
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

You can configure voice over IP (VoIP) to support IP telephones. VoIP is a protocol used for the transmission of voice through packet-switched networks. VoIP transmits voice calls using a network connection instead of an analog phone line. Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch.

This example describes how to configure VoIP on the switch to support an Avaya telephone, as well as the LLDP-MED protocol. This protocol forwards VoIP parameters from the switch to the phone. You also configure 802.1X authentication to allow the telephone access to the LAN. Authentication is done through a backend RADIUS server.

Requirements

This example uses the following hardware and software components:

  • JUNOS Release 9.0 or later for EX-series switches
  • One EX-series 4200 switch acting as an authenticator port access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
  • An Avaya 9620 IP telephone (supports LLDP-MED and 802.1X)

Before you configure VoIP, be sure you have:

Overview and Topology

Access interface ge-0/0/2 on the EX-series 4200 switch is connected to an Avaya 9620 IP telephone. Avaya phones have a built-in bridge that allows you to connect a desktop PC to the phone, so the desktop and phone in a single office require only one interface on the switch. The EX-series switch is connected to a RADIUS server on interface ge-0/0/10.

Figure 1: VoIP Topology

In this example, you configure VoIP parameters and specify the forwarding class assured-forwarding for voice traffic to provide the highest quality of service.

Table 1: Components of the VoIP Configuration Topology

| Property | Settings |
|---|---|
| Switch hardware | EX-series 4200 access switch |
| VLAN names | data1, voice-vlan |
| Connection to Avaya phone—with integrated hub, to connect phone and desktop PC to a single interface (requires PoE) | ge-0/0/2 |
| One RADIUS server | Provides backend database connected to the switch through interface ge-0/0/10. |

As well as configuring VoIP for interface ge-0/0/2, you configure:

  • 802.1X authentication. Authentication is set to multiple supplicant mode so that more than one supplicant can access the LAN through interface ge-0/0/2.
  • LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP parameters to the phone. Using LLDP-MED ensures that voice traffic gets tagged and prioritized with the correct values at the source itself. For example, 802.1p CoS and 802.1q tag information can be sent to the IP telephone.

    Note: A PoE configuration is not necessary if an IP telephone is using a power adapter.

Configuration

To configure VoIP to support an Avaya phone, as well as the LLDP-MED protocol:

CLI Quick Configuration

To quickly configure VoIP, LLDP-MED, and 802.1X for an interface, copy the following commands and paste them into the switch terminal window:

[edit]
set vlans data1 description data-vlan
set vlans voice-vlan description voice-vlan
set vlans data1 interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data1
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2.0
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Step-by-Step Procedure

To configure VoIP, LLDP, LLDP-MED, and 802.1X authentication:

  1. Configure the VLANs for voice and data:
    [edit vlans]
    user@switch# set data1 description data-vlan
    user@switch# set voice-vlan description voice-vlan
  2. Configure the VLAN data1 on the interface:
    [edit vlans]
    user@switch# set data1 interface ge-0/0/2.0
  3. Configure the maximum transmission unit for the media:
    [edit interfaces]
    user@switch# set ge-0/0/2 mtu 1518
  4. Configure the interface as an access interface, configure support for the Ethernet switching protocol, and add the data1 VLAN:
    [edit interfaces]
    user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data1
    user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
  5. Add the VoIP configuration for the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:
    [edit ethernet-switching-options]
    user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
    user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
  6. Configure LLDP-MED protocol support:
    [edit protocols]
    user@switch# set lldp-med interface ge-0/0/2.0
  7. Configure 802.1X protocol support and specify multiple supplicants to allow more than one supplicant to be authenticated on the interface:
    [edit protocols]
    user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
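
The following added example (not part of the original Juniper page) checks a configuration in set format, such as the output of show configuration | display set, for the combination this procedure builds: every interface with a VoIP VLAN should also have an 802.1X authenticator in multiple supplicant mode and LLDP-MED. The ge-0/0/3 lines in the sample are constructed, and the function name and finding text are illustrative; per-interface statements are assumed (no "interface all").

```python
import re
from collections import defaultdict

# Constructed sample in set format: ge-0/0/2 mirrors the page's configuration;
# ge-0/0/3 is a hypothetical port that has VoIP and LLDP-MED but no 802.1X.
SAMPLE = """\
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data1
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2.0
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/3.0 vlan voice-vlan
set protocols lldp-med interface ge-0/0/3.0
"""

PATTERNS = {
    "voip_vlan": re.compile(r"^set ethernet-switching-options voip interface (\S+) vlan (\S+)"),
    "lldp_med": re.compile(r"^set protocols lldp-med interface (\S+)"),
    "dot1x": re.compile(r"^set protocols dot1x authenticator interface (\S+)"),
    "supplicant": re.compile(r"^set protocols dot1x authenticator interface (\S+) supplicant (\S+)"),
}

def audit_voip_ports(config_text):
    """Return {interface: [findings]} for every interface that has a VoIP VLAN."""
    seen = defaultdict(dict)
    for line in config_text.splitlines():
        line = line.strip()
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                # Two-group patterns carry a value; one-group patterns are flags.
                seen[m.group(1)][key] = m.group(2) if rx.groups > 1 else True
    report = {}
    for ifname, feats in sorted(seen.items()):
        if "voip_vlan" not in feats:
            continue  # only VoIP ports are in scope
        findings = []
        if "dot1x" not in feats:
            findings.append("no 802.1X authenticator configured on a VoIP port")
        elif feats.get("supplicant") != "multiple":
            findings.append("supplicant mode is not multiple (the page's setting for phone plus PC)")
        if "lldp_med" not in feats:
            findings.append("no LLDP-MED: switch cannot advertise VoIP parameters to the phone")
        report[ifname] = findings
    return report
```

An empty findings list means the interface carries all three pieces; here ge-0/0/2.0 is clean and ge-0/0/3.0 is reported for the missing authenticator.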

Configuration Results

Display the results of the configuration:

[edit]
user@switch# show configuration
interfaces {
    ge-0/0/2 {
        mtu 1518;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data1;
                }
            }
        }
    }
}
protocols {
    lldp-med {
        interface ge-0/0/2.0;
    }
    dot1x {
        authenticator {
            interface {
                ge-0/0/2.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
vlans {
    data1 {
        description data-vlan;
        interface {
            ge-0/0/2.0;
        }
    }
    voice-vlan {
        description voice-vlan;
    }
}

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying LLDP-MED Configuration

Purpose

Verify that LLDP-MED is enabled on the interface.

Action


user@switch> show lldp detail

LLDP                   : Enabled
Advertisement interval : 30 Second(s)
Transmit delay         : 2 Second(s)
Hold timer             : 2 Second(s)
Config Trap Interval   : 300 Second(s)
Connection Hold timer  : 60 Second(s)

LLDP MED               : Enabled
MED fast start count   : 3 Packet(s)


Interface      LLDP       LLDP-MED    Neighbor count
all            Enabled    -           0         
ge-0/0/2.0     -          Enabled     0         

Interface     VLAN-id     VLAN-name
ge-0/0/0.0    0           default  
ge-0/0/1.0    0           employee-vlan
ge-0/0/2.0    0           data1
ge-0/0/3.0    0           employee-vlan
ge-0/0/8.0    0           employee-vlan
ge-0/0/10.0   0           default  
ge-0/0/11.0   20          employee-vlan
ge-0/0/11.0   0           __juniper_vlan_internal__
ge-0/0/23.0   0           default  

LLDP basic TLVs supported: 
Chassis identifier, Port identifier, Port description, System name, System
description, System capabilities, Management address.

LLDP 802 TLVs supported: 
Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port
VLAN name.

LLDP MED TLVs supported: 
LLDP MED capabilities, Network policy, Endpoint location, Extended power
Via MDI.

Meaning

The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output lists the supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs.

Verifying 802.1X Authentication

Purpose

Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN.

Action


user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Reauthentication: Enabled
  Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Number of connected supplicants: 1
    Supplicant: abc, 00:00:00:00:22:22
      Operational state: Authenticated
      Reauthentication due in 3588 seconds

Meaning

The Role field shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant mode field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.
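
For monitoring, the same output can be parsed to list supplicants that have not reached the Authenticated state. This is an added example, not part of the original Juniper page; the sample text is constructed from the output above, and the second supplicant (pc1) with its Connecting state is hypothetical, as are the function names.

```python
import re

# Constructed sample modelled on the output above; the second supplicant
# and its "Connecting" state are hypothetical, added to exercise the check.
SAMPLE_OUTPUT = """\
user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of connected supplicants: 2
    Supplicant: abc, 00:00:00:00:22:22
      Operational state: Authenticated
      Reauthentication due in 3588 seconds
    Supplicant: pc1, 00:00:00:00:33:33
      Operational state: Connecting
"""

IFACE = re.compile(r"^[a-z]+-\d+/\d+/\d+(\.\d+)?$")   # e.g. ge-0/0/2.0
SUPPLICANT = re.compile(r"Supplicant: (\S+), ([0-9A-Fa-f:]{17})$")

def parse_dot1x_detail(text):
    """Parse 'show dot1x interface ... detail' text into a dict per interface."""
    ports, port, supp = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if IFACE.match(raw):                  # unindented interface name starts a block
            port = ports.setdefault(line, {"fields": {}, "supplicants": []})
            supp = None
        elif port is None or not raw[0].isspace():
            continue                          # prompt line or text outside a block
        elif (m := SUPPLICANT.match(line)):
            supp = {"name": m.group(1), "mac": m.group(2).lower(), "state": None}
            port["supplicants"].append(supp)
        elif supp is not None and line.startswith("Operational state:"):
            supp["state"] = line.split(":", 1)[1].strip()
        elif supp is None and ":" in line:    # port-level "Key: value" field
            key, value = line.split(":", 1)
            port["fields"][key.strip()] = value.strip()
    return ports

def unauthenticated(ports):
    """Return (interface, name, mac, state) for supplicants not Authenticated."""
    return [(ifname, s["name"], s["mac"], s["state"])
            for ifname, p in ports.items()
            for s in p["supplicants"] if s["state"] != "Authenticated"]
```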

Verifying the Interface

Purpose

Display the interface state and VLAN membership.

Action


user@switch> show ethernet-switching interfaces
 Ethernet-switching table: 0 entries, 0 learned

user@switch> show ethernet-switching interfaces 
Interface   State    VLAN members           Blocking 
ge-0/0/0.0  down     default                unblocked
ge-0/0/1.0  down     employee-vlan          unblocked
ge-0/0/5.0  down     employee-vlan          unblocked
ge-0/0/3.0  down     employee-vlan          unblocked
ge-0/0/8.0  down     employee-vlan          unblocked
ge-0/0/10.0 down     default                unblocked
ge-0/0/11.0 down     employee-vlan          unblocked
ge-0/0/23.0 down     default                unblocked
ge-0/0/2.0  up       voice-vlan             unblocked
                     data1                  unblocked

Meaning

The VLAN members field shows that the ge-0/0/2.0 interface supports both the data1 VLAN and the voice-vlan VLAN. The State field shows that the interface is up.
