S12700 Series Agile Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Appendix 1: Common Causes for IP Phones' Login Failures and Workaround

Cause 1: An Avaya Phone Cannot Go Online Because It Cannot Obtain an IP Address Within 60s

The Avaya phone fails to obtain an IP address through DHCP within 60s because of network delay or other causes. After the timer expires, the phone repeatedly sends packets tagged with VLAN 0. The switch processes packets tagged with VLAN 0 in the same way as untagged packets, that is, in the VLAN specified by the PVID of the interface, not in the voice VLAN. As a result, the Avaya phone fails authentication and cannot connect to the switch.

Workaround
  • Method 1: You are advised to configure the OUI-based voice VLAN. The switch then adds the voice VLAN ID to untagged packets so that the packets can be forwarded in the voice VLAN. For details, see (Recommended) Interoperation Between Switches and IP Phones Through the OUI-based Voice VLAN. You can also use the voice-vlan vlan-id enable include-tag0 command to enable the voice VLAN for packets tagged with VLAN 0 in V200R010 and later versions.
  • Method 2: Modify the value of the VLAN TEST timer of the IP phone: Press the star key (*) and enter the password to access the menu. Select VLAN TEST and change the default value to 0 (no timeout). After the Avaya phone restarts, the timer settings are no longer effective and must be reconfigured.
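
To confirm from a packet capture that a phone has fallen back to VLAN 0 tagging, the following added example (not part of the Huawei document) parses the 802.1Q tag of each frame and reports the VLAN the frame is handled in under the rule described above. The frames, MAC addresses, PVID 10 and voice VLAN 100 are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def classify_frame(frame: bytes, pvid: int) -> dict:
    """Report how a frame is tagged and which VLAN it is handled in.

    Per the text above, untagged frames and frames tagged with VLAN 0 are
    both processed in the VLAN given by the interface PVID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"src": frame[6:12].hex("-", 2), "pcp": None, "vid": None,
            "tagging": "untagged", "effective_vlan": pvid}
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    info["pcp"], info["vid"] = tci >> 13, tci & 0x0FFF
    if info["vid"] == 0:
        info["tagging"] = "vlan0"          # priority-tagged, still uses the PVID
    else:
        info["tagging"] = "tagged"
        info["effective_vlan"] = info["vid"]
    return info


def vlan0_sources(frames, pvid: int) -> set:
    """Source MACs that sent at least one VLAN 0 tagged frame."""
    return {c["src"] for c in (classify_frame(f, pvid) for f in frames)
            if c["tagging"] == "vlan0"}


def build_frame(src_mac: str, tci=None) -> bytes:
    """Constructed test frame: broadcast destination, IPv4 EtherType, zero payload."""
    tag = b"" if tci is None else struct.pack("!HH", TPID_8021Q, tci)
    return (b"\xff" * 6 + bytes.fromhex(src_mac.replace("-", "")) + tag
            + struct.pack("!H", 0x0800) + bytes(46))


# Constructed capture: PVID 10 and voice VLAN 100 are assumed values.
PVID = 10
CAPTURE = [
    build_frame("0200-0000-0001", (6 << 13) | 100),  # phone tagging voice VLAN 100
    build_frame("0200-0000-0002", 6 << 13),          # phone fallen back to VLAN 0
    build_frame("0200-0000-0003"),                   # untagged host
]
```

A source MAC returned by vlan0_sources is a phone whose traffic lands in the PVID VLAN instead of the voice VLAN, which is the condition both workarounds address.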

Cause 2: An IP Phone Cannot Go Online Because the VLANs for Authentication and Forwarding Voice Flows Are Different

The IP phone is authenticated in one VLAN but sends voice flows in another. The switch forwards only packets from the authenticated VLAN and discards packets from the non-authenticated VLAN, so the phone cannot go online.

Figure 3-20 shows the scenario where the IP phone cannot go online.

Figure 3-20  IP phone cannot go online

Workaround

  • Method 1: In V200R003C00 and later versions, you are advised to configure the OUI-based voice VLAN. For details, see (Recommended) Interoperation Between Switches and IP Phones Through the OUI-based Voice VLAN.
  • Method 2: In V200R010 and later versions, MAC address migration can be enabled so that IP phones can be authenticated based on the PVID and voice VLAN ID.
    <HUAWEI> system-view
    [HUAWEI] authentication mac-move enable vlan 10 100  //Assume that the PVID of the interface is VLAN 10 and the voice VLAN ID is VLAN 100.
    
  • Method 3: Configure the blacklist so that the switch discards the packets that come from the IP phone and are forwarded based on the PVID. In this case, the authenticated VLAN and voice VLAN of the IP phone are the same.
    1. Configure an ACL rule to match the MAC address of the IP phone and PVID of the interface.
      <HUAWEI> system-view
      [HUAWEI] acl number 4000
      [HUAWEI-acl-L2-4000] rule 5 permit source-mac ac44-f211-df8e vlan-id 1  //Assume that the MAC address of the IP phone is ac44-f211-df8e and the PVID is VLAN 1.
      [HUAWEI-acl-L2-4000] quit
      
    2. Configure an attack defense policy.
      [HUAWEI] cpu-defend policy p1
      [HUAWEI-cpu-defend-policy-p1] blacklist 1 acl 4000  //Configure the blacklist.
      [HUAWEI-cpu-defend-policy-p1] quit
      
    3. Apply the attack defense policy globally.
      [HUAWEI] cpu-defend-policy p1 global
  • Method 4: Configure dynamic VLAN authorization. This method does not solve the problem if different interfaces use different voice VLAN IDs. Only the unified mode supports this configuration.
    1. Configure the same user VLAN ID as the voice VLAN ID in the service scheme.
      <HUAWEI> system-view
      [HUAWEI] aaa
      [HUAWEI-aaa] service-scheme test  //Create a service scheme named test.
      [HUAWEI-aaa-service-test] user-vlan 100  //Configure a user VLAN. The user VLAN ID is the voice VLAN ID.
      [HUAWEI-aaa-service-test] voice-vlan  //Enable the voice VLAN function.
      [HUAWEI-aaa-service-test] quit
      
    2. Apply the service scheme to the default domain.
      [HUAWEI-aaa] domain default
      [HUAWEI-aaa-domain-default] service-scheme test
      [HUAWEI-aaa-domain-default] quit
      [HUAWEI-aaa] quit
      
    3. Authorize the voice VLAN through the server. Set the authorization VLAN ID to the voice VLAN ID and set Attribute ID/name to HW-Voice-vlan(33). The Agile Controller is used as an example.

      Choose Policy > Permission Control > Authentication & Authorization > Authorization Result and click Add to create an authorization result.

Cause 3: An IP Phone Is Enabled with 802.1X Authentication and the Switch Is Configured with MAC Address Bypass Authentication. When 802.1X Authentication of the IP Phone Fails, the Switch Does Not Perform MAC Address Authentication. Consequently, the IP Phone Cannot Go Online

Workaround
  • Method 1: Disable 802.1X authentication on the IP phone.
    1. Disable 802.1X authentication on the Avaya phone:
      1. Press the star key (*), enter the password (27238 by default), and press the pound key (#) to enter the menu.
      2. Select 802.1X, and set values of Supplicant and Pass-thru to disable.
    2. Disable 802.1X authentication on the Cisco phone:

      Choose Security Configuration > 8021X Authentication and set Device Authentication to Disable.

  • Method 2: Configure MAC address-prioritized Portal authentication on the switch interface. Only the common mode supports this configuration.
    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass mac-auth-first
    

Cause 4: The IP Phone Goes Online and Offline Frequently Because It Does Not Respond to ARP Offline Probe Packets Sent by the Switch

To confirm that the IP phone is still online, the switch sends ARP offline probe packets with the source IP address 255.255.255.255 to the IP phone. If the IP phone does not respond to ARP offline probe packets with this source IP address, the switch considers the IP phone offline and disconnects it. In this case, the IP phone may go online and offline frequently.

Run the display aaa offline-record all command to check the cause for logout of the IP phone. In this case, the User offline reason field displays ARP detect fail.

<HUAWEI> display aaa offline-record all
 -------------------------------------------------------------------
  User name             : test@rds
  Domain name           : default
  User MAC              : 0021-9746-b67c
  User access type      : MAC
  User access interface : GigabitEthernet1/0/2
  Qinq vlan/User vlan   : 0/1
  User IP address       : 192.168.2.2
  User IPV6 address     : -
  User ID               : 19
  User login time       : 2016/10/01 04:49:39
  User offline time     : 2016/10/01 04:59:43
  User offline reason   : ARP detect fail
  -------------------------------------------------------------------
  Are you sure to display some information?(y/n)[y]:
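
When many phones are affected, the same check can be scripted over saved command output. The following added example (not part of the Huawei document) parses records in the format shown above and lists the MAC addresses that were logged out by ARP detect fail repeatedly, with the length of each session. The sample text is constructed and trimmed to the fields used; the repeat threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /]*?)\s*:\s+(\S.*?)\s*$")
RULE = re.compile(r"^\s*-{5,}\s*$")  # dashed separator between records
TIME_FMT = "%Y/%m/%d %H:%M:%S"

def parse_offline_records(text):
    """Return one dict per record; dashed lines delimit records."""
    records = [{}]
    for line in text.splitlines():
        if RULE.match(line):
            records.append({})
        elif (m := FIELD.match(line)):
            records[-1][m.group(1)] = m.group(2)
    return [r for r in records if r]

def arp_detect_flappers(text, min_events=2):
    """Return {MAC: [session seconds, ...]} for MACs logged out by
    'ARP detect fail' at least min_events times (threshold is an assumption)."""
    sessions = defaultdict(list)
    for rec in parse_offline_records(text):
        if rec.get("User offline reason") != "ARP detect fail":
            continue
        start = datetime.strptime(rec["User login time"], TIME_FMT)
        end = datetime.strptime(rec["User offline time"], TIME_FMT)
        sessions[rec["User MAC"]].append(int((end - start).total_seconds()))
    return {mac: s for mac, s in sessions.items() if len(s) >= min_events}

# Constructed sample: record 1 reuses values shown above, records 2 and 3 are made up.
SAMPLE = """\
  User MAC              : 0021-9746-b67c
  User login time       : 2016/10/01 04:49:39
  User offline time     : 2016/10/01 04:59:43
  User offline reason   : ARP detect fail
 -------------------------------------------------------------------
  User MAC              : 0021-9746-b67c
  User login time       : 2016/10/01 05:00:10
  User offline time     : 2016/10/01 05:10:14
  User offline reason   : ARP detect fail
 -------------------------------------------------------------------
  User MAC              : 0200-0000-0002
  User login time       : 2016/10/01 05:00:00
  User offline time     : 2016/10/01 06:00:00
  User offline reason   : constructed placeholder reason
"""
```

Sessions of nearly identical length for the same MAC, as in the sample, point to the probe timeout rather than to the phone being unplugged.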

Workaround

  • Method 1: Configure the default source IP address of ARP offline detection packets.

    <HUAWEI> system-view
    [HUAWEI] access-user arp-detect default ip-address 0.0.0.0  //Configure the default source address of ARP offline probe packets as 0.0.0.0.
    
  • Method 2: Configure the source IP address and source MAC address of ARP offline detection packets in the specified VLAN.

    <HUAWEI> system-view
    [HUAWEI] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address 2222-1111-1234  //Configure the source IP address of ARP offline probe packets as 192.168.1.1 and the source MAC address as 2222-1111-1234.
    

Cause 5: Customized Options Are Not Configured for a Switch Functioning as the DHCP Server. As a Result, Mitel 5212 Phones Fail to Go Online

When a switch functions as the DHCP server, Option 128, Option 129, Option 130, and Option 131 need to be configured in the address pool of the DHCP server; otherwise, Mitel 5212 phones cannot identify DHCP Offer packets sent by the DHCP server and cannot go online.

Workaround

Perform the following configurations on the switch and ensure that these fields are included in sent packets:
<HUAWEI> system-view
[HUAWEI] ip pool ip-phone
[HUAWEI-ip-pool-ip-phone] option 128 ip-address 10.20.20.1
[HUAWEI-ip-pool-ip-phone] option 129 ip-address 11.20.20.1
[HUAWEI-ip-pool-ip-phone] option 130 ascii MITEL IP PHONE
[HUAWEI-ip-pool-ip-phone] option 131 ip-address 11.20.20.1
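
To verify that the options are actually included in sent packets, the options field of a captured DHCP Offer can be checked. The following added example (not part of the Huawei document) parses the standard DHCP options encoding and reports which of Options 128 to 131 are missing. The sample Offer is constructed, and encoding ip-address values as 4 bytes and the ascii value as raw ASCII text is an assumption.

```python
import ipaddress

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])  # precedes the options field
REQUIRED = (128, 129, 130, 131)  # options named in the Cause 5 text


def parse_dhcp_options(blob: bytes) -> dict:
    """Parse a DHCP options field (magic cookie first) into {code: value}."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == 0:            # pad option: one byte, no length
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} has no length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        options[code] = options.get(code, b"") + value  # repeated codes concatenate
        i += 2 + length
    return options


def missing_mitel_options(blob: bytes) -> list:
    """Codes from REQUIRED that are absent from the options field."""
    present = parse_dhcp_options(blob)
    return [code for code in REQUIRED if code not in present]


def sample_offer_options(with_custom: bool) -> bytes:
    """Constructed options field of a DHCP Offer, values taken from the pool above."""
    def opt(code, value):
        return bytes([code, len(value)]) + value
    ip = lambda s: ipaddress.ip_address(s).packed
    blob = MAGIC_COOKIE + opt(53, b"\x02") + opt(1, ip("255.255.255.0"))
    if with_custom:
        blob += (opt(128, ip("10.20.20.1")) + opt(129, ip("11.20.20.1"))
                 + opt(130, b"MITEL IP PHONE") + opt(131, ip("11.20.20.1")))
    return blob + b"\xff"
```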
Updated: 2019-05-16

Document ID: EDOC1000069466
