01-01 Interoperation Between Huawei Switches and IP Phones

S2700, S3700, S5700, S6700, S7700, and S9700 Series
Switches
Interoperation and Replacement Guide 1 Interoperation Between Huawei Switches and IP Phones
1 Interoperation Between Huawei Switches

and IP Phones
About This Chapter
1.1 Overview of Interoperation Between Switches and IP Phones

1.2 IP Phone Interoperation Solution
1.3 (Recommended) Interoperation Between Switches and IP Phones Through LLDP
1.4 (Recommended) Interoperation Between Switches and IP Phones Through the OUI-based
Voice VLAN
1.5 (Recommended) Interoperation Between Switches and Cisco IP Phones Using HDP
1.6 Interoperation Between Switches and IP Phones Through LLDP-MED
1.7 Interoperation Between Switches and IP Phones Through MAC Address-based VLAN
Assignment
1.8 Interoperation Between Switches and IP Phones Through the PVID of the Voice VLAN
ID
1.9 Interoperation Between Switches and IP Phones Through an ACL
1.10 Interoperation Between Switches and IP Phones Through a Simplified Traffic Policy
1.11 Appendix 1: Common Causes for IP Phones' Login Failures and Workaround
1.12 Appendix 2: Guide for Configuring Cisco RADIUS Authentication Server
1.1 Overview of Interoperation Between Switches and IP

Phones
On a VoIP network, an IP phone needs to connect to a switch to transmit voice traffic. In this
situation, both voice and data flows are transmitted on the VoIP network. How to
preferentially transmit voice traffic to ensure communication quality is the key for
interworking between the IP phone and switch.
Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 1

Switches
Basic Concepts
Currently, the switch identifies voice traffic through MAC addresses or voice VLAN IDs of
IP phones. Before introducing the IP phone interoperation solutions, you need to understand
the following basic concepts:
l OUI
An Organizationally Unique Identifier (OUI) is the first 24 bits of a MAC address, and is
a unique identifier assigned by the Institute of Electrical and Electronics Engineers
(IEEE) to a device vendor.
Each device vendor needs to request a MAC address from the IEEE. Generally, the IEEE
allocates a 24-bit address segment, from which a device vendor allocates addresses.
During packet forwarding, a switch can identify voice devices based on OUIs and then
can determine voice packets.
l Voice VLAN
A voice VLAN is used to forward voice packets. A Huawei switch only allows a VLAN
to be specified as a voice VLAN, but cannot allocate the voice VLAN ID to voice
devices. Protocols such as LLDP and DHCP need to be used to allocate a specified voice
VLAN ID to voice devices.
l VLAN Tag
802.1Q defines the format of a VLAN tag.
PRI (3 bits) CFI (1 bit) VLAN ID (12 bits)
A VLAN tag consists of 16 bits. The PRI (also called CoS or 802.1p priority) occupies 3
bits, CFI occupies 1 bit, and VID occupies 12 bits.
Packet types are defined based on VLAN tags as follows:
a. Untagged packets: Packets do not carry VLAN tags.
b. Packets tagged with VLAN 0: Packets carry tags with VLAN 0.
c. Tagged packets: Packets carry non-0 tags.
A high priority specified by the CoS value (usually 5) needs to be set for voice packets
so that they can be forwarded preferentially. Generally, IP phones of mainstream vendors
(for example, Cisco 7962) send tagged voice packets in which the default CoS value is 5.
There are many types of IP phones, and CoS values of some IP phones cannot be set to
5.
The method for connecting IP phones to switches varies according to the VLAN tags of
packets and the configured CoS values. The following table lists the categories of
packets sent by IP phones.
Table 1-1 Categories of packets sent by IP phones
No. Packet Description

Characteristics
1 The packets carry After IP phones connect to a switch, the

VLAN tags in which priority of packets does not need to be
the CoS value is 5. increased.

Switches
No. Packet Description

Characteristics
2 The packets carry After IP phones connect to a switch, the switch

VLAN tags in which needs to identify the priority of packets and
the CoS value is 0. increase the packet priority.

VLAN tags in which needs to identify voice packets based on the
the VLAN ID is 0 OUI, add the voice VLAN ID, and the priority
and the CoS value is of packets does not need to be increased.
5.

VLAN tags in which needs to identify voice packets based on the
the VLAN ID is 0 OUI, add the voice VLAN ID, and set a high
and the CoS value is priority.
0.
5 The packets do not After IP phones connect to a switch, the switch

carry VLAN tags. needs to identify voice packets based on the
OUI, add the voice VLAN ID, and set a high
priority.
NOTE
A Huawei switch processes packets tagged with VLAN 0 in the same manner as untagged packets; that
is, an interface adds the VLAN tag specified by the PVID to the packets. For voice packets, the switch
needs to identify them based on the OUI and add the voice VLAN ID to the voice packets so that the
voice packets can be forwarded in the voice VLAN.
Physical Connection of an IP Phone for Interworking

Cisco 7962 is used as an example. Figure 1-1 shows the internal structure of the IP phone.
The IP phone integrates a three-port switching chip:
l P1 port connects to an uplink switch or another data communication device.
l P2 connects to the internal ASIC to transmit voice traffic.
l P3 connects to a PC or another data communication device.
Figure 1-1 Internal structure of the IP phone
Cisco IP Phone 7962
Phone
ASIC
P2
P1 3-port P3
switch

Switches
In Figure 1-1, the IP phone provides two interfaces to connect to an uplink switch and a PC,
respectively. When the IP phone and PC are deployed simultaneously, there are two methods:
l The downstream PC connects to the IP phone, as shown in Figure 1-2. Only one
interface on a switch is occupied. That is, one network interface provides both voice and
data services.
Figure 1-2 Connecting a downstream PC to an IP phone
l The PC and IP phone connect to the switch separately, as shown in Figure 1-3. Voice
and data flows are deployed separately, facilitating management and maintenance.
Figure 1-3 Connecting the PC and IP phone to the switch separately
1.2 IP Phone Interoperation Solution

NOTE
Huawei PoE switches can supply power to IP phones. For details, see 2.1 Power Supply Guide for
Interoperation Between Huawei PoE Switches and IP Phones.
Different solutions are available for connecting IP phones with different attributes to different
device models. For details, see List of IP Phone Models That Can Be Connected to
Switches. The following table provides detailed configuration guidance for the interoperation
solutions. You can select a solution based on the device model, version, and applicable
scenario.

Switches
Table 1-2 Summary of solutions for connecting switches to IP phones

Interoperation Applicable Scenario Applicable S Series Switch
Solution and Version
1.3 l IP phones can obtain voice All versions and all models
(Recommended) VLAN IDs through LLDP. except the S2700SI and S2710SI.
Interoperation l Switches that are enabled with
Between the voice VLAN function can
Switches and IP identify voice packets based
Phones Through on voice VLAN IDs and
LLDP increase the packet priority.
l MAC address authentication
is configured for IP phones,
and 802.1X authentication is
configured for the PC.
1.4 l IP phones cannot obtain voice All models of V200R003C00 and

(Recommended) VLAN IDs through any later versions.
Interoperation protocol, and voice packets
Between are forwarded in the VLAN
Switches and IP specified through the voice
Phones Through VLAN function.
the OUI-based l Switches that are enabled with
Voice VLAN the voice VLAN function can
identify voice packets based
on MAC addresses and
increase the packet priority.
is configured for IP phones.
1.5 l IP phones can obtain voice All versions and all models.
(Recommended) VLAN IDs through CDP.
Interoperation l Switches that are enabled with
Between the voice VLAN function can
Switches and identify voice packets based
Cisco IP Phones on voice VLAN IDs and
Using HDP increase the packet priority.
l 802.1X authentication is
configured for IP phones.
1.6 l IP phones can obtain voice All models of V200R002 and

Interoperation VLAN IDs based on the later versions.
Between network-policy TLV field of
Switches and IP LLDP.
Phones Through l The packet priority is high,
LLDP-MED and switches do not need to
l 802.1X authentication and
MAC address authentication
are configured for IP phones.

Switches

1.7 l IP phones cannot obtain voice All versions and all models.
Interoperation VLAN IDs through any
Between protocol, and voice packets
Switches and IP are forwarded in the VLAN
Phones Through specified through MAC
MAC Address- address-based VLAN
based VLAN assignment.
Assignment l Switches that are enabled with
the MAC address-based
assignment function can
l IP phones can go online
directly without
authentication.
1.8 l IP phones cannot obtain voice All versions and all models.
Interoperation VLAN IDs through any
Between protocol, and voice packets
Phones Through specified through the PVID of
the PVID of the the interface.
Voice VLAN ID l Switches that are enabled with
the voice VLAN function can
is configured for IP phones.
1.9 l IP phones cannot obtain voice All modular switches and the
Interoperation VLAN IDs through any following fixed switches:
Between protocol, and voice packets l S2700 series: S2752EI
Phones Through specified through an ACL. l S3700 series: all models
an ACL l Switches that are configured l S5700 series: S5700EI,
with ACLs can identify voice S5700HI, S5710EI, S5720EI,
packets based on MAC S5710HI, S5720HI, and
addresses and increase the S5730HI
packet priority. l S6700 series: S6700EI,
l 802.1X authentication is S6720EI, S6720S-EI, and
configured for IP phones. S6720HI

Switches

1.10 l IP phones cannot obtain voice All versions and models of fixed
Interoperation VLAN IDs through any switches.
Between protocol, and voice packets All modular switches of
Switches and IP are forwarded in the VLAN V200R005C00 and later
Phones Through specified through a traffic versions.
a Simplified policy.
Traffic Policy l Switches that are configured
with traffic policies can
l 802.1X authentication is
configured for IP phones.
1.3 (Recommended) Interoperation Between Switches and

IP Phones Through LLDP
This section includes the following content:
l Overview
l Configuration Notes
l Networking Requirements
l Configuration Roadmap
l Data Plan
l Procedure
l Configuration Files
Overview
If an IP phone supports LLDP, you can enable LLDP and voice VLAN on the switch to
provide VoIP access. Then the switch uses LLDP to deliver the voice VLAN ID to the IP
phone and increases the packet priority through the voice VLAN.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to
Switches.
Configuration Notes
l Except for the S2700SI and S2710SI, all models of all versions support this
configuration.
l If the IP phone cannot go online, rectify the fault according to 1.11 Appendix 1:
Common Causes for IP Phones' Login Failures and Workaround.

Switches
Networking Requirements
In Figure 1-4, to save investment costs, the customer requires that IP phones and PCs connect
to the network through VoIP. IP phones support LLDP and can obtain voice VLAN IDs
through LLDP. The network plan should meet the following requirements:
l The priority of voice packets sent by IP phones is low and needs to be increased to
ensure communication quality.
l Voice packets are transmitted in VLAN 100, and data packets from PCs are transmitted
in VLAN 101.
l IP addresses of IP phones and PC are dynamically allocated by the DHCP server, and are
on a different network segment from that of the DHCP server.
l IP phones need to connect to switches through MAC address authentication and PC need
to connect to switches through 802.1X authentication.
Figure 1-4 Networking diagram of connecting switches to IP phones through LLDP

Authentication
server
Intranet
DHCP server Switch B

GE1/0/3
GE1/0/3
DHCP relay Switch A
GE1/0/1 GE1/0/2
IP phone A
IP phone B
PC
Configuration Roadmap
To implement interoperation between switches and IP phones through LLDP, IP phones need
to obtain the voice VLAN, apply for IP addresses, go online after authentication, and send
packets. Figure 1-5 shows the process for interoperation between switches and IP phones
through LLDP.
The operations of obtaining the voice VLAN, applying for IP addresses, and enabling IP
phones to go online after authentication can be performed simultaneously. The PC connected

Switches
to the IP phone does not need to obtain VLAN information. Instead, you only need to apply
for an IP address and enable the PC to go online after authentication.
Figure 1-5 Process for interoperation between switches and IP phones through LLDP
DHCP relay DHCP server Authentication server
IP phone
(SwitchA) (SwitchB) (Agile Controller)
Obtain the 1. Power on the IP phone and

voice VLAN turn the switch interface to Up.
ID 2. Enable LLDP on the switch.
3. Send an LLDP packet containing

the voice VLAN ID.
4. Obtain the voice VLAN ID.
Apply for an
IP address 1. Send a DHCP message.
2. Apply for an IP address.
3. Assign the IP address.
Go online
after 1. Send an authentication request to
authentication the authentication server.
2. Send the authentication success message
and the IP phone goes online successfully.
Send
1. Send a packet carrying VLAN tags. 2. Identify the voice packet
packets
and improve the packet
priority.
According to the preceding process, the configuration roadmap is as follows:

l Enable LLDP to allocate a voice VLAN to IP phones.
l Enable the voice VLAN function to increase the packet priority.
l Configure the DHCP relay function and DHCP server to allocate IP addresses to IP
phones and the PC.
l Configure the authentication server and enable IP phones to go online after
authentication.

Switches
Data Plan
Table 1-3 Data plan for IP phones
Item Value
Voice VLAN VLAN 100
MAC address 001b-d4c7-0001

0021-a08f-0002
Address segment 10.20.20.1/24
Authentication mode MAC address authentication
Table 1-4 Data plan for the PC
Item Value
Data VLAN VLAN 101
Authentication mode 802.1X authentication
Table 1-5 Data plan for communication
Item Value
VLAN and IP address used by SwitchA to VLAN 200; 10.10.20.1/24

communicate with SwitchB
VLAN and IP address used by SwitchB to VLAN 200; 10.10.20.2/24

communicate with SwitchA
IP address of SwitchA 192.168.100.200
802.1X access profile name ipphone
MAC access profile name ipphone
IP address of the RADIUS authentication 192.168.100.182

and accounting server
Port number of the RADIUS authentication 1812

server
Port number of the RADIUS accounting 1813

server
RADIUS shared key Huawei2012

Switches
Procedure
Step 1 Enable LLDP on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] lldp enable //Enable LLDP globally. By default, LLDP is enabled on an
interface.
Step 2 Enable the voice VLAN function on SwitchA.

# Create voice VLAN 100.
[SwitchA] vlan batch 100
# Add interfaces to the voice VLAN.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later
versions, the default link type of an interface is not hybrid, and needs to be
manually configured.
[SwitchA-GigabitEthernet1/0/1] port hybrid tagged vlan 100 //Add the interface
to voice VLAN 100 in tagged mode.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid tagged vlan 100
# Enable the voice VLAN function on the interface.

[SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable
[SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000 //In
versions earlier than V200R003, the OUI needs to be configured. The OUI
corresponds to the MAC address of the IP phone. In V200R003 and later versions,
the OUI does not need to be configured.
[SwitchA] voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
Step 3 Configure SwitchA to forward data flows.

[SwitchA] vlan batch 101 //Data flows are transmitted in VLAN 101.
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 101 //Set the PVID of the
interface to VLAN 101.
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 101 //Add the interface
to VLAN 101 in untagged mode.
Step 4 Configure the DHCP relay function and DHCP server.

1. Configure the DHCP relay function on SwitchA.
# Configure the DHCP relay function on an interface.
[SwitchA] dhcp enable //Enable DHCP globally. By default, DHCP is disabled.
[SwitchA] interface Vlanif 100
[SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0 //Assign an IP
address to VLANIF 100.
[SwitchA-Vlanif100] dhcp select relay //Enable the DHCP relay function on
VLANIF 100.
[SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2 //Configure the DHCP
server address on the DHCP relay agent.
[SwitchA-Vlanif100] quit

Switches

VLANIF 101.
# Create VLANIF 200.

[SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0 //Configure an IP
address for VLANIF 200 for communication with SwitchB.
# Add the uplink interface to VLAN 200.

[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 200
# Configure a default static route.

[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2 //The next hop address
of the route corresponds to the IP address of VLANIF 200 on SwitchB.
2. Configure SwitchB as the DHCP server to allocate IP addresses to IP phones and PC.
# Configure an address pool.
[HUAWEI] sysname SwitchB
[SwitchB] ip pool ip-phone //Create an address pool to allocate IP addresses
to IP phones.
[SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1 //Configure a gateway
addresses for IP phones.
[SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0 //Configure
allocatable IP addresses in the IP address pool.
[SwitchB-ip-pool-ip-phone] quit
[SwitchB] ip pool ip-pc //Create an address pool to allocate IP addresses to
PC.
[SwitchB-ip-pool-ip-pc] gateway-list 10.20.30.1 //Configure a gateway
address for the PC.
[SwitchB-ip-pool-ip-pc] network 10.20.30.0 mask 255.255.255.0 //Configure
[SwitchB-ip-pool-ip-pc] quit
# Configure the DHCP server function.

[SwitchB] dhcp enable //Enable DHCP globally. By default, DHCP is disabled.
[SwitchB] vlan batch 200
[SwitchB] interface Vlanif 200
[SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0 //Assign an IP
[SwitchB-Vlanif200] dhcp select global //Configure SwitchB to allocate IP
addresses from the global IP address pool to the IP phone.
[SwitchB-Vlanif200] quit
# Add the downlink interface to VLAN 200.

[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type access
[SwitchB-GigabitEthernet1/0/3] port default vlan 200
[SwitchB-GigabitEthernet1/0/3] quit
# Configure a return route.

[SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1 //Configure a
return route for IP phones.

Switches
[SwitchB] ip route-static 10.20.30.0 255.255.255.0 10.10.20.1 //Configure a

return route for the PC.
Step 5 Configure an AAA domain, and configure MAC address authentication for IP phones and
802.1X authentication for the PC.
1. Configure an AAA domain.
# Create and configure a RADIUS server template.
[SwitchA] radius-server template ipphone //Create a RADIUS server template
named ipphone.
[SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812 //
Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813 //
Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012 //
Configure the shared key of the RADIUS server.
[SwitchA-radius-ipphone] quit
# Configure an authentication scheme.

[SwitchA] aaa
[SwitchA-aaa] authentication-scheme radius //Create an authentication scheme
named radius.
[SwitchA-aaa-authen-radius] authentication-mode radius //Set the
authentication mode to RADIUS.
[SwitchA-aaa-authen-radius] quit
# Create an AAA domain and bind the RADIUS server template and authentication
scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the
authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server
template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
2. Configure MAC address authentication for IP phones and 802.1X authentication for PC.
– V200R007C00 and earlier versions, and V200R008C00
# Set the NAC mode to unified.
[SwitchA] authentication unified-mode //By default, the switch uses the
unified mode. When the traditional and unified modes are switched, the
administrator must save the configuration and restart the switch to make
the configuration take effect.
# Enable MAC address authentication on an interface.

[SwitchA-GigabitEthernet1/0/1] authentication dot1x mac-authen //Enable
802.1X authentication and MAC address authentication.
[SwitchA-GigabitEthernet1/0/2] authentication mac-authen
– V200R009C00 and later versions

# Configure access profiles.

[SwitchA] dot1x-access-profile name ipphone //Create an 802.1X access
profile named ipphone.

Switches
[SwitchA-dot1x-access-profile-ipphone] quit
[SwitchA] mac-access-profile name ipphone //Create a MAC access profile
named ipphone. If no user name and password are specified in the MAC
access profile, both the user name and password are MAC addresses
without separators or colons.
[SwitchA-mac-access-profile-ipphone] quit
# Configure an authentication profile.

[SwitchA] authentication-profile name ipphone //Configure an
authentication profile.
[SwitchA-authen-profile-ipphone] dot1x-access-profile ipphone //Bind an
802.1X access profile.
[SwitchA-authen-profile-ipphone] mac-access-profile ipphone //Bind a
MAC access profile.
[SwitchA-authen-profile-ipphone] authentication dot1x-mac-bypass //
Enable MAC address bypass authentication.
[SwitchA-authen-profile-ipphone] quit
# Apply the authentication profile to interfaces.

[SwitchA-GigabitEthernet1/0/1] authentication-profile ipphone //Bind an
[SwitchA-GigabitEthernet1/0/2] authentication-profile ipphone
3. Configure the Agile Controller. The display of the Agile Controller varies by version.
V100R003C60 is used as an example.
a. Log in to the Agile Controller.
b. Create an 802.1X account used for PC authentication.
i. Choose Resource > User > User Management.
ii. Click Add in the operation area on the right. Click Common account and
enter the user name and password. The configured user name and password
must be the same as those configured on the PC, and the account is configured
to be the same as the user name. Be aware that the account belongs to the user
group ROOT.

Switches
iii. Click OK to complete the configuration.

c. Add SwitchA to the Agile Controller.
i. Choose Resource > Device > Device Management.
ii. Click Add in the operation area on the right. On the Add Device page that is
displayed, set Name to SwitchA and IP address to 192.168.100.200 (IP
address used by SwitchA to communicate with the Agile Controller). Select
Enable RADIUS, and set Authentication/Accounting key and
Authorization key to Huawei2012 (shared key configured on SwitchA). The
real-time accounting interval is not configured and accounting is performed
based on the time.

Switches

d. Add MAC address information of an IP phone to the Agile Controller. MAC
address information is added so that the MAC address can be used for
authentication when the 802.1X client times out. That is, the IP phone connects to
the switch using MAC address authentication.
i. Choose Resource > Terminal > Terminal List.
ii. Click Add in the operation area on the right. On the Add Device Group page
that is displayed, add an IP phone group ipphone.

Switches

iv. Click the device group in the navigation tree and select the created IP phone
group ipphone.
v. Click Add in the device list, add an IP phone, and enter the MAC address of
the IP phone.

Switches
vi. Click OK to complete the configuration.

vii. Click Add and add the MAC address of another IP phone.
viii. Click OK to complete the configuration.
e. Add an authentication rule. Two authentication rules need to be added: 802.1X
authentication rule for the PC and MAC address authentication rule for the IP
phone.

Switches
i. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule.
ii. Click Add in the operation area on the right. On the Add Authentication Rule
page that is displayed, add an authentication rule for the PC. Set Name to PC,
click Access, set User group to ROOT, and select allowed authentication
protocols under Authentication Condition.

Switches

iv. Click Add again to add an authentication rule for the IP phone. Set Name to
ipphone, Service type to MAC bypass authentication, and Terminal group
to ipphone.

Switches
v. Click OK to complete the configuration.

f. Add an authorization result.
Authorization Result.
ii. Click Add in the operation area on the right and add an authorization result.
Set Name to voice vlan 100, Service type to MAC bypass authentication,
and VLAN under Authorization Parameter to 100.

Switches
iii. Click Add under customized authorization parameter to add authorization

information. Set Vendor/Standard attribute to Huawei, Attribute ID/name
to HW-Voice-Vlan(33), and Attribute type to Integer. If Attribute value is
set to 1, VLAN 100 is a voice VLAN.
iv. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
v. Add authorization information on the page.

Switches

g. Add two authorization rules: one authorization rule for the PC and the other for the
IP phone. After a user is authenticated, the Agile Controller grants the user access
rights based on the authorization rule.
authorization Rule.
ii. Click Add in the operation area on the right and add an authorization rule for
the PC. Set Name to PC, click Access, set User group to ROOT, and set
Authorization result to Permit Access.

Switches

Switches

iv. Click Add again to add an authorization rule for the IP phone. Set Name to
ipphone, click MAC bypass authentication, set Terminal Group to
ipphone, and set Authorization result to voice vlan 100.

Switches

Switches
Step 6 Verify the configuration.

l You can see that the IP phone can correctly obtain the voice VLAN ID and IP address
through the menu of the IP phone.
l The display access-user command output on SwitchA displays connection information
about IP phones and PC.
[SwitchA] display access-user
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
564 001bd4c71fa9 10.20.20.198 001b-d4c7-1fa9 Success

565 0021a08f2fa8 10.20.20.199 0021-a08f-2fa8 Success
566 3c970ecf1101 10.20.30.190 3c97-0ecf-1101 Success
------------------------------------------------------------------------------
Total: 3, printed: 3
----End
Configuration Files
l SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)

Switches
#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
#
vlan batch 100 to 101 200
#
lldp enable
#
dhcp enable
#
radius-server template ipphone
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K
%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
radius-server ipphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif101
ip address 10.20.30.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 100 enable
port hybrid pvid vlan
101
port hybrid tagged vlan

100
port hybrid untagged vlan 101

authentication dot1x mac-authen
#
port hybrid tagged vlan 100
authentication mac-authen
#
port link-type access
port default vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
l SwitchA configuration file (V200R009C00 and later versions)
#
sysname SwitchA
#
vlan batch 100 to 101 200
#

Switches
authentication-profile name
ipphone
dot1x-access-profile
ipphone
mac-access-profile
ipphone
authentication dot1x-mac-bypass
#
lldp enable
#
dhcp enable
#
%^%#
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif101
ip address 10.20.30.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
101

100

authentication-profile ipphone
#
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x-access-profile name
ipphone

Switches
mac-access-profile name ipphone

#
return
l SwitchB configuration file

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-
phone
gateway-list
10.20.20.1
network 10.20.20.0 mask

255.255.255.0
ip pool ip-
pc
gateway-list
10.20.30.1
network 10.20.30.0 mask

255.255.255.0
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
port link-type
access

#
ip route-static 10.20.20.0 255.255.255.0
10.10.20.1
ip route-static 10.20.30.0 255.255.255.0 10.10.20.1

#
return

IP Phones Through the OUI-based Voice VLAN
l Overview
l Data Plan
l Procedure

Switches
Overview
If an IP phone sends packets with VLAN 0 or untagged packets, the switch can identify the
OUI of the untagged packet from the IP phone. Then the switch adds the voice VLAN ID to
the packet and increases the priority of the packet based on the voice VLAN ID.
Switches.
Configuration Notes
l This example applies to all models of V200R003C00 and later versions.
l For the fixed device (S5720EI, S6720EI, S6720S-EI), and modular device (excluding X
series cards), in V200R010 and later versions, run the voice-vlan vlan-id enable
include-tag0 command to enable the switch to identify packets with tag 0 as voice
packets and adds the voice VLAN ID to packets.
l When IP phones are connected in Voice-VLAN include-untagged mode, disable LLDP
on the interface or run the undo lldp tlv-enable med-tlv network-policy command to
disable the switch and IP phones from advertising the VLAN configuration. Otherwise,
the switch allocates the voice VLAN ID to IP phones through LLDP. Then IP phones
send tagged packets to the switch, whereas the switch forwards untagged packets to IP
phones. As a result, IP phones cannot go online.
l If Mitel 5212 phones cannot go online, rectify the fault by referring to Cause 6:
Customized Options Are Not Configured for a Switch Functioning as the DHCP
Server. As a Result, Mitel 5212 Phones Fail to Go Online.
In Figure 1-6, to save investment costs, the customer requires that IP phones connect to the
network through VoIP. IP phones cannot obtain voice VLAN IDs and can send only untagged
voice packets. The network plan should meet the following requirements:
l The priority of voice packets is increased to ensure communication quality of IP phones.
l Voice packets are transmitted in VLAN 100.
l IP addresses of IP phones are on a different network segment from that of the DHCP
server, and DHCP snooping is configured to improve network security.
l IP phones need to connect to switches through MAC address authentication.

Switches
Figure 1-6 Networking diagram of connecting switches to IP phones through the OUI-based
voice VLAN
Authentication
server
intranet

GE1/0/3
GE1/0/3
DHCP relay Switch A
GE1/0/1 GE1/0/2
IP phone A IP phone B
To implement interoperation between switches and IP phones through the OUI-based voice
VLAN, you need to apply for IP addresses for IP phones, bring IP phones online after
authentication, and conduct communication normally. Figure 1-7 shows the process for
interoperation between switches and IP phones through the OUI-based voice VLAN.
The operations of applying for IP addresses and enabling IP phones to go online after
authentication can be performed simultaneously.

Switches
Figure 1-7 Process for interoperation between switches and IP phones through the OUI-based
voice VLAN
IP phone
Apply for an
Go online
Send
1. Send a packet without VLAN tags. 2. Match the MAC
packets
address and improve the
packet priority.

l Configure OUI-based voice VLANs, assign VLANs to IP phones, and increase the
priority.
phones.
authentication.
Data Plan
Item Value
Voice VLAN VLAN 100

0021-a08f-0002

Switches

Item Value
VLAN and IP address used by SwitchA to VLAN 200, 10.10.20.1/24

VLAN and IP address used by SwitchB to VLAN 200, 10.10.20.2/24



server

server
Procedure
Step 1 Add an interface on SwitchA to a VLAN.
# Create voice VLAN 100
# Add an interface to VLAN 100 in untagged mode.

[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100 //Packets sent by
IP phones do not carry tags, so the interface must be join VLAN 100 in untagged
mode.
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
Step 2 On SwitchA, configure the interface to add the voice VLAN ID to untagged packets and
configure the OUI.
[SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable include-untagged //
Configure the interface to add the voice VALN ID to untagged packets. In V200R010
and later versions, run the voice-vlan vlan-id enable include-tag0 command to
enable the switch to process packets tagged with voice VLAN 0 for the S5720EI,
S6720EI, S6720S-EI, and modular switches (excluding swtiches using X series
cards).
[SwitchA-GigabitEthernet1/0/1] undo lldp enable //In V200R011C10 and later
versions, you need to manually disable LLDP.

Switches
[SwitchA-GigabitEthernet1/0/2] voice-vlan 100 enable include-untagged
[SwitchA-GigabitEthernet1/0/2] undo lldp enable
[SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000 //When the
interface is configured to add the voice VLAN ID to untagged packets, this
command must be configured. The MAC address is the IP phone's MAC address.

VLANIF 100.



2. Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.

to IP phones.
[SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1 //Configure the gateway
address on the DHCP server.

[SwitchB] interface Vlanif 200 //Create VLANIF 200.

Switches


[SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
Step 4 Configure DHCP snooping on SwitchA.

[SwitchA] dhcp snooping enable //Enable DHCP snooping globally. DHCP snooping is
disabled by default.
[SwitchA-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on
the interface.
[SwitchA-GigabitEthernet1/0/2] dhcp snooping enable
[SwitchA-GigabitEthernet1/0/3] dhcp snooping trusted //Configure the uplink
interface as the trusted interface.
Step 5 Configure an AAA domain and MAC address authentication for IP phones.

named ipphone.

[SwitchA] aaa
[SwitchA-aaa] authentication-scheme radius //Set the authentication mode to
RADIUS.
[SwitchA-aaa] quit
2. Configure MAC address authentication for IP phones.


Switches

[SwitchA-GigabitEthernet1/0/1] authentication mac-authen //Enable MAC
address authentication.

# Configure a MAC access profile.

named ipphone

[SwitchA-authen-profile-ipphone] mac-access-profile ipphone //Bind the
MAC access profile ipphone to the authentication profile.

[SwitchA-GigabitEthernet1/0/1] authentication-profile ipphone //Bind
the MAC address authentication profile and enable MAC address
authentication.
b. Add a MAC account based on the MAC address of the IP phone.
ii. Click Add in the operation area on the right. Account type select MAC
Address Account. Enter the MAC address of the IP phone and enter the
account name randomly.

Switches

based on the time.

Switches

d. Add MAC address information of an IP phone to the Agile Controller.

Switches

group ipphone.
the IP phone.


Switches

e. Add an authentication rule.
Authentication Rule
ii. Click Add in the operation area on the right and add an authentication rule for
the IP phone. Set Name to ipphone, Service type to MAC bypass
authentication, and Terminal group to ipphone.


Switches

page is displayed.

Switches

g. Add an authorization rule.
authorization Rule.
the IP phone. Set Name to ipphone, click MAC bypass authentication, set
Terminal Group to ipphone, and set Authorization result to voice vlan 100.

Switches

Switches

l You can see that the IP phone can correctly obtain IP address through the menu of the IP
phone.
about IP phones.
------------------------------------------------------------------------------
------------------------------------------------------------------------------

------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA

Switches
#
#
vlan batch 100 200
#
dhcp enable
#
dhcp snooping enable
#
%^%#
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
voice-vlan 100 enable include-untagged
#
#
dhcp snooping trusted
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
l SwitchA configuration file (V200R009C00, V200R010C00, and V200R011C00)

#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-
ffff-0000
#
vlan batch 100 200
#
authentication-profile name ipphone
mac-access-profile ipphone
#
dhcp enable
#

Switches
#
%^%#
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
#
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
#
return

#
sysname SwitchA
#
voice-vlan mac-address 001b-d4c7-0000 mask ffff-
ffff-0000
#
vlan batch 100 200
#
#
dhcp enable
#
#
%^%#
#

Switches
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
undo lldp enable
#
undo lldp enable
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
#
return

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
gateway-list 10.20.20.1
network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return

Switches

Cisco IP Phones Using HDP
l Overview
l Data Plan
l Procedure
Overview
A Cisco IP phone can obtain a voice VLAN ID through the Cisco Discovery Protocol (CDP)
only. A Huawei switch provides the Huawei Discovery Protocol (HDP) to allocate a voice
VLAN ID to the Cisco phone. To provide the HDP function, enable CDP-compatible LLDP
on the interface.
Switches.
Configuration Notes
This example applies to all versions of all S series switches.
network through VoIP. Cisco IP phones are deployed and can obtain voice VLAN IDs through
CDP only. The network plan should meet the following requirements:
l The priority of voice packets sent by IP phones is low and needs to be increased to
ensure communication quality.
l IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a
different network segment from that of the DHCP server.
l IP phones need to connect to switches through 802.1X authentication.

Switches
Figure 1-8 Networking diagram of connecting switches to Cisco IP phones using HDP
Authentication
server
intranet

GE1/0/3
GE1/0/3
DHCP relay Switch A
GE1/0/1 GE1/0/2
To implement interoperation between switches and IP phones using HDP, IP phones need to
obtain the voice VLAN, apply for IP addresses, go online after authentication, and send
packets. Figure 1-9 shows the process for interoperation between switches and Cisco IP
phones using HDP.
phones to go online after authentication can be performed simultaneously.

Switches
Figure 1-9 Process for interoperation between switches and Cisco IP phones using HDP
Cisco IP phone
Obtain the 1. Power on the IP phone, turn the switch

voice VLAN interface to Up, and send a CDP packet. 2. Enable the CDP-
ID compatible LLDP function
on the switch.
3. Send an HDP packet containing

the voice VLAN ID.
Apply for an
Go online
1. Send an authentication request to
after
the authentication server.
authentication
Send
1. Send a packet carrying VLAN tags. 2. Identify the voice packet
packets
and improve the packet
priority.

l Enable the CDP-compatible LLDP function to allocate voice VLAN IDs to Cisco IP
phones.
l Enable the voice VLAN function to increase the packet priority.
phones.
authentication.
Data Plan
Item Value
Voice VLAN VLAN 100

Switches
Item Value

0021-a08f-0002

Item Value




server

server
Procedure
Step 1 Enable the voice VLAN function on SwitchA.
# Create voice VLAN 100.
# Add interfaces to the voice VLAN.


Switches
# Enable the voice VLAN function on the interface.

[SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000 //In earlier
versions of V200R003, the OUI needs to be configured. The OUI corresponds to the
IP phone's MAC address. In V200R003 and later versions, the OUI does not need to
be configured.
Step 2 Enable CDP-compatible LLDP on SwitchA.

[SwitchA-GigabitEthernet1/0/1] voice-vlan legacy enable
[SwitchA-GigabitEthernet1/0/2] voice-vlan legacy enable


VLANIF 100.




to IP phones.

Switches




Step 4 Configure an AAA domain and 802.1X authentication for IP phones.

named ipphone.

[SwitchA] aaa
RADIUS.
[SwitchA-aaa] quit
2. Configure 802.1X authentication for IP phones.


Switches
# Enable 802.1X authentication on an interface.

[SwitchA-GigabitEthernet1/0/1] authentication dot1x //Enable 802.1X
authentication.
[SwitchA-GigabitEthernet1/0/2] authentication dot1x



[SwitchA-authen-profile-ipphone] dot1x-access-profile ipphone //Bind
the 802.1X access profile ipphone to the authentication profile.

the 802.1X authentication profile and enable 802.1X authentication.
b. Add a common account.
ii. Click Add in the operation area on the right, and create an 802.1X account.
Click Common account and enter the user name and password. The
configured user name and password must be the same as those configured on
the IP phone, and the account is configured to be the same as the user name.

Switches
iii. Click OK to complete the configuration. Be aware that the account belongs to
the user group named ROOT.
based on the time.

Switches

d. Add an authentication rule.
the IP phone. Set Name to ipphone, click Access, set User group to ROOT,
and select allowed authentication protocols under Authentication Rule.

Switches

Switches

e. Add an authorization result.
Set Name to voice vlan 100, Service type to Access, and VLAN under
Authorization Parameter to 100.

Switches
iii. Click Add to add authorization information. Set Vendor/Standard attribute

to Huawei, Attribute ID/name to HW-Voice-Vlan(33), and Attribute type
to Integer. If Attribute value is set to 1, VLAN 100 is a voice VLAN.
page is displayed.
v. Select the added authorization information.

Switches

f. Add an authorization rule.
After the check in the authentication phase is passed, the authorization phase starts.
During this phase, the Agile Controller assigns rights to users based on
authorization rules.
Authorization Rule.
and set Authorization result to voice vlan 100.

Switches

Switches

about IP phones.
------------------------------------------------------------------------------
------------------------------------------------------------------------------

------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA

Switches
#
#
vlan batch 100 200
#
undo authentication unified-mode
#
dhcp enable
#
%^%#
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
voice-vlan legacy enable
authentication dot1x
#
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
#
sysname SwitchA
#
vlan batch 100 200
#
dot1x-access-profile ipphone
#
dhcp enable
#
%^%#
#

Switches
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
#
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x-access-profile name ipphone
#
return

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return

Switches
1.6 Interoperation Between Switches and IP Phones

Through LLDP-MED
l Overview
l Data Plan
l Procedure
Overview
If an IP phone can obtain the voice VLAN through the network-policy TLV field of LLDP
and the voice packet sent by the IP phone has a higher priority, you can configure the lldp tlv-
enable med-tlv network-policy voice-vlan command on the switch to assign a voice VLAN
to the IP phone, and configure the trusted packet priority on the interface to connect the IP
phone to the network.
Switches.
Configuration Notes
l This example applies to all models of V200R002 and later versions.
network through VoIP. IP phones can obtain voice VLAN IDs from the network-policy TLV
field of LLDP. The network plan should meet the following requirements:
l Voice packets sent by IP phones can carry VLAN tags and have a high priority, and only
the trusted packet priority needs to be configured on switches.
l IP phones need to connect to switches through 802.1X authentication and MAC address
authentication.

Switches
Figure 1-10 Networking diagram of connecting switches to IP phones through LLDP-MED

Authentication
server
intranet

GE1/0/3
GE1/0/3
DHCP relay Switch A
GE1/0/1 GE1/0/2
To implement interoperation between switches and IP phones through LLDP-MED, IP phones
need to obtain the voice VLAN, apply for IP addresses, go online after authentication, and
send packets. Figure 1-11 shows the process for interoperation between switches and IP
phones through LLDP-MED.
phones to go online after authentication can be performed simultaneously.

Switches
Figure 1-11 Process for interoperation between switches and IP phones through LLDP-MED
IP phone
Obtain the 1. Power on the IP phone and

2. Enable LLDP on
voice VLAN turn the switch interface to Up.
the switch to send a
ID MED TLV message.
3. Send an LLDP packet containing

the voice VLAN ID.
Apply for an
Go online
Send
1. Send a packet carrying VLAN tags. 2. Enable the trusted
packets
packet priority and forward
the packet directly.

l Enable LLDP to allocate a voice VLAN to IP phones.
l Configure the trusted packet priority on the interface so that packets are forwarded based
on their original priorities.
phones.
authentication.
Data Plan
Item Value
Voice VLAN VLAN 100

Switches
Item Value

0021-a08f-0002
Authentication mode 802.1X authentication and MAC address

authentication. 802.1X authentication is
performed first. If the authentication fails,
MAC address authentication is performed.

Item Value




server

server
Procedure
Step 1 Enable LLDP on SwitchA and configure the network-policy TLV field on interfaces.
[SwitchA] lldp enable //After LLDP is enabled globally, LLDP is enabled on all
interfaces by default.
[SwitchA-GigabitEthernet1/0/1] lldp tlv-enable med-tlv network-policy voice-vlan
vlan 100 cos 6 dscp 60 //Configure the switch to use the network-policy TLV
field to allocate a voice VLAN ID and priority to IP phones.
[SwitchA-GigabitEthernet1/0/2] lldp tlv-enable med-tlv network-policy voice-vlan
vlan 100 cos 6 dscp 60

Switches

# Add interfaces to voice VLAN 100.

Step 3 Configure the interface to trust the packet priority.

[SwitchA-GigabitEthernet1/0/1] trust 8021p inner //The trust 8021p (inner)
command varies by device model.
[SwitchA-GigabitEthernet1/0/2] trust 8021p inner

VLANIF 100.





Switches

to IP phones.



Step 5 Configure an AAA domain and configure 802.1X authentication and MAC address
authentication for IP phones.
named ipphone.

[SwitchA] aaa
RADIUS.
[SwitchA-aaa] quit
2. Configure 802.1X authentication and MAC address authentication for IP phones.


Switches
# Set the NAC mode to traditional.

[SwitchA] undo authentication unified-mode //By default, the switch
uses the unified mode. When the traditional and unified modes are
switched, the administrator must save the configuration and restart the
switch to make the configuration take effect.
# Enable 802.1X authentication and MAC address authentication on interfaces.

[SwitchA-GigabitEthernet1/0/1] dot1x mac-bypass //Enable MAC address
bypass authentication. MAC address authentication is used when 802.1X
authentication fails.
[SwitchA-GigabitEthernet1/0/2] dot1x mac-bypass


named ipphone.

[SwitchA-authen-profile-ipphone] authentication dot1x-mac-bypass //
Enable MAC address bypass authentication.

the authentication profile.

Switches
based on the time.

Switches

d. Add MAC address information of an IP phone to the Agile Controller. If 802.1X
authentication fails, MAC address authentication is performed.

Switches

group ipphone.
the IP phone.

Switches

Authentication Rule

Switches
the IP phone using 802.1X authentication. Set Name to ipphone_8021x, click
Access, set User group to ROOT, and select allowed authentication protocols
under Authentication Rule.

Switches

iv. Click Add again and add an authentication rule for the IP phone using MAC
address authentication. Set Name to ipphone_mac, Service type to MAC
bypass authentication, and Terminal group to ipphone.

Switches

ii. Click Add in the operation area on the right and add an authorization result
after 802.1X authentication. Set Name to 8021X_voice vlan 100, Service type
to Access, and VLAN under Authorization Parameter to 100.

Switches

page is displayed.

Switches

vii. Click Add again and add an authorization result after MAC address
authentication. Set Name to mac_voice vlan 100, Service type to MAC
bypass authentication, and VLAN under Authorization Parameter to 100.

Switches
viii. Click Add under customized authorization parameter to add authorization

ix. Click OK to complete the configuration, and the Add Authorization Result
page is displayed.
x. Add authorization information on the page.

Switches
xi. Click OK to complete the configuration.

Authorization Rule.
the IP phone using 802.1X authentication. Set Name to ipphone_8021X, click
Access, set User group to ROOT, and set Authorization result to
8021X_voice vlan 100.

Switches

Switches

iv. Click Add again and add an authorization rule for the IP phone using MAC
address authentication. Set Name to ipphone_mac, click MAC bypass
authentication, set Terminal Group to ipphone, and set Authorization
result to mac_voice vlan 100.

Switches

Switches

about IP phones.
------------------------------------------------------------------------------
------------------------------------------------------------------------------

------------------------------------------------------------------------------
----End
Configuration Files
l SwitchA configuration file (V200R007C00 and V200R008C00)
#
sysname SwitchA

Switches
#
vlan batch 100 200
#
undo authentication unified-mode
#
lldp enable
#
dhcp enable
#
%^%#
#
aaa
service-scheme ipphone
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
100
trust 8021p
inner
lldp tlv-enable med-tlv network-policy voice-vlan vlan 100 cos 6 dscp 60

dot1x mac-bypass
#
trust 8021p
inner

dot1x mac-bypass
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return

#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name
ipphone
dot1x-access-profile
ipphone

Switches
mac-access-profile
ipphone
authentication dot1x-mac-bypass
#
lldp enable
#
dhcp enable
#
%^%#
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
trust 8021p
inner

#
trust 8021p
inner

#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x_access_profile
ipphone
mac-access-profile name
mac_access_profile

Switches

#
return

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return

Through MAC Address-based VLAN Assignment
l Overview
l Data Plan
l Procedure
Overview
If an IP phone does not support LLDP or DHCP, a switch cannot allocate a voice VLAN ID to
it. You can configure MAC address-based VLAN assignment on the switch. Then the switch
identifies voice packets based on the MAC address of the IP phone and increases the priority
of voice packets.
Switches.
Configuration Notes
l This example applies to all versions of all S series switches.

Switches
l The priority of voice packets needs to be increased to ensure communication quality.
l IP phones can go online without authentication because the network environment is
secure.
Figure 1-12 Networking diagram of connecting switches and IP phones through MAC
address-based VLAN assignment
Authentication
server
intranet

GE1/0/3
GE1/0/3
DHCP relay Switch A
GE1/0/1 GE1/0/2
To implement interoperation between switches and IP phones through MAC address-based
VLAN assignment, you need to apply for IP addresses for IP phones, bring IP phones online
without authentication, and conduct communication normally. Figure 1-13 shows the process
for interoperation between switches and IP phones through MAC address-based VLAN
assignment. In this mode, the authentication server does not need to be configured.
The operations of applying for IP addresses and enabling IP phones to go online without

Switches
Figure 1-13 Process for interoperation between switches and IP phones through MAC
address-based VLAN assignment
IP phone
Apply for an
Go online
2. Bring the IP phone online without
authentication.
Send
1. Send a packet without VLAN tags. 2. Match the MAC
packets
address and improve the
packet priority.

l Configure MAC address-based VLANs, assign VLANs to IP phones, and increase the
priority.
phones.
l Configure IP phones to go online without authentication.
Data Plan

Item Value
Voice VLAN VLAN 100

0021-a08f-0002
Authentication mode Non-authentication

Switches

Item Value




server

server
Procedure

mode.
Step 2 Enable MAC address-based VLAN assignment.

[SwitchA] vlan 100
[SwitchA-vlan100] mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority
6 //The MAC address corresponds to the MAC address of the IP phone. The mask can
be used. This command adds VLAN 100 to untagged packets with the source MAC
address starting from 001b-d4c7 and changes the 802.1p priority to 6.
[SwitchA-vlan100] mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
[SwitchA-vlan100] quit
[SwitchA-GigabitEthernet1/0/1] mac-vlan enable //Enable MAC address-based VLAN
assignment on an interface. When the interface receives untagged packets, the
packets are processed based on the binding between MAC addresses and VLANs.

Switches
[SwitchA-GigabitEthernet1/0/2] mac-vlan enable


VLANIF 100.




to IP phones.



Switches

Step 4 Configure an AAA domain and configure voice terminals can go online without
authentication.
named ipphone.
# Configure a service scheme and an authentication scheme.

[SwitchA] aaa
[SwitchA-aaa] service-scheme ipphone //Create a service scheme named ipphone.
[SwitchA-aaa-service-ipphone] quit
RADIUS.
[SwitchA-aaa-domain-default] service-scheme ipphone //Bind the service
[SwitchA-aaa] quit
2. Configure the switch to assign a network access policy to voice terminals through a
service scheme. The network access policy defines that voice terminals can go online
without authentication.
– V200R007C00 and V200R008C00
# Configure the switch to assign a network access policy to voice terminals through
a service scheme. The network access policy defines that voice terminals can go
online without authentication.
[SwitchA] authentication device-type voice authorize service-scheme
ipphone


Switches

[SwitchA] authentication-profile name ipphone //Create an
authentication profile named ipphone.
[SwitchA-authen-profile-ipphone] authentication device-type voice
authorize service-scheme ipphone //Configure voice terminals can go
online without authentication.

the authentication profile to the interface.

l You can see that the IP phone can correctly obtain the IP address through the menu of the
IP phone.
l The display mac-address vlan 100 command output on SwitchA displays connection
information about IP phones.
[SwitchA] display mac-address vlan 100
------------------------------------------------------------------------------
-
MAC Address VLAN/VSI Learned-From
Type
------------------------------------------------------------------------------
-
001b-d4c7-1fa9 100/- GE1/0/1
dynamic
0021-a08f-2fa8 100/- GE1/0/2
dynamic
------------------------------------------------------------------------------
-
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 200
#
lldp enable
#
dhcp enable
#
vlan 100
mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority 6
mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
#
authentication device-type voice authorize service-scheme ipphone
#
%^%#

Switches
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
mac-vlan enable
#
mac-vlan enable
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
#
sysname SwitchA
#
vlan batch 100 200
#
authentication device-type voice authorize service-scheme ipphone
#
vlan 100
mac-vlan mac-address 001b-d4c7-1fa9 ffff-ffff-0000 priority 6
mac-vlan mac-address 0021-a08f-0000 ffff-ffff-0000 priority 6
#
lldp enable
#
dhcp enable
#
%^%#
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay

Switches

#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
mac-vlan enable
#
mac-vlan enable
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return

Through the PVID of the Voice VLAN ID
l Overview
l Data Plan
l Procedure

Switches
Overview
If an IP phone sends packets with VLAN 0 or untagged packets, the PVID of an interface can
be added to the voice packets. Then the priority of the voice packets is increased based on the
VLAN ID. In versions earlier than V200R003C00, switches do not support OUI-based voice
VLANs. If an IP phone can send only packets with VLAN 0 or untagged packets, the IP
phone can access the switch in this mode.
Switches.
Configuration Notes
l This example applies to all versions of all S series switches.
l IP phones need to connect to switches through MAC address authentication.
Figure 1-14 Networking diagram of connecting switches to IP phones through the PVID of
the voice VLAN ID
Authentication
server
intranet

GE1/0/3
GE1/0/3
DHCP relay Switch A
GE1/0/1 GE1/0/2

Switches
To implement interoperation between switches and IP phones through the PVID of the voice
VLAN ID, you need to apply for IP addresses for IP phones, bring IP phones online after
interoperation between switches and IP phones through the PVID of the voice VLAN ID.
Figure 1-15 Process for interoperation between switches and IP phones through the PVID of
the voice VLAN ID
IP phone
Apply for an
Go online
Send 2. Match the MAC

1. Send a packet without VLAN tags.
packets address and improve the
packet priority.

l Configure VLANs to IP phones through the PVID and enable the voice VLAN function
to improve the packet priority.
phones.
authentication.

Switches
Data Plan

Item Value
Voice VLAN VLAN 100

0021-a08f-0002

Item Value




server

server
Procedure


Switches

mode.
Step 2 Enable the voice VLAN function on an interface of SwitchA and set the PVID of the interface
to the voice VLAN ID.
[SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable //Enable the voice VLAN
function on the interface.
[SwitchA-GigabitEthernet1/0/1] voice-vlan remark-mode mac-address //In V200R003
and later versions, the interface needs to be configured to identify voice
packets based on MAC addresses. This configuration is not required in earlier
versions of V200R003.
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100 //Configure the PVID.
[SwitchA-GigabitEthernet1/0/2] voice-vlan remark-mode mac-address
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000

VLANIF 100.





Switches

to IP phones.



Step 4 Configure an AAA domain and MAC address authentication for IP phones.
named ipphone.

[SwitchA] aaa
RADIUS.
[SwitchA-aaa] quit
2. Configure MAC address authentication for IP phones.


Switches


[SwitchA-GigabitEthernet1/0/1] authentication mac-authen //Enable MAC
address authentication.

# Configure a MAC access profile.

named ipphone


the MAC address authentication profile and enable MAC address
authentication.
b. Add a MAC account based on the MAC address of the IP phone.
ii. Click Add in the operation area on the right. Account type select MAC
Address Account. Enter the MAC address of the IP phone and enter the
account name randomly.

Switches

based on the time.

Switches

d. Add MAC address information of an IP phone to the Agile Controller.

Switches

group ipphone.
the IP phone.


Switches

Authentication Rule
the IP phone. Set Name to ipphone, Service type to MAC bypass
authentication, and Terminal group to ipphone.


Switches

page is displayed.

Switches

authorization Rule.
the IP phone. Set Name to ipphone, click MAC bypass authentication, set
Terminal Group to ipphone, and set Authorization result to voice vlan 100.

Switches

Switches

phone.
about IP phones.
------------------------------------------------------------------------------
------------------------------------------------------------------------------

------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA

Switches
#
#
vlan batch 100 200
#
dhcp enable
#
%^%#
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
voice-vlan remark-mode mac-address
port hybrid pvid vlan 100
#
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
#
sysname SwitchA
#
#
vlan batch 100 200
#
#
dhcp enable
#
%^%#

Switches

#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
#
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
#
return

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return

Switches

Through an ACL
l Overview
l Data Plan
l Procedure
Overview
If an IP phone does not support LLDP or DHCP, a switch cannot assign a voice VLAN ID to
the IP phone. In this case, the IP phone can interoperate with the switch through an ACL. That
is, you can run the port add-tag acl command on an interface to identify voice packets and
increase the priority of voice packets.
Switches.
Configuration Notes
l In this example, the port add-tag acl command is supported on all S series modular
switches and on the following S series fixed switches:
– S2700 series: S2752EI
– S3700 series: all models
– S5700 series: S5700EI, S5700HI, S5710EI, S5720EI, S5710HI, S5720HI, and
S5730HI
– S6700 series: S6700EI, S6720EI, S6720S-EI, and S6720HI
l If an IP phone sends tagged packets with VLAN 0, the switch does not add the voice
VLAN ID to the tagged packets. As a result, the IP phone cannot interoperate with the
switch. You can change the configuration of the IP phone or use other methods to
connect the IP phone to the switch.

Switches
Figure 1-16 Networking diagram of connecting switches to IP phones through an ACL

Authentication
server
intranet

GE1/0/3
GE1/0/3
DHCP relay Switch A
GE1/0/1 GE1/0/2
To implement interoperation between switches and IP phones through an ACL, you need to
apply for IP addresses for IP phones, bring IP phones online after authentication, and conduct
communication normally. Figure 1-17 shows the process for interoperation between switches
and IP phones through an ACL.

Switches
Figure 1-17 Process for interoperation between switches and IP phones through an ACL
IP phone
Apply for an
Go online
Send
1. Send a packet without VLAN tags. 2. Match the voice packet
packets
through the ACL and improve
the packet priority.

l Configure an ACL to identify voice packets, add the voice VLAN ID to the voice
packets, and increase the priority.
phones.
authentication.
Data Plan

Item Value
Voice VLAN VLAN 100

0021-a08f-0002

Switches

Item Value




server

server
Procedure

mode.
Step 2 Configure an ACL to identify voice packets, and add the voice VLAN ID to the voice packets
and increase the priority.
[SwitchA] acl 4000
[SwitchA-acl-L2-4000] rule permit source-mac 001d-a21a-0000 ffff-ffff-0000 //The
IP phone's MAC address uses the 24-bit mask.
[SwitchA-acl-L2-4000] rule permit source-mac 0021-a08f-0000 ffff-ffff-0000 //
This is the MAC address of another IP phone.
[SwitchA-acl-L2-4000] quit
[SwitchA-GigabitEthernet1/0/1] port add-tag acl 4000 vlan 100 remark-8021p 6 //
Configure ACL 4000. The switch tags VLAN 100 to the packets that match ACL 4000

Switches
and changes the 802.1p priority to 6.

[SwitchA-GigabitEthernet1/0/2] port add-tag acl 4000 vlan 100 remark-8021p 6

VLANIF 100.




to IP phones.



Switches



named ipphone.

[SwitchA] aaa
RADIUS.
[SwitchA-aaa] quit


authentication.


Switches




Switches
based on the time.

Switches


Switches

Switches


Switches

page is displayed.

Switches

Authorization Rule.

Switches

Switches

phone.
about IP phones.
------------------------------------------------------------------------------
------------------------------------------------------------------------------

------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA

Switches
#
vlan batch 100 200
#
dhcp enable
#
radius-server template iphone
%^%#
#
acl number
4000
rule 5 permit source-mac 001d-a21a-0000 ffff-ffff-0000
rule 10 permit source-mac 0021-a08f-0000 ffff-ffff-0000
#
aaa
domain default
radius-server iphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
port hybrid untagged vlan
100
port add-tag acl 4000 vlan 100 remark-8021p 6
#
100
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name iphone
dot1x-access-profile iphone
#
dhcp enable
#
radius-server template iphone
%^%#

Switches
acl number
4000
#
aaa
domain default
radius-server iphone
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
100
authentication-profile iphone
#
100
authentication-profile iphone
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x-access-profile name iphone
#
return

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool ip-phone
network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return

Switches

Through a Simplified Traffic Policy
l Overview
l Data Plan
l Procedure
Overview
If an IP phone does not support LLDP or DHCP, a switch cannot assign a voice VLAN ID to
the IP phone. In this case, the IP phone can interoperate with the switch through an ACL-
based simplified traffic policy. That is, you can run the traffic-remark inbound acl
command on an interface to identify voice packets and increase the priority of voice packets.
Switches.
Configuration Notes
l This example applies to all versions and models of fixed switches.
l This example applies to all models of modular switches of V200R005C00 and later
versions.
l The priority of voice packets needs to be increased to ensure communication quality.

Switches
Figure 1-18 Networking diagram of connecting switches to IP phones through a simplified

traffic policy
Authentication
server
intranet

GE1/0/3
GE1/0/3
DHCP relay Switch A
GE1/0/1 GE1/0/2
To implement interoperation between switches and IP phones through a simplified traffic
policy, you need to apply for IP addresses for IP phones, bring IP phones online after
interoperation between switched and IP phones through a simplified traffic policy.

Switches
Figure 1-19 Process for interoperation between switches and IP phones through a simplified
traffic policy
IP phone
Apply for an
Go online
Send
1. Send a packet without VLAN tags. 2. Identify the voice packet
packets
through the traffic policy and
improve the packet priority.

l Configure an ACL-based simplified traffic policy to identify voice packets, add the voice
VLAN ID to the voice packets, and increase the priority.
phones.
authentication.
Data Plan
Item Value
Voice VLAN VLAN 100

0021-a08f-0002

Switches

Item Value




server

server
Procedure

mode.
Step 2 Configure an ACL to identify voice packets, and add the voice VLAN ID to the voice packets
and increase the priority.
[SwitchA] acl 4000
[SwitchA-acl-L2-4000] rule permit source-mac 001d-a21a-0000 ffff-ffff-0000 //The
IP phone's MAC address uses the 24-bit mask.
[SwitchA-acl-L2-4000] rule permit source-mac 0021-a08f-0000 ffff-ffff-0000 //
This is the MAC address of another IP phone.
[SwitchA-acl-L2-4000] quit
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100 //The interface tags
the PVID of 100 to received untagged packets.

Switches
[SwitchA-GigabitEthernet1/0/1] traffic-remark inbound acl 4000 8021p 6 //

Configure ACL-based re-marking on the interface, and change the 802.1p priority
of packets matching ACL 4000 to 6.
[SwitchA-GigabitEthernet1/0/1] traffic-remark inbound acl 4000 dscp 46 //Change
the DSCP priority of packets matching ACL 4000 to 46.
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/2] traffic-remark inbound acl 4000 8021p 6
[SwitchA-GigabitEthernet1/0/2] traffic-remark inbound acl 4000 dscp 46

VLANIF 100.




to IP phones.


Switches




named ipphone.

[SwitchA] aaa
RADIUS.
[SwitchA-aaa] quit


authentication.

Switches





Switches
based on the time.

Switches


Switches

Switches


Switches

page is displayed.

Switches

Authorization Rule.

Switches

Switches

phone.
about IP phones.
------------------------------------------------------------------------------
------------------------------------------------------------------------------

------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA

Switches
#
vlan batch 100 200
#
dhcp enable
#
%^%#
#
acl number
4000
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
100
100
traffic-remark inbound acl 4000 8021p
6
traffic-remark inbound acl 4000 dscp ef
#
100
100
6
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
#
sysname SwitchA
#
vlan batch 100 200
#
dot1x-access-profile ipphone

Switches
#
dhcp enable
#
%^%#
#
acl number
4000
#
aaa
domain default
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
100
100
6
#
100
100
6
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
dot1x-access-profile name ipphone
#
return

#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#

Switches
ip pool ip-phone
network 10.20.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return
1.11 Appendix 1: Common Causes for IP Phones' Login

Failures and Workaround
The following describes common causes.
l Cause 1: An Avaya Phone Cannot Go Online Because It Cannot Obtain an IP
Address Within 60s
l Cause 2: An Avaya Phone Cannot Go Online When It Uses MAC Address
Authentication and the Switch of an Earlier Version of V200R003C00 Is Enabled
with MAC Address Bypass Authentication
l Cause 3: An IP Phone Cannot Go Online Because the VLANs for Authentication
and Forwarding Voice Flows Are Different
l Cause 4: An IP Phone Is Enabled with 802.1X Authentication and the Switch Is
Configured with MAC Address Bypass Authentication. When 802.1X
Authentication of the IP Phone Fails, the Switch Does Not Perform MAC Address
Authentication. Consequently, the IP Phone Cannot Go Online
l Cause 5: The IP Phone Goes Online and Offline Frequently Because It Does Not
Respond to ARP Offline Probe Packets Sent by the Switch
l Cause 6: Customized Options Are Not Configured for a Switch Functioning as the
DHCP Server. As a Result, Mitel 5212 Phones Fail to Go Online
Cause 1: An Avaya Phone Cannot Go Online Because It Cannot Obtain an IP

Address Within 60s
The Avaya phone fails to obtain an IP address through DHCP within 60s due to the network
delay or other causes. After the timer expires, the Avaya phone sends packets tagged with
VLAN 0 repeatedly. The switch processes packets tagged with VLAN 0 in the same manner
as untagged packets, that is, in the VLAN specified by the PVID of an interface. Such packets
are not processed in the voice VLAN. As a result, the Avaya phone fails to be authenticated
and cannot connect to the switch.
Workaround
l Method 1: In V200R003C00 and later versions, you are advised to configure the OUI-
based voice VLAN. The switch then adds the voice VLAN ID to untagged packets so
that the packets can be forwarded in the voice VLAN. For details, see 1.4
(Recommended) Interoperation Between Switches and IP Phones Through the
OUI-based Voice VLAN. For the fixed switches (S5720EI, S6720EI, S6720S-EI), and
modular switches (excluding X series cards), you can also use the voice-vlan vlan-id

Switches
enable include-tag0 command to enable the voice VLAN for packets tagged with
VLAN 0 in V200R010 and later versions.
l Method 2: Modify the value of the VLAN TEST timer of the IP phone: Press the star key
(*) and enter the password to access the menu. Select VLAN TEST and change the
default value to 0 (no timeout). After the Avaya phone restarts, the timer settings are no
longer effective and must be reconfigured.
Cause 2: An Avaya Phone Cannot Go Online When It Uses MAC Address

Authentication and the Switch of an Earlier Version of V200R003C00 Is Enabled
with MAC Address Bypass Authentication
The switch enabled with MAC address bypass authentication performs MAC address
authentication only when the timeout interval of the 802.1X client is exceeded. In earlier
versions of V200R003C00, the timeout interval of the 802.1X client is 30s. That is, MAC
address authentication is performed after 30s. The value of the timer of the Avaya phone is
60s. If the Avaya phone fails to be authenticated within 30s, it sends only packets tagged with
VLAN 0. As a result, the Avaya phone cannot go online.
Workaround
[HUAWEI] dot1x timer client-timeout 5 //Change the authentication timeout
interval of the client to 5s to increase the MAC address authentication time.
Cause 3: An IP Phone Cannot Go Online Because the VLANs for Authentication

and Forwarding Voice Flows Are Different
An IP phone cannot go online because the VLANs for authentication and forwarding voice
flows are different. The root cause is that the switch forwards only packets from the
authenticated VLAN but discards packets from the non-authenticated VLAN.
Figure 1-20 shows the scenario where the IP phone cannot go online.
Figure 1-20 IP phone cannot go online
Scenario 2: The IP phone

Scenario 1: An IP phone
that sends packets tagged
cannot go online using
IP phone 802.1x authentication. Switch with VLAN 0 or untagged
IP phone Switch
packets cannot go online.
1. Send DHCP Discover
messages tagged with VLAN 0
2. Forward or untagged DHCP Discover
1. Send untagged EAP packets. 2. The packets
authentication messages.
tagged with VLAN
packets in 0 or untagged
VLAN packets are
3. Use the PVID for authentication. specified by 3. Use the PVID for authentication. forwarded in the
PVID. VLAN specified by
the PVID.
4. Obtain voice VLAN ID through 4. Obtain voice VLAN ID through
LLDP. The voice VLAN ID is LLDP. The voice VLAN ID is
different from the PVID. different from the PVID.
5. Use the voice VLAN for 5. Use the voice VLAN for
communication. The login fails. communication. The login fails.
Workaround

Switches
l Method 1: In V200R003C00 and later versions, you are advised to configure the OUI-
based voice VLAN. For details, see 1.4 (Recommended) Interoperation Between
Switches and IP Phones Through the OUI-based Voice VLAN.
l Method 2: In V200R010 and later versions, MAC address migration can be enabled so
that IP phones can be authenticated based on the PVID and voice VLAN ID.
[HUAWEI] authentication mac-move enable vlan 10 100 //Assume that the PVID
of the interface is VLAN 10 and the voice VLAN ID is VLAN 100.
l Method 3: Configure the blacklist so that the switch discards the packets that come from
the IP phone and are forwarded based on the PVID. In this case, the authenticated VLAN
and voice VLAN of the IP phone are the same.
a. Configure an ACL rule to match the MAC address of the IP phone and PVID of the
interface.
[HUAWEI] acl number 4000
[HUAWEI-acl-L2-4000] rule 5 permit source-mac ac44-f211-df8e vlan-id
1 //Assume that the MAC address of the IP phone is ac44-f211-df8e and
the PVID is VLAN 1.
[HUAWEI-acl-L2-4000] quit
b. Configure an attack defense policy.

[HUAWEI] cpu-defend policy p1
[HUAWEI-cpu-defend-policy-p1] blacklist 1 acl 4000 //Configure the
blacklist.
[HUAWEI-cpu-defend-policy-p1] quit
c. Apply the attack defense policy globally.

[HUAWEI] cpu-defend-policy p1 global
l Method 4: Configure dynamic VLAN authorization. If different interfaces use different

voice VLAN IDs, configuring dynamic VLAN authorization cannot prevent the problem.
You can configure only the unified mode.
a. Configure the same user VLAN ID as the voice VLAN ID in the service scheme.
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme test //Create a service scheme named test.
[HUAWEI-aaa-service-test] user-vlan 100 //Configure a user VLAN. The
user VLAN ID is the voice VLAN ID.
[HUAWEI-aaa-service-test] voice-vlan //Enable the voice VLAN function.
[HUAWEI-aaa-service-test] quit
b. Apply the service scheme to the default domain.

[HUAWEI-aaa] domain default
[HUAWEI-aaa-domain-default] service-scheme test
[HUAWEI-aaa-domain-default] quit
[HUAWEI-aaa] quit
c. Authorize the voice VLAN through the server. Set the authorization VLAN ID to
the voice VLAN ID and set Attribute ID/name to HW-Voice-vlan(33). The Agile
Controller is used as an example.
Choose Policy > Permission Control > Authentication & Authorization >
Authorization Result and click Add to create an authorization result.

Switches

Switches
Cause 4: An IP Phone Is Enabled with 802.1X Authentication and the Switch Is

Configured with MAC Address Bypass Authentication. When 802.1X
Authentication of the IP Phone Fails, the Switch Does Not Perform MAC
Address Authentication. Consequently, the IP Phone Cannot Go Online
Workaround
l Method 1: Disable 802.1X authentication on the IP phone.
a. Disable 802.1X authentication on the Avaya phone:
i. Press the star key (*), enter the password (27238 by default), and press the
pound key (#) to enter the menu.
ii. Select 802.1X, and set values of Supplicant and Pass-thru to disable.
b. Disable 802.1X authentication on the Cisco phone:
Choose Security Configuration > 8021X Authentication and set Device
Authentication to Disable.
l Method 2: Configure MAC address-prioritized Portal authentication on the switch
interface. Only the common mode supports this configuration.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x mac-bypass mac-auth-first
Cause 5: The IP Phone Goes Online and Offline Frequently Because It Does Not
Respond to ARP Offline Probe Packets Sent by the Switch
To ensure normal online status of the IP phone, the switch sends ARP offline probe packets
with the source IP address of 255.255.255.255 to the IP phone. If the IP phone does not
support response to ARP offline probe packets with the source IP address of 255.255.255.255,
the switch considers the IP phone offline and disconnects the IP phone. In this case, the IP
phone may go online and offline frequently. Check ARP detect fail.
Run the display aaa offline-record all command to check the cause for logout of the IP
phone.
<HUAWEI> display aaa offline-record all
-------------------------------------------------------------------
User name : test@rds
Domain name : default
User MAC : 0021-9746-b67c
User access type : MAC
User access interface : GigabitEthernet0/0/2
Qinq vlan/User vlan : 0/1
User IP address : 192.168.2.2
User IPV6 address : -
User ID : 19
User login time : 2016/10/01 04:49:39
User offline time : 2016/10/01 04:59:43
User offline reason : ARP detect fail
-------------------------------------------------------------------
Are you sure to display some information?(y/n)[y]:
Workaround
l Method 1: Configure the default source IP address of ARP offline detection packets.
[HUAWEI] access-user arp-detect default ip-address 0.0.0.0 //Configure the
default source address of ARP offline probe packets as 0.0.0.0.

Switches
l Method 2: Configure the source IP address and source MAC address of ARP offline
detection packets in the specified VLAN.
[HUAWEI] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address
2222-1111-1234 //Configure the source IP address of ARP offline probe
packets as 192.168.1.1 and the source MAC address as 2222-1111-1234.
Cause 6: Customized Options Are Not Configured for a Switch Functioning as

the DHCP Server. As a Result, Mitel 5212 Phones Fail to Go Online
When a switch functions as the DHCP server, Option 128, Option 129, Option 130, and
Option 131 need to be configured in the address pool of the DHCP server; otherwise, Mitel
5212 phones cannot identify DHCP Offer packets sent by the DHCP server and cannot go
online.
Workaround
Perform the following configurations on the switch and ensure that these fields are included in
sent packets:
[HUAWEI] ip pool ip-phone
[HUAWEI-ip-pool-ip-phone] option 128 ip-address 10.20.20.1
[HUAWEI-ip-pool-ip-phone] option 130 ascii MITEL IP PHONE
1.12 Appendix 2: Guide for Configuring Cisco RADIUS

Authentication Server
When CiscoSecure ACS is used as the RADIUS authentication server and hosts are connected
to IP phones in inline mode, bind user names and passwords of IP phones to the voice VLAN
on the RADIUS server, as shown in Figure 1-21.
Figure 1-21 Networking of the RADIUS server
S Switch V200R006 provides the following optimization:

Switches
l In earlier versions of S Switch V200R006, the voice VLAN attribute (device-traffic-

class=voice) is configured on the RADIUS server to identify the voice VLAN and
authenticate voice services, as shown in Figure 1-22.
In S Switch V200R006 and later versions, the voice VLAN attribute (device-traffic-
class=voice) does not need to be configured. The voice-vlan X enable command is
configured on the switch to identify the voice VLAN and authenticate voice services.
Figure 1-22 Configuring the voice VLAN attribute (device-traffic-class=voice) on the

RADIUS server
l In earlier versions of S Switch V200R006, data and voice services for a VLAN on an
interface can be authenticated simultaneously. In V200R006 and later versions,
authentication is performed one at a time.

01-01 Interoperation Between Huawei Switches and IP Phones

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01-01 Interoperation Between Huawei Switches and IP Phones

Uploaded by

Copyright:

Available Formats

S2700, S3700, S5700, S6700, S7700, and S9700 Series

1 Interoperation Between Huawei Switches

About This Chapter

1.1 Overview of Interoperation Between Switches and IP Phones

1.1 Overview of Interoperation Between Switches and IP

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 1

PRI (3 bits) CFI (1 bit) VLAN ID (12 bits)

Table 1-1 Categories of packets sent by IP phones

No. Packet Description

1 The packets carry After IP phones connect to a switch, the

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 2

No. Packet Description

2 The packets carry After IP phones connect to a switch, the switch

3 The packets carry After IP phones connect to a switch, the switch

4 The packets carry After IP phones connect to a switch, the switch

5 The packets do not After IP phones connect to a switch, the switch

Physical Connection of an IP Phone for Interworking

Figure 1-1 Internal structure of the IP phone

Cisco IP Phone 7962

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 3

Figure 1-2 Connecting a downstream PC to an IP phone

Figure 1-3 Connecting the PC and IP phone to the switch separately

1.2 IP Phone Interoperation Solution

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 4

Table 1-2 Summary of solutions for connecting switches to IP phones

1.4 l IP phones cannot obtain voice All models of V200R003C00 and

1.6 l IP phones can obtain voice All models of V200R002 and

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 5

Interoperation Applicable Scenario Applicable S Series Switch

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 6

Interoperation Applicable Scenario Applicable S Series Switch

1.3 (Recommended) Interoperation Between Switches and

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 7

Figure 1-4 Networking diagram of connecting switches to IP phones through LLDP

DHCP server Switch B

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 8

Obtain the 1. Power on the IP phone and

3. Send an LLDP packet containing

4. Obtain the voice VLAN ID.

3. Assign the IP address.

According to the preceding process, the configuration roadmap is as follows:

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 9

Table 1-3 Data plan for IP phones

Voice VLAN VLAN 100

MAC address 001b-d4c7-0001

Address segment 10.20.20.1/24

Authentication mode MAC address authentication

Table 1-4 Data plan for the PC

Data VLAN VLAN 101

Address segment 10.20.30.1/24

Authentication mode 802.1X authentication

Table 1-5 Data plan for communication

VLAN and IP address used by SwitchA to VLAN 200; 10.10.20.1/24

VLAN and IP address used by SwitchB to VLAN 200; 10.10.20.2/24

IP address of SwitchA 192.168.100.200

802.1X access profile name ipphone

MAC access profile name ipphone

IP address of the RADIUS authentication 192.168.100.182

Port number of the RADIUS authentication 1812

Port number of the RADIUS accounting 1813

RADIUS shared key Huawei2012

Issue 13 (2019-05-10) Copyright © Huawei Technologies Co., Ltd. 10

Step 2 Enable the voice VLAN function on SwitchA.

# Add interfaces to the voice VLAN.