S12700 Series Agile Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.

(Recommended) Interoperation Between Switches and IP Phones Through LLDP

Overview

If an IP phone supports LLDP, you can enable LLDP and voice VLAN on the switch to provide VoIP access. Then the switch uses LLDP to deliver the voice VLAN ID to the IP phone and increases the packet priority through the voice VLAN.

For applicable IP phones, see List of IP Phone Models That Can Be Connected to Switches.

Configuration Notes

Networking Requirements

As shown in Figure 3-4, to save investment costs, the customer requires that IP phones and PCs connect to the network through VoIP. The IP phones support LLDP and can obtain voice VLAN IDs through LLDP. The network plan should meet the following requirements:
  • The priority of voice packets sent by IP phones is low and needs to be increased to ensure communication quality.
  • Voice packets are transmitted in VLAN 100, and data packets from PCs are transmitted in VLAN 101.
  • IP addresses of the IP phones and the PC are dynamically allocated by the DHCP server, and they are on a different network segment from the DHCP server.
  • IP phones connect to the switches through MAC address authentication, and the PC connects through 802.1X authentication.
Figure 3-4  Networking diagram of connecting switches to IP phones through LLDP

Configuration Roadmap

To implement interoperation between switches and IP phones through LLDP, IP phones need to obtain the voice VLAN, apply for IP addresses, go online after authentication, and send packets. Figure 3-5 shows the process for interoperation between switches and IP phones through LLDP.

Obtaining the voice VLAN, applying for IP addresses, and going online after authentication can take place simultaneously. The PC connected to the IP phone does not need to obtain VLAN information; it only needs to apply for an IP address and go online after authentication.

Figure 3-5  Process for interoperation between switches and IP phones through LLDP

According to the preceding process, the configuration roadmap is as follows:
  • Enable LLDP to allocate a voice VLAN to IP phones.
  • Enable the voice VLAN function to increase the packet priority.
  • Configure the DHCP relay function and DHCP server to allocate IP addresses to IP phones and the PC.
  • Configure the authentication server and enable IP phones to go online after authentication.

Data Plan

Table 3-3  Data plan for IP phones

Item                  Value
--------------------  --------------------------------
Voice VLAN            VLAN 100
MAC address           001b-d4c7-0001
                      0021-a08f-0002
Address segment       10.20.20.1/24
Authentication mode   MAC address authentication

Table 3-4  Data plan for the PC

Item                  Value
--------------------  --------------------------------
Data VLAN             VLAN 101
Address segment       10.20.30.1/24
Authentication mode   802.1X authentication

Table 3-5  Data plan for communication

Item                                                              Value
----------------------------------------------------------------  ------------------------
VLAN and IP address used by SwitchA to communicate with SwitchB   VLAN 200; 10.10.20.1/24
VLAN and IP address used by SwitchB to communicate with SwitchA   VLAN 200; 10.10.20.2/24
IP address of SwitchA                                             192.168.100.200
802.1X access profile name                                        ipphone
MAC access profile name                                           ipphone
IP address of the RADIUS authentication and accounting server     192.168.100.182
Port number of the RADIUS authentication server                   1812
Port number of the RADIUS accounting server                       1813
RADIUS shared key                                                 Huawei2012

Procedure

  1. Enable LLDP on SwitchA.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] lldp enable  //Enable LLDP globally. By default, LLDP is enabled on an interface.
    

  2. Enable the voice VLAN function on SwitchA.

    # Create voice VLAN 100.

    [SwitchA] vlan batch 100
    

    # Add interfaces to the voice VLAN.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type hybrid   
    [SwitchA-GigabitEthernet1/0/1] port hybrid tagged vlan 100  //Add the interface to voice VLAN 100 in tagged mode.
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type hybrid
    [SwitchA-GigabitEthernet1/0/2] port hybrid tagged vlan 100
    [SwitchA-GigabitEthernet1/0/2] quit
    

    # Enable the voice VLAN function on the interface.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable 
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] voice-vlan 100 enable 
    [SwitchA-GigabitEthernet1/0/2] quit
    

  3. Configure SwitchA to forward data flows.

    [SwitchA] vlan batch 101  //Data flows are transmitted in VLAN 101.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 101  //Set the PVID of the interface to VLAN 101. 
    [SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 101  //Add the interface to VLAN 101 in untagged mode.
    [SwitchA-GigabitEthernet1/0/1] quit

  4. Configure the DHCP relay function and DHCP server.
    1. Configure the DHCP relay function on SwitchA.

      # Configure the DHCP relay function on an interface.

      [SwitchA] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
      [SwitchA] interface Vlanif 100
      [SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0  //Assign an IP address to VLANIF 100.
      [SwitchA-Vlanif100] dhcp select relay  //Enable the DHCP relay function on VLANIF 100.
      [SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2  //Configure the DHCP server address on the DHCP relay agent.
      [SwitchA-Vlanif100] quit
      [SwitchA] interface Vlanif 101
      [SwitchA-Vlanif101] ip address 10.20.30.1 255.255.255.0  //Assign an IP address to VLANIF 101.
      [SwitchA-Vlanif101] dhcp select relay  //Enable the DHCP relay function on VLANIF 101.
      [SwitchA-Vlanif101] dhcp relay server-ip 10.10.20.2  //Configure the DHCP server address on the DHCP relay agent.
      [SwitchA-Vlanif101] quit
      

      # Create VLANIF 200.

      [SwitchA] vlan batch 200
      [SwitchA] interface Vlanif 200
      [SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0  //Configure an IP address for VLANIF 200 for communication with SwitchB.
      [SwitchA-Vlanif200] quit
      

      # Add the uplink interface to VLAN 200.

      [SwitchA] interface gigabitethernet 1/0/3
      [SwitchA-GigabitEthernet1/0/3] port link-type access
      [SwitchA-GigabitEthernet1/0/3] port default vlan 200
      [SwitchA-GigabitEthernet1/0/3] quit
      

      # Configure a default static route.

      [SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2  //The next hop address of the route corresponds to the IP address of VLANIF 200 on SwitchB.
      

    2. Configure SwitchB as the DHCP server to allocate IP addresses to the IP phones and the PC.

      # Configure an address pool.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchB
      [SwitchB] ip pool ip-phone  //Create an address pool to allocate IP addresses to IP phones.
      [SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1  //Configure a gateway address for IP phones.
      [SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0  //Configure allocatable IP addresses in the IP address pool.
      [SwitchB-ip-pool-ip-phone] quit
      [SwitchB] ip pool ip-pc  //Create an address pool to allocate IP addresses to the PC.
      [SwitchB-ip-pool-ip-pc] gateway-list 10.20.30.1  //Configure a gateway address for the PC.
      [SwitchB-ip-pool-ip-pc] network 10.20.30.0 mask 255.255.255.0  //Configure allocatable IP addresses in the IP address pool.
      [SwitchB-ip-pool-ip-pc] quit
      

      # Configure the DHCP server function.

      [SwitchB] dhcp enable  //Enable DHCP globally. By default, DHCP is disabled.
      [SwitchB] vlan batch 200
      [SwitchB] interface Vlanif 200
      [SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0  //Assign an IP address to VLANIF 200.
      [SwitchB-Vlanif200] dhcp select global  //Configure SwitchB to allocate IP addresses from the global IP address pool to the IP phone.
      [SwitchB-Vlanif200] quit
      

      # Add the downlink interface to VLAN 200.

      [SwitchB] interface gigabitethernet 1/0/3
      [SwitchB-GigabitEthernet1/0/3] port link-type access
      [SwitchB-GigabitEthernet1/0/3] port default vlan 200
      [SwitchB-GigabitEthernet1/0/3] quit

      # Configure a return route.

      [SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1  //Configure a return route for IP phones.
      [SwitchB] ip route-static 10.20.30.0 255.255.255.0 10.10.20.1  //Configure a return route for the PC.

  5. Configure an AAA domain, and configure MAC address authentication for IP phones and 802.1X authentication for the PC.
    1. Configure an AAA domain.

      # Create and configure a RADIUS server template.

      [SwitchA] radius-server template ipphone  //Create a RADIUS server template named ipphone.
      [SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812  //Configure the IP address and port number of the RADIUS authentication server.
      [SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813  //Configure the IP address and port number of the RADIUS accounting server.
      [SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012  //Configure the shared key of the RADIUS server.
      [SwitchA-radius-ipphone] quit
      

      # Configure an authentication scheme.

      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme radius  //Create an authentication scheme named radius.
      [SwitchA-aaa-authen-radius] authentication-mode radius  //Set the authentication mode to RADIUS.
      [SwitchA-aaa-authen-radius] quit
      

      # Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.

      [SwitchA-aaa] domain default  //Configure a domain named default.
      [SwitchA-aaa-domain-default] authentication-scheme radius  //Bind the authentication scheme radius to the domain.
      [SwitchA-aaa-domain-default] radius-server ipphone  //Bind the RADIUS server template ipphone to the domain.
      [SwitchA-aaa-domain-default] quit
      [SwitchA-aaa] quit
      

    2. Configure MAC address authentication for IP phones and 802.1X authentication for the PC.

      • V200R007C00 and earlier versions, and V200R008C00

        # Set the NAC mode to unified.

        [SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

        # Enable MAC address authentication on an interface.

        [SwitchA] interface gigabitethernet 1/0/1
        [SwitchA-GigabitEthernet1/0/1] authentication dot1x mac-authen  //Enable 802.1X authentication and MAC address authentication.
        [SwitchA-GigabitEthernet1/0/1] quit
        [SwitchA] interface gigabitethernet 1/0/2
        [SwitchA-GigabitEthernet1/0/2] authentication mac-authen
        [SwitchA-GigabitEthernet1/0/2] quit
        
      • V200R007C20, and V200R009C00 and later versions

        # Set the NAC mode to unified.

        [SwitchA] authentication unified-mode  //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.

        # Configure access profiles.

        [SwitchA] dot1x-access-profile name ipphone  //Create an 802.1X access profile named ipphone.
        [SwitchA-dot1x-access-profile-ipphone] quit
        [SwitchA] mac-access-profile name ipphone  //Create a MAC access profile named ipphone. If no user name and password are specified in the MAC access profile, both the user name and password are MAC addresses without separators or colons.  
        [SwitchA-mac-access-profile-ipphone] quit

        # Configure an authentication profile.

        [SwitchA] authentication-profile name ipphone  //Configure an authentication profile.
        [SwitchA-authen-profile-ipphone] dot1x-access-profile ipphone  //Bind an 802.1X access profile.
        [SwitchA-authen-profile-ipphone] mac-access-profile ipphone  //Bind a MAC access profile.
        [SwitchA-authen-profile-ipphone] authentication dot1x-mac-bypass  //Enable MAC address bypass authentication.
        [SwitchA-authen-profile-ipphone] quit

        # Apply the authentication profile to interfaces.

        [SwitchA] interface gigabitethernet 1/0/1
        [SwitchA-GigabitEthernet1/0/1] authentication-profile ipphone  //Bind an authentication profile.
        [SwitchA-GigabitEthernet1/0/1] quit
        [SwitchA] interface gigabitethernet 1/0/2
        [SwitchA-GigabitEthernet1/0/2] authentication-profile ipphone
        [SwitchA-GigabitEthernet1/0/2] quit
        

    3. Configure the Agile Controller. The display of the Agile Controller varies by version. V100R003C60 is used as an example.

      1. Log in to the Agile Controller.
      2. Create an 802.1X account used for PC authentication.
        1. Choose Resource > User > User Management.
        2. Click Add in the operation area on the right. Click Common account and enter the user name and password. The configured user name and password must be the same as those configured on the PC, and the account is configured to be the same as the user name. Be aware that the account belongs to the user group ROOT.

        3. Click OK to complete the configuration.
      3. Add SwitchA to the Agile Controller.
        1. Choose Resource > Device > Device Management.

        2. Click Add in the operation area on the right. On the Add Device page that is displayed, set Name to SwitchA and IP address to 192.168.100.200 (IP address used by SwitchA to communicate with the Agile Controller). Select Enable RADIUS, and set Authentication/Accounting key and Authorization key to Huawei2012 (shared key configured on SwitchA). The real-time accounting interval is not configured and accounting is performed based on the time.

        3. Click OK to complete the configuration.
      4. Add MAC address information of an IP phone to the Agile Controller. MAC address information is added so that the MAC address can be used for authentication when the 802.1X client times out. That is, the IP phone connects to the switch using MAC address authentication.
        1. Choose Resource > Terminal > Terminal List.
        2. Click Add in the operation area on the right. On the Add Device Group page that is displayed, add an IP phone group ipphone.

        3. Click OK to complete the configuration.
        4. Click the device group in the navigation tree and select the created IP phone group ipphone.
        5. Click Add in the device list, add an IP phone, and enter the MAC address of the IP phone.

        6. Click OK to complete the configuration.
        7. Click Add and add the MAC address of another IP phone.
        8. Click OK to complete the configuration.
      5. Add an authentication rule. Two authentication rules need to be added: 802.1X authentication rule for the PC and MAC address authentication rule for the IP phone.
        1. Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule.
        2. Click Add in the operation area on the right. On the Add Authentication Rule page that is displayed, add an authentication rule for the PC. Set Name to PC, click Access, set User group to ROOT, and select allowed authentication protocols under Authentication Condition.



        3. Click OK to complete the configuration.
        4. Click Add again to add an authentication rule for the IP phone. Set Name to ipphone, Service type to MAC bypass authentication, and Terminal group to ipphone.

        5. Click OK to complete the configuration.
      6. Add an authorization result.
        1. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result.
        2. Click Add in the operation area on the right and add an authorization result. Set Name to voice vlan 100, Service type to MAC bypass authentication, and VLAN under Authorization Parameter to 100.

        3. Click Add under customized authorization parameter to add authorization information. Set Vendor/Standard attribute to Huawei, Attribute ID/name to HW-Voice-Vlan(33), and Attribute type to Integer. If Attribute value is set to 1, VLAN 100 is a voice VLAN.

        4. Click OK to complete the configuration, and the Add Authorization Result page is displayed.
        5. Add authorization information on the page.

        6. Click OK to complete the configuration.
      7. Add two authorization rules: one authorization rule for the PC and the other for the IP phone. After a user is authenticated, the Agile Controller grants the user access rights based on the authorization rule.
        1. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.
        2. Click Add in the operation area on the right and add an authorization rule for the PC. Set Name to PC, click Access, set User group to ROOT, and set Authorization result to Permit Access.



        3. Click OK to complete the configuration.
        4. Click Add again to add an authorization rule for the IP phone. Set Name to ipphone, click MAC bypass authentication, set Terminal Group to ipphone, and set Authorization result to voice vlan 100.



        5. Click OK to complete the configuration.

  6. Verify the configuration.

    • On the menu of the IP phone, check that the phone has correctly obtained the voice VLAN ID and IP address.
    • Run the display access-user command on SwitchA to view connection information about the IP phones and the PC.
      [SwitchA] display access-user
       ------------------------------------------------------------------------------ 
       UserID Username     IP address       MAC            Status          
       ------------------------------------------------------------------------------ 
       564   001bd4c71fa9  10.20.20.198     001b-d4c7-1fa9 Success        
       565   0021a08f2fa8  10.20.20.199     0021-a08f-2fa8 Success         
       566   3c970ecf1101  10.20.30.190     3c97-0ecf-1101 Success 
       ------------------------------------------------------------------------------ 
       Total: 3, printed: 3  
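
The following Python check is an added example, not part of the original Huawei document: it parses display access-user output in the layout shown above and compares each session with the data plan (registered phone MAC addresses, voice segment, data segment). The sample output is constructed, the PC user name user1 is hypothetical, and treating a user name equal to the separator-free MAC address as a MAC-authenticated session is an assumption based on the default described for the MAC access profile.

```python
import ipaddress
import re

# Values taken from the page's data plan (Tables 3-3 and 3-4).
REGISTERED_PHONE_MACS = {"001b-d4c7-0001", "0021-a08f-0002"}
VOICE_NET = ipaddress.ip_network("10.20.20.0/24")
DATA_NET = ipaddress.ip_network("10.20.30.0/24")

# Constructed sample output in the layout of the verification step.
SAMPLE_OUTPUT = """\
 ------------------------------------------------------------------------------
 UserID Username     IP address       MAC            Status
 ------------------------------------------------------------------------------
 564   001bd4c70001  10.20.20.198     001b-d4c7-0001 Success
 565   0021a08f0002  10.20.30.77      0021-a08f-0002 Success
 566   user1         10.20.30.190     3c97-0ecf-1101 Success
 567   00e0fc123456  10.20.20.200     00e0-fc12-3456 Success
 ------------------------------------------------------------------------------
 Total: 4, printed: 4
"""

ROW = re.compile(
    r"^\s*(?P<uid>\d+)\s+(?P<user>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+(?P<status>\S+)\s*$"
)


def mac_auth_username(mac):
    """Default MAC-authentication user name: the MAC address without separators."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_access_users(text):
    """Return one dict per session row; header, rule and total lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]


def audit_sessions(text, registered=REGISTERED_PHONE_MACS):
    """Return (UserID, finding) pairs for sessions that deviate from the data plan."""
    registered = {mac_auth_username(m) for m in registered}
    findings = []
    for s in parse_access_users(text):
        ip = ipaddress.ip_address(s["ip"])
        mac = mac_auth_username(s["mac"])
        # Assumption: user name == separator-free MAC means MAC authentication.
        via_mac_auth = s["user"].lower() == mac
        if via_mac_auth and mac not in registered:
            findings.append((s["uid"], "MAC-authenticated but not in the terminal list"))
        elif via_mac_auth and ip not in VOICE_NET:
            findings.append((s["uid"], "registered phone outside the voice segment"))
        elif not via_mac_auth and ip not in DATA_NET:
            findings.append((s["uid"], "802.1X user outside the data segment"))
    return findings


if __name__ == "__main__":
    for uid, finding in audit_sessions(SAMPLE_OUTPUT):
        print(uid, finding)
```
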

Configuration Files

  • SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)

    #
    sysname SwitchA
    #
    vlan batch 100 to 101 200
    #
    lldp enable
    #
    dhcp enable
    #
    radius-server template ipphone
     radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
     radius-server authentication 192.168.100.182 1812 weight 80
     radius-server accounting 192.168.100.182 1813 weight 80
    #
    aaa
     authentication-scheme radius
      authentication-mode radius
     domain default
      authentication-scheme radius
      radius-server ipphone
    #
    interface Vlanif100
     ip address 10.20.20.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif101
     ip address 10.20.30.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif200
     ip address 10.10.20.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1       
     port link-type hybrid
     voice-vlan 100 enable
     port hybrid pvid vlan 101                                                                                                          
     port hybrid tagged vlan 100                                                                                                        
     port hybrid untagged vlan 101
     authentication dot1x mac-authen
    #
    interface GigabitEthernet1/0/2       
     port link-type hybrid
     voice-vlan 100 enable
     port hybrid tagged vlan 100
     authentication mac-authen
    #
    interface GigabitEthernet1/0/3       
     port link-type access
     port default vlan 200
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
    #
    return
    
  • SwitchA configuration file (V200R007C20, and V200R009C00 and later versions)

    #
    sysname SwitchA
    #
    vlan batch 100 to 101 200
    #
    authentication-profile name ipphone                                                                                                 
     dot1x-access-profile ipphone                                                                                                       
     mac-access-profile ipphone                                                                                                         
     authentication dot1x-mac-bypass      
    #
    lldp enable
    #
    dhcp enable
    #
    radius-server template ipphone
     radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
     radius-server authentication 192.168.100.182 1812 weight 80
     radius-server accounting 192.168.100.182 1813 weight 80
    #
    aaa
     authentication-scheme radius
      authentication-mode radius
     domain default
      authentication-scheme radius
      radius-server ipphone
    #
    interface Vlanif100
     ip address 10.20.20.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif101
     ip address 10.20.30.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif200
     ip address 10.10.20.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1       
     port link-type hybrid
     voice-vlan 100 enable
     port hybrid pvid vlan 101                                                                                                          
     port hybrid tagged vlan 100                                                                                                        
     port hybrid untagged vlan 101
     authentication-profile ipphone
    #
    interface GigabitEthernet1/0/2       
     port link-type hybrid
     voice-vlan 100 enable
     port hybrid tagged vlan 100
     authentication-profile ipphone
    #
    interface GigabitEthernet1/0/3       
     port link-type access
     port default vlan 200
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
    #                                                                                                                                   
    dot1x-access-profile name ipphone                                                                                                   
    #                                                                                                                                   
    mac-access-profile name ipphone  
    #
    return
    
  • SwitchB configuration file
    #
    sysname SwitchB
    #
    vlan batch 200
    #
    dhcp enable
    #
    ip pool ip-phone                                                                                                                    
     gateway-list 10.20.20.1                                                                                                            
     network 10.20.20.0 mask 255.255.255.0                                                                                              
    #                                                                                                                                   
    ip pool ip-pc                                                                                                                       
     gateway-list 10.20.30.1                                                                                                            
     network 10.20.30.0 mask 255.255.255.0                                                                                              
    #  
    interface Vlanif200
     ip address 10.10.20.2 255.255.255.0
     dhcp select global
    #
    interface GigabitEthernet1/0/3
     port link-type access                                                                                                              
     port default vlan 200 
    #
    ip route-static 10.20.20.0 255.255.255.0 10.10.20.1                                                                                 
    ip route-static 10.20.30.0 255.255.255.0 10.10.20.1 
    #
    return
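
The following Python audit is an added example, not Huawei's code: it reads a SwitchA-style configuration file and reports, for each GigabitEthernet port, which authentication methods are bound, covering both the authentication-profile form and the older per-interface authentication commands shown above. The GigabitEthernet1/0/4 stanza is constructed to show a port with voice VLAN but no authentication; the other stanzas are copied from the SwitchA configuration file for V200R007C20, and V200R009C00 and later versions.

```python
import re

# Stanzas from the SwitchA configuration file above, plus one constructed
# stanza (GigabitEthernet1/0/4) that enables voice VLAN without authentication.
SAMPLE_CONFIG = """\
#
authentication-profile name ipphone
 dot1x-access-profile ipphone
 mac-access-profile ipphone
 authentication dot1x-mac-bypass
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 voice-vlan 100 enable
 port hybrid pvid vlan 101
 port hybrid tagged vlan 100
 port hybrid untagged vlan 101
 authentication-profile ipphone
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 voice-vlan 100 enable
 port hybrid tagged vlan 100
 authentication-profile ipphone
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 200
#
interface GigabitEthernet1/0/4
 port link-type hybrid
 voice-vlan 100 enable
 port hybrid tagged vlan 100
#
return
"""


def stanzas(config):
    """Split a configuration on '#' lines into (header, [body lines]) pairs."""
    out = []
    for chunk in re.split(r"(?m)^#[ \t]*$", config):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines and lines[0] != "return":
            out.append((lines[0], lines[1:]))
    return out


def audit_ports(config):
    """Map each GigabitEthernet port to its authentication status."""
    parsed = stanzas(config)
    profiles = {h.split()[-1]: body for h, body in parsed
                if h.startswith("authentication-profile name ")}
    report = {}
    for header, body in parsed:
        if not header.startswith("interface GigabitEthernet"):
            continue
        port = header.split()[1]
        voice = any(re.fullmatch(r"voice-vlan \d+ enable", l) for l in body)
        bound = [l.split()[1] for l in body if l.startswith("authentication-profile ")]
        legacy = [l for l in body if l.startswith("authentication ")]
        if bound and bound[0] not in profiles:
            report[port] = "profile %s is not defined" % bound[0]
        elif bound:
            prof = profiles[bound[0]]
            methods = [m for m, key in (("dot1x", "dot1x-access-profile "),
                                        ("mac", "mac-access-profile "))
                       if any(l.startswith(key) for l in prof)]
            report[port] = "ok: " + "+".join(methods)
        elif legacy:  # e.g. "authentication dot1x mac-authen"
            report[port] = "ok: " + "+".join(
                "mac" if t == "mac-authen" else t for t in legacy[0].split()[1:])
        elif voice:
            report[port] = "voice VLAN enabled without authentication"
        else:
            report[port] = "no authentication"
    return report


if __name__ == "__main__":
    for port, status in audit_ports(SAMPLE_CONFIG).items():
        print(port, "->", status)
```

In the page's topology GigabitEthernet1/0/3 is the uplink to SwitchB, so its "no authentication" result is expected; the same result on a user-facing port is the one to investigate.
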
    
Updated: 2019-05-16

Document ID: EDOC1000069466
