[All About Switches] Example for Connecting IP Phones to Switches Through NAC Authentication and Voice VLAN Highlighted

Latest reply: May 2, 2018 05:38:57 2750 2 0 1










Example for Connecting IP Phones to Switches Through NAC Authentication and Voice VLAN


Data, voice, and video services are often transmitted simultaneously over a network. Packet loss and delay seriously affect voice communication quality in particular, which requires a higher forwarding priority than data or video services. Voice data must be given transmission preference when bandwidth is limited. A voice VLAN is used to transmit voice data flows. You can configure a voice VLAN on the switch so that voice flows are transmitted in the voice VLAN. QoS can be configured in the voice VLAN so that voice flows are transmitted preferentially when congestion occurs.

NAC authentication controls access users and provides end-to-end security guarantee.

Configuration Notes

This example applies to all versions of all S series switches.

Networking Requirements

In Figure 1-1, the switch connects to IP phones and a PC, and transmits voice and data packets in VLAN 200 and VLAN 100 respectively. IP phone A and PC A connect to the switch in inline mode, and IP phone B connects to the switch. IP phones support 802.1x and obtain voice VLAN information on the switch through LLDP. Voice data flows must be transmitted with a high priority to ensure the VoIP call quality that users demand.

Figure 1-1 Connecting IP phones to switches through NAC authentication and voice VLAN



Configuration Roadmap

The configuration roadmap is as follows:

1.         Create VLANs on the switch and add interfaces to VLANs to implement Layer 2 connectivity. Configure VLAN 200 as the voice VLAN, and VLAN 100 as the data VLAN and default VLAN of GE1/0/1.

2.         Configure the voice VLAN function.

3.         Enable LLDP so that IP phones can obtain voice VLAN information through LLDP.

4.         Configure 802.1x authentication and AAA.

5.         Configure the RADIUS server, for example, user names and passwords of PCs and IP phones. (If authentication is not required, ignore this step.)


l  This example uses Avaya 9620 as the IP phone and Cisco Secure ACS as the RADIUS server.

l  When the timer of the Avaya IP phone expires, the IP phone may fail to be connected. The value of VLAN TEST on the IP phone needs to be set to 0, which indicates that the timer will not time out. Modify the value of the VLAN TEST timer of the IP phone: Press the star key (*) and enter the password to access the menu. Select VLAN TEST and change the default value to 0.

l  Ensure that the RADIUS server address and shared key in the RADIUS server template are the same as the settings on the RADIUS server.

l  The configuration of Switch1 is similar to the configuration of the switch.


                               Step 1     Configure VLANs and interfaces on the switch.

# Create VLANs.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200

# Set the PVID and VLAN allowed by GE1/0/1.

[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit

                               Step 2     Configure the voice VLAN and OUI. The configuration of GE1/0/2 is similar to the configuration of GE1/0/1.

[Switch] voice-vlan mac-address 0004-0D00-0000 mask ffff-ff00-0000   //It refers to the IP phone's MAC address corresponding to the OUI.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] voice-vlan 200 enable  //Configure voice VLAN 200.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 200
[Switch-GigabitEthernet1/0/1] voice-vlan remark-mode mac-address  //Configure the switch to identify voice packets in the voice VLAN based on MAC addresses of IP phones.
[Switch-GigabitEthernet1/0/1] voice-vlan security enable  //Configure the secure mode. The interface discards packets of which the MAC addresses do not match the OUIs.
[Switch-GigabitEthernet1/0/1] quit

                               Step 3     Enable LLDP.

[Switch] lldp enable

                               Step 4     Configure 802.1x authentication and AAA.

# Switch the NAC mode to traditional mode.

[Switch] undo authentication unified-mode
[Switch] quit
<Switch> save

The system asks you to save the configuration to the device and whether to continue the operation. Enter y.

# Restart the device.

<Switch> reboot

The system displays a message indicating that the system will restart and asks you whether to continue the operation. Enter y.


This configuration is mandatory for V200R005C00 and later versions. After the unified mode is changed to traditional mode, restart the device to make the configuration take effect.

# Enable 802.1x authentication.

<Switch> system-view
[Switch] dot1x enable
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] dot1x enable
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] dot1x enable
[Switch-GigabitEthernet1/0/2] quit

# Configure the RADIUS server template.

[Switch] radius-server template cmn  //Create a RADIUS server template named cmn.
[Switch-radius-cmn] radius-server authentication 1812  //Configure the IP address and port number of the RADIUS authentication server.
[Switch-radius-cmn] radius-server accounting 1813  //Configure the IP address and port number of the RADIUS accounting server.
[Switch-radius-cmn] quit

# Configure AAA.

[Switch] aaa
[Switch-aaa] authentication-scheme cmn  //Create an authentication scheme named cmn.
[Switch-aaa-authen-cmn] authentication-mode radius  //Set the authentication mode to RADIUS.
[Switch-aaa-authen-cmn] quit
[Switch-aaa] accounting-scheme cmn  //Create accounting scheme named ancmn.
[Switch-aaa-accounting-cmn] accounting-mode radius  //Set the accounting mode to RADIUS.
[Switch-aaa-accounting-cmn] quit
[Switch-aaa] domain default  //Configure the authentication and accounting schemes of the default domain and the RADIUS server.
[Switch-aaa-domain-default] authentication-scheme cmn
[Switch-aaa-domain-default] accounting-scheme cmn
[Switch-aaa-domain-default] radius-server cmn
[Switch-aaa-domain-default] quit
[Switch-aaa] quit

                               Step 5     Configure the RADIUS server. When hosts are connected to IP phones in inline mode, bind user names and passwords of IP phones to the voice VLAN on the RADIUS server, as shown in Figure 1-2.

Figure 1-2 Networking of the RADIUS server



V200R006 provides the following optimization:

l   In earlier versions of V200R006, the voice VLAN attribute (device-traffic-class=voice) is configured on the RADIUS server to identify the voice VLAN and authenticate voice services, as shown in Figure 1-3.

In V200R006 and later versions, the voice VLAN attribute (device-traffic-class=voice) does not need to be configured. The voice-vlan X enable command is configured on the switch to identify the voice VLAN and authenticate voice services.

Figure 1-3 Configuring the voice VLAN attribute (device-traffic-class=voice) on the RADIUS server



l   In earlier versions of V200R006, data and voice services for a VLAN on an interface can be authenticated simultaneously. In V200R006 and later versions, authentication is performed one at a time.

                               Step 6     Verify the configuration.

IP phones can go online and implement voice communication.

PCs can go online.


Configuration Files

Switch configuration file

sysname Switch
voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000
vlan batch 100 200
undo authentication unified-mode
dot1x enable
lldp enable
radius-server template cmn                     
 radius-server authentication 1812 weight 80
 radius-server accounting 1813 weight 80
 authentication-scheme cmn                     
  authentication-mode radius                   
 accounting-scheme cmn                         
  accounting-mode radius                       
 domain default                                 
  authentication-scheme cmn                    
  accounting-scheme cmn                        
  radius-server cmn   
interface GigabitEthernet1/0/1
 port link-type hybrid
 voice-vlan 200 enable
 voice-vlan remark-mode mac-address
 voice-vlan security enable
 port hybrid pvid vlan 100     
 port hybrid tagged vlan 200
 port hybrid untagged vlan 100    
 dot1x enable 
interface GigabitEthernet1/0/2
 port link-type hybrid
 voice-vlan 200 enable
 voice-vlan remark-mode mac-address
 voice-vlan security enable
 port hybrid tagged vlan 200
 dot1x enable 

  • x
  • convention:

Admin Created Jun 26, 2017 01:12:17 Helpful(0) Helpful(0)

  • x
  • convention:

Come on!
MVE Created May 2, 2018 05:38:57 Helpful(0) Helpful(0)

useful document, thanks
  • x
  • convention:



You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits