Example for Connecting IP Phones to Switches Through the MED TLV

Latest reply: Mar 22, 2017 02:01:48

Overview

If a voice device supports LLDP and the network-policy TLV field can be used to obtain the voice VLAN ID, configure the lldp tlv-enable med-tlv network-policy voice-vlan command on the switch to assign a voice VLAN ID to the voice device. Then the switch increases the packet priority through the voice VLAN.

Configuration Notes

•   This example applies to all models of V200R002 and later versions.

•   After the Avaya phone fails to obtain an IP address through DHCP within 60s and the timer expires, the Avaya phone sends packets tagged with VLAN 0 continuously. The switch processes packets tagged with VLAN 0 in the same manner as untagged packets. That is, the switch processes packets tagged with VLAN 0 in the VLAN specified by the PVID of an interface, and such packets are not processed in the voice VLAN. As a result, the Avaya phone fails to be authenticated and cannot connect to the switch.

You can use either of the following methods to solve the problem:

    -   In V200R003C00 and later versions, Voice-VLAN include-untagged is recommended. For details, see 1.11 Example for Connecting IP Phones to Switches Through the OUI-based voice VLAN. In V200R010 and later versions, run the voice-vlan vlan-id enable include-tag0 command to enable the switch to process packets tagged with voice VLAN 0 for the S5720EI, S5720HI, S6720EI, S6720S-EI, and modular devices.

    -   Modify the value of the VLAN TEST timer of the IP phone: Press the asterisk key and enter the password to access the menu. Select VLAN TEST and change the default value to 0. The timer setting does not persist after the Avaya phone restarts and must be reconfigured.

•   Only V200R007 and later versions allow voice devices to go online without authentication.

•   For Mitel 5212 phones, Option 128, Option 129, Option 130, and Option 131 need to be configured in the address pool of the DHCP server; otherwise, Mitel 5212 phones cannot identify DHCP Offer packets sent by the DHCP server or go online. The configuration on the switch is as follows:

<HUAWEI> system-view
[HUAWEI] ip pool ip-phone
[HUAWEI-ip-pool-ip-phone] option 128 ip-address 10.20.20.1
[HUAWEI-ip-pool-ip-phone] option 129 ip-address 11.20.20.1
[HUAWEI-ip-pool-ip-phone] option 130 ascii MITEL IP PHONE
[HUAWEI-ip-pool-ip-phone] option 131 ip-address 11.20.20.1

Applicable IP Phones

See "1.3 Interconnection Modes Supported by Different Models of IP phones".

Networking Requirements

In Figure 1-6:

•   IP phones support LLDP, and the voice VLAN ID and packet priority can be obtained from the network-policy TLV field.

•   Voice packets sent by IP phones can carry VLAN tags. The priority of the voice packets is high, so the switch does not need to increase the priority of voice packets.

•   Voice packets are transmitted in VLAN 100.

•   The IP addresses of IP phones and the DHCP server's IP address are on different network segments.

•   IP phones can go online without authentication.

Figure 1-6 Connecting IP phones to switches through the MED TLV

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable LLDP globally and on interfaces, and configure the network-policy TLV field that carries the voice VLAN ID and priority for an interface.

2. Add an interface to a VLAN so that voice packets are forwarded in the VLAN.

3. Configure interfaces to trust the packet priority because the priority of voice packets sent by IP phones is high.

4. Configure the DHCP relay and DHCP server functions so that IP addresses are allocated to IP phones.

5. Configure an authentication domain for management of IP phones; configure the switch to assign a network access policy to voice terminals through a service scheme. The network access policy defines that voice terminals can go online without authentication.

Procedure

Step 1  Enable LLDP on SwitchA and configure the network-policy TLV field on interfaces.

# Enable LLDP globally.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] lldp enable  //After LLDP is enabled globally, LLDP is enabled on all interfaces by default.

# Configure the network-policy TLV field on interfaces.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60  //Configure the switch to use the network-policy TLV field to allocate a voice VLAN ID and priority to IP phones.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60  //Configure the switch to use the network-policy TLV field to allocate a voice VLAN ID and priority to IP phones.
[SwitchA-GigabitEthernet1/0/2] quit
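The network-policy TLV that this command makes the port advertise can be checked in a packet capture. The following is an added example, not part of the original post or of Huawei's documentation: it encodes and decodes the LLDP-MED Network Policy TLV using the field layout of ANSI/TIA-1057 and compares the advertised values with vlan 100 cos 6 dscp 60. The function names are hypothetical, the sample LLDPDU fragment is constructed, and the tagged flag is assumed to be set because VLAN 100 is carried tagged on the port.

```python
import struct

TIA_OUI = b"\x00\x12\xbb"   # OUI that marks an organizationally specific TLV as LLDP-MED
NETWORK_POLICY = 2          # LLDP-MED subtype of the Network Policy TLV
APP_TYPES = {1: "voice", 2: "voice-signaling"}

def build_network_policy(vlan, cos, dscp, app=1, tagged=True, unknown=False):
    """Encode one Network Policy TLV: type 127, 8-byte value."""
    if not (0 <= vlan <= 4095 and 0 <= cos <= 7 and 0 <= dscp <= 63):
        raise ValueError("vlan, cos or dscp out of range")
    # 24 bits: U(1) T(1) reserved(1) VLAN ID(12) L2 priority(3) DSCP(6)
    policy = (unknown << 23) | (tagged << 22) | (vlan << 9) | (cos << 6) | dscp
    value = TIA_OUI + bytes([NETWORK_POLICY, app]) + policy.to_bytes(3, "big")
    return struct.pack("!H", (127 << 9) | len(value)) + value

def parse_network_policies(lldpdu):
    """Walk the TLVs of an LLDPDU and decode every LLDP-MED Network Policy."""
    policies, off = [], 0
    while off + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = header >> 9, header & 0x1FF
        value = lldpdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV at offset {off}")
        off += 2 + length
        if tlv_type == 0:                       # End of LLDPDU
            break
        if tlv_type != 127 or value[:4] != TIA_OUI + bytes([NETWORK_POLICY]):
            continue                            # not a Network Policy TLV
        if length != 8:
            raise ValueError("Network Policy TLV value must be 8 bytes")
        bits = int.from_bytes(value[5:8], "big")
        policies.append({
            "app": APP_TYPES.get(value[4], value[4]),
            "unknown": bool(bits >> 23), "tagged": bool(bits >> 22 & 1),
            "vlan": bits >> 9 & 0xFFF, "cos": bits >> 6 & 0x7, "dscp": bits & 0x3F,
        })
    return policies

def audit(lldpdu, vlan=100, cos=6, dscp=60):
    """Compare the advertised voice policy with the values configured on the port."""
    voice = [p for p in parse_network_policies(lldpdu) if p["app"] == "voice"]
    if not voice:
        return ["no voice network policy advertised"]
    want = {"vlan": vlan, "cos": cos, "dscp": dscp, "tagged": True, "unknown": False}
    return [f"{k}: advertised {p[k]}, expected {v}"
            for p in voice for k, v in want.items() if p[k] != v]

# Constructed LLDPDU fragment: TTL TLV (120 s), one Network Policy TLV, End TLV.
SAMPLE = bytes.fromhex("06020078") + build_network_policy(100, 6, 60) + b"\x00\x00"

if __name__ == "__main__":
    print(build_network_policy(100, 6, 60).hex())
    print(parse_network_policies(SAMPLE), audit(SAMPLE))
```

Pass the function the LLDPDU bytes that follow the Ethernet header of a captured LLDP frame; an empty list from audit means the advertised policy matches the configured one.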

Step 2  Add interfaces on SwitchA to a VLAN.

# Create VLAN 100.

[SwitchA] vlan batch 100  //Configure VLAN 100 in which voice traffic is transmitted.

# Add interfaces to VLAN 100.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid   //In V200R005C00 and later versions, the default link type of an interface is not hybrid, and needs to be manually configured.
[SwitchA-GigabitEthernet1/0/1] port hybrid tagged vlan 100  //Add the interface to voice VLAN 100 in tagged mode.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit

Step 3  Configure the interface to trust the packet priority.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] trust 8021p inner  //The trust 8021p (inner) command varies depending on the device model.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] trust 8021p inner  //The trust 8021p (inner) command varies depending on the device model.
[SwitchA-GigabitEthernet1/0/2] quit


 

Step 4  Configure the DHCP relay function and DHCP server.

1. Configure the DHCP relay function on SwitchA.

# Configure the DHCP relay function on an interface.

[SwitchA] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
[SwitchA] interface Vlanif 100  //Create VLANIF 100.
[SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0  //Assign an IP address to VLANIF 100.
[SwitchA-Vlanif100] dhcp select relay  //Enable the DHCP relay function on VLANIF 100.
[SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2  //Configure the DHCP server address on the DHCP relay agent.
[SwitchA-Vlanif100] quit

# Create VLANIF 200.

[SwitchA] vlan batch 200
[SwitchA] interface Vlanif 200
[SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0  //Configure an IP address for VLANIF 200 for communication with SwitchB.
[SwitchA-Vlanif200] quit

# Add the uplink interface to VLAN 200.

[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type hybrid
[SwitchA-GigabitEthernet1/0/3] port hybrid pvid vlan 200
[SwitchA-GigabitEthernet1/0/3] port hybrid untagged vlan 200
[SwitchA-GigabitEthernet1/0/3] quit

# Configure a default static route.

[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2  //The next hop address of the route corresponds to the IP address of VLANIF 200 on SwitchB.

2. Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.

# Configure an address pool.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] ip pool ip-phone  //Create an address pool.
[SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1  //Configure the gateway address on the DHCP server.
[SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0  //Configure allocatable IP addresses in the IP address pool.
[SwitchB-ip-pool-ip-phone] quit

# Configure the DHCP server function.

[SwitchB] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
[SwitchB] vlan batch 200
[SwitchB] interface Vlanif 200  //Create VLANIF 200.
[SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0  //Assign an IP address to VLANIF 200.
[SwitchB-Vlanif200] dhcp select global  //Configure SwitchB to allocate IP addresses from the global IP address pool to the IP phone.
[SwitchB-Vlanif200] quit

# Add the downlink interface to VLAN 200.

[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type hybrid
[SwitchB-GigabitEthernet1/0/3] port hybrid pvid vlan 200
[SwitchB-GigabitEthernet1/0/3] port hybrid untagged vlan 200
[SwitchB-GigabitEthernet1/0/3] quit

# Configure a return route.

[SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1

Step 5  Configure an authentication domain, and configure the switch to assign a network access policy to voice terminals through a service scheme. The network access policy defines that voice terminals can go online without authentication.

1. Configure an authentication domain.

# Create and configure a RADIUS server template.

[SwitchA] radius-server template cisco  //Create a RADIUS server template named cisco.
[SwitchA-radius-cisco] radius-server authentication 192.168.6.182 1812  //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-cisco] radius-server accounting 192.168.6.182 1813  //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-cisco] quit

# Configure a service scheme and an authentication scheme.

[SwitchA] aaa
[SwitchA-aaa] service-scheme cisco  //Create a service scheme named cisco.
[SwitchA-aaa-service-cisco] quit
[SwitchA-aaa] authentication-scheme radius  //Create an authentication scheme named radius.
[SwitchA-aaa-authen-radius] authentication-mode radius  //Set the authentication mode to RADIUS.
[SwitchA-aaa-authen-radius] quit

# Create an authentication domain and bind the RADIUS server template and authentication scheme to the authentication domain.

[SwitchA-aaa] domain default  //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius  //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server cisco  //Bind the RADIUS server template cisco to the domain.
[SwitchA-aaa-domain-default] service-scheme cisco  //Bind the service scheme cisco to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit

2. Configure the switch to assign a network access policy to voice terminals through a service scheme. The network access policy defines that voice terminals can go online without authentication.

•   V200R007C00 and V200R008C00

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

# Configure the switch to assign a network access policy to voice terminals through a service scheme. The network access policy defines that voice terminals can go online without authentication.

[SwitchA] authentication device-type voice authorize service-scheme cisco

•   V200R009C00 and later versions

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

# Configure an authentication profile.

[SwitchA] authentication-profile name cisco  //Create an authentication profile named cisco.
[SwitchA-authen-profile-cisco] authentication device-type voice authorize service-scheme cisco  //Configure the switch to assign a network access policy to voice terminals through a service scheme. The network access policy defines that voice terminals can go online without authentication.
[SwitchA-authen-profile-cisco] quit

# Apply the authentication profile to the interface.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication-profile cisco  //Bind the authentication profile to the interface.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication-profile cisco
[SwitchA-GigabitEthernet1/0/2] quit

Step 6  Verify the configuration.

•   IP phones can obtain the voice VLAN ID and IP addresses.

•   The display mac-address vlan 100 command output on SwitchA displays connection information about IP phones.

----End

Configuration Files

•   SwitchA configuration file (V200R007C00 and V200R008C00)

#
sysname SwitchA
#
vlan batch 100 200
#
lldp enable
#
dhcp enable
#
authentication device-type voice authorize service-scheme cisco
#
radius-server template cisco
 radius-server authentication 192.168.6.182 1812 weight 80
 radius-server accounting 192.168.6.182 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 service-scheme cisco
 domain default
  authentication-scheme radius
  service-scheme cisco
  radius-server cisco
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1       
 port link-type hybrid
 port hybrid tagged vlan 100                                                                                                        
 trust 8021p inner                                                                                                                   
 lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60
#
interface GigabitEthernet1/0/2       
 port link-type hybrid
 port hybrid tagged vlan 100
 trust 8021p inner                                                                                                                  
 lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60
#
interface GigabitEthernet1/0/3        
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return

•   SwitchA configuration file (V200R009C00 and later versions)

#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name cisco
 authentication device-type voice authorize service-scheme cisco
#
lldp enable
#
dhcp enable
#
radius-server template cisco
 radius-server authentication 192.168.6.182 1812 weight 80
 radius-server accounting 192.168.6.182 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 service-scheme cisco
 domain default
  authentication-scheme radius
  service-scheme cisco 
  radius-server cisco
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1       
 port link-type hybrid
 port hybrid tagged vlan 100
 authentication-profile cisco
 trust 8021p inner                                                                                                                  
 lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60
#
interface GigabitEthernet1/0/2       
 port link-type hybrid
 port hybrid tagged vlan 100
 authentication-profile cisco
 trust 8021p inner                                                                                                                  
 lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60
#
interface GigabitEthernet1/0/3       
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return

•   SwitchB configuration file

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
 gateway-list 10.20.20.1 
 network 10.20.20.0 mask 255.255.255.0 
#
interface Vlanif200
 ip address 10.10.20.2 255.255.255.0
 dhcp select global
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return
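A saved SwitchA configuration can be checked offline for the dependency between steps 1 to 3: every port that advertises a voice VLAN through the network-policy TLV must also carry that VLAN tagged and trust the 802.1p priority. The following is an added example, not part of the original post or of Huawei's tooling; the function names are hypothetical, the sample is constructed with GigabitEthernet1/0/2 deliberately incomplete, and VLANs are assumed to be listed explicitly as in the files above.

```python
import re

# Constructed sample in the layout of the SwitchA configuration file above;
# GigabitEthernet1/0/2 deliberately lacks its tagged-VLAN and trust lines.
SAMPLE = """\
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid tagged vlan 100
 trust 8021p inner
 lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
return
"""

POLICY = re.compile(r"lldp tlv-enable med-tlv network-policy voice-vlan vlan (\d+)")

def interface_blocks(config):
    """Map each interface name to the list of its configuration lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif not line.startswith(" "):      # "#", "return" or another view ends the block
            current = None
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit_voice_ports(config):
    """Flag ports that advertise a voice VLAN they do not carry tagged or do not trust."""
    findings = []
    for name, lines in interface_blocks(config).items():
        advertised = [m.group(1) for m in map(POLICY.match, lines) if m]
        for vid in advertised:
            # Assumption: VLAN IDs are listed explicitly (no "x to y" ranges).
            tagged = any(l.startswith("port hybrid tagged vlan ") and vid in l.split()[4:]
                         for l in lines)
            if not tagged:
                findings.append((name, f"voice VLAN {vid} advertised but not tagged on port"))
            if not any(l.startswith("trust 8021p") for l in lines):
                findings.append((name, "priority of tagged voice packets is not trusted"))
    return findings

if __name__ == "__main__":
    for port, issue in audit_voice_ports(SAMPLE):
        print(port, "-", issue)
```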

 


gululu
Admin Created Mar 22, 2017 02:01:48

thanks for sharing