Example for Connecting IP Phones to Switches Through the PVID of the Voice VLAN ID

Latest reply: Mar 22, 2017 05:38:40

Overview

If a voice device sends packets with tag 0 or untagged packets, the PVID of an interface can be added to the voice packets. Then the priority of the voice packets is increased based on the VLAN ID.

Configuration Notes

• This example applies to all versions of all S series switches.

• Cisco 7912, Cisco 7940G, and Cisco 7960G phones are non-standard PDs. If a switch is required to provide PoE, run the poe legacy enable command on interfaces of the switch connected to IP phones to enable compatibility detection for PDs on the PSE.

• Cisco SPA 303 and Linksys SPA 921 phones do not support PoE, so you need to connect Cisco SPA 303 and Linksys SPA 921 phones to external power supplies and then connect them to switches.

• For Mitel 5212 phones, Option 128, Option 129, Option 130, and Option 131 need to be configured in the address pool of the DHCP server; otherwise, Mitel 5212 phones cannot identify DHCP Offer packets sent by the DHCP server or go online. The configuration on the switch is as follows:

<HUAWEI> system-view
[HUAWEI] ip pool ip-phone
[HUAWEI-ip-pool-ip-phone] option 128 ip-address 10.20.20.1
[HUAWEI-ip-pool-ip-phone] option 129 ip-address 11.20.20.1
[HUAWEI-ip-pool-ip-phone] option 130 ascii MITEL IP PHONE
[HUAWEI-ip-pool-ip-phone] option 131 ip-address 11.20.20.1

Applicable IP Phones

See "1.3 Interconnection Modes Supported by Different Models of IP phones".

Networking Requirements

In Figure 1-11:

• IP phones can send only untagged voice packets.

• The priority of voice packets needs to be increased to ensure communication quality.

• Voice packets are transmitted in VLAN 100.

• The IP addresses of IP phones and the DHCP server's IP address are on different network segments.

• IP phones need to connect to switches through MAC address authentication.

Figure 1-11 Connecting IP phones to switches through the PVID of the voice VLAN ID (figure not included)

Configuration Roadmap

The configuration roadmap is as follows:

1. Add an interface to a VLAN in untagged mode so that voice packets are forwarded in the VLAN.

2. Enable the voice VLAN function on an interface and set the PVID of the interface to the voice VLAN ID.

3. Configure the DHCP relay and DHCP server functions so that IP addresses are allocated to IP phones.

4. Configure MAC address authentication for IP phones. (This step can be ignored if authentication is not required.)

Procedure

Step 1  Add an interface on SwitchA to a VLAN.

# Create VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100  //Configure VLAN 100 in which voice traffic is transmitted.

# Add an interface to VLAN 100 in untagged mode.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid   //In V200R005C00 and later versions, the default link type of an interface is not hybrid, and needs to be manually configured.
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100  //Packets sent by IP phones do not carry tags, so the interface must join VLAN 100 in untagged mode.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit

Step 2  Enable the voice VLAN function on an interface of SwitchA and set the PVID of the interface to the voice VLAN ID.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable  //Enable the voice VLAN function on the interface.
[SwitchA-GigabitEthernet1/0/1] voice-vlan remark-mode mac-address  //In V200R003 and later versions, the interface needs to be configured to identify voice packets based on MAC addresses. This configuration is not required in versions earlier than V200R003.
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100  //Configure the PVID.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2  //The configuration of GE1/0/2 is similar to the configuration of GE1/0/1.
[SwitchA-GigabitEthernet1/0/2] voice-vlan 100 enable
[SwitchA-GigabitEthernet1/0/2] voice-vlan remark-mode mac-address
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
[SwitchA] voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000

Step 3  Configure the DHCP relay function and DHCP server.

1. Configure the DHCP relay function on SwitchA.

# Configure the DHCP relay function on an interface.

[SwitchA] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
[SwitchA] interface Vlanif 100  //Create VLANIF 100.
[SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0  //Assign an IP address to VLANIF 100.
[SwitchA-Vlanif100] dhcp select relay  //Enable the DHCP relay function on VLANIF 100.
[SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2  //Configure the DHCP server address on the DHCP relay agent.
[SwitchA-Vlanif100] quit

# Create VLANIF 200.

[SwitchA] vlan batch 200
[SwitchA] interface Vlanif 200
[SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0  //Configure an IP address for VLANIF 200 for communication with SwitchB.
[SwitchA-Vlanif200] quit

# Add the uplink interface to VLAN 200.

[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type hybrid
[SwitchA-GigabitEthernet1/0/3] port hybrid pvid vlan 200
[SwitchA-GigabitEthernet1/0/3] port hybrid untagged vlan 200
[SwitchA-GigabitEthernet1/0/3] quit

# Configure a default static route.

[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2  //The next hop address of the route corresponds to the IP address of VLANIF 200 on SwitchB.

2. Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.

# Configure an address pool.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] ip pool ip-phone  //Create an address pool.
[SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1  //Configure the gateway address on the DHCP server.
[SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0  //Configure allocatable IP addresses in the IP address pool.
[SwitchB-ip-pool-ip-phone] quit

# Configure the DHCP server function.

[SwitchB] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
[SwitchB] vlan batch 200
[SwitchB] interface Vlanif 200  //Create VLANIF 200.
[SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0  //Assign an IP address to VLANIF 200.
[SwitchB-Vlanif200] dhcp select global  //Configure SwitchB to allocate IP addresses from the global IP address pool to the IP phone.
[SwitchB-Vlanif200] quit

# Add the downlink interface to VLAN 200.

[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type hybrid
[SwitchB-GigabitEthernet1/0/3] port hybrid pvid vlan 200
[SwitchB-GigabitEthernet1/0/3] port hybrid untagged vlan 200
[SwitchB-GigabitEthernet1/0/3] quit

# Configure a return route.

[SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1

Step 4  Configure an authentication domain and MAC address authentication for IP phones.

1. Configure an authentication domain.

# Create and configure a RADIUS server template.

[SwitchA] radius-server template cisco  //Create a RADIUS server template named cisco.
[SwitchA-radius-cisco] radius-server authentication 192.168.6.182 1812  //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-cisco] radius-server accounting 192.168.6.182 1813  //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-cisco] quit

# Configure an authentication scheme.

[SwitchA] aaa
[SwitchA-aaa] authentication-scheme radius  //Create an authentication scheme named radius.
[SwitchA-aaa-authen-radius] authentication-mode radius  //Set the authentication mode to RADIUS.
[SwitchA-aaa-authen-radius] quit

# Create an authentication domain and bind the RADIUS server template and authentication scheme to the authentication domain.

[SwitchA-aaa] domain default  //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius  //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server cisco  //Bind the RADIUS server template cisco to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit

2. Configure MAC address authentication for IP phones and PCs.

• V200R007C00 and earlier versions, and V200R008C00

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

# Enable MAC address authentication on an interface.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication mac-authen  //Enable MAC address authentication.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication mac-authen
[SwitchA-GigabitEthernet1/0/2] quit

• V200R009C00 and later versions

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

# Configure a MAC access profile.

[SwitchA] mac-access-profile name cisco  //Create a MAC access profile named cisco.
[SwitchA-mac-access-profile-cisco] quit

# Configure an authentication profile.

[SwitchA] authentication-profile name cisco  //Configure an authentication profile.
[SwitchA-authen-profile-cisco] mac-access-profile cisco  //Bind the MAC access profile cisco to the authentication profile.
[SwitchA-authen-profile-cisco] quit

# Apply the authentication profile to the interface.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication-profile cisco  //Bind the authentication profile and enable MAC address authentication.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication-profile cisco
[SwitchA-GigabitEthernet1/0/2] quit

3. Configure the Agile Controller. The display of the Agile Controller varies depending on versions. V100R002C10SPC401 is used as an example.

a. Log in to the Agile Controller.

Open Internet Explorer, enter the Agile Controller access address in the address bar, and press Enter.

Enter the administrator user name and password. If you log in to the Agile Controller for the first time, use the super administrator user name admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller cannot be used.

The following access modes of the Agile Controller can be used.

Access Mode | Description
https://Agile Controller-IP:8443 | Agile Controller-IP specifies the IP address of the Agile Controller.
IP address of the Agile Controller | If port 80 is enabled during installation, you can access the Agile Controller by entering its IP address without the port number. The URL of the Agile Controller will automatically change to https://Agile Controller-IP:8443.

 

b. Add a MAC address.

i. Choose Resource > User > User Management.

ii. Select All Accounts.

iii. Click Add to create a MAC account. The value of MAC Account is the IP phone's MAC address.

c. Add SwitchA to the Agile Controller.

i. Choose Resource > Device > Device Management.

ii. Click Add. On the Add Device page, add SwitchA used to authenticate IP phones.

d. Add an IP phone to the Agile Controller.

i. Choose Resource > Terminal > Terminal List.

ii. Click Add to access the Add Device Group page.

iii. On the Add Device Group page, add an IP phone group.

iv. Click a device group, select cisco_ipphone, select Device List, and click Add to add an IP phone.

e. Add an authentication rule.

Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule and click Add to create an authentication rule.

f. Add an authorization result.

Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule and click Add to create an authorization result.

Step 5  Verify the configuration.

• IP phones can obtain the voice VLAN ID and IP addresses.

• The display access-user command output on SwitchA displays connection information about IP phones.

----End

Configuration Files

• SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)

#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 200
#
dhcp enable
#
radius-server template cisco
 radius-server authentication 192.168.6.182 1812 weight 80
 radius-server accounting 192.168.6.182 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default
  authentication-scheme radius
  radius-server cisco
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1       
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan remark-mode mac-address
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 authentication mac-authen
#
interface GigabitEthernet1/0/2       
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan remark-mode mac-address
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 authentication mac-authen
#
interface GigabitEthernet1/0/3       
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return

• SwitchA configuration file (V200R009C00 and later versions)

#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 200
#
authentication-profile name cisco
 mac-access-profile cisco
#
dhcp enable
#
radius-server template cisco
 radius-server authentication 192.168.6.182 1812 weight 80
 radius-server accounting 192.168.6.182 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default
  authentication-scheme radius
  radius-server cisco
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1       
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan remark-mode mac-address
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 authentication-profile cisco
#
interface GigabitEthernet1/0/2       
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan remark-mode mac-address
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 authentication-profile cisco
#
interface GigabitEthernet1/0/3       
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
mac-access-profile name cisco
#
return

• SwitchB configuration file

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
 gateway-list 10.20.20.1 
 network 10.20.20.0 mask 255.255.255.0 
#
interface Vlanif200
 ip address 10.10.20.2 255.255.255.0
 dhcp select global
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return
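
The port requirements from the configuration roadmap (PVID equal to the voice VLAN, untagged membership of that VLAN, MAC address authentication) can be checked mechanically against a saved configuration file. The following Python check is an added example, not part of the original post or any Huawei tooling; the function names, the finding labels and the sample input are constructed for illustration.

```python
import re

# Constructed input trimmed from the SwitchA file above; GE1/0/2 is deliberately broken.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 voice-vlan 100 enable
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 authentication mac-authen
#
interface GigabitEthernet1/0/2
 voice-vlan 100 enable
 port hybrid pvid vlan 200
 port hybrid untagged vlan 100 200
#
interface GigabitEthernet1/0/3
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
"""

def vlans(line):
    """Expand the VLAN list on a config line ('100 200 to 205') into a set."""
    return {v for a, b in re.findall(r"(\d+)(?: to (\d+))?", line)
            for v in range(int(a), int(b or a) + 1)}

def audit_voice_ports(config):
    """Map each voice-VLAN port to the checks it fails (empty list = clean)."""
    report = {}
    for block in re.split(r"^#[ \t]*$", config, flags=re.M):
        lines = [ln.strip() for ln in block.strip().splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        body = lines[1:]
        voice = [int(m[1]) for ln in body
                 if (m := re.fullmatch(r"voice-vlan (\d+) enable", ln))]
        if not voice:
            continue  # uplink or other port without a voice VLAN
        vid, issues = voice[0], []
        untagged = set().union(*(vlans(ln) for ln in body
                                 if ln.startswith("port hybrid untagged vlan ")))
        if f"port hybrid pvid vlan {vid}" not in body:
            issues.append("pvid")      # untagged voice frames land in another VLAN
        if vid not in untagged:
            issues.append("untagged")  # voice VLAN is not sent untagged to the phone
        if not any(ln == "authentication mac-authen"
                   or ln.startswith("authentication-profile ") for ln in body):
            issues.append("no-auth")   # nothing authenticates devices on this port
        report[lines[0].split()[1]] = issues
    return report
```

Running `audit_voice_ports` on the sample reports GigabitEthernet1/0/1 as clean and flags GigabitEthernet1/0/2 with `pvid` and `no-auth`; the uplink GigabitEthernet1/0/3 is skipped because it has no voice VLAN.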

 


user_2790689
Created Mar 22, 2017 05:38:40

thank you