This section includes the following content:
- Overview
- Configuration Notes
- Networking Requirements
- Configuration Roadmap
- Data Plan
- Procedure
- Configuration Files
Overview
If an IP phone sends packets with VLAN 0 or untagged packets, the PVID of an interface can be added to the voice packets. Then the priority of the voice packets is increased based on the VLAN ID. In versions earlier than V200R003C00, switches do not support OUI-based voice VLANs. If an IP phone can send only packets with VLAN 0 or untagged packets, the IP phone can access the switch in this mode.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to Switches.
Configuration Notes
- This example applies to all versions of all S series switches.
If the IP phone cannot go online, rectify the fault according to Appendix 1: Common Causes for IP Phones' Login Failures and Workaround.
Networking Requirements
In Figure 2-14, to save investment costs, the customer requires that IP phones connect to the network through VoIP. IP phones cannot obtain voice VLAN IDs and can send only untagged voice packets. The network plan should meet the following requirements:
- The priority of voice packets is increased to ensure communication quality of IP phones.
- Voice packets are transmitted in VLAN 100.
- IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a different network segment from that of the DHCP server.
- IP phones need to connect to switches through MAC address authentication.
Figure 2-14 Networking diagram of connecting switches to IP phones through the PVID of the voice VLAN ID
Configuration Roadmap
To implement interoperation between switches and IP phones through the PVID of the voice VLAN ID, the IP phones must obtain IP addresses, go online after authentication, and then communicate normally. Figure 2-15 shows the process for interoperation between switches and IP phones through the PVID of the voice VLAN ID.
The operations of applying for IP addresses and enabling IP phones to go online after authentication can be performed simultaneously.
Figure 2-15 Process for interoperation between switches and IP phones through the PVID of the voice VLAN ID
According to the preceding process, the configuration roadmap is as follows:
- Configure VLANs for IP phones through the PVID and enable the voice VLAN function to improve the packet priority.
- Configure the DHCP relay function and DHCP server to allocate IP addresses to IP phones.
- Configure the authentication server and enable IP phones to go online after authentication.
Data Plan
Table 2-14 Data plan for IP phones
Item | Value |
---|---|
Voice VLAN | VLAN 100 |
MAC address | 001b-d4c7-0001, 0021-a08f-0002 |
Address segment | 10.20.20.1/24 |
Authentication mode | MAC address authentication |
Table 2-15 Data plan for communication
Item | Value |
---|---|
VLAN and IP address used by SwitchA to communicate with SwitchB | VLAN 200, 10.10.20.1/24 |
VLAN and IP address used by SwitchB to communicate with SwitchA | VLAN 200, 10.10.20.2/24 |
IP address of SwitchA | 192.168.100.200 |
MAC access profile name | ipphone |
IP address of the RADIUS authentication and accounting server | 192.168.100.182 |
Port number of the RADIUS authentication server | 1812 |
Port number of the RADIUS accounting server | 1813 |
RADIUS shared key | Huawei2012 |
Procedure
- Add an interface on SwitchA to a VLAN.
# Create voice VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
# Add an interface to VLAN 100 in untagged mode.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default link type of an interface is not hybrid, and needs to be manually configured.
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100 //Packets sent by IP phones do not carry tags, so the interface must join VLAN 100 in untagged mode.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
- Enable the voice VLAN function on an interface of SwitchA and set the PVID of the interface to the voice VLAN ID.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable //Enable the voice VLAN function on the interface.
[SwitchA-GigabitEthernet1/0/1] voice-vlan remark-mode mac-address //In V200R003 and later versions, the interface needs to be configured to identify voice packets based on MAC addresses. This configuration is not required in versions earlier than V200R003.
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100 //Configure the PVID.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] voice-vlan 100 enable
[SwitchA-GigabitEthernet1/0/2] voice-vlan remark-mode mac-address
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
[SwitchA] voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
- Configure the DHCP relay function and DHCP server.
- Configure the DHCP relay function on SwitchA.
# Configure the DHCP relay function on an interface.
[SwitchA] dhcp enable //Enable DHCP globally. By default, DHCP is disabled.
[SwitchA] interface Vlanif 100
[SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0 //Assign an IP address to VLANIF 100.
[SwitchA-Vlanif100] dhcp select relay //Enable the DHCP relay function on VLANIF 100.
[SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2 //Configure the DHCP server address on the DHCP relay agent.
[SwitchA-Vlanif100] quit
# Create VLANIF 200.
[SwitchA] vlan batch 200
[SwitchA] interface Vlanif 200
[SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0 //Configure an IP address for VLANIF 200 for communication with SwitchB.
[SwitchA-Vlanif200] quit
# Add the uplink interface to VLAN 200.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 200
[SwitchA-GigabitEthernet1/0/3] quit
# Configure a default static route.
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2 //The next hop address of the route corresponds to the IP address of VLANIF 200 on SwitchB.
- Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.
# Configure an address pool.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] ip pool ip-phone //Create an address pool to allocate IP addresses to IP phones.
[SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1 //Configure the gateway address on the DHCP server.
[SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0 //Configure allocatable IP addresses in the IP address pool.
[SwitchB-ip-pool-ip-phone] quit
# Configure the DHCP server function.
[SwitchB] dhcp enable //Enable DHCP globally. By default, DHCP is disabled.
[SwitchB] vlan batch 200
[SwitchB] interface Vlanif 200 //Create VLANIF 200.
[SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0 //Assign an IP address to VLANIF 200.
[SwitchB-Vlanif200] dhcp select global //Configure SwitchB to allocate IP addresses from the global IP address pool to the IP phone.
[SwitchB-Vlanif200] quit
# Add the downlink interface to VLAN 200.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type access
[SwitchB-GigabitEthernet1/0/3] port default vlan 200
[SwitchB-GigabitEthernet1/0/3] quit
# Configure a return route.
[SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
- Configure an AAA domain and MAC address authentication for IP phones.
- Configure an AAA domain.
# Create and configure a RADIUS server template.
[SwitchA] radius-server template ipphone //Create a RADIUS server template named ipphone.
[SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012 //Configure the shared key of the RADIUS server.
[SwitchA-radius-ipphone] quit
# Configure an authentication scheme.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme radius //Create an authentication scheme named radius.
[SwitchA-aaa-authen-radius] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchA-aaa-authen-radius] quit
# Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
- Configure MAC address authentication for IP phones.
- V200R007C00 and earlier versions, and V200R008C00
# Set the NAC mode to unified.
[SwitchA] authentication unified-mode //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.
# Enable MAC address authentication on an interface.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication mac-authen //Enable MAC address authentication.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication mac-authen
[SwitchA-GigabitEthernet1/0/2] quit
- V200R009C00 and later versions
# Set the NAC mode to unified.
[SwitchA] authentication unified-mode //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.
# Configure a MAC access profile.
[SwitchA] mac-access-profile name ipphone //Create a MAC access profile named ipphone.
[SwitchA-mac-access-profile-ipphone] quit
# Configure an authentication profile.
[SwitchA] authentication-profile name ipphone //Configure an authentication profile.
[SwitchA-authen-profile-ipphone] mac-access-profile ipphone //Bind the MAC access profile ipphone to the authentication profile.
[SwitchA-authen-profile-ipphone] quit
# Apply the authentication profile to interfaces.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication-profile ipphone //Bind the MAC address authentication profile and enable MAC address authentication.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication-profile ipphone
[SwitchA-GigabitEthernet1/0/2] quit
- Configure the Agile Controller. The display of the Agile Controller varies by version. V100R003C60 is used as an example.
- Log in to the Agile Controller.
- Add a MAC account based on the MAC address of the IP phone.
- Choose Resource > User > User Management.
- Click Add in the operation area on the right. Set Account type to MAC Address Account. Enter the MAC address of the IP phone and enter any account name.
- Click OK to complete the configuration.
- Add SwitchA to the Agile Controller.
- Choose Resource > Device > Device Management.
- Click Add in the operation area on the right. On the Add Device page that is displayed, set Name to SwitchA and IP address to 192.168.100.200 (IP address used by SwitchA to communicate with the Agile Controller). Select Enable RADIUS, and set Authentication/Accounting key and Authorization key to Huawei2012 (shared key configured on SwitchA). The real-time accounting interval is not configured and accounting is performed based on the time.
- Click OK to complete the configuration.
- Add MAC address information of an IP phone to the Agile Controller.
- Choose Resource > Terminal > Terminal List.
- Click Add in the operation area on the right. On the Add Device Group page that is displayed, add an IP phone group ipphone.
- Click OK to complete the configuration.
- Click the device group in the navigation tree and select the created IP phone group ipphone.
- Click Add in the device list, add an IP phone, and enter the MAC address of the IP phone.
- Click OK to complete the configuration.
- Click Add and add the MAC address of another IP phone.
- Click OK to complete the configuration.
- Add an authentication rule.
- Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule.
- Click Add in the operation area on the right and add an authentication rule for the IP phone. Set Name to ipphone, Service type to MAC bypass authentication, and Terminal group to ipphone.
- Click OK to complete the configuration.
- Add an authorization result.
- Choose Policy > Permission Control > Authentication & Authorization > Authorization Result.
- Click Add in the operation area on the right and add an authorization result. Set Name to voice vlan 100, Service type to MAC bypass authentication, and VLAN under Authorization Parameter to 100.
- Click Add under customized authorization parameter to add authorization information. Set Vendor/Standard attribute to Huawei, Attribute ID/name to HW-Voice-Vlan(33), and Attribute type to Integer. If Attribute value is set to 1, VLAN 100 is a voice VLAN.
- Click OK to complete the configuration, and the Add Authorization Result page is displayed.
- Add authorization information on the page.
- Click OK to complete the configuration.
- Add an authorization rule.
- Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.
- Click Add in the operation area on the right and add an authorization rule for the IP phone. Set Name to ipphone, click MAC bypass authentication, set Terminal Group to ipphone, and set Authorization result to voice vlan 100.
- Click OK to complete the configuration.
- Verify the configuration.
- On the menu of the IP phone, you can see that the IP phone has correctly obtained an IP address.
- The display access-user command output on SwitchA displays connection information about IP phones.
[SwitchA] display access-user
 ------------------------------------------------------------------------------
 UserID Username                IP address       MAC            Status
 ------------------------------------------------------------------------------
 564    001bd4c71fa9            10.20.20.198     001b-d4c7-1fa9 Success
 565    0021a08f2fa8            10.20.20.199     0021-a08f-2fa8 Success
 ------------------------------------------------------------------------------
 Total: 2, printed: 2
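The voice-vlan mac-address entries from the procedure decide which source MACs the switch treats as voice traffic, while MAC address authentication decides which devices come online. The following added example (not part of the Huawei documentation; function names are hypothetical) applies the usual address-and-mask comparison, assumed here, to display access-user rows and lists online devices whose MAC matches no voice entry. The third sample row is constructed.

```python
import re

# Voice VLAN entries configured on SwitchA in the procedure: (address, mask).
VOICE_OUIS = [
    ("001b-d4c7-0000", "ffff-ffff-0000"),
    ("0021-a08f-0000", "ffff-ffff-0000"),
]

# Sample "display access-user" rows. The first two come from the verification
# step on this page; the third is constructed to show a non-matching device.
ACCESS_USERS = """\
564 001bd4c71fa9 10.20.20.198 001b-d4c7-1fa9 Success
565 0021a08f2fa8 10.20.20.199 0021-a08f-2fa8 Success
566 3c970e112233 10.20.20.200 3c97-0e11-2233 Success
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


def mac_to_int(mac: str) -> int:
    """Convert a MAC in Huawei H-H-H notation to a 48-bit integer."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not an H-H-H MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)


def is_voice_mac(mac: str, ouis=VOICE_OUIS) -> bool:
    """True if (mac AND mask) equals (entry AND mask) for any entry."""
    value = mac_to_int(mac)
    return any(
        (value & mac_to_int(mask)) == (mac_to_int(addr) & mac_to_int(mask))
        for addr, mask in ouis
    )


def audit_access_users(output: str, ouis=VOICE_OUIS):
    """Return (user_id, mac) for online users whose MAC matches no entry."""
    unmatched = []
    for line in output.splitlines():
        fields = line.split()
        # Data rows have five columns: UserID Username IP MAC Status.
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        user_id, _username, _ip, mac, status = fields
        if status == "Success" and not is_voice_mac(mac, ouis):
            unmatched.append((int(user_id), mac))
    return unmatched


if __name__ == "__main__":
    for user_id, mac in audit_access_users(ACCESS_USERS):
        print(f"UserID {user_id}: {mac} is online but matches no voice entry")
```

With the mask ffff-ffff-0000 the comparison covers the first 32 bits of the address, so only the last two bytes may vary within each entry.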
Configuration Files
SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)
#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 200
#
dhcp enable
#
radius-server template ipphone
 radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
 radius-server authentication 192.168.100.182 1812 weight 80
 radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default
  authentication-scheme radius
  radius-server ipphone
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan remark-mode mac-address
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 authentication mac-authen
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan remark-mode mac-address
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 authentication mac-authen
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
SwitchA configuration file (V200R009C00 and later versions)
#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 200
#
authentication-profile name ipphone
 mac-access-profile ipphone
#
dhcp enable
#
radius-server template ipphone
 radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
 radius-server authentication 192.168.100.182 1812 weight 80
 radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default
  authentication-scheme radius
  radius-server ipphone
#
interface Vlanif100
 ip address 10.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
 ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan remark-mode mac-address
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 authentication-profile ipphone
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan remark-mode mac-address
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 authentication-profile ipphone
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
mac-access-profile name ipphone
#
return
SwitchB configuration file
#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
 gateway-list 10.20.20.1
 network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
 ip address 10.10.20.2 255.255.255.0
 dhcp select global
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 200
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return