Switches
Interoperation and Replacement Guide 1 Interoperation Between Huawei Switches and IP Phones
Basic Concepts
Currently, the switch identifies voice traffic through MAC addresses or voice VLAN IDs of
IP phones. Before introducing the IP phone interoperation solutions, you need to understand
the following basic concepts:
• OUI
An Organizationally Unique Identifier (OUI) is the first 24 bits of a MAC address, and is
a unique identifier assigned by the Institute of Electrical and Electronics Engineers
(IEEE) to a device vendor.
Each device vendor needs to request a MAC address from the IEEE. Generally, the IEEE
allocates a 24-bit address segment, from which a device vendor allocates addresses.
During packet forwarding, a switch can identify voice devices based on OUIs and can
then identify voice packets.
• Voice VLAN
A voice VLAN is used to forward voice packets. A Huawei switch only allows a VLAN
to be specified as a voice VLAN; it cannot itself allocate the voice VLAN ID to voice
devices. Protocols such as LLDP and DHCP need to be used to allocate a specified voice
VLAN ID to voice devices.
• VLAN Tag
802.1Q defines the format of a VLAN tag.
A VLAN tag consists of 16 bits. The PRI (also called CoS or 802.1p priority) occupies 3
bits, CFI occupies 1 bit, and VID occupies 12 bits.
Packet types are defined based on VLAN tags as follows:
a. Untagged packets: Packets do not carry VLAN tags.
b. Packets tagged with VLAN 0: Packets carry tags with VLAN 0.
c. Tagged packets: Packets carry tags with a non-zero VLAN ID.
A high priority specified by the CoS value (usually 5) needs to be set for voice packets
so that they can be forwarded preferentially. Generally, IP phones of mainstream vendors
(for example, Cisco 7962) send tagged voice packets in which the default CoS value is 5.
There are many types of IP phones, and the CoS values of some IP phones cannot be set
to 5.
The method for connecting IP phones to switches varies according to the VLAN tags of
packets and the configured CoS values. The following table lists the categories of
packets sent by IP phones.
NOTE
A Huawei switch processes packets tagged with VLAN 0 in the same manner as untagged packets; that
is, an interface adds the VLAN tag specified by the PVID to the packets. For voice packets, the switch
needs to identify them based on the OUI and add the voice VLAN ID to the voice packets so that the
voice packets can be forwarded in the voice VLAN.
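The tag layout and the three packet categories above can be checked against raw frames. The following Python sketch is an added example, not Huawei code: it parses the 16 bits that follow the 0x8100 TPID and applies a simplified model of the handling described in the NOTE. The voice VLAN, PVID and mask rules are taken from the SwitchA example on this page; `REMARK_COS`, the helper names and the sample MAC addresses are assumptions.

```python
import struct

TPID_8021Q = 0x8100

# Values from the page's SwitchA example. REMARK_COS is an assumption:
# the page only says the voice CoS is "usually 5".
VOICE_VLAN = 100
PVID = 101
VOICE_RULES = [("001b-d4c7-0000", "ffff-ffff-0000"),
               ("0021-a08f-0000", "ffff-ffff-0000")]
REMARK_COS = 5


def mac_to_int(text):
    """Parse xxxx-xxxx-xxxx (Huawei), xx:xx:... or bare hex notation."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return int(digits, 16)


def is_voice_mac(src, rules=VOICE_RULES):
    """True if src matches a 'voice-vlan mac-address ... mask ...' rule."""
    for addr, mask in rules:
        m = mac_to_int(mask)
        if (mac_to_int(src) & m) == (mac_to_int(addr) & m):
            return True
    return False


def parse_tag(frame):
    """Return (kind, pri, cfi, vid); kind is untagged, vlan0 or tagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return ("untagged", None, None, None)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    pri, cfi, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
    return ("vlan0" if vid == 0 else "tagged", pri, cfi, vid)


def classify(frame, include_untagged=True):
    """Simplified model: return the (VLAN, CoS) a frame is forwarded with.

    VLAN membership filtering on the interface is not modelled.
    """
    kind, pri, _cfi, vid = parse_tag(frame)
    src = frame[6:12].hex()
    if kind == "tagged":
        if vid == VOICE_VLAN:            # identified by voice VLAN ID
            return (VOICE_VLAN, REMARK_COS)
        return (vid, pri)
    # Untagged and VLAN 0 frames are handled the same way (see the NOTE).
    if include_untagged and is_voice_mac(src):
        return (VOICE_VLAN, REMARK_COS)  # identified by source MAC only
    return (PVID, pri or 0)


def build_frame(src, tci=None):
    """Constructed sample frame: broadcast destination, IPv4, zero payload."""
    head = b"\xff" * 6 + bytes.fromhex(src.replace("-", "").replace(":", ""))
    tag = b"" if tci is None else struct.pack("!HH", TPID_8021Q, tci)
    return head + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    phone, pc = "001b-d4c7-1234", "0200-0000-0001"   # constructed addresses
    for label, frame in [("phone untagged", build_frame(phone)),
                         ("phone VLAN 0", build_frame(phone, 0x0000)),
                         ("phone VLAN 100 CoS 3", build_frame(phone, 0x6064)),
                         ("PC untagged", build_frame(pc))]:
        print(label, parse_tag(frame), classify(frame))
```

The mask `ffff-ffff-0000` compares 32 bits, so it is narrower than the 24-bit OUI, and the match depends only on the source MAC prefix, which identifies an address range rather than a specific device.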
[Figure 1-1: an IP phone containing a phone ASIC and a 3-port switch with ports P1, P2 and P3]
In Figure 1-1, the IP phone provides two interfaces to connect to an uplink switch and a PC,
respectively. When the IP phone and PC are deployed simultaneously, there are two methods:
• The downstream PC connects to the IP phone, as shown in Figure 1-2. Only one
interface on a switch is occupied. That is, one network interface provides both voice and
data services.
• The PC and IP phone connect to the switch separately, as shown in Figure 1-3. Voice
and data flows are deployed separately, facilitating management and maintenance.
Huawei PoE switches can supply power to IP phones. For details, see 2.1 Power Supply Guide for
Interoperation Between Huawei PoE Switches and IP Phones.
Different solutions are available for connecting IP phones with different attributes to different
device models. For details, see List of IP Phone Models That Can Be Connected to
Switches. The following table provides detailed configuration guidance for the interoperation
solutions. You can select a solution based on the device model, version, and applicable
scenario.
1.3 (Recommended) Interoperation Between Switches and IP Phones Through LLDP
Applicable scenario:
• IP phones can obtain voice VLAN IDs through LLDP.
• Switches that are enabled with the voice VLAN function can identify voice packets based
on voice VLAN IDs and increase the packet priority.
• MAC address authentication is configured for IP phones, and 802.1X authentication is
configured for the PC.
Applicable versions and models: All versions and all models except the S2700SI and S2710SI.

1.5 (Recommended) Interoperation Between Switches and Cisco IP Phones Using HDP
Applicable scenario:
• IP phones can obtain voice VLAN IDs through CDP.
• Switches that are enabled with the voice VLAN function can identify voice packets based
on voice VLAN IDs and increase the packet priority.
• 802.1X authentication is configured for IP phones.
Applicable versions and models: All versions and all models.

1.7 Interoperation Between Switches and IP Phones Through MAC Address-based VLAN Assignment
Applicable scenario:
• IP phones cannot obtain voice VLAN IDs through any protocol, and voice packets are
forwarded in the VLAN specified through MAC address-based VLAN assignment.
• Switches that are enabled with the MAC address-based assignment function can identify
voice packets based on MAC addresses and increase the packet priority.
• IP phones can go online directly without authentication.
Applicable versions and models: All versions and all models.

1.8 Interoperation Between Switches and IP Phones Through the PVID of the Voice VLAN ID
Applicable scenario:
• IP phones cannot obtain voice VLAN IDs through any protocol, and voice packets are
forwarded in the VLAN specified through the PVID of the interface.
• Switches that are enabled with the voice VLAN function can identify voice packets based
on MAC addresses and increase the packet priority.
• MAC address authentication is configured for IP phones.
Applicable versions and models: All versions and all models.

1.9 Interoperation Between Switches and IP Phones Through an ACL
Applicable scenario:
• IP phones cannot obtain voice VLAN IDs through any protocol, and voice packets are
forwarded in the VLAN specified through an ACL.
• Switches that are configured with ACLs can identify voice packets based on MAC
addresses and increase the packet priority.
• 802.1X authentication is configured for IP phones.
Applicable versions and models: All modular switches and the following fixed switches:
• S2700 series: S2752EI
• S3700 series: all models
• S5700 series: S5700EI, S5700HI, S5710EI, S5720EI, S5710HI, S5720HI, and S5730HI
• S6700 series: S6700EI, S6720EI, S6720S-EI, and S6720HI

1.10 Interoperation Between Switches and IP Phones Through a Simplified Traffic Policy
Applicable scenario:
• IP phones cannot obtain voice VLAN IDs through any protocol, and voice packets are
forwarded in the VLAN specified through a traffic policy.
• Switches that are configured with traffic policies can identify voice packets based on
MAC addresses and increase the packet priority.
• 802.1X authentication is configured for IP phones.
Applicable versions and models: All versions and models of fixed switches. All modular
switches of V200R005C00 and later versions.
Overview
If an IP phone supports LLDP, you can enable LLDP and voice VLAN on the switch to
provide VoIP access. Then the switch uses LLDP to deliver the voice VLAN ID to the IP
phone and increases the packet priority through the voice VLAN.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to
Switches.
Configuration Notes
• Except for the S2700SI and S2710SI, all models of all versions support this
configuration.
• If the IP phone cannot go online, rectify the fault according to 1.11 Appendix 1:
Common Causes for IP Phones' Login Failures and Workaround.
Networking Requirements
In Figure 1-4, to save investment costs, the customer requires that IP phones and PCs connect
to the network through VoIP. IP phones support LLDP and can obtain voice VLAN IDs
through LLDP. The network plan should meet the following requirements:
• The priority of voice packets sent by IP phones is low and needs to be increased to
ensure communication quality.
• Voice packets are transmitted in VLAN 100, and data packets from PCs are transmitted
in VLAN 101.
• IP addresses of IP phones and PCs are dynamically allocated by the DHCP server, and are
on a different network segment from that of the DHCP server.
• IP phones need to connect to switches through MAC address authentication, and PCs need
to connect to switches through 802.1X authentication.
[Figure 1-4 labels: intranet, Switch A (DHCP relay), interfaces GE1/0/1, GE1/0/2 and GE1/0/3, IP phone A, IP phone B, PC]
Configuration Roadmap
To implement interoperation between switches and IP phones through LLDP, IP phones need
to obtain the voice VLAN, apply for IP addresses, go online after authentication, and send
packets. Figure 1-5 shows the process for interoperation between switches and IP phones
through LLDP.
The operations of obtaining the voice VLAN, applying for IP addresses, and enabling IP
phones to go online after authentication can be performed simultaneously. The PC connected
to the IP phone does not need to obtain VLAN information. Instead, you only need to apply
for an IP address and enable the PC to go online after authentication.
Figure 1-5 Process for interoperation between switches and IP phones through LLDP
Participants: IP phone, DHCP relay (SwitchA), DHCP server (SwitchB), authentication server (Agile Controller).
Apply for an IP address:
1. Send a DHCP message.
2. Apply for an IP address.
Go online after authentication:
1. Send an authentication request to the authentication server.
2. Send the authentication success message and the IP phone goes online successfully.
Send packets:
1. Send a packet carrying VLAN tags.
2. Identify the voice packet and improve the packet priority.
Data Plan
Item Value
Procedure
Step 1 Enable LLDP on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] lldp enable //Enable LLDP globally. By default, LLDP is enabled on an interface.
2. Configure SwitchB as the DHCP server to allocate IP addresses to IP phones and PC.
# Configure an address pool.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] ip pool ip-phone //Create an address pool to allocate IP addresses to IP phones.
[SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1 //Configure a gateway address for IP phones.
[SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0 //Configure allocatable IP addresses in the IP address pool.
[SwitchB-ip-pool-ip-phone] quit
[SwitchB] ip pool ip-pc //Create an address pool to allocate IP addresses to the PC.
[SwitchB-ip-pool-ip-pc] gateway-list 10.20.30.1 //Configure a gateway address for the PC.
[SwitchB-ip-pool-ip-pc] network 10.20.30.0 mask 255.255.255.0 //Configure allocatable IP addresses in the IP address pool.
[SwitchB-ip-pool-ip-pc] quit
Step 5 Configure an AAA domain, and configure MAC address authentication for IP phones and
802.1X authentication for the PC.
1. Configure an AAA domain.
# Create and configure a RADIUS server template.
[SwitchA] radius-server template ipphone //Create a RADIUS server template named ipphone.
[SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012 //Configure the shared key of the RADIUS server.
[SwitchA-radius-ipphone] quit
# Create an AAA domain and bind the RADIUS server template and authentication
scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
2. Configure MAC address authentication for IP phones and 802.1X authentication for PC.
– V200R007C00 and earlier versions, and V200R008C00
# Set the NAC mode to unified.
[SwitchA] authentication unified-mode //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.
[SwitchA-dot1x-access-profile-ipphone] quit
[SwitchA] mac-access-profile name ipphone //Create a MAC access profile named ipphone. If no user name and password are specified in the MAC access profile, both the user name and password are MAC addresses without separators or colons.
[SwitchA-mac-access-profile-ipphone] quit
3. Configure the Agile Controller. The display of the Agile Controller varies by version.
V100R003C60 is used as an example.
a. Log in to the Agile Controller.
b. Create an 802.1X account used for PC authentication.
i. Choose Resource > User > User Management.
ii. Click Add in the operation area on the right. Click Common account and
enter the user name and password. The configured user name and password
must be the same as those configured on the PC, and the account is configured
to be the same as the user name. Be aware that the account belongs to the user
group ROOT.
i. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule.
ii. Click Add in the operation area on the right. On the Add Authentication Rule
page that is displayed, add an authentication rule for the PC. Set Name to PC,
click Access, set User group to ROOT, and select allowed authentication
protocols under Authentication Condition.
iv. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
v. Add authorization information on the page.
Total: 3, printed: 3
----End
Configuration Files
• SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)
#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 to 101 200
#
lldp enable
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K
%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif101
ip address 10.20.30.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 100 enable
port hybrid pvid vlan 101
authentication-profile name ipphone
dot1x-access-profile ipphone
mac-access-profile ipphone
authentication dot1x-mac-bypass
#
lldp enable
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K
%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif101
ip address 10.20.30.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 100 enable
port hybrid pvid vlan 101
dot1x-access-profile name ipphone
gateway-list 10.20.20.1
ip pool ip-pc
gateway-list 10.20.30.1
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/3
port link-type access
• Configuration Files
Overview
If an IP phone sends packets with VLAN 0 or untagged packets, the switch can identify the
OUI of the untagged packet from the IP phone. Then the switch adds the voice VLAN ID to
the packet and increases the priority of the packet based on the voice VLAN ID.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to
Switches.
Configuration Notes
• This example applies to all models of V200R003C00 and later versions.
• For fixed devices (S5720EI, S6720EI, S6720S-EI) and modular devices (excluding X
series cards), in V200R010 and later versions, run the voice-vlan vlan-id enable
include-tag0 command to enable the switch to identify packets with tag 0 as voice
packets and add the voice VLAN ID to the packets.
• When IP phones are connected in Voice-VLAN include-untagged mode, disable LLDP
on the interface or run the undo lldp tlv-enable med-tlv network-policy command to
prevent the switch and IP phones from advertising the VLAN configuration. Otherwise,
the switch allocates the voice VLAN ID to IP phones through LLDP. The IP phones then
send tagged packets to the switch, whereas the switch forwards untagged packets to the
IP phones. As a result, IP phones cannot go online.
• If Mitel 5212 phones cannot go online, rectify the fault by referring to Cause 6:
Customized Options Are Not Configured for a Switch Functioning as the DHCP
Server. As a Result, Mitel 5212 Phones Fail to Go Online.
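The notes above, together with the requirements of this scenario (a configured voice MAC rule, MAC address authentication and DHCP snooping), can be turned into a configuration check. The following Python sketch is an added example, not a Huawei tool: it audits a saved configuration for every interface that uses `include-untagged`. The function names, finding labels, the `lldp_on_by_default` switch (which stands for versions where LLDP must be disabled manually) and both sample configurations are assumptions constructed for illustration.

```python
import re

INCLUDE_UNTAGGED = re.compile(r"voice-vlan \d+ enable include-untagged")
LLDP_OPT_OUT = ("undo lldp enable",
                "undo lldp tlv-enable med-tlv network-policy")


def parse_config(text):
    """Return (global_lines, {interface: [lines]}) for a VRP-style config."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                       # '#' closes the current view
            current = None
        elif not raw[0].isspace() and line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text, lldp_on_by_default=False):
    """List (interface, finding) pairs for include-untagged voice ports."""
    glob, interfaces = parse_config(text)
    lldp_active = lldp_on_by_default or "lldp enable" in glob
    has_rule = any(l.startswith("voice-vlan mac-address ") for l in glob)
    snooping = "dhcp snooping enable" in glob
    findings = []
    for name, lines in interfaces.items():
        if not any(INCLUDE_UNTAGGED.fullmatch(l) for l in lines):
            continue
        if not has_rule:                      # untagged mode needs a MAC rule
            findings.append((name, "no-voice-mac-rule"))
        if lldp_active and not any(l in LLDP_OPT_OUT for l in lines):
            findings.append((name, "lldp-advertises-voice-vlan"))
        if not any(l.startswith(("authentication ", "authentication-profile "))
                   for l in lines):
            findings.append((name, "no-authentication"))
        if not (snooping and "dhcp snooping enable" in lines):
            findings.append((name, "no-dhcp-snooping"))
    return findings


# Constructed sample modelled on the SwitchA configuration files on this page.
CONFIG_OK = """\
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
#
dhcp snooping enable
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 voice-vlan 100 enable include-untagged
 port hybrid untagged vlan 100
 authentication-profile ipphone
 undo lldp enable
 dhcp snooping enable
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 200
 dhcp snooping trusted
#
"""

# Constructed counter-example with several of the omissions in one file.
CONFIG_BAD = """\
#
lldp enable
#
dhcp snooping enable
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 voice-vlan 100 enable include-untagged
 port hybrid untagged vlan 100
 authentication mac-authen
 dhcp snooping enable
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 voice-vlan 100 enable include-untagged
 port hybrid untagged vlan 100
 undo lldp enable
#
"""

if __name__ == "__main__":
    for label, cfg in (("ok", CONFIG_OK), ("bad", CONFIG_BAD)):
        print(label, audit(cfg, lldp_on_by_default=True))
```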
Networking Requirements
In Figure 1-6, to save investment costs, the customer requires that IP phones connect to the
network through VoIP. IP phones cannot obtain voice VLAN IDs and can send only untagged
voice packets. The network plan should meet the following requirements:
• The priority of voice packets is increased to ensure communication quality of IP phones.
• Voice packets are transmitted in VLAN 100.
• IP addresses of IP phones are on a different network segment from that of the DHCP
server, and DHCP snooping is configured to improve network security.
• IP phones need to connect to switches through MAC address authentication.
Figure 1-6 Networking diagram of connecting switches to IP phones through the OUI-based
voice VLAN
[Figure labels: authentication server, intranet, Switch A (DHCP relay), interfaces GE1/0/1, GE1/0/2 and GE1/0/3, IP phone A, IP phone B]
Configuration Roadmap
To implement interoperation between switches and IP phones through the OUI-based voice
VLAN, you need to apply for IP addresses for IP phones, bring IP phones online after
authentication, and conduct communication normally. Figure 1-7 shows the process for
interoperation between switches and IP phones through the OUI-based voice VLAN.
The operations of applying for IP addresses and enabling IP phones to go online after
authentication can be performed simultaneously.
Figure 1-7 Process for interoperation between switches and IP phones through the OUI-based
voice VLAN
Participants: IP phone, DHCP relay (SwitchA), DHCP server (SwitchB), authentication server (Agile Controller).
Apply for an IP address:
1. Send a DHCP message.
2. Apply for an IP address.
Go online after authentication:
1. Send an authentication request to the authentication server.
2. Send the authentication success message and the IP phone goes online successfully.
Send packets:
1. Send a packet without VLAN tags.
2. Match the MAC address and improve the packet priority.
Data Plan
Item Value
Procedure
Step 1 Add an interface on SwitchA to a VLAN.
# Create voice VLAN 100
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
Step 2 On SwitchA, configure the interface to add the voice VLAN ID to untagged packets and
configure the OUI.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable include-untagged //Configure the interface to add the voice VLAN ID to untagged packets. In V200R010 and later versions, run the voice-vlan vlan-id enable include-tag0 command to enable the switch to process packets tagged with voice VLAN 0 for the S5720EI, S6720EI, S6720S-EI, and modular switches (excluding switches using X series cards).
[SwitchA-GigabitEthernet1/0/1] undo lldp enable //In V200R011C10 and later versions, you need to manually disable LLDP.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] voice-vlan 100 enable include-untagged
[SwitchA-GigabitEthernet1/0/2] undo lldp enable
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000 //When the interface is configured to add the voice VLAN ID to untagged packets, this command must be configured. The MAC address is the IP phone's MAC address.
[SwitchA] voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
Step 5 Configure an AAA domain and MAC address authentication for IP phones.
1. Configure an AAA domain.
# Create an AAA domain and bind the RADIUS server template and authentication
scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
administrator must save the configuration and restart the switch to make
the configuration take effect.
3. Configure the Agile Controller. The display of the Agile Controller varies by version.
V100R003C60 is used as an example.
a. Log in to the Agile Controller.
b. Add a MAC account based on the MAC address of the IP phone.
i. Choose Resource > User > User Management.
ii. Click Add in the operation area on the right. Account type select MAC
Address Account. Enter the MAC address of the IP phone and enter the
account name randomly.
iv. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
v. Add authorization information on the page.
Total: 2, printed: 2
----End
Configuration Files
• SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)
#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 200
#
dhcp enable
#
dhcp snooping enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K
%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 100 enable include-untagged
port hybrid untagged vlan 100
authentication mac-authen
dhcp snooping enable
#
interface GigabitEthernet1/0/2
port link-type hybrid
voice-vlan 100 enable include-untagged
port hybrid untagged vlan 100
authentication mac-authen
dhcp snooping enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
dhcp snooping trusted
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K
%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 100 enable include-untagged
port hybrid untagged vlan 100
authentication-profile ipphone
dhcp snooping enable
#
interface GigabitEthernet1/0/2
port link-type hybrid
voice-vlan 100 enable include-untagged
port hybrid untagged vlan 100
authentication-profile ipphone
dhcp snooping enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
dhcp snooping trusted
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
mac-access-profile name ipphone
#
return
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 100 enable include-untagged
port hybrid untagged vlan 100
authentication-profile ipphone
undo lldp enable
dhcp snooping enable
#
interface GigabitEthernet1/0/2
port link-type hybrid
voice-vlan 100 enable include-untagged
port hybrid untagged vlan 100
authentication-profile ipphone
undo lldp enable
dhcp snooping enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
dhcp snooping trusted
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
mac-access-profile name ipphone
#
return
Overview
A Cisco IP phone can obtain a voice VLAN ID through the Cisco Discovery Protocol (CDP)
only. A Huawei switch provides the Huawei Discovery Protocol (HDP) to allocate a voice
VLAN ID to the Cisco phone. To provide the HDP function, enable CDP-compatible LLDP
on the interface.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to
Switches.
Configuration Notes
This example applies to all versions of all S series switches.
Networking Requirements
In Figure 1-8, to save investment costs, the customer requires that IP phones connect to the
network through VoIP. Cisco IP phones are deployed and can obtain voice VLAN IDs through
CDP only. The network plan should meet the following requirements:
• The priority of voice packets sent by IP phones is low and needs to be increased to
ensure communication quality.
• Voice packets are transmitted in VLAN 100.
• IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a
different network segment from that of the DHCP server.
• IP phones need to connect to switches through 802.1X authentication.
Figure 1-8 Networking diagram of connecting switches to Cisco IP phones using HDP
[Figure labels: authentication server, intranet, Switch A (DHCP relay), interfaces GE1/0/1, GE1/0/2 and GE1/0/3, IP phone A, IP phone B]
Configuration Roadmap
To implement interoperation between switches and IP phones using HDP, IP phones need to
obtain the voice VLAN, apply for IP addresses, go online after authentication, and send
packets. Figure 1-9 shows the process for interoperation between switches and Cisco IP
phones using HDP.
The operations of obtaining the voice VLAN, applying for IP addresses, and enabling IP
phones to go online after authentication can be performed simultaneously.
Figure 1-9 Process for interoperation between switches and Cisco IP phones using HDP
Participants: Cisco IP phone, DHCP relay (SwitchA), DHCP server (SwitchB), authentication server (Agile Controller).
Apply for an IP address:
1. Send a DHCP message.
2. Apply for an IP address.
Go online after authentication:
1. Send an authentication request to the authentication server.
2. Send the authentication success message and the IP phone goes online successfully.
Send packets:
1. Send a packet carrying VLAN tags.
2. Identify the voice packet and improve the packet priority.
Data Plan
Item Value
Procedure
Step 1 Enable the voice VLAN function on SwitchA.
# Create voice VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
# Create an AAA domain and bind the RADIUS server template and authentication
scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
3. Configure the Agile Controller. The display of the Agile Controller varies by version.
V100R003C60 is used as an example.
a. Log in to the Agile Controller.
b. Add a common account.
i. Choose Resource > User > User Management.
ii. Click Add in the operation area on the right, and create an 802.1X account.
Click Common account and enter the user name and password. The
configured user name and password must be the same as those configured on
the IP phone, and the account is configured to be the same as the user name.
iii. Click OK to complete the configuration. Be aware that the account belongs to
the user group named ROOT.
c. Add SwitchA to the Agile Controller.
i. Choose Resource > Device > Device Management.
ii. Click Add in the operation area on the right. On the Add Device page that is
displayed, set Name to SwitchA and IP address to 192.168.100.200 (IP
address used by SwitchA to communicate with the Agile Controller). Select
Enable RADIUS, and set Authentication/Accounting key and
Authorization key to Huawei2012 (shared key configured on SwitchA). The
real-time accounting interval is not configured and accounting is performed
based on the time.
iv. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
v. Select the added authorization information.
Total: 2, printed: 2
----End
Configuration Files
• SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)
#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 200
#
undo authentication unified-mode
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K
%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 100 enable
voice-vlan legacy enable
port hybrid tagged vlan 100
authentication dot1x
#
interface GigabitEthernet1/0/2
port link-type hybrid
voice-vlan 100 enable
voice-vlan legacy enable
port hybrid tagged vlan 100
authentication dot1x
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
• SwitchA configuration file (V200R009C00 and later versions)
#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name ipphone
dot1x-access-profile ipphone
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K
%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 100 enable
voice-vlan legacy enable
port hybrid tagged vlan 100
authentication-profile ipphone
#
interface GigabitEthernet1/0/2
port link-type hybrid
voice-vlan 100 enable
voice-vlan legacy enable
port hybrid tagged vlan 100
authentication-profile ipphone
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x-access-profile name ipphone
#
return
Overview
If an IP phone can obtain the voice VLAN through the network-policy TLV field of LLDP
and the voice packet sent by the IP phone has a higher priority, you can configure the
lldp tlv-enable med-tlv network-policy voice-vlan command on the switch to assign a voice
VLAN to the IP phone, and configure the trusted packet priority on the interface to connect
the IP phone to the network.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to
Switches.
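What the network-policy TLV carries on the wire, as an added example that is not part of the original guide: the Python below encodes and decodes the LLDP-MED Network Policy TLV (ANSI/TIA-1057 layout) for the vlan 100 cos 6 dscp 60 values that Step 1 of this example configures, and compares a captured TLV with the planned values. The function names are illustrative, and the tagged flag being set is an assumption based on the phones sending tagged packets in VLAN 100.

```python
import struct

TIA_OUI = bytes.fromhex("0012bb")  # OUI that identifies LLDP-MED TLVs
ORG_SPECIFIC = 127                 # LLDP TLV type: organizationally specific
NETWORK_POLICY = 2                 # LLDP-MED subtype: Network Policy
APP_VOICE = 1                      # LLDP-MED application type: Voice


def build_network_policy(vlan, cos, dscp, tagged=True, app_type=APP_VOICE):
    """Encode a Network Policy TLV (2-byte header + 8-byte value)."""
    for name, value, top in (("vlan", vlan, 4095), ("cos", cos, 7), ("dscp", dscp, 63)):
        if not 0 <= value <= top:
            raise ValueError(f"{name} must be 0..{top}, got {value}")
    # 24-bit policy word: U(1) T(1) X(1) VLAN(12) L2 priority(3) DSCP(6)
    policy = (int(tagged) << 22) | (vlan << 9) | (cos << 6) | dscp
    value = TIA_OUI + bytes([NETWORK_POLICY, app_type]) + policy.to_bytes(3, "big")
    # TLV header: 7-bit type followed by 9-bit length
    return struct.pack("!H", (ORG_SPECIFIC << 9) | len(value)) + value


def parse_network_policy(tlv):
    """Decode one Network Policy TLV; raise ValueError for anything else."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV header")
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x1FF
    value = tlv[2:2 + length]
    if tlv_type != ORG_SPECIFIC or length != 8 or len(value) != 8:
        raise ValueError("not an 8-byte organizationally specific TLV")
    if value[:3] != TIA_OUI or value[3] != NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    policy = int.from_bytes(value[5:8], "big")
    return {
        "app_type": value[4],
        "unknown_policy": bool((policy >> 23) & 1),
        "tagged": bool((policy >> 22) & 1),
        "vlan": (policy >> 9) & 0xFFF,
        "cos": (policy >> 6) & 0x7,
        "dscp": policy & 0x3F,
    }


def mismatches(tlv, vlan, cos, dscp):
    """Compare a captured TLV with the planned voice policy; return the differences."""
    seen = parse_network_policy(tlv)
    planned = {"app_type": APP_VOICE, "tagged": True, "vlan": vlan, "cos": cos, "dscp": dscp}
    return {key: (seen[key], want) for key, want in planned.items() if seen[key] != want}


# Values from Step 1 of this example: voice-vlan vlan 100 cos 6 dscp 60
STEP1_TLV = build_network_policy(vlan=100, cos=6, dscp=60)

if __name__ == "__main__":
    print(STEP1_TLV.hex())
    print(parse_network_policy(STEP1_TLV))
    # Constructed sample: a port advertising VLAN 200 instead of the planned VLAN 100
    print(mismatches(build_network_policy(200, 6, 60), 100, 6, 60))
```

Running `mismatches` over the TLV seen in a capture on each phone port shows at once whether the advertised voice VLAN, CoS or DSCP has drifted from the plan.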
Configuration Notes
l This example applies to all models of V200R002 and later versions.
l If the IP phone cannot go online, rectify the fault according to 1.11 Appendix 1:
Common Causes for IP Phones' Login Failures and Workaround.
Networking Requirements
In Figure 1-10, to save investment costs, the customer requires that IP phones connect to the
network through VoIP. IP phones can obtain voice VLAN IDs from the network-policy TLV
field of LLDP. The network plan should meet the following requirements:
l Voice packets sent by IP phones can carry VLAN tags and have a high priority, and only
the trusted packet priority needs to be configured on switches.
l Voice packets are transmitted in VLAN 100.
l IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a
different network segment from that of the DHCP server.
l IP phones need to connect to switches through 802.1X authentication and MAC address
authentication.
(Figure 1-10 diagram labels: intranet; GE1/0/3; Switch A (DHCP relay); GE1/0/1, GE1/0/2; IP phone A, IP phone B)
Configuration Roadmap
To implement interoperation between switches and IP phones through LLDP-MED, IP phones
need to obtain the voice VLAN, apply for IP addresses, go online after authentication, and
send packets. Figure 1-11 shows the process for interoperation between switches and IP
phones through LLDP-MED.
The operations of obtaining the voice VLAN, applying for IP addresses, and enabling IP
phones to go online after authentication can be performed simultaneously.
Figure 1-11 Process for interoperation between switches and IP phones through LLDP-MED
Participants: IP phone; DHCP relay (SwitchA); DHCP server (SwitchB); Authentication server (Agile Controller)
Apply for an IP address: 1. Send a DHCP message.
Go online after authentication: 1. Send an authentication request to the authentication server. 2. Send the authentication success message and the IP phone goes online successfully.
Send packets: 1. Send a packet carrying VLAN tags. 2. Enable the trusted packet priority and forward the packet directly.
Data Plan
Procedure
Step 1 Enable LLDP on SwitchA and configure the network-policy TLV field on interfaces.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] lldp enable //After LLDP is enabled globally, LLDP is enabled on all interfaces by default.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60 //Configure the switch to use the network-policy TLV field to allocate a voice VLAN ID and priority to IP phones.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60
[SwitchA-GigabitEthernet1/0/2] quit
Step 5 Configure an AAA domain and configure 802.1X authentication and MAC address
authentication for IP phones.
1. Configure an AAA domain.
# Create and configure a RADIUS server template.
[SwitchA] radius-server template ipphone //Create a RADIUS server template named ipphone.
[SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012 //Configure the shared key of the RADIUS server.
[SwitchA-radius-ipphone] quit
# Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
3. Configure the Agile Controller. The display of the Agile Controller varies by version.
V100R003C60 is used as an example.
a. Log in to the Agile Controller.
b. Add a common account.
i. Choose Resource > User > User Management.
ii. Click Add in the operation area on the right, and create an 802.1X account.
Click Common account and enter the user name and password. The
configured user name and password must be the same as those configured on
the IP phone, and the account is configured to be the same as the user name.
iii. Click OK to complete the configuration. Be aware that the account belongs to
the user group named ROOT.
c. Add SwitchA to the Agile Controller.
i. Choose Resource > Device > Device Management.
ii. Click Add in the operation area on the right. On the Add Device page that is
displayed, set Name to SwitchA and IP address to 192.168.100.200 (IP
address used by SwitchA to communicate with the Agile Controller). Select
Enable RADIUS, and set Authentication/Accounting key and
Authorization key to Huawei2012 (shared key configured on SwitchA). The
real-time accounting interval is not configured and accounting is performed
based on the time.
ii. Click Add in the operation area on the right and add an authentication rule for
the IP phone using 802.1X authentication. Set Name to ipphone_8021x, click
Access, set User group to ROOT, and select allowed authentication protocols
under Authentication Rule.
iv. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
v. Add authorization information on the page.
ix. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
x. Add authorization information on the page.
----End
Configuration Files
l SwitchA configuration file (V200R007C00 and V200R008C00)
#
sysname SwitchA
#
vlan batch 100 200
#
undo authentication unified-mode
#
lldp enable
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
service-scheme ipphone
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
trust 8021p inner
dot1x-access-profile ipphone
mac-access-profile ipphone
authentication dot1x-mac-bypass
#
lldp enable
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
service-scheme ipphone
domain default
authentication-scheme radius
service-scheme ipphone
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
authentication-profile ipphone
trust 8021p inner
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name ipphone
mac-access-profile name mac_access_profile
Overview
If an IP phone does not support LLDP or DHCP, a switch cannot allocate a voice VLAN ID to
it. You can configure MAC address-based VLAN assignment on the switch. Then the switch
identifies voice packets based on the MAC address of the IP phone and increases the priority
of voice packets.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to
Switches.
Configuration Notes
l This example applies to all versions of all S series switches.
l If the IP phone cannot go online, rectify the fault according to 1.11 Appendix 1:
Common Causes for IP Phones' Login Failures and Workaround.
Networking Requirements
In Figure 1-12, to save investment costs, the customer requires that IP phones connect to the
network through VoIP. IP phones cannot obtain voice VLAN IDs and can send only untagged
voice packets. The network plan should meet the following requirements:
l The priority of voice packets needs to be increased to ensure communication quality.
l Voice packets are transmitted in VLAN 100.
l IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a
different network segment from that of the DHCP server.
l IP phones can go online without authentication because the network environment is
secure.
Figure 1-12 Networking diagram of connecting switches and IP phones through MAC
address-based VLAN assignment
(Diagram labels: Authentication server; intranet; GE1/0/3; Switch A (DHCP relay); GE1/0/1, GE1/0/2; IP phone A, IP phone B)
Configuration Roadmap
To implement interoperation between switches and IP phones through MAC address-based
VLAN assignment, you need to apply for IP addresses for IP phones, bring IP phones online
without authentication, and conduct communication normally. Figure 1-13 shows the process
for interoperation between switches and IP phones through MAC address-based VLAN
assignment. In this mode, the authentication server does not need to be configured.
The operations of applying for IP addresses and enabling IP phones to go online without
authentication can be performed simultaneously.
Figure 1-13 Process for interoperation between switches and IP phones through MAC
address-based VLAN assignment
Participants: IP phone; DHCP relay (SwitchA); DHCP server (SwitchB); Authentication server (Agile Controller)
Apply for an IP address: 1. Send a DHCP message. 2. Apply for an IP address.
Go online after authentication: 1. Send an authentication request to the authentication server. 2. Bring the IP phone online without authentication.
Send packets: 1. Send a packet without VLAN tags. 2. Match the MAC address and improve the packet priority.
Data Plan
Procedure
Step 1 Add an interface on SwitchA to a VLAN.
# Create voice VLAN 100
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
Step 4 Configure an AAA domain and configure voice terminals to go online without
authentication.
1. Configure an AAA domain.
# Create and configure a RADIUS server template.
[SwitchA] radius-server template ipphone //Create a RADIUS server template named ipphone.
[SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012 //Configure the shared key of the RADIUS server.
[SwitchA-radius-ipphone] quit
# Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] service-scheme ipphone //Bind the service template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
2. Configure the switch to assign a network access policy to voice terminals through a
service scheme. The network access policy defines that voice terminals can go online
without authentication.
– V200R007C00 and V200R008C00
# Set the NAC mode to unified.
[SwitchA] authentication unified-mode //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.
# Configure the switch to assign a network access policy to voice terminals through
a service scheme. The network access policy defines that voice terminals can go
online without authentication.
[SwitchA] authentication device-type voice authorize service-scheme ipphone
administrator must save the configuration and restart the switch to make
the configuration take effect.
----End
Configuration Files
l SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)
#
sysname SwitchA
#
vlan batch 100 200
#
lldp enable
#
dhcp enable
#
vlan 100
mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority 6
mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
#
authentication device-type voice authorize service-scheme ipphone
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
service-scheme ipphone
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid untagged vlan 100
mac-vlan enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
l SwitchA configuration file (V200R009C00 and later versions)
#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name ipphone
authentication device-type voice authorize service-scheme ipphone
#
vlan 100
mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority 6
mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
#
lldp enable
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
service-scheme ipphone
domain default
authentication-scheme radius
service-scheme ipphone
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
Overview
If an IP phone sends packets with VLAN 0 or untagged packets, the PVID of an interface can
be added to the voice packets. Then the priority of the voice packets is increased based on the
VLAN ID. In versions earlier than V200R003C00, switches do not support OUI-based voice
VLANs. If an IP phone can send only packets with VLAN 0 or untagged packets, the IP
phone can access the switch in this mode.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to
Switches.
Configuration Notes
l This example applies to all versions of all S series switches.
l If the IP phone cannot go online, rectify the fault according to 1.11 Appendix 1:
Common Causes for IP Phones' Login Failures and Workaround.
Networking Requirements
In Figure 1-14, to save investment costs, the customer requires that IP phones connect to the
network through VoIP. IP phones cannot obtain voice VLAN IDs and can send only untagged
voice packets. The network plan should meet the following requirements:
l The priority of voice packets is increased to ensure communication quality of IP phones.
l Voice packets are transmitted in VLAN 100.
l IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a
different network segment from that of the DHCP server.
l IP phones need to connect to switches through MAC address authentication.
Figure 1-14 Networking diagram of connecting switches to IP phones through the PVID of
the voice VLAN ID
(Diagram labels: Authentication server; intranet; GE1/0/3; Switch A (DHCP relay); GE1/0/1, GE1/0/2; IP phone A, IP phone B)
Configuration Roadmap
To implement interoperation between switches and IP phones through the PVID of the voice
VLAN ID, you need to apply for IP addresses for IP phones, bring IP phones online after
authentication, and conduct communication normally. Figure 1-15 shows the process for
interoperation between switches and IP phones through the PVID of the voice VLAN ID.
The operations of applying for IP addresses and enabling IP phones to go online after
authentication can be performed simultaneously.
Figure 1-15 Process for interoperation between switches and IP phones through the PVID of
the voice VLAN ID
Participants: IP phone; DHCP relay (SwitchA); DHCP server (SwitchB); Authentication server (Agile Controller)
Apply for an IP address: 1. Send a DHCP message. 2. Apply for an IP address.
Go online after authentication: 1. Send an authentication request to the authentication server. 2. Send the authentication success message and the IP phone goes online successfully.
Data Plan
Procedure
Step 1 Add an interface on SwitchA to a VLAN.
# Create voice VLAN 100
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
Step 2 Enable the voice VLAN function on an interface of SwitchA and set the PVID of the interface
to the voice VLAN ID.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable //Enable the voice VLAN function on the interface.
[SwitchA-GigabitEthernet1/0/1] voice-vlan remark-mode mac-address //In V200R003 and later versions, the interface needs to be configured to identify voice packets based on MAC addresses. This configuration is not required in versions earlier than V200R003.
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100 //Configure the PVID.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] voice-vlan 100 enable
[SwitchA-GigabitEthernet1/0/2] voice-vlan remark-mode mac-address
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
[SwitchA] voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
Step 4 Configure an AAA domain and MAC address authentication for IP phones.
1. Configure an AAA domain.
# Create and configure a RADIUS server template.
[SwitchA] radius-server template ipphone //Create a RADIUS server template named ipphone.
[SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012 //Configure the shared key of the RADIUS server.
[SwitchA-radius-ipphone] quit
# Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
3. Configure the Agile Controller. The display of the Agile Controller varies by version.
V100R003C60 is used as an example.
a. Log in to the Agile Controller.
b. Add a MAC account based on the MAC address of the IP phone.
i. Choose Resource > User > User Management.
ii. Click Add in the operation area on the right. Set Account type to MAC
Address Account. Enter the MAC address of the IP phone and enter an
arbitrary account name.
iv. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
v. Add authorization information on the page.
----End
Configuration Files
l SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)
#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 200
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 100 enable
voice-vlan remark-mode mac-address
port hybrid pvid vlan 100
port hybrid untagged vlan 100
authentication mac-authen
#
interface GigabitEthernet1/0/2
port link-type hybrid
voice-vlan 100 enable
voice-vlan remark-mode mac-address
port hybrid pvid vlan 100
port hybrid untagged vlan 100
authentication mac-authen
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
l SwitchA configuration file (V200R009C00 and later versions)
#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 200
#
authentication-profile name ipphone
mac-access-profile ipphone
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
Overview
If an IP phone does not support LLDP or DHCP, a switch cannot assign a voice VLAN ID to
the IP phone. In this case, the IP phone can interoperate with the switch through an ACL. That
is, you can run the port add-tag acl command on an interface to identify voice packets and
increase the priority of voice packets.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to
Switches.
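The mac-vlan entries of the MAC address-based VLAN assignment example and the source-mac rules of ACL 4000 in this example both classify frames by a masked source MAC. The Python below is an added example, not Huawei's code: it reads rule and interface lines copied from this page's configuration files, reports how many address bits each mask fixes, and lists interfaces that apply MAC-based classification with no authentication command. Function names and the set of recognized commands are assumptions limited to the forms shown on this page.

```python
import re

# Lines copied from this page's configuration files, trimmed to the relevant parts.
MAC_VLAN_CFG = """\
vlan 100
mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority 6
mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid untagged vlan 100
mac-vlan enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
"""

ACL_CFG = """\
acl number 4000
rule 5 permit source-mac 001d-a21a-0000 ffff-ffff-0000
rule 10 permit source-mac 0021-a08f-0000 ffff-ffff-0000
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100
port add-tag acl 4000 vlan 100 remark-8021p 6
authentication dot1x
#
"""

# Command forms that appear on this page (assumed list, not a full Huawei grammar).
RULE_PATTERNS = [
    ("mac-vlan", re.compile(r"^mac-vlan mac-address (\S+) (\S+)")),
    ("voice-vlan", re.compile(r"^voice-vlan mac-address (\S+) mask (\S+)")),
    ("acl", re.compile(r"^rule(?: \d+)? permit source-mac (\S+) (\S+)")),
]
CLASSIFIER_CMDS = ("mac-vlan enable", "voice-vlan remark-mode mac-address", "port add-tag acl")
AUTH_PREFIXES = ("authentication dot1x", "authentication mac-authen", "authentication-profile ")


def mac_to_int(text):
    """Parse a MAC address or mask such as 001b-d4c7-0000 into an integer."""
    digits = re.sub(r"[-:.]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC value: {text!r}")
    return int(digits, 16)


def mask_prefix_bits(mask):
    """Count the leading 1 bits of a mask; reject masks that are not contiguous."""
    value = mac_to_int(mask)
    inverted = value ^ 0xFFFFFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"mask is not contiguous: {mask}")
    return bin(value).count("1")


def mac_matches(mac, rule_mac, mask):
    """True when mac and rule_mac agree on every bit that the mask selects."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(rule_mac) & m)


def audit(config):
    """Collect MAC match rules and interfaces that classify by MAC without authentication."""
    rules, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "#":
            current = None
        elif current is not None:
            blocks[current].append(line)
        for kind, pattern in RULE_PATTERNS:
            hit = pattern.match(line)
            if hit:
                mac, mask = hit.groups()
                rules.append((kind, mac, mask, mask_prefix_bits(mask)))
    unauthenticated = [
        name for name, lines in blocks.items()
        if any(l.startswith(CLASSIFIER_CMDS) for l in lines)
        and not any(l.startswith(AUTH_PREFIXES) for l in lines)
    ]
    return {"rules": rules, "unauthenticated": unauthenticated}


if __name__ == "__main__":
    for label, cfg in (("MAC VLAN", MAC_VLAN_CFG), ("ACL", ACL_CFG)):
        print(label, audit(cfg))
```

The mask ffff-ffff-0000 fixes the first 32 bits of the address, eight more than the 24-bit OUI, so each rule covers 65,536 source addresses.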
Configuration Notes
l In this example, the port add-tag acl command is supported on all S series modular
switches and on the following S series fixed switches:
– S2700 series: S2752EI
– S3700 series: all models
– S5700 series: S5700EI, S5700HI, S5710EI, S5720EI, S5710HI, S5720HI, and
S5730HI
– S6700 series: S6700EI, S6720EI, S6720S-EI, and S6720HI
l If an IP phone sends tagged packets with VLAN 0, the switch does not add the voice
VLAN ID to the tagged packets. As a result, the IP phone cannot interoperate with the
switch. You can change the configuration of the IP phone or use other methods to
connect the IP phone to the switch.
l If the IP phone cannot go online, rectify the fault according to 1.11 Appendix 1:
Common Causes for IP Phones' Login Failures and Workaround.
Networking Requirements
In Figure 1-16, to save investment costs, the customer requires that IP phones connect to the
network through VoIP. IP phones cannot obtain voice VLAN IDs and can send only untagged
voice packets. The network plan should meet the following requirements:
l The priority of voice packets is increased to ensure communication quality of IP phones.
l Voice packets are transmitted in VLAN 100.
l IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a
different network segment from that of the DHCP server.
(Figure 1-16 diagram labels: intranet; GE1/0/3; Switch A (DHCP relay); GE1/0/1, GE1/0/2; IP phone A, IP phone B)
Configuration Roadmap
To implement interoperation between switches and IP phones through an ACL, you need to
apply for IP addresses for IP phones, bring IP phones online after authentication, and conduct
communication normally. Figure 1-17 shows the process for interoperation between switches
and IP phones through an ACL.
The operations of applying for IP addresses and enabling IP phones to go online after
authentication can be performed simultaneously.
Figure 1-17 Process for interoperation between switches and IP phones through an ACL
Participants: IP phone; DHCP relay (SwitchA); DHCP server (SwitchB); Authentication server (Agile Controller)
Apply for an IP address: 1. Send a DHCP message. 2. Apply for an IP address.
Go online after authentication: 1. Send an authentication request to the authentication server. 2. Send the authentication success message and the IP phone goes online successfully.
Send packets: 1. Send a packet without VLAN tags. 2. Match the voice packet through the ACL and improve the packet priority.
Data Plan
Procedure
Step 1 Add an interface on SwitchA to a VLAN.
# Create voice VLAN 100
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
Step 2 Configure an ACL to identify voice packets, and add the voice VLAN ID to the voice packets
and increase the priority.
[SwitchA] acl 4000
[SwitchA-acl-L2-4000] rule permit source-mac 001d-a21a-0000 ffff-ffff-0000 //The IP phone's MAC address uses the 24-bit mask.
[SwitchA-acl-L2-4000] rule permit source-mac 0021-a08f-0000 ffff-ffff-0000 //This is the MAC address of another IP phone.
[SwitchA-acl-L2-4000] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port add-tag acl 4000 vlan 100 remark-8021p 6 //
Configure ACL 4000. The switch tags VLAN 100 to the packets that match ACL 4000
# Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
3. Configure the Agile Controller. The display of the Agile Controller varies by version.
V100R003C60 is used as an example.
a. Log in to the Agile Controller.
b. Add a common account.
i. Choose Resource > User > User Management.
ii. Click Add in the operation area on the right, and create an 802.1X account.
Click Common account and enter the user name and password. The
configured user name and password must be the same as those configured on
the IP phone, and the account is configured to be the same as the user name.
iii. Click OK to complete the configuration. Be aware that the account belongs to
the user group named ROOT.
c. Add SwitchA to the Agile Controller.
i. Choose Resource > Device > Device Management.
ii. Click Add in the operation area on the right. On the Add Device page that is
displayed, set Name to SwitchA and IP address to 192.168.100.200 (IP
address used by SwitchA to communicate with the Agile Controller). Select
Enable RADIUS, and set Authentication/Accounting key and
Authorization key to Huawei2012 (shared key configured on SwitchA). The
real-time accounting interval is not configured and accounting is performed
based on the time.
iv. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
v. Select the added authorization information.
----End
Configuration Files
l SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)
#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
radius-server template iphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
acl number 4000
rule 5 permit source-mac 001d-a21a-0000 ffff-ffff-0000
rule 10 permit source-mac 0021-a08f-0000 ffff-ffff-0000
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server iphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100
port add-tag acl 4000 vlan 100 remark-8021p 6
authentication dot1x
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid untagged vlan 100
port add-tag acl 4000 vlan 100 remark-8021p 6
authentication dot1x
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
l SwitchA configuration file (V200R009C00 and later versions)
#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name iphone
dot1x-access-profile iphone
#
dhcp enable
#
radius-server template iphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
acl number 4000
rule 5 permit source-mac 001d-a21a-0000 ffff-ffff-0000
rule 10 permit source-mac 0021-a08f-0000 ffff-ffff-0000
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server iphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100
port add-tag acl 4000 vlan 100 remark-8021p 6
authentication-profile iphone
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid untagged vlan 100
port add-tag acl 4000 vlan 100 remark-8021p 6
authentication-profile iphone
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x-access-profile name iphone
#
return
Overview
If an IP phone does not support LLDP or DHCP, a switch cannot assign a voice VLAN ID to
the IP phone. In this case, the IP phone can interoperate with the switch through an ACL-
based simplified traffic policy. That is, you can run the traffic-remark inbound acl
command on an interface to identify voice packets and increase the priority of voice packets.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to
Switches.
Configuration Notes
l This example applies to all versions and models of fixed switches.
l This example applies to all models of modular switches of V200R005C00 and later
versions.
l If the IP phone cannot go online, rectify the fault according to 1.11 Appendix 1:
Common Causes for IP Phones' Login Failures and Workaround.
Networking Requirements
In Figure 1-18, to save investment costs, the customer requires that IP phones connect to the
network through VoIP. IP phones cannot obtain voice VLAN IDs and can send only untagged
voice packets. The network plan should meet the following requirements:
• The priority of voice packets needs to be increased to ensure communication quality.
• Voice packets are transmitted in VLAN 100.
• IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a
different network segment from that of the DHCP server.
• IP phones need to connect to switches through 802.1X authentication.
[Figure 1-18: network diagram. IP phone A and IP phone B attach to GE1/0/1 and GE1/0/2 of Switch A (DHCP relay); GE1/0/3 of Switch A leads to the intranet.]
Configuration Roadmap
To implement interoperation between switches and IP phones through a simplified traffic
policy, the IP phones need to apply for IP addresses, go online after authentication, and
then communicate normally. Figure 1-19 shows the process for interoperation between
switches and IP phones through a simplified traffic policy.
The operations of applying for IP addresses and enabling IP phones to go online after
authentication can be performed simultaneously.
Figure 1-19 Process for interoperation between switches and IP phones through a simplified
traffic policy
Participants: IP phone, DHCP relay (SwitchA), DHCP server (SwitchB), authentication server (Agile Controller)
Apply for an IP address:
1. Send a DHCP message.
2. Apply for an IP address.
Go online after authentication:
1. Send an authentication request to the authentication server.
2. Send the authentication success message and the IP phone goes online successfully.
Send packets:
1. Send a packet without VLAN tags.
2. Identify the voice packet through the traffic policy and improve the packet priority.
Data Plan
Item Value
Procedure
Step 1 Add an interface on SwitchA to a VLAN.
# Create voice VLAN 100
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
Step 2 Configure an ACL to identify voice packets, and add the voice VLAN ID to the voice packets
and increase the priority.
[SwitchA] acl 4000
[SwitchA-acl-L2-4000] rule permit source-mac 001d-a21a-0000 ffff-ffff-0000 //The IP phone's MAC address uses the 24-bit mask.
[SwitchA-acl-L2-4000] rule permit source-mac 0021-a08f-0000 ffff-ffff-0000 //This is the MAC address of another IP phone.
[SwitchA-acl-L2-4000] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100 //The interface tags the PVID of 100 to received untagged packets.
# Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
3. Configure the Agile Controller. The display of the Agile Controller varies by version.
V100R003C60 is used as an example.
a. Log in to the Agile Controller.
b. Add a common account.
i. Choose Resource > User > User Management.
ii. Click Add in the operation area on the right, and create an 802.1X account.
Click Common account and enter the user name and password. The
configured user name and password must be the same as those configured on
the IP phone, and the account is configured to be the same as the user name.
iii. Click OK to complete the configuration. Be aware that the account belongs to
the user group named ROOT.
c. Add SwitchA to the Agile Controller.
i. Choose Resource > Device > Device Management.
ii. Click Add in the operation area on the right. On the Add Device page that is
displayed, set Name to SwitchA and IP address to 192.168.100.200 (IP
address used by SwitchA to communicate with the Agile Controller). Select
Enable RADIUS, and set Authentication/Accounting key and
Authorization key to Huawei2012 (shared key configured on SwitchA). The
real-time accounting interval is not configured and accounting is performed
based on the time.
iv. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
v. Select the added authorization information.
----End
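The matching performed by the two ACL 4000 rules in Step 2 can be checked offline against a phone inventory before deployment. The following Python sketch is an added example, not part of the original guide; it assumes that a 1 bit in the mask means the corresponding source MAC bit must match, and the function names are hypothetical.

```python
# Added example (not from the guide): evaluate ACL 4000 source-mac rules offline.
# Assumption: a 1 bit in the mask means that bit of the source MAC must match.
RULES = [  # (rule ID, source MAC, mask) as listed in the SwitchA configuration file
    (5, "001d-a21a-0000", "ffff-ffff-0000"),
    (10, "0021-a08f-0000", "ffff-ffff-0000"),
]

def mac_to_int(mac):
    """Parse xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx notation."""
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def prefix_bits(mask):
    """Count the leading 1 bits of a mask and reject non-contiguous masks."""
    value = mac_to_int(mask)
    bits = bin(value).count("1")
    if value != ((1 << 48) - 1) ^ ((1 << (48 - bits)) - 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    return bits

def addresses_covered(mask):
    """Number of distinct source MACs that one rule with this mask matches."""
    return 1 << (48 - prefix_bits(mask))

def match_rule(mac, rules=RULES):
    """Return the ID of the first rule matching this source MAC, or None."""
    value = mac_to_int(mac)
    for rule_id, base, mask in rules:
        m = mac_to_int(mask)
        if value & m == mac_to_int(base) & m:
            return rule_id
    return None

def unmatched(inventory, rules=RULES):
    """Phones from an inventory list whose traffic would not be remarked."""
    return [mac for mac in inventory if match_rule(mac, rules) is None]
```

Both rules fix the first 32 bits of the source MAC, so a phone that shares the vendor's 24-bit OUI but differs in the fourth byte is not remarked and needs its own rule.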
Configuration Files
• SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)
#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
acl number 4000
rule 5 permit source-mac 001d-a21a-0000 ffff-ffff-0000
rule 10 permit source-mac 0021-a08f-0000 ffff-ffff-0000
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
traffic-remark inbound acl 4000 8021p 6
traffic-remark inbound acl 4000 dscp ef
authentication dot1x
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
traffic-remark inbound acl 4000 8021p 6
traffic-remark inbound acl 4000 dscp ef
authentication dot1x
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
• SwitchA configuration file (V200R009C00 and later versions)
#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name ipphone
dot1x-access-profile ipphone
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
acl number 4000
rule 5 permit source-mac 001d-a21a-0000 ffff-ffff-0000
rule 10 permit source-mac 0021-a08f-0000 ffff-ffff-0000
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
traffic-remark inbound acl 4000 8021p 6
traffic-remark inbound acl 4000 dscp ef
authentication-profile ipphone
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
traffic-remark inbound acl 4000 8021p 6
traffic-remark inbound acl 4000 dscp ef
authentication-profile ipphone
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x-access-profile name ipphone
#
return
ip pool ip-phone
gateway-list 10.20.20.1
network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 200
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return
enable include-tag0 command to enable the voice VLAN for packets tagged with
VLAN 0 in V200R010 and later versions.
• Method 2: Modify the value of the VLAN TEST timer of the IP phone: Press the star key
(*) and enter the password to access the menu. Select VLAN TEST and change the
default value to 0 (no timeout). After the Avaya phone restarts, the timer settings are no
longer effective and must be reconfigured.
5. Use the voice VLAN for communication. The login fails.
Workaround
• Method 1: In V200R003C00 and later versions, you are advised to configure the OUI-based
voice VLAN. For details, see 1.4 (Recommended) Interoperation Between
Switches and IP Phones Through the OUI-based Voice VLAN.
• Method 2: In V200R010 and later versions, MAC address migration can be enabled so
that IP phones can be authenticated based on the PVID and voice VLAN ID.
<HUAWEI> system-view
[HUAWEI] authentication mac-move enable vlan 10 100 //Assume that the PVID of the interface is VLAN 10 and the voice VLAN ID is VLAN 100.
• Method 3: Configure the blacklist so that the switch discards the packets that come from
the IP phone and are forwarded based on the PVID. In this case, the authenticated VLAN
and voice VLAN of the IP phone are the same.
a. Configure an ACL rule to match the MAC address of the IP phone and PVID of the
interface.
<HUAWEI> system-view
[HUAWEI] acl number 4000
[HUAWEI-acl-L2-4000] rule 5 permit source-mac ac44-f211-df8e vlan-id 1 //Assume that the MAC address of the IP phone is ac44-f211-df8e and the PVID is VLAN 1.
[HUAWEI-acl-L2-4000] quit
c. Authorize the voice VLAN through the server. Set the authorization VLAN ID to
the voice VLAN ID and set Attribute ID/name to HW-Voice-vlan(33). The Agile
Controller is used as an example.
Choose Policy > Permission Control > Authentication & Authorization >
Authorization Result and click Add to create an authorization result.
Cause 5: The IP Phone Goes Online and Offline Frequently Because It Does Not Respond to ARP Offline Probe Packets Sent by the Switch
To ensure normal online status of the IP phone, the switch sends ARP offline probe packets
with the source IP address of 255.255.255.255 to the IP phone. If the IP phone does not
respond to ARP offline probe packets with the source IP address of 255.255.255.255,
the switch considers the IP phone offline and disconnects the IP phone. In this case, the IP
phone may go online and offline frequently.
Run the display aaa offline-record all command to check the cause for logout of the IP
phone, and check whether User offline reason is ARP detect fail.
<HUAWEI> display aaa offline-record all
-------------------------------------------------------------------
User name : test@rds
Domain name : default
User MAC : 0021-9746-b67c
User access type : MAC
User access interface : GigabitEthernet0/0/2
Qinq vlan/User vlan : 0/1
User IP address : 192.168.2.2
User IPV6 address : -
User ID : 19
User login time : 2016/10/01 04:49:39
User offline time : 2016/10/01 04:59:43
User offline reason : ARP detect fail
-------------------------------------------------------------------
Are you sure to display some information?(y/n)[y]:
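To confirm this cause across many phones rather than one record at a time, saved output of display aaa offline-record all can be parsed and grouped by MAC address. The following Python sketch is an added example, not part of the original guide; the sample records are constructed in the layout shown above, and the function names and the two-event threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the record shown above; fields the
# check does not use are omitted. Not captured from a real device.
SAMPLE = """\
-------------------------------------------------------------------
  User MAC            : 0021-9746-b67c
  User login time     : 2016/10/01 04:49:39
  User offline time   : 2016/10/01 04:59:43
  User offline reason : ARP detect fail
-------------------------------------------------------------------
  User MAC            : 0021-9746-b67c
  User login time     : 2016/10/01 05:00:10
  User offline time   : 2016/10/01 05:10:14
  User offline reason : ARP detect fail
-------------------------------------------------------------------
  User MAC            : 001d-a21a-0c01
  User login time     : 2016/10/01 04:00:00
  User offline time   : 2016/10/01 09:30:00
  User offline reason : User request to offline
-------------------------------------------------------------------
"""
FIELD = re.compile(r"^\s*(User [\w /]+?)\s*:\s*(.*\S)\s*$")
TIME_FMT = "%Y/%m/%d %H:%M:%S"

def parse_records(text):
    """Split the output on dashed separator lines into one dict per record."""
    records = []
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        rec = dict(m.groups() for line in block.splitlines() if (m := FIELD.match(line)))
        if "User MAC" in rec:
            records.append(rec)
    return records

def arp_detect_flaps(text, min_events=2):
    """Map MAC -> session lengths in seconds for users logged out at least
    min_events times with the reason 'ARP detect fail'."""
    sessions = defaultdict(list)
    for rec in parse_records(text):
        if rec.get("User offline reason") != "ARP detect fail":
            continue
        start = datetime.strptime(rec["User login time"], TIME_FMT)
        end = datetime.strptime(rec["User offline time"], TIME_FMT)
        sessions[rec["User MAC"]].append(int((end - start).total_seconds()))
    return {mac: s for mac, s in sessions.items() if len(s) >= min_events}
```

Repeated sessions of nearly identical length for one MAC address, all ending with ARP detect fail, point to the probe behaviour described here rather than to a cabling or authentication fault.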
Workaround
• Method 1: Configure the default source IP address of ARP offline detection packets.
<HUAWEI> system-view
[HUAWEI] access-user arp-detect default ip-address 0.0.0.0 //Configure the default source address of ARP offline probe packets as 0.0.0.0.
• Method 2: Configure the source IP address and source MAC address of ARP offline
detection packets in the specified VLAN.
<HUAWEI> system-view
[HUAWEI] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address 2222-1111-1234 //Configure the source IP address of ARP offline probe packets as 192.168.1.1 and the source MAC address as 2222-1111-1234.
• In versions of S switches earlier than V200R006, data and voice services for a VLAN on an
interface can be authenticated simultaneously. In V200R006 and later versions,
authentication is performed one at a time.