(Recommended) Interoperation Between Switches and IP Phones Through the OUI-based Voice VLAN
Overview
If an IP phone sends packets with VLAN 0 or untagged packets, the switch can identify the OUI of the untagged packet from the IP phone. Then the switch adds the voice VLAN ID to the packet and increases the priority of the packet based on the voice VLAN ID.
For applicable IP phones, see List of IP Phone Models That Can Be Connected to Switches.
Configuration Notes
- This example applies to all models of V200R003C00 and later versions.
- For fixed switches (S5720EI, S6720EI, S6720S-EI) and modular switches (excluding X series cards) running V200R010 and later versions, run the voice-vlan vlan-id enable include-tag0 command to enable the switch to identify packets with tag 0 as voice packets and add the voice VLAN ID to the packets.
- When IP phones are connected in Voice-VLAN include-untagged mode, disable LLDP on the interface or run the undo lldp tlv-enable med-tlv network-policy command to prevent the switch and IP phones from advertising the VLAN configuration. Otherwise, the switch allocates the voice VLAN ID to IP phones through LLDP. The IP phones then send tagged packets to the switch, whereas the switch forwards untagged packets to the IP phones. As a result, the IP phones cannot go online.
- If Mitel 5212 phones cannot go online, rectify the fault by referring to Cause 6: Customized Options Are Not Configured for a Switch Functioning as the DHCP Server. As a Result, Mitel 5212 Phones Fail to Go Online.
Networking Requirements
- The priority of voice packets is increased to ensure communication quality of IP phones.
- Voice packets are transmitted in VLAN 100.
- IP addresses of IP phones are on a different network segment from that of the DHCP server, and DHCP snooping is configured to improve network security.
- IP phones need to connect to switches through MAC address authentication.
Configuration Roadmap
To implement interoperation between switches and IP phones through the OUI-based voice VLAN, the IP phones must obtain IP addresses, go online after authentication, and then communicate normally. Figure 1-7 shows the process for interoperation between switches and IP phones through the OUI-based voice VLAN.
The operations of applying for IP addresses and enabling IP phones to go online after authentication can be performed simultaneously.
- Configure OUI-based voice VLANs, assign VLANs to IP phones, and increase the priority.
- Configure the DHCP relay function and DHCP server to allocate IP addresses to IP phones.
- Configure the authentication server and enable IP phones to go online after authentication.
Data Plan
| Item | Value |
|---|---|
| Voice VLAN | VLAN 100 |
| MAC address | 001b-d4c7-0001, 0021-a08f-0002 |
| Address segment | 10.20.20.1/24 |
| Authentication mode | MAC address authentication |

| Item | Value |
|---|---|
| VLAN and IP address used by SwitchA to communicate with SwitchB | VLAN 200, 10.10.20.1/24 |
| VLAN and IP address used by SwitchB to communicate with SwitchA | VLAN 200, 10.10.20.2/24 |
| IP address of SwitchA | 192.168.100.200 |
| MAC access profile name | ipphone |
| IP address of the RADIUS authentication and accounting server | 192.168.100.182 |
| Port number of the RADIUS authentication server | 1812 |
| Port number of the RADIUS accounting server | 1813 |
| RADIUS shared key | Huawei2012 |
Procedure
- Add an interface on SwitchA to a VLAN.
# Create voice VLAN 100.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100
# Add an interface to VLAN 100 in untagged mode.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type hybrid   //In V200R005C00 and later versions, the default link type of an interface is not hybrid and must be configured manually.
    [SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100   //Packets sent by IP phones do not carry tags, so the interface must join VLAN 100 in untagged mode.
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type hybrid
    [SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
    [SwitchA-GigabitEthernet1/0/2] quit

- On SwitchA, configure the interface to add the voice VLAN ID to untagged packets and configure the OUI.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] voice-vlan 100 enable include-untagged   //Configure the interface to add the voice VLAN ID to untagged packets. In V200R010 and later versions, run the voice-vlan vlan-id enable include-tag0 command to enable the switch to process packets tagged with voice VLAN 0 for the S5720EI, S6720EI, S6720S-EI, and modular switches (excluding switches using X series cards).
    [SwitchA-GigabitEthernet1/0/1] undo lldp enable   //In V200R011C10 and later versions, you need to manually disable LLDP.
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] voice-vlan 100 enable include-untagged
    [SwitchA-GigabitEthernet1/0/2] undo lldp enable
    [SwitchA-GigabitEthernet1/0/2] quit
    [SwitchA] voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000   //When the interface is configured to add the voice VLAN ID to untagged packets, this command must be configured. The MAC address is the IP phone's MAC address.
    [SwitchA] voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000

- Configure the DHCP relay function and DHCP server.
- Configure DHCP snooping on SwitchA.

    [SwitchA] dhcp snooping enable   //Enable DHCP snooping globally. DHCP snooping is disabled by default.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] dhcp snooping enable   //Enable DHCP snooping on the interface.
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] dhcp snooping enable
    [SwitchA-GigabitEthernet1/0/2] quit
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] dhcp snooping trusted   //Configure the uplink interface as the trusted interface.
    [SwitchA-GigabitEthernet1/0/3] quit

- Configure an AAA domain and MAC address authentication for IP phones.
- Verify the configuration.
- Use the menu of the IP phone to check that the phone has correctly obtained an IP address.
- The display access-user command output on SwitchA displays connection information about IP phones.

    [SwitchA] display access-user
     ------------------------------------------------------------------------------
     UserID  Username        IP address      MAC             Status
     ------------------------------------------------------------------------------
     564     001bd4c71fa9    10.20.20.198    001b-d4c7-1fa9  Success
     565     0021a08f2fa8    10.20.20.199    0021-a08f-2fa8  Success
     ------------------------------------------------------------------------------
     Total: 2, printed: 2

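
The following Python example is an addition to this guide, not Huawei code. It applies the address-and-mask comparison of the voice-vlan mac-address entries to the MAC addresses reported by display access-user, so that an authenticated device outside the configured ranges stands out; the row with 0200-0000-0001 is constructed for illustration, and all function names are illustrative.

```python
import re

# Constructed input: the two OUI entries configured in the procedure above.
OUI_CONFIG = """\
voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
"""
# Constructed rows in the display access-user layout; UserID 566 is made up.
ACCESS_USERS = """\
564     001bd4c71fa9    10.20.20.198    001b-d4c7-1fa9  Success
565     0021a08f2fa8    10.20.20.199    0021-a08f-2fa8  Success
566     020000000001    10.20.20.200    0200-0000-0001  Success
"""
MAC_RE = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"

def mac_to_int(mac):
    """Convert xxxx-xxxx-xxxx notation to a 48-bit integer."""
    return int(mac.replace("-", ""), 16)

def parse_oui_entries(config):
    """Return (prefix, mask) integer pairs from voice-vlan mac-address lines."""
    pat = re.compile(rf"voice-vlan mac-address ({MAC_RE}) mask ({MAC_RE})", re.I)
    entries = []
    for addr, mask in pat.findall(config):
        m = mac_to_int(mask)
        entries.append((mac_to_int(addr) & m, m))
    return entries

def matches_voice_oui(mac, entries):
    """True when the MAC ANDed with an entry's mask equals that entry's prefix."""
    value = mac_to_int(mac)
    return any(value & mask == prefix for prefix, mask in entries)

def addresses_admitted(mask):
    """Number of distinct source MACs one entry accepts (2 ** zero bits in mask)."""
    return 1 << (48 - bin(mask).count("1"))

def audit(access_users, entries):
    """Map each MAC in the access-user rows to whether it matches an OUI entry."""
    macs = re.findall(rf"\b{MAC_RE}\b", access_users, re.I)
    return {mac: matches_voice_oui(mac, entries) for mac in macs}
```

With the mask ffff-ffff-0000 used in this example, each entry admits 65536 addresses, which is narrower than a full 24-bit vendor prefix.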
Configuration Files
- SwitchA configuration file (V200R007C00 and earlier versions, and V200R008C00)

    #
    sysname SwitchA
    #
    voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
    voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
    #
    vlan batch 100 200
    #
    dhcp enable
    #
    dhcp snooping enable
    #
    radius-server template ipphone
     radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
     radius-server authentication 192.168.100.182 1812 weight 80
     radius-server accounting 192.168.100.182 1813 weight 80
    #
    aaa
     authentication-scheme radius
      authentication-mode radius
     domain default
      authentication-scheme radius
      radius-server ipphone
    #
    interface Vlanif100
     ip address 10.20.20.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif200
     ip address 10.10.20.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type hybrid
     voice-vlan 100 enable include-untagged
     port hybrid untagged vlan 100
     authentication mac-authen
     dhcp snooping enable
    #
    interface GigabitEthernet1/0/2
     port link-type hybrid
     voice-vlan 100 enable include-untagged
     port hybrid untagged vlan 100
     authentication mac-authen
     dhcp snooping enable
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
     dhcp snooping trusted
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
    #
    return

- SwitchA configuration file (V200R009C00, V200R010C00, and V200R011C00)

    #
    sysname SwitchA
    #
    voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
    voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
    #
    vlan batch 100 200
    #
    authentication-profile name ipphone
     mac-access-profile ipphone
    #
    dhcp enable
    #
    dhcp snooping enable
    #
    radius-server template ipphone
     radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
     radius-server authentication 192.168.100.182 1812 weight 80
     radius-server accounting 192.168.100.182 1813 weight 80
    #
    aaa
     authentication-scheme radius
      authentication-mode radius
     domain default
      authentication-scheme radius
      radius-server ipphone
    #
    interface Vlanif100
     ip address 10.20.20.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif200
     ip address 10.10.20.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type hybrid
     voice-vlan 100 enable include-untagged
     port hybrid untagged vlan 100
     authentication-profile ipphone
     dhcp snooping enable
    #
    interface GigabitEthernet1/0/2
     port link-type hybrid
     voice-vlan 100 enable include-untagged
     port hybrid untagged vlan 100
     authentication-profile ipphone
     dhcp snooping enable
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
     dhcp snooping trusted
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
    #
    mac-access-profile name ipphone
    #
    return

- SwitchA configuration file (V200R011C10 and later versions)

    #
    sysname SwitchA
    #
    voice-vlan mac-address 001b-d4c7-0000 mask ffff-ffff-0000
    voice-vlan mac-address 0021-a08f-0000 mask ffff-ffff-0000
    #
    vlan batch 100 200
    #
    authentication-profile name ipphone
     mac-access-profile ipphone
    #
    dhcp enable
    #
    dhcp snooping enable
    #
    radius-server template ipphone
     radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
     radius-server authentication 192.168.100.182 1812 weight 80
     radius-server accounting 192.168.100.182 1813 weight 80
    #
    aaa
     authentication-scheme radius
      authentication-mode radius
     domain default
      authentication-scheme radius
      radius-server ipphone
    #
    interface Vlanif100
     ip address 10.20.20.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.10.20.2
    #
    interface Vlanif200
     ip address 10.10.20.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type hybrid
     voice-vlan 100 enable include-untagged
     port hybrid untagged vlan 100
     authentication-profile ipphone
     undo lldp enable
     dhcp snooping enable
    #
    interface GigabitEthernet1/0/2
     port link-type hybrid
     voice-vlan 100 enable include-untagged
     port hybrid untagged vlan 100
     authentication-profile ipphone
     undo lldp enable
     dhcp snooping enable
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
     dhcp snooping trusted
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
    #
    mac-access-profile name ipphone
    #
    return

- SwitchB configuration file

    #
    sysname SwitchB
    #
    vlan batch 200
    #
    dhcp enable
    #
    ip pool ip-phone
     gateway-list 10.20.20.1
     network 10.20.20.0 mask 255.255.255.0
    #
    interface Vlanif200
     ip address 10.10.20.2 255.255.255.0
     dhcp select global
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 200
    #
    ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
    #
    return
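
As an added example (not part of the original guide and not Huawei tooling), this Python check reads a saved SwitchA configuration and reports, for every interface with voice-vlan ... include-untagged, which of the settings this example combines are missing: LLDP advertisement disabled as the Configuration Notes require, untagged membership of the voice VLAN, DHCP snooping, and authentication. It assumes the V200R011C10 and later layout, where LLDP must be disabled manually and the undo line appears under the interface; the sample text, including GigabitEthernet1/0/4, is constructed and the function names are illustrative.

```python
import re

# Constructed sample (V200R011C10 layout); GigabitEthernet1/0/4 is a made-up port.
CONFIG = """\
interface GigabitEthernet1/0/1
 voice-vlan 100 enable include-untagged
 port hybrid untagged vlan 100
 authentication-profile ipphone
 undo lldp enable
 dhcp snooping enable
#
interface GigabitEthernet1/0/3
 dhcp snooping trusted
#
interface GigabitEthernet1/0/4
 voice-vlan 100 enable include-untagged
 port hybrid untagged vlan 100
 authentication-profile ipphone
#
"""
LLDP_OFF = {"undo lldp enable", "undo lldp tlv-enable med-tlv network-policy"}

def interface_stanzas(config):
    """Return {interface name: [sub-commands]} from a saved configuration."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:  # '#' or any other top-level line closes the stanza
            current = None
    return stanzas

def audit_voice_ports(config):
    """Return {interface: [missing settings]} for include-untagged voice ports."""
    report = {}
    for name, cmds in interface_stanzas(config).items():
        m = re.search(r"^voice-vlan (\d+) enable include-untagged$", "\n".join(cmds), re.M)
        if m:
            untagged = " ".join(c for c in cmds if c.startswith("port hybrid untagged vlan "))
            checks = {
                "LLDP disabled": LLDP_OFF & set(cmds),
                "untagged member of voice VLAN": m.group(1) in untagged.split(),
                "dhcp snooping enable": "dhcp snooping enable" in cmds,
                "authentication": any(c.startswith("authentication") for c in cmds),
            }
            report[name] = [label for label, ok in checks.items() if not ok]
    return report
```

An empty list means the port carries all four settings; the uplink GigabitEthernet1/0/3 is skipped because it is not a voice VLAN port.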