Add in the operation area on the right to create a common account.

c. Add SwitchA to the Agile Controller.

i. Choose Resource > Device > Device Management.

ii. Click Add. On the Add Device page, add SwitchA used to authenticate IP phones.

d. Add an authentication rule.

Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule and click Add to create an authentication rule.

e. Add an authorization result.

Choose Policy > Permission Control > Authentication & Authorization > Authorization Result and click Add to create an authorization result.

f. Add an authorization rule.

After the check in the authentication phase is passed, the authorization phase starts. In the authorization phase, the Agile Controller assigns rights to users based on authorization rules.

Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule and click Add to create an authorization rule. Set Service type to Access, and select voice-vlan 100, which was created in the preceding step.

Step 5  Verify the configuration.

  • IP phones can obtain the voice VLAN ID and IP addresses.

  • The display access-user command output on SwitchA displays connection information about IP phones.

----End

Configuration Files

  • SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)

#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 200
#
undo authentication unified-mode
#  
dhcp enable
#
radius-server template cisco
 radius-server authentication 192.168.6.182 1812 weight 80
 radius-server accounting 192.168.6.182 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default
  authentication-scheme radius
  radius-server cisco
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1       
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan legacy enable
 port hybrid tagged vlan 100
 dot1x mac-bypass
#
interface GigabitEthernet1/0/2       
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan legacy enable
 port hybrid tagged vlan 100
 dot1x mac-bypass
#
interface GigabitEthernet1/0/3       
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return

  • SwitchA configuration file (V200R009C00 and later versions)

#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name cisco
 dot1x-access-profile cisco
 mac-access-profile cisco
#
dhcp enable
#
radius-server template cisco
 radius-server authentication 192.168.6.182 1812 weight 80
 radius-server accounting 192.168.6.182 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default
  authentication-scheme radius
  radius-server cisco
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1       
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan legacy enable
 port hybrid tagged vlan 100
 authentication-profile cisco
#
interface GigabitEthernet1/0/2       
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan legacy enable
 port hybrid tagged vlan 100
 authentication-profile cisco
#
interface GigabitEthernet1/0/3       
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x-access-profile name cisco
#
mac-access-profile name cisco
#
return

  • SwitchB configuration file

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
 gateway-list 10.20.20.1 
 network 10.20.20.0 mask 255.255.255.0 
#
interface Vlanif200
 ip address 10.10.20.2 255.255.255.0
 dhcp select global
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return
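
A check that can be run over configuration files in the format shown above, as an added example that is not part of the original post: it lists interfaces that have `voice-vlan <id> enable` but neither `dot1x mac-bypass` nor an `authentication-profile`, or that do not carry the voice VLAN tagged. The function names and port GigabitEthernet1/0/9 are assumptions; the check assumes hybrid ports as in this example and does not expand VLAN ranges.

```python
import re

# Constructed sample: 1/0/1 is SwitchA's port from the page, 1/0/9 is hypothetical.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan legacy enable
 port hybrid tagged vlan 100
 dot1x mac-bypass
#
interface GigabitEthernet1/0/9
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan legacy enable
#
"""

AUTH = re.compile(r"(dot1x mac-bypass|authentication-profile \S+)$")
VOICE = re.compile(r"voice-vlan (\d+) enable$")
TAGGED = "port hybrid tagged vlan "

def parse_interfaces(config):
    """Return {interface name: [commands]} from a '#'-delimited config file."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:  # '#', 'return' or any other top-level line ends the section
            current = None
    return interfaces

def audit_voice_ports(config):
    """Return (interface, problem) pairs for ports that have a voice VLAN."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        vlan = next((m.group(1) for m in map(VOICE.match, cmds) if m), None)
        if vlan is None:
            continue  # not a phone-facing port
        if not any(AUTH.match(c) for c in cmds):
            findings.append((name, "no 802.1x/MAC authentication"))
        if not any(c.startswith(TAGGED) and vlan in c.split() for c in cmds):
            findings.append((name, f"voice VLAN {vlan} not tagged"))
    return findings

if __name__ == "__main__":
    print(audit_voice_ports(SAMPLE_CONFIG))
```

The same function accepts both the traditional-mode file (`dot1x mac-bypass`) and the V200R009C00 file (`authentication-profile cisco`), and skips uplink ports such as GigabitEthernet1/0/3 because they have no voice VLAN command.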

user_2790689     Created Mar 22, 2017 13:38:27

thank you