[Prev][Next][Report an Error]

Example: Setting Up VoIP with 802.1X and LLDP-MED (CLI)

You can configure voice over IP (VoIP) on an SRX or J Series device to support IP telephones. The Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) protocol forwards VoIP parameters from the device to the phone. You also configure 802.1X authentication to allow the telephone access to the LAN. Authentication is done through a backend RADIUS server.

This example describes how to configure VoIP to support an Avaya IP phone, as well as the LLDP-MED protocol and 802.1X authentication. (This procedure is intended for an Avaya 9620 IP telephone that supports LLDP-MED and 802.1X.)

Preparation for Configuration

Before configuring VoIP be sure that the following set up is complete:

Note: If the IP address is not configured on the Avaya IP phone, the phone exchanges LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure the voip statement on the interface to designate the interface as a VoIP interface and to allow the SRX or J Series device to forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it refers to the voice VLAN’s ID) to send a DHCP discover request and exchange information with the DHCP server (voice gateway).

In this example, the access interface ge-0/0/2 on the SRX Series or J Series device is connected to an Avaya 9620 IP telephone. Avaya phones have a built-in bridge that allows you to connect a desktop PC to the phone. In this way, the desktop and phone in a single office require only one interface on the switch. The SRX or J Series device is connected to a RADIUS server on interface ge-0/0/10.

Configuring VoIP

To configure VoIP with LLDP-MED and 802.1X:

  1. Configure the VLANs for voice and data:

    [edit vlans]
    user@host# set data-vlan vlan-id 77
    user@host# set voice-vlan vlan-id 99
  2. Associate the VLAN data-vlan with the interface:

    [edit vlans]
    user@host# set data-vlan interface ge-0/0/2.0
  3. Configure support for Ethernet switching, add the data-vlan VLAN, and configure the interface as an access interface:

    [edit interfaces]
    user@host# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
    user@host# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
  4. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:

    [edit ethernet-switching-options]
    user@host# set voip interface ge-0/0/2.0 vlan voice-vlan
    user@host# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
  5. Configure LLDP-MED protocol support:

    [edit protocols]
    user@host# set lldp-med interface ge-0/0/2.0
  6. To authenticate an IP phone and a PC connected to the IP phone on the interface, configure 802.1X authentication support and specify multiple supplicant mode:

    Note: If you do not want to authenticate any device, skip the 802.1X configuration on this interface.

    [edit protocols]
    user@host# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Verifying the VoIP Configuration

  1. Display the results of the configuration:
    user@host# show configuration
    interfaces {
    ge-0/0/2 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members data-vlan;
    protocols {
    lldp-med {
    interface ge-0/0/2.0;
    dot1x {
    authenticator {
    interface {
    ge-0/0/2.0 {
    supplicant multiple;
    vlans {
    data-vlan {
    vlan-id 77;
    interface {
    voice-vlan {
    vlan-id 99;
    ethernet-switching options {
    voip {
    interface ge-0/0/2.0 {
    vlan voice-vlan;
    forwarding-class assured-forwarding;
  2. Verify that LLDP-MED is enabled on the interface:

    user@host> show lldp detail
    LLDP                   : Enabled
    Advertisement interval : 30 Second(s)
    Transmit delay         : 2 Second(s)
    Hold timer             : 2 Second(s)
    Config Trap Interval   : 300 Second(s)
    Connection Hold timer  : 60 Second(s)
    LLDP MED               : Enabled
    MED fast start count   : 3 Packet(s)
    Interface      LLDP       LLDP-MED    Neighbor count
    all            Enabled    -           0         
    ge-0/0/2.0     -          Enabled     0         
    Interface     VLAN-id     VLAN-name
    ge-0/0/0.0    0           default  
    ge-0/0/1.0    0           employee-vlan
    ge-0/0/2.0    0           data-vlan
    ge-0/0/2.0    99          voice-vlan
    ge-0/0/3.0    0           employee-vlan
    ge-0/0/8.0    0           employee-vlan
    ge-0/0/10.0   0           default  
    ge-0/0/11.0   20          employee-vlan
    ge-0/0/23.0   0           default  
    LLDP basic TLVs supported: 
    Chassis identifier, Port identifier, Port description, System name, System
    description, System capabilities, Management address.
    LLDP 802 TLVs supported: 
    Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port
    VLAN name.
    LLDP MED TLVs supported: 
    LLDP MED capabilities, Network policy, Endpoint location, Extended power
    Via MDI.

    This sample shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output lists LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that are supported.

  3. Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN.

    user@host> show dot1x interface ge/0/0/2.0 detail
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Multiple
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member: <not configured>
      Number of connected supplicants: 1
        Supplicant: user101, 00:04:0f:fd:ac:fe
          Operational state: Authenticated
          Authentication method: Radius
          Authenticated VLAN: vo11
          Dynamic Filter: match source-dot1q-tag 10 action deny
          Session Reauth interval: 60 seconds
          Reauthentication due in 50 seconds

    The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant mode field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The Supplicant field near the bottom of the output displays the MAC addresses of the supplicants currently connected.

  4. Display the interface state and VLAN membership.

    user@host> show ethernet-switching interfaces
     Ethernet-switching table: 0 entries, 0 learned
    user@host> show ethernet-switching interfaces 
    Interface   State    VLAN members           Blocking 
    ge-0/0/0.0  down     default                unblocked
    ge-0/0/1.0  down     employee-vlan          unblocked
    ge-0/0/5.0  down     employee-vlan          unblocked
    ge-0/0/3.0  down     employee-vlan          unblocked
    ge-0/0/8.0  down     employee-vlan          unblocked
    ge-0/0/10.0 down     default                unblocked
    ge-0/0/11.0 down     employee-vlan          unblocked
    ge-0/0/23.0 down     default                unblocked
    ge-0/0/2.0  up       voice-vlan             unblocked
                         data-vlan              unblocked

    The VLAN members column shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN. The State column shows that this interface is up.

[Prev][Next][Report an Error]