Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Configuring VoIP on an EX Series Switch with ELS Support Without Including 802.1X Authentication

 
Note

This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication. For ELS details, see Using the Enhanced Layer 2 Software CLI.

You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones.

To configure VoIP on an EX Series switch to support an IP phone that does not support 802.1X authentication, you must either add the MAC address of the phone to the static MAC bypass list or enable MAC RADIUS authentication on the switch.

This example describes how to configure VoIP on an EX Series switch without 802.1X authentication by using static MAC bypass of authentication:

Requirements

This example uses the following hardware and software components:

Note

This figure also applies to QFX5100 switches.

  • One EX Series switch with support for ELS

  • Junos OS Release 13.2 or later for EX Series switches

  • An Avaya IP telephone

Before you configure VoIP, be sure you have:

Note

If the IP address is not configured on the Avaya IP phone, the phone exchanges LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure the voip statement on the interface to designate the interface as a VoIP interface and allow the switch to forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request and exchange information with the DHCP server (voice gateway).

Overview

Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch.

In this example, the access interface ge-0/0/2 on the EX Series switch is connected to a non-802.1X IP phone.

To configure VoIP on an EX Series switch to support an IP phone that does not support 802.1X authentication, add the MAC address of the phone as a static entry in the authenticator database and set the supplicant mode to multiple.

Configuration

CLI Quick Configuration

To quickly configure VoIP without using 802.1X authentication, copy the following commands and paste them into the switch terminal window:

[edit]


set vlans data-vlan vlan-id 77


set vlans voice-vlan vlan-id 99




set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan




set switch-options voip interface ge-0/0/2.0 vlan voice-vlan


set switch-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding


set protocols lldp-med interface ge-0/0/2


set protocols dot1x authenticator authentication-profile-name auth-profile


set protocols dot1x authenticator static 00:04:f2:11:aa:a7


set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple


Step-by-Step Procedure

To configure VoIP without 802.1X authentication:

  1. Configure the VLANs for voice and data:
    [edit vlans]

    user@switch# set data-vlan vlan-id 77

    user@switch# set voice-vlan vlan-id 99
  2. Configure the interface as an access interface, configure support for Ethernet switching, and add the interface as a member of the data-vlan VLAN:
    [edit interfaces]

    user@switch# set ge-0/0/2 unit 0 family ethernet-switching interface-mode access

    user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
  3. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:
    [edit switch-options]

    user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan

    user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding

  4. Configure LLDP-MED protocol support:
    [edit protocols]

    user@switch# set lldp-med interface ge-0/0/2

  5. Set the authentication profile with the name auth-profile (see Configuring 802.1X Interface Settings (CLI Procedure) and Configuring 802.1X RADIUS Accounting (CLI Procedure)):
    [edit protocols]

    user@switch# set dot1x authenticator authentication-profile-name auth-profile
  6. Add the MAC address of the phone to the static MAC bypass list:
    [edit protocols]

    user@switch# set dot1x authenticator static 00:04:f2:11:aa:a7
  7. Set the supplicant mode to multiple:
    [edit protocols]

    user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Results

Display the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying LLDP-MED Configuration

Purpose

Verify that LLDP-MED is enabled on the interface.

Action

user@switch> show lldp detail

Meaning

The show lldp detail command output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2 interface. The end of the output shows the list of supported LLDP basic management TLVs and organizationally specific TLVs that are supported.

Verifying Authentication for the Desktop PC

Purpose

Display the 802.1X configuration for the desktop PC connected to the VoIP interface through the IP phone.

Action

user@switch> show dot1x interface ge/0/0/2.0 detail

Meaning

The field Role shows that the ge-0/0/2.0 interface is in the authenticator role. The Supplicant Mode field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.

Verifying the VLAN Association with the Interface

Purpose

Display the interface’s VLAN membership.

Action

user@switch> show ethernet-switching interface ge-0/0/2.0

Meaning

The Vlan members field shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN.