Example for Connecting IP Phones to Switches Through an ACL

Created: Mar 22, 2017 10:30:22 | Latest reply: Mar 22, 2017 13:38:53

Overview

If a voice device does not support LLDP or DHCP, the switch cannot assign a voice VLAN ID to it. Instead, you can configure a traffic policy on the switch: the switch then identifies voice packets by the traffic policy and raises their priority. Traffic policy implementation differs between switch models, and two methods are available:

- ACL: Run the port add-tag acl command on an interface.

- ACL-based simplified traffic policy: Run the traffic-remark inbound acl command on an interface.

Configuration Notes

- If an IP phone sends tagged packets whose tag carries VLAN ID 0, the switch does not add the voice VLAN ID to these packets, so the IP phone cannot connect to the switch. To connect the IP phone, change the configuration of the IP phone, or configure a traffic policy or re-marking on the switch.

- When an Avaya phone fails to obtain an IP address through DHCP within 60 s and its timer expires, the phone continuously sends packets tagged with VLAN 0. The switch processes packets tagged with VLAN 0 in the same way as untagged packets: they are processed in the VLAN specified by the PVID of the interface, not in the voice VLAN. As a result, the Avaya phone fails authentication and cannot connect to the switch.

You can use either of the following methods to solve the problem:

  - In V200R003C00 and later versions, voice-vlan include-untagged is recommended. For details, see 1.11 Example for Connecting IP Phones to Switches Through the OUI-based voice VLAN. In V200R010 and later versions, run the voice-vlan vlan-id enable include-tag0 command to enable the switch to process packets tagged with VLAN 0 in the voice VLAN on the S5720EI, S5720HI, S6720EI, S6720S-EI, and modular devices.

  - Modify the VLAN TEST timer of the IP phone: press the asterisk key and enter the password to access the menu, select VLAN TEST, and change the default value to 0. After the Avaya phone restarts, this timer setting is lost and must be reconfigured.

- Cisco 7912, Cisco 7940G, and Cisco 7960G phones are non-standard PDs. If the switch is required to provide PoE, run the poe legacy enable command on the switch interfaces connected to these IP phones to enable compatibility detection for PDs on the PSE.

- Cisco SPA 303 and Linksys SPA 921 phones do not support PoE, so connect them to external power supplies before connecting them to switches.

- For Mitel 5212 phones, Option 128, Option 129, Option 130, and Option 131 must be configured in the address pool of the DHCP server; otherwise, Mitel 5212 phones cannot identify the DHCP Offer packets sent by the DHCP server and cannot go online. The configuration on the switch is as follows:

<HUAWEI> system-view
[HUAWEI] ip pool ip-phone
[HUAWEI-ip-pool-ip-phone] option 128 ip-address 10.20.20.1
[HUAWEI-ip-pool-ip-phone] option 129 ip-address 11.20.20.1
[HUAWEI-ip-pool-ip-phone] option 130 ascii MITEL IP PHONE
[HUAWEI-ip-pool-ip-phone] option 131 ip-address 11.20.20.1

- The following table lists the applicable product models and versions.

Applicable product models and versions

| Product | Product Model | Software Version |
| --- | --- | --- |
| S2700 | S2752EI | V100R006C05 |
| S3700 | S3700SI and S3700EI | V100R006C05 |
| S3700 | S3700HI | V200R001C00 |
| S5700 | S5700EI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03) |
| S5700 | S5700HI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02) |
| S5700 | S5710EI | V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02) |
| S5700 | S5720EI | V200R007C00, V200R008C00, V200R009C00, V200R010C00 |
| S5700 | S5710HI | V200R003C00, V200R005(C00&C02&C03) |
| S5700 | S5720HI | V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00 |
| S6700 | S6700EI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01) |
| S6700 | S6720EI | V200R008C00, V200R009C00, V200R010C00 |
| S6700 | S6720S-EI | V200R009C00, V200R010C00 |
| S7700 | S7703, S7706, and S7712 | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00 |
| S9700 | S9703, S9706, and S9712 | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00 |

Note: For details about software version mappings, see Version Mapping Search for Huawei Campus Switches.

Applicable IP Phones

See "1.3 Interconnection Modes Supported by Different Models of IP phones".

Networking Requirements

In Figure 1-12:

- IP phones can send only untagged voice packets.

- The priority of voice packets needs to be increased to ensure communication quality.

- Voice packets are transmitted in VLAN 100.

- The IP addresses of the IP phones and the IP address of the DHCP server are on different network segments.

- IP phones need to connect to switches through 802.1x authentication.

Figure 1-12 Connecting IP phones to switches through an ACL (figure not reproduced)

Configuration Roadmap

The configuration roadmap is as follows:

1. Add an interface to a VLAN in untagged mode so that voice packets are forwarded in the VLAN.

2. Run the port add-tag acl command to add the voice VLAN ID to packets and increase the priority of the packets.

3. Configure the DHCP relay and DHCP server functions so that IP addresses are allocated to IP phones.

4. Configure 802.1x authentication for IP phones. (This step can be skipped if authentication is not required.)

Procedure

Step 1  Add an interface on SwitchA to a VLAN.

# Create VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100  //Configure VLAN 100 in which voice traffic is transmitted.

# Add an interface to VLAN 100 in untagged mode.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid   //In V200R005C00 and later versions, the default link type of an interface is not hybrid, so it must be configured manually.
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100  //Packets sent by IP phones carry no tag, so the interface must join VLAN 100 in untagged mode.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit

Step 2  Configure an ACL to identify voice packets, add the voice VLAN ID to the matching packets, and increase their priority.

[SwitchA] acl 4000
[SwitchA-acl-L2-4000] rule permit source-mac 001d-a21a-0000 ffff-ffff-0000  //The mask ffff-ffff-0000 matches the first 24 bits (the OUI) of the IP phone's MAC address.
[SwitchA-acl-L2-4000] rule permit source-mac 0021-a08f-0000 ffff-ffff-0000  //This is the MAC address prefix of another IP phone.
[SwitchA-acl-L2-4000] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port add-tag acl 4000 vlan 100 remark-8021p 6  //Apply ACL 4000. The switch tags packets that match ACL 4000 with VLAN 100 and changes their 802.1p priority to 6.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2  //The configuration of GE1/0/2 is the same as that of GE1/0/1.
[SwitchA-GigabitEthernet1/0/2] port add-tag acl 4000 vlan 100 remark-8021p 6
[SwitchA-GigabitEthernet1/0/2] quit
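The following Python model is an added example and is not part of the original configuration guide or of any Huawei software. It shows what the two pieces of Step 2 do together: the source-MAC ACL with its ffff-ffff-0000 mask (an OUI match), and the port add-tag action that inserts an 802.1Q tag for VLAN 100 with 802.1p priority 6. It also carries through the behaviour from the Configuration Notes for VLAN-0 (priority-tagged) frames, which land in the PVID unless the ACL matches. The frames, MAC addresses, and the assumption that a frame's own priority is kept when it falls into the PVID are constructed here for illustration.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier


def parse_mac(text):
    """Parse the Huawei CLI notation 'xxxx-xxxx-xxxx' into 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


# ACL 4000 from the guide, as (MAC, mask) pairs. A 1 bit in the mask means that
# bit of the source MAC must match; ffff-ffff-0000 therefore matches only the
# first 24 bits (the vendor OUI), so every phone of that vendor matches.
ACL_4000 = [
    (parse_mac("001d-a21a-0000"), parse_mac("ffff-ffff-0000")),
    (parse_mac("0021-a08f-0000"), parse_mac("ffff-ffff-0000")),
]


def acl_permits(src_mac, rules):
    """True if the source MAC matches any (mac, mask) rule of the ACL."""
    return any(all((s & m) == (r & m) for s, r, m in zip(src_mac, mac, mask))
               for mac, mask in rules)


def build_frame(dst, src, payload, vid=None, pcp=0, ethertype=0x0800):
    """Build a constructed Ethernet frame; vid=None gives an untagged frame."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into (dst, src, vid, pcp, rest). vid and pcp are None for an
    untagged frame; rest is everything after the addresses and the 802.1Q tag."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, tci >> 13, frame[16:]
    return dst, src, None, None, frame[12:]


def ingress_add_tag(frame, pvid, rules, voice_vlan=100, remark_8021p=6):
    """Model of a hybrid port configured with
    'port add-tag acl <n> vlan <voice_vlan> remark-8021p <p>'.
    Returns (VLAN the frame is switched in, 802.1p priority, frame after ingress)."""
    dst, src, vid, pcp, rest = parse_frame(frame)
    if vid not in (None, 0):
        # A frame that already carries a real VLAN ID is not re-tagged.
        return vid, pcp, frame
    # Untagged frames and VLAN-0 frames are handled alike, as the Configuration
    # Notes describe: without an ACL hit they are processed in the PVID.
    if acl_permits(src, rules):
        vid, pcp = voice_vlan, remark_8021p
    else:
        vid, pcp = pvid, (pcp or 0)  # assumption: a carried priority is kept
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return vid, pcp, dst + src + tag + rest


def demo():
    """Run constructed frames through a port whose PVID is 1 (the default)."""
    switch = parse_mac("4c1f-cc00-0001")   # constructed switch MAC
    phone = parse_mac("001d-a21a-1234")    # matches the first ACL rule
    laptop = parse_mac("0011-2233-4455")   # matches nothing
    payload = b"\x45" + b"\x00" * 19       # constructed IPv4-looking payload
    port = lambda f: ingress_add_tag(f, 1, ACL_4000)
    return {
        "phone_untagged": port(build_frame(switch, phone, payload)),
        "phone_vlan0": port(build_frame(switch, phone, payload, vid=0, pcp=5)),
        "laptop_untagged": port(build_frame(switch, laptop, payload)),
        "laptop_vlan0": port(build_frame(switch, laptop, payload, vid=0, pcp=5)),
        "pretagged_200": port(build_frame(switch, laptop, payload, vid=200, pcp=3)),
    }


if __name__ == "__main__":
    for name, (vid, pcp, _) in demo().items():
        print(f"{name:16s} -> VLAN {vid}, 802.1p {pcp}")
```

The laptop cases show the security-relevant limit of this method: the ACL keys only on the OUI of the source MAC, so any host that sends frames with a matching prefix is placed into the voice VLAN with priority 6, which is why the guide pairs the ACL with 802.1x authentication in Step 4.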

Step 3  Configure the DHCP relay function and the DHCP server.

1. Configure the DHCP relay function on SwitchA.

# Configure the DHCP relay function on an interface.

[SwitchA] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
[SwitchA] interface Vlanif 100  //Create VLANIF 100.
[SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0  //Assign an IP address to VLANIF 100.
[SwitchA-Vlanif100] dhcp select relay  //Enable the DHCP relay function on VLANIF 100.
[SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2  //Configure the DHCP server address on the DHCP relay agent.
[SwitchA-Vlanif100] quit

# Create VLANIF 200.

[SwitchA] vlan batch 200
[SwitchA] interface Vlanif 200
[SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0  //Configure an IP address for VLANIF 200 for communication with SwitchB.
[SwitchA-Vlanif200] quit

# Add the uplink interface to VLAN 200.

[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type hybrid
[SwitchA-GigabitEthernet1/0/3] port hybrid pvid vlan 200
[SwitchA-GigabitEthernet1/0/3] port hybrid untagged vlan 200
[SwitchA-GigabitEthernet1/0/3] quit

# Configure a default static route.

[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2  //The next hop address of the route corresponds to the IP address of VLANIF 200 on SwitchB.

2. Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.

# Configure an address pool.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] ip pool ip-phone  //Create an address pool.
[SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1  //Configure the gateway address on the DHCP server.
[SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0  //Configure allocatable IP addresses in the IP address pool.
[SwitchB-ip-pool-ip-phone] quit

# Configure the DHCP server function.

[SwitchB] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
[SwitchB] vlan batch 200
[SwitchB] interface Vlanif 200  //Create VLANIF 200.
[SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0  //Assign an IP address to VLANIF 200.
[SwitchB-Vlanif200] dhcp select global  //Configure SwitchB to allocate IP addresses from the global IP address pool to the IP phone.
[SwitchB-Vlanif200] quit

# Add the downlink interface to VLAN 200.

[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type hybrid
[SwitchB-GigabitEthernet1/0/3] port hybrid pvid vlan 200
[SwitchB-GigabitEthernet1/0/3] port hybrid untagged vlan 200
[SwitchB-GigabitEthernet1/0/3] quit

# Configure a return route.

[SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
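The following Python model is an added example, not code from the guide or from Huawei. It ties together the DHCP relay on SwitchA (Step 3), the address pool on SwitchB, the Mitel options 128 to 131 from the Configuration Notes, and the reason the return route on SwitchB is needed: the relay writes its VLANIF 100 address into the giaddr field of the phone's DHCPDISCOVER, the server picks the pool whose gateway-list contains that giaddr, and the DHCPOFFER is sent back to giaddr, so SwitchB must have a route to 10.20.20.0/24. The message encoding follows RFC 2131/2132; the phone MAC, the transaction ID, and the pool bookkeeping are constructed here.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
FIXED = "!BBBBIHH4s4s4s4s16s"


def ip(value):
    """IPv4Address from dotted text or 4 packed bytes."""
    return ipaddress.IPv4Address(value)


def encode_option(code, value):
    """Encode one option as code/length/value. Strings are ASCII (option 130
    'MITEL IP PHONE'), addresses are 4 bytes (options 128, 129, 131)."""
    if isinstance(value, str):
        value = value.encode("ascii")
    elif isinstance(value, ipaddress.IPv4Address):
        value = value.packed
    elif isinstance(value, int):
        value = bytes([value])
    return bytes([code, len(value)]) + value


def decode_options(blob):
    """Decode the option field (after the magic cookie) into {code: raw bytes}."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 255:     # 255 = end option
        if blob[i] == 0:                         # 0 = pad
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_message(op, hops, xid, chaddr, yiaddr, giaddr, options):
    """Minimal BOOTP/DHCP message: fixed header, sname/file, cookie, options."""
    fixed = struct.pack(FIXED, op, 1, 6, hops, xid, 0, 0x8000, b"\0" * 4,
                        yiaddr.packed, b"\0" * 4, giaddr.packed, chaddr.ljust(16, b"\0"))
    opts = b"".join(encode_option(c, v) for c, v in options)
    return fixed + b"\0" * 192 + MAGIC_COOKIE + opts + b"\xff"


def parse_message(msg):
    f = struct.unpack(FIXED, msg[:44])
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": ip(f[8]),
            "giaddr": ip(f[10]), "chaddr": f[11][:6], "options": decode_options(msg[240:])}


def dhcp_relay(msg, vlanif_address, server_ip):
    """'dhcp select relay' + 'dhcp relay server-ip' on VLANIF 100: stamp the
    interface address into giaddr (if unset), bump hops, unicast to the server."""
    m = parse_message(msg)
    giaddr = m["giaddr"] if int(m["giaddr"]) else vlanif_address
    forwarded = build_message(m["op"], m["hops"] + 1, m["xid"], m["chaddr"],
                              m["yiaddr"], giaddr, list(m["options"].items()))
    return server_ip, forwarded


def make_pools():
    """The 'ip pool ip-phone' of the guide plus the Mitel options; 'next' is
    constructed bookkeeping for the next free host number."""
    return [{"name": "ip-phone", "gateway": ip("10.20.20.1"),
             "network": ipaddress.IPv4Network("10.20.20.0/24"), "next": 2,
             "options": [(128, ip("10.20.20.1")), (129, ip("11.20.20.1")),
                         (130, "MITEL IP PHONE"), (131, ip("11.20.20.1"))]}]


def dhcp_server(msg, pools):
    """Pool selection for a relayed request: the pool whose gateway-list holds
    giaddr serves the client; the reply is addressed to giaddr (the relay)."""
    m = parse_message(msg)
    if m["options"].get(53) != bytes([DHCPDISCOVER]):
        return None
    pool = next((p for p in pools if p["gateway"] == m["giaddr"]), None)
    if pool is None:
        return None  # no pool for this relay agent: the server does not answer
    yiaddr = pool["network"][pool["next"]]
    pool["next"] += 1
    opts = [(53, DHCPOFFER), (1, pool["network"].netmask), (3, pool["gateway"])] + pool["options"]
    return m["giaddr"], build_message(BOOTREPLY, 0, m["xid"], m["chaddr"], yiaddr, m["giaddr"], opts)


def run_exchange():
    """A phone in VLAN 100 behind SwitchA (relay) served by SwitchB on another segment."""
    phone_mac = bytes.fromhex("001da21a1234")  # constructed
    discover = build_message(BOOTREQUEST, 0, 0x1234, phone_mac, ip("0.0.0.0"),
                             ip("0.0.0.0"), [(53, DHCPDISCOVER)])
    server_ip, relayed = dhcp_relay(discover, ip("10.20.20.1"), ip("10.10.20.2"))
    reply_to, offer = dhcp_server(relayed, make_pools())
    o = parse_message(offer)
    return {"server": str(server_ip), "giaddr": str(parse_message(relayed)["giaddr"]),
            "reply_to": str(reply_to), "yiaddr": str(o["yiaddr"]),
            "router": str(ip(o["options"][3])), "option130": o["options"][130].decode()}


if __name__ == "__main__":
    print(run_exchange())
```

The `reply_to` value is the point of the return route in the guide: the offer leaves SwitchB addressed to 10.20.20.1, which is reachable only through the static route to 10.20.20.0/24 via 10.10.20.1.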

Step 4  Configure 802.1x authentication for IP phones.

1. Configure an authentication domain.

# Create and configure a RADIUS server template.

[SwitchA] radius-server template cisco  //Create a RADIUS server template named cisco.
[SwitchA-radius-cisco] radius-server authentication 192.168.6.182 1812  //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-cisco] radius-server accounting 192.168.6.182 1813  //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-cisco] quit

# Configure an authentication scheme.

[SwitchA] aaa
[SwitchA-aaa] authentication-scheme radius  //Create an authentication scheme named radius.
[SwitchA-aaa-authen-radius] authentication-mode radius  //Set the authentication mode to RADIUS.
[SwitchA-aaa-authen-radius] quit

# Create an authentication domain and bind the RADIUS server template and authentication scheme to the authentication domain.

[SwitchA-aaa] domain default  //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius  //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server cisco  //Bind the RADIUS server template cisco to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit

2. Configure 802.1x authentication for IP phones.

- V200R007C00 and earlier versions, and V200R008C00

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

# Enable 802.1x authentication on an interface.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication dot1x  //Enable 802.1x authentication.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication dot1x
[SwitchA-GigabitEthernet1/0/2] quit

- V200R009C00 and later versions

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

# Configure access profiles.

[SwitchA] dot1x-access-profile name cisco  //Create an 802.1x access profile named cisco.
[SwitchA-dot1x-access-profile-cisco] quit

# Configure an authentication profile.

[SwitchA] authentication-profile name cisco  //Configure an authentication profile.
[SwitchA-authen-profile-cisco] dot1x-access-profile cisco  //Bind the 802.1x access profile cisco to the authentication profile.
[SwitchA-authen-profile-cisco] quit

# Apply the authentication profile to the interface.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication-profile cisco  //Bind the authentication profile and enable 802.1x authentication.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication-profile cisco
[SwitchA-GigabitEthernet1/0/2] quit

3. Configure the Agile Controller. The Agile Controller interface varies by version; V100R002C10SPC401 is used as an example.

a. Log in to the Agile Controller.

Open Internet Explorer, enter the Agile Controller access address in the address bar, and press Enter.

Enter the administrator user name and password. If you log in to the Agile Controller for the first time, use the super administrator user name admin and password Changeme123. Change the password immediately after logging in; otherwise, the Agile Controller cannot be used.

The following access modes of the Agile Controller can be used.

| Access Mode | Description |
| --- | --- |
| https://Agile Controller-IP:8443 | Agile Controller-IP specifies the IP address of the Agile Controller. |
| IP address of the Agile Controller | If port 80 is enabled during installation, you can access the Agile Controller by entering its IP address without the port number. The URL will automatically change to https://Agile Controller-IP:8443. |

b. Add a common account.

i. Choose Resource > User > User Management.

ii. Click Add in the operation area on the right to create a common account.

c. Add SwitchA to the Agile Controller.

i. Choose Resource > Device > Device Management.

ii. Click Add. On the Add Device page, add SwitchA, which authenticates the IP phones.

d. Add an authentication rule.

Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule and click Add to create an authentication rule.

e. Add an authorization result.

Choose Policy > Permission Control > Authentication & Authorization > Authorization Result and click Add to create an authorization result.

f. Add an authorization rule.

After the check in the authentication phase is passed, the authorization phase starts. In the authorization phase, the Agile Controller assigns rights to users based on authorization rules.

Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule and click Add to create an authorization rule. Set Service type to Access and select the authorization result voice-vlan 100 created in the preceding step.

Step 5  Verify the configuration.

- IP phones can obtain the voice VLAN ID and IP addresses.

- The display access-user command output on SwitchA shows connection information about the IP phones.

----End

Configuration Files

- SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)

#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
radius-server template cisco
 radius-server authentication 192.168.6.182 1812 weight 80
 radius-server accounting 192.168.6.182 1813 weight 80
#
acl number 4000
 rule 5 permit source-mac 001d-a21a-0000 ffff-ffff-0000
 rule 10 permit source-mac 0021-a08f-0000 ffff-ffff-0000
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default
  authentication-scheme radius
  radius-server cisco
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid untagged vlan 100
 port add-tag acl 4000 vlan 100 remark-8021p 6
 authentication dot1x
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid untagged vlan 100
 port add-tag acl 4000 vlan 100 remark-8021p 6
 authentication dot1x
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return

- SwitchA configuration file (V200R009C00 and later versions)

#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name cisco
 dot1x-access-profile cisco
#
dhcp enable
#
radius-server template cisco
 radius-server authentication 192.168.6.182 1812 weight 80
 radius-server accounting 192.168.6.182 1813 weight 80
#
acl number 4000
 rule 5 permit source-mac 001d-a21a-0000 ffff-ffff-0000
 rule 10 permit source-mac 0021-a08f-0000 ffff-ffff-0000
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default
  authentication-scheme radius
  radius-server cisco
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid untagged vlan 100
 port add-tag acl 4000 vlan 100 remark-8021p 6
 authentication-profile cisco
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid untagged vlan 100
 port add-tag acl 4000 vlan 100 remark-8021p 6
 authentication-profile cisco
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x-access-profile name cisco
#
return

- SwitchB configuration file

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
 gateway-list 10.20.20.1
 network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
 ip address 10.10.20.2 255.255.255.0
 dhcp select global
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return

user_2790689  Created Mar 22, 2017 13:38:53

thank you