[Prev][Next][Report an Error]
Example: Setting Up VoIP with 802.1X and
LLDP-MED (CLI)
You can configure voice over IP (VoIP) on an SRX or J Series
device to support IP telephones. The Link Layer Discovery Protocol–Media
Endpoint Discovery (LLDP-MED) protocol forwards VoIP parameters from
the device to the phone. You also configure 802.1X authentication
to allow the telephone access to the LAN. Authentication is done through
a backend RADIUS server.
This example describes how to configure VoIP to support an Avaya
IP phone, as well as the LLDP-MED protocol and 802.1X authentication.
(This procedure is intended for an Avaya 9620 IP telephone that supports
LLDP-MED and 802.1X.)
Preparation for Configuration
Before configuring VoIP be sure that the following set up is
complete:
- The initial Services Gateway device configuration
- Basic bridging and VLAN configuration on the device
- RADIUS server configuration for 802.1X authentication
and the access profile set up.
- (Optional) Interface ge-0/0/2 configured for
Power over Ethernet (PoE). The PoE configuration is not necessary
if the VoIP supplicant is using a power adapter.
 |
Note:
If the IP address is not configured on the Avaya IP phone, the
phone exchanges LLDP-MED information to get the VLAN ID for the voice
VLAN. You must configure the voip statement on the interface
to designate the interface as a VoIP interface and to allow the SRX
or J Series device to forward the VLAN name and VLAN ID for the voice
VLAN to the IP telephone. The IP telephone then uses the voice VLAN
(that is, it refers to the voice VLAN’s ID) to send a DHCP discover
request and exchange information with the DHCP server (voice gateway).
|
In this example, the access interface ge-0/0/2 on the
SRX Series or J Series device is connected to an Avaya 9620 IP telephone.
Avaya phones have a built-in bridge that allows you to connect a desktop
PC to the phone. In this way, the desktop and phone in a single office
require only one interface on the switch. The SRX or J Series device
is connected to a RADIUS server on interface ge-0/0/10.
Configuring VoIP
To configure VoIP with LLDP-MED and 802.1X:
- Configure the VLANs for voice and data:
[edit vlans]
user@host# set data-vlan vlan-id 77
user@host# set voice-vlan vlan-id 99
- Associate the VLAN data-vlan with the
interface:
[edit vlans]
user@host# set data-vlan interface ge-0/0/2.0
- Configure support for Ethernet switching, add the data-vlan VLAN, and configure the interface as an access interface:
[edit interfaces]
user@host# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
user@host# set ge-0/0/2 unit 0 family
ethernet-switching port-mode access
- Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable
class of service:
[edit ethernet-switching-options]
user@host# set voip interface ge-0/0/2.0 vlan voice-vlan
user@host# set voip interface ge-0/0/2.0 forwarding-class
assured-forwarding
- Configure LLDP-MED protocol support:
[edit protocols]
user@host# set lldp-med interface ge-0/0/2.0
- To authenticate an IP phone and a PC connected
to the IP phone on the interface, configure 802.1X authentication
support and specify multiple supplicant mode:
|
Note:
If you do not want to authenticate any device, skip the 802.1X
configuration on this interface.
|
[edit protocols]
user@host# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Verifying the VoIP Configuration
- Display the results of the configuration:
- [edit]
- user@host# show configuration
- interfaces {
-
- ge-0/0/2 {
-
- unit 0 {
-
- family ethernet-switching {
- port-mode access;
-
- vlan {
- members data-vlan;
- }
- }
- }
- }
- }
- protocols {
-
- lldp-med {
- interface ge-0/0/2.0;
- }
-
- dot1x {
-
- authenticator {
-
- interface {
-
- ge-0/0/2.0 {
- supplicant multiple;
- }
- }
- }
- }
- }
- vlans {
-
- data-vlan {
- vlan-id 77;
-
- interface {
- ge-0/0/2.0;
- }
- }
-
- voice-vlan {
- vlan-id 99;
- }
- }
- ethernet-switching options {
-
- voip {
-
- interface ge-0/0/2.0 {
-
- vlan voice-vlan;
-
- forwarding-class assured-forwarding;
- }
- }
- }
- Verify that LLDP-MED is enabled on the
interface:
user@host> show lldp detail
LLDP : Enabled
Advertisement interval : 30 Second(s)
Transmit delay : 2 Second(s)
Hold timer : 2 Second(s)
Config Trap Interval : 300 Second(s)
Connection Hold timer : 60 Second(s)
LLDP MED : Enabled
MED fast start count : 3 Packet(s)
Interface LLDP LLDP-MED Neighbor count
all Enabled - 0
ge-0/0/2.0 - Enabled 0
Interface VLAN-id VLAN-name
ge-0/0/0.0 0 default
ge-0/0/1.0 0 employee-vlan
ge-0/0/2.0 0 data-vlan
ge-0/0/2.0 99 voice-vlan
ge-0/0/3.0 0 employee-vlan
ge-0/0/8.0 0 employee-vlan
ge-0/0/10.0 0 default
ge-0/0/11.0 20 employee-vlan
ge-0/0/23.0 0 default
LLDP basic TLVs supported:
Chassis identifier, Port identifier, Port description, System name, System
description, System capabilities, Management address.
LLDP 802 TLVs supported:
Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port
VLAN name.
LLDP MED TLVs supported:
LLDP MED capabilities, Network policy, Endpoint location, Extended power
Via MDI.
This sample shows that both LLDP and LLDP-MED are configured
on the ge-0/0/2.0 interface. The end of the output lists
LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that are supported.
- Display the 802.1X configuration to confirm that
the VoIP interface has access to the LAN.
user@host> show dot1x interface ge/0/0/2.0
detail
ge-0/0/2.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: user101, 00:04:0f:fd:ac:fe
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: vo11
Dynamic Filter: match source-dot1q-tag 10 action deny
Session Reauth interval: 60 seconds
Reauthentication due in 50 seconds
The field Role shows that the ge-0/0/2.0 interface
is in the authenticator state. The Supplicant mode field
shows that the interface is configured in multiple supplicant mode,
permitting multiple supplicants to be authenticated on this interface.
The Supplicant field near the bottom of the output displays
the MAC addresses of the supplicants currently connected.
- Display the interface state and VLAN membership.
user@host> show ethernet-switching interfaces
Ethernet-switching table: 0 entries, 0 learned
user@host> show ethernet-switching interfaces
Interface State VLAN members Blocking
ge-0/0/0.0 down default unblocked
ge-0/0/1.0 down employee-vlan unblocked
ge-0/0/5.0 down employee-vlan unblocked
ge-0/0/3.0 down employee-vlan unblocked
ge-0/0/8.0 down employee-vlan unblocked
ge-0/0/10.0 down default unblocked
ge-0/0/11.0 down employee-vlan unblocked
ge-0/0/23.0 down default unblocked
ge-0/0/2.0 up voice-vlan unblocked
data-vlan unblockedThe VLAN members column shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN. The State column shows that this interface is up.
[Prev][Next][Report an Error]
help_page
