S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Interoperation and Replacement Guide
This document provides typical configuration examples for interoperation between Huawei switches and mainstream IP phones, firewalls, routers, Microsoft NLB servers, multi-NIC servers, Cisco switches, and SolarWinds.
Interoperation Between Switches and IP Phones Through an ACL
If an IP phone does not support LLDP or DHCP, a switch cannot assign a voice VLAN ID to the IP phone. In this case, the IP phone can interoperate with the switch through an ACL. That is, you can run the port add-tag acl command on an interface to identify voice packets and increase the priority of voice packets.
In this example, the port add-tag acl command is supported on all S series modular switches and on the following S series fixed switches:
S2700 series: S2752EI
S3700 series: all models
S5700 series: S5700EI, S5700HI, S5710EI, S5720EI, S5710HI, S5720HI, and S5730HI
S6700 series: S6700EI, S6720EI, S6720S-EI, and S6720HI
If an IP phone sends tagged packets with VLAN 0, the switch does not add the voice VLAN ID to the tagged packets. As a result, the IP phone cannot interoperate with the switch. You can change the configuration of the IP phone or use other methods to connect the IP phone to the switch.
In Figure 1-16, to save investment costs, the customer requires that IP phones connect to the network through VoIP. IP phones cannot obtain voice VLAN IDs and can send only untagged voice packets. The network plan should meet the following requirements:
The priority of voice packets is increased to ensure communication quality of IP phones.
Voice packets are transmitted in VLAN 100.
IP addresses of IP phones are dynamically allocated by the DHCP server, and are on a different network segment from that of the DHCP server.
IP phones need to connect to switches through 802.1X authentication.
Figure 1-16 Networking diagram of connecting switches to IP phones through an ACL
Configuration Roadmap
To implement interoperation between switches and IP phones through an ACL, IP phones need to apply for IP addresses, go online after authentication, and then communicate normally. Figure 1-17 shows the process for interoperation between switches and IP phones through an ACL.
The operations of applying for IP addresses and enabling IP phones to go online after authentication can be performed simultaneously.
Figure 1-17 Process for interoperation between switches and IP phones through an ACL
According to the preceding process, the configuration roadmap is as follows:
Configure an ACL to identify voice packets, add the voice VLAN ID to the voice packets, and increase the priority.
Configure the DHCP relay function and DHCP server to allocate IP addresses to IP phones.
Configure the authentication server and enable IP phones to go online after authentication.
Data Plan
Table 1-16 Data plan for IP phones
Item                  Value
Voice VLAN            VLAN 100
MAC address           001b-d4c7-0001
                      0021-a08f-0002
Address segment       10.20.20.1/24
Authentication mode   802.1X authentication
Table 1-17 Data plan for communication
Item                                                              Value
VLAN and IP address used by SwitchA to communicate with SwitchB   VLAN 200, 10.10.20.1/24
VLAN and IP address used by SwitchB to communicate with SwitchA   VLAN 200, 10.10.20.2/24
IP address of SwitchA                                             192.168.100.200
802.1X access profile name                                        ipphone
IP address of the RADIUS authentication and accounting server
[SwitchA] interface gigabitethernet1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default link type of an interface is not hybrid, and needs to be manually configured.
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100 //Packets sent by IP phones do not carry tags, so the interface must join VLAN 100 in untagged mode.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
Configure an ACL to identify voice packets, add the voice VLAN ID to the voice packets, and increase the priority.
[SwitchA] acl 4000
[SwitchA-acl-L2-4000] rule permit source-mac 001b-d4c7-0000 ffff-ffff-0000 //Match the first 32 bits of the IP phone's MAC address (prefix 001b-d4c7, as in the data plan).
[SwitchA-acl-L2-4000] rule permit source-mac 0021-a08f-0000 ffff-ffff-0000 //This is the MAC address of another IP phone.
[SwitchA-acl-L2-4000] quit
[SwitchA] interface gigabitethernet1/0/1
[SwitchA-GigabitEthernet1/0/1] port add-tag acl 4000 vlan 100 remark-8021p 6 //Apply ACL 4000. The switch tags VLAN 100 to the packets that match ACL 4000 and changes the 802.1p priority to 6.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet1/0/2
[SwitchA-GigabitEthernet1/0/2] port add-tag acl 4000 vlan 100 remark-8021p 6
[SwitchA-GigabitEthernet1/0/2] quit
Configure the DHCP relay function and DHCP server.
Configure the DHCP relay function on SwitchA.
# Configure the DHCP relay function on an interface.
[SwitchA] dhcp enable //Enable DHCP globally. By default, DHCP is disabled.
[SwitchA] interface Vlanif 100
[SwitchA-Vlanif100] ip address 10.20.20.1 255.255.255.0 //Assign an IP address to VLANIF 100.
[SwitchA-Vlanif100] dhcp select relay //Enable the DHCP relay function on VLANIF 100.
[SwitchA-Vlanif100] dhcp relay server-ip 10.10.20.2 //Configure the DHCP server address on the DHCP relay agent.
[SwitchA-Vlanif100] quit
# Create VLANIF 200.
[SwitchA] vlan batch 200
[SwitchA] interface Vlanif 200
[SwitchA-Vlanif200] ip address 10.10.20.1 255.255.255.0 //Configure an IP address for VLANIF 200 for communication with SwitchB.
[SwitchA-Vlanif200] quit
# Add the uplink interface to VLAN 200.
[SwitchA] interface gigabitethernet1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 200
[SwitchA-GigabitEthernet1/0/3] quit
# Configure a default static route.
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2 //The next hop address of the route corresponds to the IP address of VLANIF 200 on SwitchB.
Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.
# Configure an address pool.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] ip pool ip-phone //Create an address pool to allocate IP addresses to IP phones.
[SwitchB-ip-pool-ip-phone] gateway-list 10.20.20.1 //Configure the gateway address on the DHCP server.
[SwitchB-ip-pool-ip-phone] network 10.20.20.0 mask 255.255.255.0 //Configure allocatable IP addresses in the IP address pool.
[SwitchB-ip-pool-ip-phone] quit
# Configure the DHCP server function.
[SwitchB] dhcp enable //Enable DHCP globally. By default, DHCP is disabled.
[SwitchB] vlan batch 200
[SwitchB] interface Vlanif 200 //Create VLANIF 200.
[SwitchB-Vlanif200] ip address 10.10.20.2 255.255.255.0 //Assign an IP address to VLANIF 200.
[SwitchB-Vlanif200] dhcp select global //Configure SwitchB to allocate IP addresses from the global IP address pool to the IP phone.
[SwitchB-Vlanif200] quit
# Add the downlink interface to VLAN 200.
[SwitchB] interface gigabitethernet1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type access
[SwitchB-GigabitEthernet1/0/3] port default vlan 200
[SwitchB-GigabitEthernet1/0/3] quit
# Configure a return route.
[SwitchB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
Configure an AAA domain and 802.1X authentication for IP phones.
Configure an AAA domain.
# Create and configure a RADIUS server template.
[SwitchA] radius-server template ipphone //Create a RADIUS server template named ipphone.
[SwitchA-radius-ipphone] radius-server authentication 192.168.100.182 1812 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchA-radius-ipphone] radius-server accounting 192.168.100.182 1813 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchA-radius-ipphone] radius-server shared-key cipher Huawei2012 //Configure the shared key of the RADIUS server.
[SwitchA-radius-ipphone] quit
# Configure an authentication scheme.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme radius //Create an authentication scheme named radius.
[SwitchA-aaa-authen-radius] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchA-aaa-authen-radius] quit
# Create an AAA domain and bind the RADIUS server template and authentication scheme to the AAA domain.
[SwitchA-aaa] domain default //Configure a domain named default.
[SwitchA-aaa-domain-default] authentication-scheme radius //Bind the authentication scheme radius to the domain.
[SwitchA-aaa-domain-default] radius-server ipphone //Bind the RADIUS server template ipphone to the domain.
[SwitchA-aaa-domain-default] quit
[SwitchA-aaa] quit
Configure 802.1X authentication for IP phones.
V200R007C00 and earlier versions, and V200R008C00
# Set the NAC mode to unified.
[SwitchA] authentication unified-mode //By default, the switch uses the unified mode. When the traditional and unified modes are switched, the administrator must save the configuration and restart the switch to make the configuration take effect.
# Configure access profiles.
[SwitchA] dot1x-access-profile name ipphone //Create an 802.1X access profile named ipphone.
[SwitchA-dot1x-access-profile-ipphone] quit
# Configure an authentication profile.
[SwitchA] authentication-profile name ipphone //Configure an authentication profile.
[SwitchA-authen-profile-ipphone] dot1x-access-profile ipphone //Bind the 802.1X access profile ipphone to the authentication profile.
[SwitchA-authen-profile-ipphone] quit
Configure the Agile Controller.
The display of the Agile Controller varies by version. V100R003C60 is used as an example.
Log in to the Agile Controller.
Add a common account.
Choose Resource > User > User Management.
Click Add in the operation area on the right, and create an 802.1X account. Click Common account and enter the user name and password. The configured user name and password must be the same as those configured on the IP phone, and the account must be set to the same value as the user name.
Click OK to complete the configuration.
Be aware that the account belongs to the user group named ROOT.
Add SwitchA to the Agile Controller.
Choose Resource > Device > Device Management.
Click Add in the operation area on the right. On the Add Device page that is displayed, set Name to SwitchA and IP address to 192.168.100.200 (IP address used by SwitchA to communicate with the Agile Controller).
Select Enable RADIUS, and set Authentication/Accounting key and Authorization key to Huawei2012 (shared key configured on SwitchA). The real-time accounting interval is not configured and accounting is performed based on the time.
Click Add in the operation area on the right and add an authentication rule for the IP phone. Set Name to ipphone, click Access, set User group to ROOT, and select allowed authentication protocols under Authentication Rule.
Click Add in the operation area on the right and add an authorization result. Set Name to voice vlan 100, Service type to Access, and VLAN under Authorization Parameter to 100.
Click Add to add authorization information.
Set Vendor/Standard attribute to Huawei, Attribute ID/name to HW-Voice-Vlan(33), and Attribute type to Integer. If Attribute value is set to 1, VLAN 100 is a voice VLAN.
Click OK to complete the configuration, and the Add Authorization Result page is displayed.
Select the added authorization information.
Click OK to complete the configuration.
Add an authorization rule.
After the check in the authentication phase is passed, the authorization phase starts. During this phase, the Agile Controller assigns rights to users based on authorization rules.
Click Add in the operation area on the right and add an authorization rule for the IP phone. Set Name to ipphone, click Access, set User group to ROOT, and set Authorization result to voice vlan 100.
Click OK to complete the configuration.
Verify the configuration.
On the IP phone's menu, you can see that the IP phone has correctly obtained an IP address.
The display access-user command output on SwitchA shows connection information about IP phones.
[SwitchA] display access-user
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
564 001bd4c71fa9 10.20.20.198 001b-d4c7-1fa9 Success
565 0021a08f2fa8 10.20.20.199 0021-a08f-2fa8 Success
------------------------------------------------------------------------------
Total: 2, printed: 2
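Added example (not part of the original guide, and not Huawei code): a Python model of what the ACL step's port add-tag acl 4000 vlan 100 remark-8021p 6 does to individual frames, checked against the two phone MACs in the display access-user output above. The frames, the non-phone MAC 0200-0000-0001, the same-prefix MAC 001b-d4c7-ffff and all function names are constructed for illustration; the ACL rules use the MAC prefixes from the data plan, and the handling of already-tagged frames follows the VLAN 0 note on this page.

```python
import struct

# ACL 4000 as (address, mask) pairs, built from the MAC prefixes in the page's data plan.
ACL_4000 = [("001b-d4c7-0000", "ffff-ffff-0000"), ("0021-a08f-0000", "ffff-ffff-0000")]

def mac_int(text):
    """Parse a MAC in Huawei notation (xxxx-xxxx-xxxx) into a 48-bit integer."""
    raw = bytes.fromhex(text.replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return int.from_bytes(raw, "big")

def acl_permits(src_mac, rules):
    """True if src_mac (6 bytes) equals a rule address on every bit set in that rule's mask."""
    src = int.from_bytes(src_mac, "big")
    return any(src & mac_int(m) == mac_int(a) & mac_int(m) for a, m in rules)

def add_tag(frame, rules, vlan, pcp):
    """Model of 'port add-tag acl <n> vlan <vlan> remark-8021p <pcp>' applied to one frame."""
    if len(frame) < 14 or not 1 <= vlan <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("need a full Ethernet header, vlan 1-4094 and pcp 0-7")
    if frame[12:14] == b"\x81\x00":      # already tagged, e.g. a VLAN 0 priority tag:
        return frame                     # per the page, no voice VLAN ID is added
    if not acl_permits(frame[6:12], rules):
        return frame                     # source MAC not in the ACL: left untagged
    tci = (pcp << 13) | vlan             # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", 0x8100, tci) + frame[12:]

def frame_from(src, rest):
    """Constructed frame: broadcast destination, the given source MAC, then 'rest'."""
    return b"\xff" * 6 + mac_int(src).to_bytes(6, "big") + rest

# Constructed sample frames; a zero-filled payload stands in for real IPv4 traffic.
IPV4 = b"\x08\x00" + b"\x00" * 46
SAMPLES = {
    "phone 1":       frame_from("001b-d4c7-1fa9", IPV4),
    "phone 2":       frame_from("0021-a08f-2fa8", IPV4),
    "same prefix":   frame_from("001b-d4c7-ffff", IPV4),  # any address under the prefix
    "other device":  frame_from("0200-0000-0001", IPV4),
    "VLAN 0 tagged": frame_from("001b-d4c7-1fa9", b"\x81\x00\xa0\x00" + IPV4),
}

def classify(samples=SAMPLES):
    """Return {name: inserted 802.1Q tag as hex, or None if the frame was left unchanged}."""
    tagged = {n: add_tag(f, ACL_4000, vlan=100, pcp=6) for n, f in samples.items()}
    return {n: t[12:16].hex() if t != samples[n] else None for n, t in tagged.items()}

if __name__ == "__main__":
    print(classify())
```

The same-prefix sample is tagged exactly like a real phone because ACL 4000 compares only the first 32 bits of the source MAC; whether a device is admitted at all is decided by the 802.1X step, not by the ACL.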
Configuration Files
SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)