Interoperation Between Switches and IP Phones Through MAC Address-based VLAN Assignment

Created Feb 28, 2019 14:25:17

Overview

If an IP phone does not support LLDP or DHCP, a switch cannot allocate a voice VLAN ID to it. You can configure MAC address-based VLAN assignment on the switch. Then the switch identifies voice packets based on the MAC address of the IP phone and increases the priority of voice packets.

For applicable IP phones, see List of IP Phone Models That Can Be Connected to Switches.

Configuration Notes

Networking Requirements

In Figure 2-12, to save investment costs, the customer requires that IP phones connect to the network through VoIP. IP phones cannot obtain voice VLAN IDs and can send only untagged voice packets. The network plan should meet the following requirements:

  • The priority of voice packets needs to be increased to ensure communication quality.
  • Voice packets are transmitted in VLAN 100.
  • IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a different network segment from that of the DHCP server.
  • IP phones can go online without authentication because the network environment is secure.

Figure 2-12  Networking diagram of connecting switches and IP phones through MAC address-based VLAN assignment 

Configuration Roadmap

To implement interoperation between switches and IP phones through MAC address-based VLAN assignment, the IP phones must obtain IP addresses and go online without authentication so that they can communicate normally. Figure 2-13 shows the process for interoperation between switches and IP phones through MAC address-based VLAN assignment. In this mode, the authentication server does not need to be configured.

The operations of applying for IP addresses and enabling IP phones to go online without authentication can be performed simultaneously.

Figure 2-13  Process for interoperation between switches and IP phones through MAC address-based VLAN assignment

According to the preceding process, the configuration roadmap is as follows:

  • Configure MAC address-based VLANs, assign VLANs to IP phones, and increase the priority.
  • Configure the DHCP relay function and DHCP server to allocate IP addresses to IP phones.
  • Configure IP phones to go online without authentication.

Data Plan

Table 2-12  Data plan for IP phones

| Item | Value |
|---|---|
| Voice VLAN | VLAN 100 |
| MAC address | 001b-d4c7-0001; 0021-a08f-0002 |
| Address segment | 10.20.20.1/24 |
| Authentication mode | Non-authentication |

Table 2-13  Data plan for communication

| Item | Value |
|---|---|
| VLAN and IP address used by SwitchA to communicate with SwitchB | VLAN 200; 10.10.20.1/24 |
| VLAN and IP address used by SwitchB to communicate with SwitchA | VLAN 200; 10.10.20.2/24 |
| IP address of SwitchA | 192.168.100.200 |
| IP address of the RADIUS authentication and accounting server | 192.168.100.182 |
| Port number of the RADIUS authentication server | 1812 |
| Port number of the RADIUS accounting server | 1813 |
| RADIUS shared key | Huawei2012 |

Procedure

  1. Add an interface on SwitchA to a VLAN.

    # Create voice VLAN 100.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100

    # Add an interface to VLAN 100 in untagged mode.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type hybrid  //In V200R005C00 and later versions, the default link type of an interface is not hybrid, and needs to be manually configured.
    [SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100  //Packets sent by IP phones do not carry tags, so the interface must join VLAN 100 in untagged mode.
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type hybrid
    [SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
    [SwitchA-GigabitEthernet1/0/2] quit

  2. Enable MAC address-based VLAN assignment.

    [SwitchA] vlan 100
    [SwitchA-vlan100] mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority 6  //The MAC address is that of the IP phone, and a mask can be used. This command assigns untagged packets whose source MAC address starts with 001b-d4c7 to VLAN 100 and changes their 802.1p priority to 6.
    [SwitchA-vlan100] mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
    [SwitchA-vlan100] quit
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] mac-vlan enable  //Enable MAC address-based VLAN assignment on the interface. When the interface receives untagged packets, it processes them based on the binding between MAC addresses and VLANs.
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] mac-vlan enable
    [SwitchA-GigabitEthernet1/0/2] quit

  3. Configure the DHCP relay function and DHCP server.
    1. Configure the DHCP relay function on SwitchA.

      # Configure the DHCP relay function on an interface.

      [SwitchA] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
      [SwitchA] interface Vlanif 100
      [SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0  //Assign an IP address to VLANIF 100.
      [SwitchA-Vlanif100] dhcp select relay  //Enable the DHCP relay function on VLANIF 100.
      [SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2  //Configure the DHCP server address on the DHCP relay agent.
      [SwitchA-Vlanif100] quit

      # Create VLANIF 200.

      [SwitchA] vlan batch 200
      [SwitchA] interface Vlanif 200
      [SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0  //Configure an IP address for VLANIF 200 for communication with SwitchB.
      [SwitchA-Vlanif200] quit

      # Add the uplink interface to VLAN 200.

      [SwitchA] interface gigabitethernet 1/0/3
      [SwitchA-GigabitEthernet1/0/3] port link-type access
      [SwitchA-GigabitEthernet1/0/3] port default vlan 200
      [SwitchA-GigabitEthernet1/0/3] quit

      # Configure a default static route.

      [SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2  //The next hop address of the route corresponds to the IP address of VLANIF 200 on SwitchB. 

    2. Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.

      # Configure an address pool.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchB
      [SwitchB] ip pool ip-phone  //Create an address pool to allocate IP addresses to IP phones.
      [SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1  //Configure the gateway address on the DHCP server.
      [SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0  //Configure allocatable IP addresses in the IP address pool.
      [SwitchB-ip-pool-ip-phone] quit

      # Configure the DHCP server function.

      [SwitchB] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
      [SwitchB] vlan batch 200
      [SwitchB] interface Vlanif 200  //Create VLANIF 200.
      [SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0  //Assign an IP address to VLANIF 200.
      [SwitchB-Vlanif200] dhcp select global  //Configure SwitchB to allocate IP addresses from the global IP address pool to the IP phone.
      [SwitchB-Vlanif200] quit

      # Add the downlink interface to VLAN 200.

      [SwitchB] interface gigabitethernet 1/0/3
      [SwitchB-GigabitEthernet1/0/3] port link-type access
      [SwitchB-GigabitEthernet1/0/3] port default vlan 200
      [SwitchB-GigabitEthernet1/0/3] quit

      # Configure a return route.

      [SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1

  4. Configure an AAA domain and allow voice terminals to go online without authentication.
    1. Configure an AAA domain.

      # Create and configure a RADIUS server template.

      [SwitchA] radius-server template ipphone  //Create a RADIUS server template named ipphone.
      [SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812  //Configure the IP address and port number of the RADIUS authentication server.
      [SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813  //Configure the IP address and port number of the RADIUS accounting server.
      [SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012  //Configure the shared key of the RADIUS server.
      [SwitchA-radius-ipphone] quit

      # Configure a service scheme and an authentication scheme.

      [SwitchA] aaa
      [SwitchA-aaa] service-scheme ipphone  //Create a service scheme named ipphone.
      [SwitchA-aaa-service-ipphone] quit
      [SwitchA-aaa] authentication-scheme radius  //Create an authentication scheme named radius.
      [SwitchA-aaa-authen-radius] authentication-mode radius  //Set the authentication mode to RADIUS.
      [SwitchA-aaa-authen-radius] quit

      # Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.

      [SwitchA-aaa] domain default  //Configure a domain named default.
      [SwitchA-aaa-domain-default] authentication-scheme radius  //Bind the authentication scheme radius to the domain.
      [SwitchA-aaa-domain-default] radius-server ipphone  //Bind the RADIUS server template ipphone to the domain.
      [SwitchA-aaa-domain-default] service-scheme ipphone  //Bind the service scheme ipphone to the domain.
      [SwitchA-aaa-domain-default] quit
      [SwitchA-aaa] quit

    2. Configure the switch to assign a network access policy to voice terminals through a service scheme. The network access policy defines that voice terminals can go online without authentication.

      • V200R007C00 and V200R008C00

        # Set the NAC mode to unified.

        [SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

        # Configure the switch to assign a network access policy to voice terminals through a service scheme. The network access policy defines that voice terminals can go online without authentication.

        [SwitchA] authentication device-type voice authorize service-scheme ipphone 
      • V200R009C00 and later versions

        # Set the NAC mode to unified.

        [SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

        # Configure an authentication profile.

        [SwitchA] authentication-profile name ipphone  //Create an authentication profile named ipphone.
        [SwitchA-authen-profile-ipphone] authentication device-type voice authorize service-scheme ipphone  //Allow voice terminals to go online without authentication.
        [SwitchA-authen-profile-ipphone] quit

        # Apply the authentication profile to interfaces.

        [SwitchA] interface gigabitethernet 1/0/1
        [SwitchA-GigabitEthernet1/0/1] authentication-profile ipphone  //Bind the authentication profile to the interface.
        [SwitchA-GigabitEthernet1/0/1] quit
        [SwitchA] interface gigabitethernet 1/0/2
        [SwitchA-GigabitEthernet1/0/2] authentication-profile ipphone
        [SwitchA-GigabitEthernet1/0/2] quit

  5. Verify the configuration.

    • On the IP phone's menu, you can see that the phone has correctly obtained an IP address.
    • The display mac-address vlan 100 command output on SwitchA displays connection information about IP phones.

      [SwitchA] display mac-address vlan 100
      -------------------------------------------------------------------------------
      MAC Address    VLAN/VSI                       Learned-From        Type
      -------------------------------------------------------------------------------
      001b-d4c7-1fa9 100/-                          GE1/0/1             dynamic
      0021-a08f-2fa8 100/-                          GE1/0/2             dynamic
      -------------------------------------------------------------------------------
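
The masked mac-vlan rules in step 2 match on the first 32 bits of the source MAC address, and step 4 lets voice terminals go online without authentication, so it is useful to compare what SwitchA has learned in VLAN 100 with the phones that were actually deployed. The following Python script is an added example, not part of the original post or of Huawei's tooling: it parses the two rules and the display mac-address vlan 100 output from this page and classifies each learned address. The last two table entries and the INVENTORY set are constructed sample data, and the function names are hypothetical.

```python
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
RULE_RE = re.compile(rf"^\s+mac-vlan mac-address ({MAC}) ({MAC}) priority (\d)\s*$", re.I)
ENTRY_RE = re.compile(rf"^\s*({MAC})\s+(\d+)/\S+\s+(\S+)\s+\S+\s*$", re.I)

# The two rules are the ones configured on the page.
CONFIG = """vlan 100
 mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority 6
 mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
"""
# First two entries come from the page's display output; the last two are constructed.
MAC_TABLE = """001b-d4c7-1fa9 100/-   GE1/0/1   dynamic
0021-a08f-2fa8 100/-   GE1/0/2   dynamic
001b-d4c7-9999 100/-   GE1/0/2   dynamic
00e0-fc12-3456 100/-   GE1/0/1   dynamic
"""
# Constructed inventory of phones known to the operator (assumption).
INVENTORY = {"001b-d4c7-1fa9", "0021-a08f-2fa8"}

def to_int(mac):
    """Convert a MAC in xxxx-xxxx-xxxx notation to a 48-bit integer."""
    return int(mac.replace("-", ""), 16)

def parse_rules(config):
    """Return (vlan, value, mask) for each mac-vlan rule inside a 'vlan N' view."""
    rules, vlan = [], None
    for line in config.splitlines():
        view = re.fullmatch(r"vlan (\d+)", line)
        if view:
            vlan = int(view.group(1))
        elif line and not line.startswith(" "):
            vlan = None  # left the VLAN view
        rule = RULE_RE.match(line)
        if rule and vlan is not None:
            rules.append((vlan, to_int(rule.group(1)), to_int(rule.group(2))))
    return rules

def audit(config, mac_table, inventory):
    """Label each learned MAC: inventory, mask-only (rule matches, not inventoried) or no-rule."""
    rules, report = parse_rules(config), []
    for line in mac_table.splitlines():
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # header, separator or blank line
        mac, vlan, port = entry.group(1).lower(), int(entry.group(2)), entry.group(3)
        covered = any(v == vlan and (to_int(mac) & m) == (val & m) for v, val, m in rules)
        status = "inventory" if mac in inventory else "mask-only" if covered else "no-rule"
        report.append((mac, port, status))
    return report

if __name__ == "__main__":
    for row in audit(CONFIG, MAC_TABLE, INVENTORY):
        print(*row)
```

Entries reported as mask-only were placed in VLAN 100 with priority 6 solely because their prefix matches a rule, so they are the ones to reconcile against the deployment records.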

Configuration Files

  • SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)

    #
    sysname SwitchA
    #
    vlan batch 100 200
    #
    lldp enable
    #
    dhcp enable
    #
    vlan 100
     mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority 6
     mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
    #
    authentication device-type voice authorize service-scheme ipphone
    #
    radius-server template ipphone
     radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
     radius-server authentication 192.168.100.182 1812 weight 80
     radius-server accounting 192.168.100.182 1813 weight 80
    #
    aaa
     authentication-scheme radius
      authentication-mode radius
     service-scheme ipphone
     domain default
      authentication-scheme radius
      radius-server ipphone
    #
    interface Vlanif100
     ip address 10.20.20.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif200
     ip address 10.10.20.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type hybrid
     port hybrid untagged vlan 100
     mac-vlan enable
    #
    interface GigabitEthernet1/0/2
     port link-type hybrid
     port hybrid untagged vlan 100
     mac-vlan enable
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
    #
    return
  • SwitchA configuration file (V200R009C00 and later versions)

    #
    sysname SwitchA
    #
    vlan batch 100 200
    #
    authentication-profile name ipphone
     authentication device-type voice authorize service-scheme ipphone
    #
    vlan 100
     mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority 6
     mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
    #
    lldp enable
    #
    dhcp enable
    #
    radius-server template ipphone
     radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
     radius-server authentication 192.168.100.182 1812 weight 80
     radius-server accounting 192.168.100.182 1813 weight 80
    #
    aaa
     authentication-scheme radius
      authentication-mode radius
     service-scheme ipphone
     domain default
      authentication-scheme radius
      service-scheme ipphone
      radius-server ipphone
    #
    interface Vlanif100
     ip address 10.20.20.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif200
     ip address 10.10.20.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type hybrid
     port hybrid untagged vlan 100
     mac-vlan enable
    #
    interface GigabitEthernet1/0/2
     port link-type hybrid
     port hybrid untagged vlan 100
     mac-vlan enable
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
    #
    return
  • SwitchB configuration file

    #
    sysname SwitchB
    #
    vlan batch 200
    #
    dhcp enable
    #
    ip pool ip-phone
     gateway-list 10.20.20.1
     network 10.20.20.0 mask 255.255.255.0
    #
    interface Vlanif200
     ip address 10.10.20.2 255.255.255.0
     dhcp select global
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
    #
    ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
    #
    return

For more configuration examples, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples

