[an error occurred while processing this directive] [an error occurred while processing this directive]

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch

You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. The Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) protocol forwards VoIP parameters from the switch to the phone. You also configure 802.1X authentication to allow the telephone access to the LAN. Authentication is done through a backend RADIUS server.

This example describes how to configure VoIP on an EX Series switch to support an Avaya IP phone, as well as the LLDP-MED protocol and 802.1X authentication:

Requirements

This example uses the following hardware and software components:

  • JUNOS Release 9.1 or later for EX Series switches
  • One EX Series switch acting as an authenticator port access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
  • An Avaya 9620 IP telephone that supports LLDP-MED and 802.1X

Before you configure VoIP, be sure you have:

Note: If the IP address isn't configured on the Avaya IP phone, the phone exchanges LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure the voip statement on the interface to designate the interface as a VoIP interface and allow the switch to forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request and exchange information with the DHCP server (voice gateway).

Overview and Topology

Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch.

In this example, the access interface ge-0/0/2 on the EX4200 switch is connected to an Avaya 9620 IP telephone. Avaya phones have a built-in bridge that allows you to connect a desktop PC to the phone, so the desktop and phone in a single office require only one interface on the switch. The EX Series switch is connected to a RADIUS server on interface ge-0/0/10 (see Figure 1).

Figure 1: VoIP Topology

Image g020049.gif

In this example, you configure VoIP parameters and specify the forwarding class assured-forward for voice traffic to provide the highest quality of service.

Table 1 describes the components used in this VoIP configuration example.

Table 1: Components of the VoIP Configuration Topology

Property Settings

Switch hardware

EX4200 switch

VLAN names

data-vlan
voice-vlan

Connection to Avaya phone—with integrated hub, to connect phone and desktop PC to a single interface (requires PoE)

ge-0/0/2

One RADIUS server

Provides backend database connected to the switch through interface ge-0/0/10.

As well as configuring a VoIP for interface ge-0/0/2, you configure:

  • 802.1X authentication. Authentication is set to multiple supplicant to support more than one supplicant's access to the LAN through interface ge-0/0/2.
  • LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP parameters to the phone. Using LLDP-MED ensures that voice traffic gets tagged and prioritized with the correct values at the source itself. For example, 802.1p class of service and 802.1Q tag information can be sent to the IP telephone.

    Note: A PoE configuration is not necessary if an IP telephone is using a power adapter.

Configuration

To configure VoIP, LLDP-MED, and 802.1X authentication:

CLI Quick Configuration

To quickly configure VoIP, LLDP-MED, and 802.1X, copy the following commands and paste them into the switch terminal window:


[edit]


set vlans data-vlan vlan-id 77


set vlans voice-vlan vlan-id 99


set vlans data-vlan interface ge-0/0/2.0


set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan


set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access


set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan


set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding


set protocols lldp-med interface ge-0/0/2.0


set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Step-by-Step Procedure

To configure VoIP with LLDP-MED and 802.1X:

  1. Configure the VLANs for voice and data:

    [edit vlans]
    user@switch# set data-vlan vlan-id 77
    user@switch# set voice-vlan vlan-id 99
  2. Associate the VLAN data-vlan with the interface:

    [edit vlans]
    user@switch# set data-vlan interface ge-0/0/2.0
  3. Configure the interface as an access interface, configure support for Ethernet switching, and add the data-vlan VLAN:

    [edit interfaces]
    user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
    user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
  4. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:

    [edit ethernet—switching—options]
    user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
    user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
  5. Configure LLDP-MED protocol support:

    [edit protocols]
    user@switch# set lldp-med interface ge-0/0/2.0
  6. To authenticate an IP phone and a PC connected to the IP phone on the interface, configure 802.1X authentication support and specify multiple supplicant mode:

    Note: If you do not want to authenticate any device, skip the 802.1X configuration on this interface.


    [edit protocols]
    user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Results

Display the results of the configuration:

[edit]
user@switch# show configuration
interfaces {
ge-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members data-vlan;
}
}
}
}
}
protocols {
lldp-med {
interface ge-0/0/2.0;
}
dot1x {
authenticator {
interface {
ge-0/0/2.0 {
supplicant multiple;
}
}
}
}
}
vlans {
data-vlan {
vlan-id 77;
interface {
ge-0/0/2.0;
}
}
voice-vlan {
vlan-id 99;
}
}
ethernet-switching options {
voip {
interface ge-0/0/2.0 {
vlan voice-vlan;
forwarding-class assured-forwarding;
}
}
}

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying LLDP-MED Configuration

Purpose

Verify that LLDP-MED is enabled on the interface.

Action


user@switch> show lldp detail 
LLDP                   : Enabled
Advertisement interval : 30 Second(s)
Transmit delay         : 2 Second(s)
Hold timer             : 2 Second(s)
Config Trap Interval   : 300 Second(s)
Connection Hold timer  : 60 Second(s)

LLDP MED               : Enabled
MED fast start count   : 3 Packet(s)


Interface      LLDP       LLDP-MED    Neighbor count
all            Enabled    -           0         
ge-0/0/2.0     -          Enabled     0         

Interface     VLAN-id     VLAN-name
ge-0/0/0.0    0           default  
ge-0/0/1.0    0           employee-vlan
ge-0/0/2.0    0           data-vlan
ge-0/0/2.0    99          voice-vlan
ge-0/0/3.0    0           employee-vlan
ge-0/0/8.0    0           employee-vlan
ge-0/0/10.0   0           default  
ge-0/0/11.0   20          employee-vlan
ge-0/0/23.0   0           default  

LLDP basic TLVs supported: 
Chassis identifier, Port identifier, Port description, System name, System
description, System capabilities, Management address.

LLDP 802 TLVs supported: 
Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port
VLAN name.

LLDP MED TLVs supported: 
LLDP MED capabilities, Network policy, Endpoint location, Extended power
Via MDI.

Meaning

The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output shows the list of supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that are supported.

Verifying 802.1X Authentication for IP Phone and Desktop PC

Purpose

Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN.

Action


user@switch> show dot1x interface ge/0/0/2.0 detail 
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Reauthentication: Enabled Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Number of connected supplicants: 1
    Supplicant: abc, 00:00:00:00:22:22
      Operational state: Authenticated
      Reauthentication due in 3588 seconds

Meaning

The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.

Verifying the VLAN Association with the Interface

Purpose

Display the interface state and VLAN membership.

Action


 Ethernet-switching table: 0 entries, 0 learned

user@switch> show ethernet-switching interfaces 
Interface   State    VLAN members           Blocking 
ge-0/0/0.0  down     default                unblocked
ge-0/0/1.0  down     employee-vlan          unblocked
ge-0/0/5.0  down     employee-vlan          unblocked
ge-0/0/3.0  down     employee-vlan          unblocked
ge-0/0/8.0  down     employee-vlan          unblocked
ge-0/0/10.0 down     default                unblocked
ge-0/0/11.0 down     employee-vlan          unblocked
ge-0/0/23.0 down     default                unblocked
ge-0/0/2.0  up       voice-vlan             unblocked
                     data-vlan              unblocked

Meaning

The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN. The State field shows that the interface is up.

Published: 2009-08-12

[an error occurred while processing this directive]