Example: Configuring VoIP on an EX Series Switch with ELS Support Without Including 802.1X Authentication
This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication. For ELS details, see Using the Enhanced Layer 2 Software CLI.
You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones.
To configure VoIP on an EX Series switch to support an IP phone that does not support 802.1X authentication, you must either add the MAC address of the phone to the static MAC bypass list or enable MAC RADIUS authentication on the switch.
This example describes how to configure VoIP on an EX Series switch without 802.1X authentication by using static MAC bypass of authentication.
This example uses the following hardware and software components:
- One EX Series switch with support for ELS
- Junos OS Release 13.2 or later for EX Series switches
- An Avaya IP telephone
This figure also applies to QFX5100 switches.
Before you configure VoIP, be sure you have:
- Installed your EX Series switch. See the installation information for your switch.
- Performed the initial switch configuration. See Connecting and Configuring an EX Series Switch (CLI Procedure).
- Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch with ELS Support or Example: Setting Up Basic Bridging and a VLAN on Switches.
- Configured the RADIUS server for 802.1X authentication and set up the access profile. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
- (Optional) Configured the interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is not necessary if the VoIP supplicant uses a power adapter. For information about configuring PoE, see Configuring PoE Interfaces on EX Series Switches.
If the IP address is not configured on the Avaya IP phone, the phone exchanges LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure the voip statement on the interface to designate the interface as a VoIP interface and allow the switch to forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request and exchange information with the DHCP server (voice gateway).
Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch.
In this example, the access interface ge-0/0/2 on the EX Series switch is connected to a non-802.1X IP phone.
To configure VoIP on an EX Series switch to support an IP phone that does not support 802.1X authentication, add the MAC address of the phone as a static entry in the authenticator database and set the supplicant mode to multiple.
CLI Quick Configuration
To quickly configure VoIP without using 802.1X authentication, copy the following commands and paste them into the switch terminal window:
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set switch-options voip interface ge-0/0/2.0 vlan voice-vlan
set switch-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2
set protocols dot1x authenticator authentication-profile-name auth-profile
set protocols dot1x authenticator static 00:04:f2:11:aa:a7
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
To configure VoIP without 802.1X authentication:
- Configure the VLANs for voice and data:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99
- Configure the interface as an access interface, configure support for Ethernet switching, and add the interface as a member of the data-vlan VLAN, using the two set interfaces ge-0/0/2 commands shown in the CLI Quick Configuration.
- Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:
[edit switch-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
- Configure LLDP-MED protocol support:
[edit protocols]
user@switch# set lldp-med interface ge-0/0/2
- Set the authentication profile with the name auth-profile (see Configuring 802.1X Interface Settings (CLI Procedure) and Configuring 802.1X RADIUS Accounting (CLI Procedure)):
[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name auth-profile
- Add the MAC address of the phone to the static MAC bypass list:
[edit protocols]
user@switch# set dot1x authenticator static 00:04:f2:11:aa:a7
- Set the supplicant mode to multiple:
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
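The static entry configured above lets one MAC address skip 802.1X, so a saved configuration is worth checking for bypass entries that apply to every authenticator port and for voice ports that lack the authenticator settings from this procedure. The following Python audit is an added example, not Juniper code; it reads set-format configuration (the sample input is this page's quick configuration) and assumes the optional interface qualifier of the static statement is how a bypass entry is limited to one port.

```python
import re

# Constructed input: the set commands from this example's CLI Quick Configuration.
SAMPLE_CONFIG = """\
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set switch-options voip interface ge-0/0/2.0 vlan voice-vlan
set switch-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2
set protocols dot1x authenticator authentication-profile-name auth-profile
set protocols dot1x authenticator static 00:04:f2:11:aa:a7
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
"""

# Assumption: a bypass entry is scoped with "static <mac> interface <name>".
STATIC = re.compile(r"set protocols dot1x authenticator static (\S+)(?: interface (\S+))?")
VOIP = re.compile(r"set switch-options voip interface (\S+) vlan \S+")
DOT1X = re.compile(r"set protocols dot1x authenticator interface (\S+)(?: supplicant (\S+))?")

def audit(config):
    """Return a list of findings for a set-format Junos configuration."""
    bypass = {}   # bypass MAC -> interfaces the entry is limited to
    voip = set()  # interfaces that carry a voice VLAN
    modes = {}    # 802.1X authenticator interface -> supplicant mode (or None)
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            scope = bypass.setdefault(m.group(1).lower(), set())
            if m.group(2):
                scope.add(m.group(2))
        elif m := VOIP.match(line):
            voip.add(m.group(1))
        elif m := DOT1X.match(line):
            modes[m.group(1)] = m.group(2) or modes.get(m.group(1))
    findings = []
    for mac, scope in sorted(bypass.items()):
        if not scope:
            findings.append(f"{mac}: bypass entry is not limited to an interface")
    for ifname in sorted(voip):
        if ifname not in modes:
            findings.append(f"{ifname}: VoIP interface has no 802.1X authenticator")
        elif modes[ifname] != "multiple":
            findings.append(f"{ifname}: supplicant mode is not multiple")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING", finding)
```

Run against the quick configuration as written, the audit reports the unscoped bypass entry for 00:04:f2:11:aa:a7 and nothing else.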
Display the results of the configuration:
To confirm that the configuration is working properly, perform these tasks:
Verifying LLDP-MED Configuration
Verify that LLDP-MED is enabled on the interface.
user@switch> show lldp detail
LLDP                      : Enabled
Advertisement interval    : 30 seconds
Transmit delay            : 2 seconds
Hold timer                : 120 seconds
Notification interval     : 0 Second(s)
Config Trap Interval      : 0 seconds
Connection Hold timer     : 300 seconds

LLDP MED                  : Enabled
MED fast start count      : 3 Packets

Port ID TLV subtype       : locally-assigned

Interface    Parent Interface    LLDP       LLDP-MED    Power Negotiation    Neighbor count
all          -                   Enabled    Enabled     Enabled              0
ge-0/0/2     -                   -          Enabled     -                    0

Interface    Parent Interface    Vlan-id    Vlan-name
ge-0/0/0     -                   1          vlan-1
ge-0/0/1     -                   1          vlan-1
ge-0/0/2     -                   77         vlan-77
ge-0/0/2     -                   99         vlan-99
ge-0/0/3     -                   1          vlan-1
ge-0/0/4     -                   1          vlan-1
ge-0/0/5     -                   1          vlan-1
ge-0/0/6     -                   1          vlan-1
ge-0/0/7     -                   1          vlan-1
ge-0/0/8     -                   1          vlan-1
ge-0/0/9     -                   1          vlan-1
ge-0/0/10    -                   1          vlan-1

Basic Management TLVs supported:
  End Of LLDPDU, Chassis ID, Port ID, Time To Live, Port Description, System Name, System Description, System Capabilities, Management Address

Organizationally Specific TLVs supported:
  MAC/PHY configuration/status, Power via MDI, Link aggregation, Maximum Frame Size, Port VLAN tag, Port VLAN name.
The show lldp detail command output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2 interface. The end of the output lists the supported LLDP basic management TLVs and organizationally specific TLVs.
Verifying Authentication for the Desktop PC
Display the 802.1X configuration for the desktop PC connected to the VoIP interface through the IP phone.
user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: user101, 00:04:0f:fd:ac:fe
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: vo11
      Dynamic Filter: match source-dot1q-tag 10 action deny
      Session Reauth interval: 60 seconds
      Reauthentication due in 50 seconds
The field Role shows that the ge-0/0/2.0 interface is in the authenticator role. The Supplicant Mode field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.
Verifying the VLAN Association with the Interface
Display the interface’s VLAN membership.
user@switch> show ethernet-switching interface ge-0/0/2.0
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down )
Logical        Vlan          TAG    MAC      STP           Logical            Tagging
interface      members              limit    state         interface flags
ge-0/0/2.0                          65535                                     untagged
               voice-vlan    99     65535    Discarding
               data-vlan     77     65535    Discarding
The Vlan members field shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN.