(Recommended) Interoperation Between Switches and Cisco IP Phones Using HDP


This section includes the following content:

Overview

A Cisco IP phone can obtain a voice VLAN ID through the Cisco Discovery Protocol (CDP) only. A Huawei switch provides the Huawei Discovery Protocol (HDP) to allocate a voice VLAN ID to the Cisco phone. To provide the HDP function, enable CDP-compatible LLDP on the interface.

For applicable IP phones, see List of IP Phone Models That Can Be Connected to Switches.

Configuration Notes

This example applies to all versions of all S series switches.

Networking Requirements

In Figure 2-8, to save investment costs, the customer requires that IP phones connect to the network through VoIP. Cisco IP phones are deployed and can obtain voice VLAN IDs through CDP only. The network plan should meet the following requirements:

  • The priority of voice packets sent by IP phones is low and needs to be increased to ensure communication quality.
  • Voice packets are transmitted in VLAN 100.
  • IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a different network segment from that of the DHCP server.
  • IP phones need to connect to switches through 802.1X authentication.

Figure 2-8  Networking diagram of connecting switches to Cisco IP phones using HDP 

Configuration Roadmap

To implement interoperation between switches and IP phones using HDP, IP phones need to obtain the voice VLAN, apply for IP addresses, go online after authentication, and send packets. Figure 2-9 shows the process for interoperation between switches and Cisco IP phones using HDP.

The operations of obtaining the voice VLAN, applying for IP addresses, and enabling IP phones to go online after authentication can be performed simultaneously.

Figure 2-9  Process for interoperation between switches and Cisco IP phones using HDP 
According to the preceding process, the configuration roadmap is as follows:

  • Enable the CDP-compatible LLDP function to allocate voice VLAN IDs to Cisco IP phones.
  • Enable the voice VLAN function to increase the packet priority.
  • Configure the DHCP relay function and DHCP server to allocate IP addresses to IP phones.
  • Configure the authentication server and enable IP phones to go online after authentication.

Data Plan

Table 2-8  Data plan for IP phones

| Item | Value |
|---|---|
| Voice VLAN | VLAN 100 |
| MAC address | 001b-d4c7-0001, 0021-a08f-0002 |
| Address segment | 10.20.20.1/24 |
| Authentication mode | 802.1X authentication |

Table 2-9  Data plan for communication

| Item | Value |
|---|---|
| VLAN and IP address used by SwitchA to communicate with SwitchB | VLAN 200, 10.10.20.1/24 |
| VLAN and IP address used by SwitchB to communicate with SwitchA | VLAN 200, 10.10.20.2/24 |
| IP address of SwitchA | 192.168.100.200 |
| 802.1X access profile name | ipphone |
| IP address of the RADIUS authentication and accounting server | 192.168.100.182 |
| Port number of the RADIUS authentication server | 1812 |
| Port number of the RADIUS accounting server | 1813 |
| RADIUS shared key | Huawei2012 |

Procedure

  1. Enable the voice VLAN function on SwitchA.

    # Create voice VLAN 100.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100

    # Add interfaces to the voice VLAN.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type hybrid   //In V200R005C00 and later versions, the default link type of an interface is not hybrid, and needs to be manually configured.
    [SwitchA-GigabitEthernet1/0/1] port hybrid tagged vlan 100  //Add the interface to voice VLAN 100 in tagged mode.
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type hybrid
    [SwitchA-GigabitEthernet1/0/2] port hybrid tagged vlan 100
    [SwitchA-GigabitEthernet1/0/2] quit

    # Enable the voice VLAN function on the interface.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] voice-vlan 100 enable
    [SwitchA-GigabitEthernet1/0/2] quit
    [SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000  //In versions earlier than V200R003, the OUI needs to be configured. The OUI corresponds to the IP phone's MAC address. In V200R003 and later versions, the OUI does not need to be configured.
    [SwitchA] voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000

  2. Enable CDP-compatible LLDP on SwitchA.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] voice-vlan legacy enable
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] voice-vlan legacy enable
    [SwitchA-GigabitEthernet1/0/2] quit

  3. Configure the DHCP relay function and DHCP server.
    1. Configure the DHCP relay function on SwitchA.

      # Configure the DHCP relay function on an interface.

      [SwitchA] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
      [SwitchA] interface Vlanif 100
      [SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0  //Assign an IP address to VLANIF 100.
      [SwitchA-Vlanif100] dhcp select relay  //Enable the DHCP relay function on VLANIF 100.
      [SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2  //Configure the DHCP server address on the DHCP relay agent.
      [SwitchA-Vlanif100] quit

      # Create VLANIF 200.

      [SwitchA] vlan batch 200
      [SwitchA] interface Vlanif 200
      [SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0  //Configure an IP address for VLANIF 200 for communication with SwitchB.
      [SwitchA-Vlanif200] quit

      # Add the uplink interface to VLAN 200.

      [SwitchA] interface gigabitethernet 1/0/3
      [SwitchA-GigabitEthernet1/0/3] port link-type access
      [SwitchA-GigabitEthernet1/0/3] port default vlan 200
      [SwitchA-GigabitEthernet1/0/3] quit

      # Configure a default static route.

      [SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2  //The next hop address of the route corresponds to the IP address of VLANIF 200 on SwitchB. 

    2. Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.

      # Configure an address pool.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchB
      [SwitchB] ip pool ip-phone  //Create an address pool to allocate IP addresses to IP phones.
      [SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1  //Configure the gateway address on the DHCP server.
      [SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0  //Configure allocatable IP addresses in the IP address pool.
      [SwitchB-ip-pool-ip-phone] quit

      # Configure the DHCP server function.

      [SwitchB] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
      [SwitchB] vlan batch 200
      [SwitchB] interface Vlanif 200  //Create VLANIF 200.
      [SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0  //Assign an IP address to VLANIF 200.
      [SwitchB-Vlanif200] dhcp select global  //Configure SwitchB to allocate IP addresses from the global IP address pool to the IP phone.
      [SwitchB-Vlanif200] quit

      # Add the downlink interface to VLAN 200.

      [SwitchB] interface gigabitethernet 1/0/3
      [SwitchB-GigabitEthernet1/0/3] port link-type access
      [SwitchB-GigabitEthernet1/0/3] port default vlan 200
      [SwitchB-GigabitEthernet1/0/3] quit

      # Configure a return route.

      [SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1

  4. Configure an AAA domain and 802.1X authentication for IP phones.
    1. Configure an AAA domain.

      # Create and configure a RADIUS server template.

      [SwitchA] radius-server template ipphone  //Create a RADIUS server template named ipphone.
      [SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812  //Configure the IP address and port number of the RADIUS authentication server.
      [SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813  //Configure the IP address and port number of the RADIUS accounting server.
      [SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012  //Configure the shared key of the RADIUS server.
      [SwitchA-radius-ipphone] quit

      # Configure an authentication scheme.

      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme radius  //Create an authentication scheme named radius.
      [SwitchA-aaa-authen-radius] authentication-mode radius  //Set the authentication mode to RADIUS.
      [SwitchA-aaa-authen-radius] quit

      # Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.

      [SwitchA-aaa] domain default  //Configure a domain named default.
      [SwitchA-aaa-domain-default] authentication-scheme radius  //Bind the authentication scheme radius to the domain.
      [SwitchA-aaa-domain-default] radius-server ipphone  //Bind the RADIUS server template ipphone to the domain.
      [SwitchA-aaa-domain-default] quit
      [SwitchA-aaa] quit

    2. Configure 802.1X authentication for IP phones.

      • V200R007C00 and earlier versions, and V200R008C00

        # Set the NAC mode to unified.

        [SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

        # Enable 802.1X authentication on an interface.

        [SwitchA] interface gigabitethernet 1/0/1
        [SwitchA-GigabitEthernet1/0/1] authentication dot1x  //Enable 802.1X authentication.
        [SwitchA-GigabitEthernet1/0/1] quit
        [SwitchA] interface gigabitethernet 1/0/2
        [SwitchA-GigabitEthernet1/0/2] authentication dot1x
        [SwitchA-GigabitEthernet1/0/2] quit
      • V200R009C00 and later versions

        # Set the NAC mode to unified.

        [SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

        # Configure access profiles.

        [SwitchA] dot1x-access-profile name ipphone  //Create an 802.1X access profile named ipphone.
        [SwitchA-dot1x-access-profile-ipphone] quit

        # Configure an authentication profile.

        [SwitchA] authentication-profile name ipphone  //Configure an authentication profile.
        [SwitchA-authen-profile-ipphone] dot1x-access-profile ipphone  //Bind the 802.1X access profile ipphone to the authentication profile.
        [SwitchA-authen-profile-ipphone] quit

        # Apply the authentication profile to interfaces.

        [SwitchA] interface gigabitethernet 1/0/1
        [SwitchA-GigabitEthernet1/0/1] authentication-profile ipphone  //Bind the 802.1X authentication profile and enable 802.1X authentication.
        [SwitchA-GigabitEthernet1/0/1] quit
        [SwitchA] interface gigabitethernet 1/0/2
        [SwitchA-GigabitEthernet1/0/2] authentication-profile ipphone
        [SwitchA-GigabitEthernet1/0/2] quit

    3. Configure the Agile Controller. The display of the Agile Controller varies by version. V100R003C60 is used as an example.

      1. Log in to the Agile Controller.
      2. Add a common account.
        1. Choose Resource > User > User Management.
        2. Click Add in the operation area on the right, and create an 802.1X account. Click Common account and enter the user name and password. The user name and password must be the same as those configured on the IP phone, and the account is set to the same value as the user name.
        3. Click OK to complete the configuration. Be aware that the account belongs to the user group named ROOT.
      3. Add SwitchA to the Agile Controller.
        1. Choose Resource > Device > Device Management.

        2. Click Add in the operation area on the right. On the Add Device page that is displayed, set Name to SwitchA and IP address to 192.168.100.200 (IP address used by SwitchA to communicate with the Agile Controller). Select Enable RADIUS, and set Authentication/Accounting key and Authorization key to Huawei2012 (shared key configured on SwitchA). The real-time accounting interval is not configured and accounting is performed based on the time.
        3. Click OK to complete the configuration.
      4. Add an authentication rule.
        1. Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule.
        2. Click Add in the operation area on the right and add an authentication rule for the IP phone. Set Name to ipphone, click Access, set User group to ROOT, and select allowed authentication protocols under Authentication Rule.
        3. Click OK to complete the configuration.
      5. Add an authorization result.
        1. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result.
        2. Click Add in the operation area on the right and add an authorization result. Set Name to voice vlan 100, Service type to Access, and VLAN under Authorization Parameter to 100.
        3. Click Add to add authorization information. Set Vendor/Standard attribute to Huawei, Attribute ID/name to HW-Voice-Vlan(33), and Attribute type to Integer. If Attribute value is set to 1, VLAN 100 is a voice VLAN.
        4. Click OK to complete the configuration, and the Add Authorization Result page is displayed.
        5. Select the added authorization information.
        6. Click OK to complete the configuration.
      6. Add an authorization rule.

        After the check in the authentication phase is passed, the authorization phase starts. During this phase, the Agile Controller assigns rights to users based on authorization rules.

        1. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.
        2. Click Add in the operation area on the right and add an authorization rule for the IP phone. Set Name to ipphone, click Access, set User group to ROOT, and set Authorization result to voice vlan 100.
        3. Click OK to complete the configuration.

  5. Verify the configuration.

    • On the menu of the IP phone, you can see that the phone has correctly obtained the voice VLAN ID and IP address.
    • The display access-user command output on SwitchA displays connection information about IP phones.
      [SwitchA] display access-user
       ------------------------------------------------------------------------------
        UserID Username     IP address       MAC            Status
       ------------------------------------------------------------------------------
        564   001bd4c71fa9  10.20.20.198     001b-d4c7-1fa9 Success
        565   0021a08f2fa8  10.20.20.199     0021-a08f-2fa8 Success
       ------------------------------------------------------------------------------
        Total: 2, printed: 2

Configuration Files

  • SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)

    #
    sysname SwitchA
    #
    voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
    voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
    #
    vlan batch 100 200
    #
    undo authentication unified-mode
    #
    dhcp enable
    #
    radius-server template ipphone
     radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
     radius-server authentication 192.168.100.182 1812 weight 80
     radius-server accounting 192.168.100.182 1813 weight 80
    #
    aaa
     authentication-scheme radius
      authentication-mode radius
     domain default
      authentication-scheme radius
      radius-server ipphone
    #
    interface Vlanif100
     ip address 10.20.20.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif200
     ip address 10.10.20.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type hybrid
     voice-vlan 100 enable
     voice-vlan legacy enable
     port hybrid tagged vlan 100
     authentication dot1x
    #
    interface GigabitEthernet1/0/2
     port link-type hybrid
     voice-vlan 100 enable
     voice-vlan legacy enable
     port hybrid tagged vlan 100
     authentication dot1x
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
    #
    return
  • SwitchA configuration file (V200R009C00 and later versions)

    #
    sysname SwitchA
    #
    vlan batch 100 200
    #
    authentication-profile name ipphone
     dot1x-access-profile ipphone
    #
    dhcp enable
    #
    radius-server template ipphone
     radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
     radius-server authentication 192.168.100.182 1812 weight 80
     radius-server accounting 192.168.100.182 1813 weight 80
    #
    aaa
     authentication-scheme radius
      authentication-mode radius
     domain default
      authentication-scheme radius
      radius-server ipphone
    #
    interface Vlanif100
     ip address 10.20.20.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif200
     ip address 10.10.20.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type hybrid
     voice-vlan 100 enable
     voice-vlan legacy enable
     port hybrid tagged vlan 100
     authentication-profile ipphone
    #
    interface GigabitEthernet1/0/2
     port link-type hybrid
     voice-vlan 100 enable
     voice-vlan legacy enable
     port hybrid tagged vlan 100
     authentication-profile ipphone
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
    #
    dot1x-access-profile name ipphone
    #
    return
  • SwitchB configuration file
    #
    sysname SwitchB
    #
    vlan batch 200
    #
    dhcp enable
    #
    ip pool ip-phone
     gateway-list 10.20.20.1
     network 10.20.20.0 mask 255.255.255.0
    #
    interface Vlanif200
     ip address 10.10.20.2 255.255.255.0
     dhcp select global
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
    #
    ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
    #
    return
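
The port-level settings this procedure establishes (hybrid link type, tagged voice VLAN, CDP-compatible LLDP, and 802.1X) can be checked against a saved SwitchA configuration file. The script below is an added example, not part of the original post or of any Huawei tool. It assumes a raw configuration file with one-space indentation and exact-match commands for VLAN 100; the function names and the port GigabitEthernet1/0/4 are hypothetical.

```python
# Constructed sample modelled on the SwitchA file above (V200R009C00 and later).
# GigabitEthernet1/0/4 is a hypothetical port added to show a failing case.
SAMPLE_CONFIG = """\
authentication-profile name ipphone
 dot1x-access-profile ipphone
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 voice-vlan 100 enable
 voice-vlan legacy enable
 port hybrid tagged vlan 100
 authentication-profile ipphone
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 200
#
interface GigabitEthernet1/0/4
 port link-type hybrid
 voice-vlan 100 enable
 port hybrid tagged vlan 100
#
return
"""

def parse_sections(config):
    """Map each top-level line to the indented commands beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()  # a "#" separator becomes a harmless empty section
            sections.setdefault(current, [])
    return sections

def has_dot1x(cmds, sections):
    """True if 802.1X is enabled directly or through a bound profile."""
    if "authentication dot1x" in cmds:  # syntax used up to V200R008C00
        return True
    bound = [c.split()[1] for c in cmds if c.startswith("authentication-profile ")]
    return any(line.startswith("dot1x-access-profile ")
               for name in bound
               for line in sections.get("authentication-profile name " + name, []))

def audit_voice_ports(config, vlan=100):
    """Return {interface: [problems]} for each port with the voice VLAN enabled."""
    sections, report = parse_sections(config), {}
    required = {
        "port link-type hybrid": "link type is not hybrid",
        f"port hybrid tagged vlan {vlan}": f"VLAN {vlan} is not tagged",
        "voice-vlan legacy enable": "CDP-compatible LLDP is off",
    }
    for head, cmds in sections.items():
        if head.startswith("interface ") and f"voice-vlan {vlan} enable" in cmds:
            problems = [msg for cmd, msg in required.items() if cmd not in cmds]
            if not has_dot1x(cmds, sections):
                problems.append("no 802.1X authentication")
            report[head.split()[1]] = problems
    return report
```

A port that appears in the report with an empty list matches the configuration on this page; ports without `voice-vlan 100 enable`, such as the uplink, are not audited.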

For more information, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples

