Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch

Note: This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch. For ELS details, see Getting Started with Enhanced Layer 2 Software.

You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. The Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) protocol forwards VoIP parameters from the switch to the phone. You also configure 802.1X authentication to allow the telephone access to the LAN. Authentication is done through a backend RADIUS server.

This example describes how to configure VoIP on an EX Series switch to support an Avaya IP phone, as well as the LLDP-MED protocol and 802.1X authentication.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 13.2X50 or later for EX Series switches
  • One EX4300 switch acting as an authenticator port access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
  • An Avaya IP telephone that supports LLDP-MED and 802.1X

Before you configure VoIP, be sure you have:

Note: If the IP address is not configured on the Avaya IP phone, the phone exchanges LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure the voip statement on the interface to designate the interface as a VoIP interface and allow the switch to forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request and exchange information with the DHCP server (voice gateway).

Overview and Topology

Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch.

In this example, the access interface ge-0/0/2 on the EX4300 switch is connected to an Avaya IP telephone. Avaya phones have a built-in bridge that allows you to connect a desktop PC to the phone, so the desktop and phone in a single office require only one interface on the switch. The EX Series switch is connected to a RADIUS server on the ge-0/0/10 interface (see Figure 1).

Figure 1: VoIP Topology

In this example, you configure VoIP parameters and specify the forwarding class assured-forwarding for voice traffic to provide the highest quality of service.

Table 1 describes the components used in this VoIP configuration example.

Table 1: Components of the VoIP Configuration Topology

Property                                  Settings

Switch hardware                           EX4300 switch

VLAN names                                data-vlan
                                          voice-vlan

Connection to Avaya phone—with            ge-0/0/2
integrated hub, to connect phone and
desktop PC to a single interface
(requires PoE)

One RADIUS server                         Provides backend database connected to the
                                          switch through interface ge-0/0/10.

In addition to configuring VoIP on interface ge-0/0/2, you configure:

  • 802.1X authentication. Authentication is set to multiple supplicant mode to support more than one supplicant's access to the LAN through interface ge-0/0/2.
  • LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP parameters to the phone. Using LLDP-MED ensures that voice traffic gets tagged and prioritized with the correct values at the source itself. For example, 802.1p class of service and 802.1Q tag information can be sent to the IP telephone.

    Note: A PoE configuration is not necessary if an IP telephone is using a power adapter.

Configuration

CLI Quick Configuration

To quickly configure VoIP, LLDP-MED, and 802.1X, copy the following commands and paste them into the switch terminal window:

[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan switch-options interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set switch-options voip interface ge-0/0/2.0 vlan voice-vlan
set switch-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Step-by-Step Procedure

To configure VoIP with LLDP-MED and 802.1X:

  1. Configure the VLANs for voice and data:
    [edit vlans]
    user@switch# set data-vlan vlan-id 77
    user@switch# set voice-vlan vlan-id 99
  2. Associate the VLAN data-vlan with the interface:
    [edit vlans]
    user@switch# set data-vlan switch-options interface ge-0/0/2.0
  3. Configure the interface as an access interface, configure support for Ethernet switching, and add the data-vlan VLAN:
    [edit interfaces]
    user@switch# set ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
  4. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:
    [edit switch-options]
    user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
    user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
  5. Configure LLDP-MED protocol support:
    [edit protocols]
    user@switch# set lldp-med interface ge-0/0/2
  6. To authenticate an IP phone and a PC connected to the IP phone on the interface, configure 802.1X authentication support and specify multiple supplicant mode:

    Note: If you do not want to authenticate any device, skip the 802.1X configuration on this interface.

    [edit protocols]
    user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
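
The following Python sketch is an added example, not part of the original Juniper page. It audits a set-format configuration and reports, for every VoIP interface, whether the three pieces this procedure ties together are present: a defined voice VLAN, LLDP-MED, and 802.1X in multiple supplicant mode. The function name audit_voip, the ge-0/0/3 line, and the VLAN name phones are constructed for illustration.

```python
# Constructed sample: the page's quick-configuration commands plus one
# hypothetical interface (ge-0/0/3.0) with VoIP but no LLDP-MED or 802.1X.
SAMPLE = """\
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan switch-options interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set switch-options voip interface ge-0/0/2.0 vlan voice-vlan
set switch-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
set switch-options voip interface ge-0/0/3.0 vlan phones
"""

def audit_voip(config):
    """Return {voip_interface: [findings]} for a set-format configuration."""
    vlans, lldp_med, dot1x, voip = set(), set(), {}, {}
    for line in config.splitlines():
        w = line.split()
        if w[:1] != ["set"]:
            continue
        w = w[1:]
        if w[:1] == ["vlans"] and w[2:3] == ["vlan-id"]:
            vlans.add(w[1])
        elif w[:3] == ["protocols", "lldp-med", "interface"] and len(w) > 3:
            lldp_med.add(w[3].split(".")[0])      # store the physical name (or "all")
        elif w[:4] == ["protocols", "dot1x", "authenticator", "interface"] and len(w) > 4:
            mode = w[6] if w[5:6] == ["supplicant"] and len(w) > 6 else None
            dot1x[w[4]] = mode or dot1x.get(w[4], "")   # "" = mode not stated
        elif w[:3] == ["switch-options", "voip", "interface"] and len(w) > 3:
            entry = voip.setdefault(w[3], {})
            if w[4:5] == ["vlan"] and len(w) > 5:
                entry["vlan"] = w[5]
    report = {}
    for ifl, entry in voip.items():
        findings = []
        if entry.get("vlan") not in vlans:
            findings.append("voice VLAN missing or not defined under vlans")
        if not {ifl.split(".")[0], "all"} & lldp_med:
            findings.append("LLDP-MED not enabled on the interface")
        mode = dot1x.get(ifl, dot1x.get("all"))   # assumption: "all" covers every port
        if mode is None:
            findings.append("no 802.1X authenticator: devices are not authenticated")
        elif mode != "multiple":
            findings.append("supplicant mode is not multiple (phone and PC share the port)")
        report[ifl] = findings
    return report
```

An empty findings list for ge-0/0/2.0 matches the configuration in this example; the constructed ge-0/0/3.0 entry is reported with all three gaps.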

Results

Display the results of the configuration:

[edit]
user@switch# show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members data-vlan;
                }
            }
        }
    }
}
protocols {
    lldp-med {
        interface ge-0/0/2;
    }
    dot1x {
        authenticator {
            interface {
                ge-0/0/2.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
        switch-options {
            interface ge-0/0/2.0;
        }
    }
    voice-vlan {
        vlan-id 99;
    }
}
switch-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
            forwarding-class assured-forwarding;
        }
    }
}

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying LLDP-MED Configuration

Purpose

Verify that LLDP-MED is enabled on the interface.

Action

user@switch> show lldp detail
LLDP                   : Enabled
Advertisement interval : 30 seconds
Transmit delay         : 2 seconds
Hold timer             : 120 seconds
Notification interval  : 0 Second(s)
Config Trap Interval   : 0 seconds
Connection Hold timer  : 300 seconds

LLDP MED               : Enabled
MED fast start count   : 3 Packets

Port ID TLV subtype    : locally-assigned

Interface      Parent Interface    LLDP        LLDP-MED     Power Negotiation
  Neighbor count
all            -                   Enabled     Enabled      Enabled
  0
ge-0/0/2       -                   -           Enabled      -
  0

Interface      Parent Interface    Vlan-id     Vlan-name
ge-0/0/0       -                   1           vlan-1
ge-0/0/1       -                   1           vlan-1
ge-0/0/2       -                   77          vlan-77
ge-0/0/2       -                   99          vlan-99
ge-0/0/3       -                   1           vlan-1
ge-0/0/4       -                   1           vlan-1
ge-0/0/5       -                   1           vlan-1
ge-0/0/6       -                   1           vlan-1
ge-0/0/7       -                   1           vlan-1
ge-0/0/8       -                   1           vlan-1
ge-0/0/9       -                   1           vlan-1
ge-0/0/10      -                   1           vlan-1

Basic Management TLVs supported:
End Of LLDPDU, Chassis ID, Port ID, Time To Live, Port Description, System Name,
 System Description, System Capabilities, Management Address

Organizationally Specific TLVs supported:
MAC/PHY configuration/status, Power via MDI, Link aggregation, Maximum Frame Size,
 Port VLAN tag, Port VLAN name.

Meaning

The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2 interface. The end of the output lists the supported LLDP basic management TLVs and organizationally specific TLVs.

Verifying 802.1X Authentication for IP Phone and Desktop PC

Purpose

Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN.

Action

user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: user101, 00:04:0f:fd:ac:fe
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: vo11
      Dynamic Filter: match source-dot1q-tag 10 action deny
      Session Reauth interval: 60 seconds
      Reauthentication due in 50 seconds

Meaning

The Role field shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant mode field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.

Verifying the VLAN Association with the Interface

Purpose

Display the interface’s VLAN membership.

Action

user@switch> show ethernet-switching interface ge-0/0/2.0
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down )
Logical      Vlan       TAG   MAC      STP          Logical         Tagging
interface    members          limit    state        interface flags
ge-0/0/2.0                    65535                                 untagged
             voice-vlan 99
                              65535    Discarding
             data-vlan  77
                              65535    Discarding

Meaning

The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN.

Published: 2014-04-23