Example for Connecting IP Phones to Switches Through LLDP

Networking Requirements

In Figure 1, to save investment costs, the user requires that IP phones and PCs connect to the network through VoIP. IP phones support LLDP and can obtain the voice ID through LLDP. To ensure that IP phones and PCs can connect to the network, the network plan should meet the following requirements:

The priority of voice packets sent by IP phones is low and needs to be increased to ensure communication quality.
Voice and data packets are transmitted in VLAN 100 and VLAN 101, respectively.
IP addresses of IP phones are dynamically allocated by the DHCP server, and the IP addresses of IP phones and the DHCP server are located on different network segments.
IP phones need to connect to switches through MAC address authentication.

Figure 1 Networking for connecting switches to IP phones through LLDP

Configuration Roadmap

The configuration roadmap is as follows:

Enable LLDP on SwitchA.
Configure SwitchA to forward data flows and enable the voice VLAN function.
Configure the DHCP relay function on SwitchA.
Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.
Configure AAA on SwitchA.
Configure MAC address authentication on SwitchA to authenticate IP phones.
Configure the Agile Controller-Campus or iMaster NCE-Campus.

Procedure

Enable LLDP on SwitchA.
1. Choose Configuration > Advanced Services > LLDP to access the global LLDP configuration page.
2. Set Global LLDP status to ON to enable global LLDP, as shown in Figure 2.
  Figure 2 Enabling LLDP globally
Configure SwitchA to forward data flows and enable the voice VLAN function.
1. Choose Configuration > Basic Services > Interface Settings > Service Interface Setting > Connect to IP Phone > Based On Phone Model (Manual) to access the page of manually connecting IP phones.
2. Select GE0/0/1 and GE0/0/2 on the device panel, set parameters according to Figure 3 in Step3: Configure Interface, and click Apply. In the dialog box that is displayed, click OK.
  Figure 3 IP phone configuration
Configure the DHCP relay function on SwitchA.
1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page. Click VLAN data under VLAN ID to access the Modify VLAN page, set parameters according to Figure 4, and click OK.
  Figure 4 Configuring the VLANIF interface
2. Choose Configuration > Basic Services > DHCP > DHCP Address Pool. Set DHCP status to ON to enable the DHCP function.
3. Choose Configuration > Basic Services > DHCP > DHCP Relay. Click Create. On the Create DHCP Relay page, configure a DHCP relay for a VLANIF interface, and click OK, as shown in Figure 5.
  Figure 5 Configuring a DHCP relay
4. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page. Click Create, set parameters according to Figure 6, and click OK. VLANIF 200 is created and the uplink interface is added to VLAN 200.
  Figure 6 Creating a VLANIF interface on SwitchA
5. Choose Configuration > Basic Services > Static Route > IPv4 Static Route, click Add, set parameters according to Figure 7, and click to complete static route configuration on SwitchA. The next-hop address of the route is the IP address of VLANIF 200 on SwitchB.
  Figure 7 Creating a static route on SwitchA
Configure SwitchB as the DHCP server to allocate IP addresses to IP phones.
1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page. Click Create, set parameters according to Figure 8, and click OK. VLANIF 200 is created and the uplink interface is added to VLAN 200.
  Figure 8 Creating a VLANIF interface on SwitchB
2. Choose Configuration > Basic Services > DHCP > DHCP Address Pool. Set DHCP status to ON to enable the DHCP function.
3. Click Create. On the Create DHCP Address Pool page, configure the DHCP server for a VLANIF interface, and click OK, as shown in Figure 9.
  Figure 9 Configuring the DHCP server
4. Choose Configuration > Basic Services > Static Route > IPv4 Static Route, click Add, set parameters according to Figure 10, and click to complete static route configuration on SwitchB. The next-hop address of the route is the IP address of VLANIF 200 on SwitchA.
  Figure 10 Creating a static route on SwitchB
Configure AAA on SwitchA.
1. Choose Configuration > Security Services > AAA, select RADIUS, and click Create to create and configure the RADIUS server template cisco, as shown in Figure 11. Click OK.
  Figure 11 Configuring a RADIUS server template
2. Click Authentication/Authorization/Accounting Scheme and click Create to create an authentication scheme radius and set the authentication mode to RADIUS, as shown in Figure 12. Click OK.
  Figure 12 Configuring an authentication scheme
3. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > Domain Profile to access the Domain Profile List page. Click default under Domain Profile List to access the domain profile configuration page. Bind the AAA authentication scheme radius and RADIUS server template cisco to the domain profile, as shown in Figure 13. Click Apply.
  Figure 13 Configuring an authentication domain
Configure MAC address authentication on SwitchA to authenticate IP phones.
1. Run the authentication unified-mode command in the system view to configure the NAC unified mode.
  
  By default, the unified mode is used. The switch restarts after the NAC mode is changed between the common mode and unified mode. After the configuration is complete, save the configuration
2. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > MAC Authentication Profile to access the MAC Authentication Profile List page. Click Create. The Create MAC Authentication Profile page is displayed. Set Profile name to cisco and click OK to access the MAC access profile parameter configuration page, as shown in Figure 14. Click Apply.
  Figure 14 Configuring a MAC access profile
3. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile to access the Authentication Profile List page. Click Create and set Profile name to cisco, as shown in Figure 15. Click OK to create an authentication profile cisco.
  Figure 15 Creating an authentication profile
4. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > cisco > MAC Authentication Profile. Select cisco from the MAC Authentication Profile drop-down list box, as shown in Figure 16. Click Apply to bind the MAC access profile cisco to the authentication profile cisco.
  Figure 16 Binding the authentication profile to the MAC access profile
5. Choose Configuration > Security Services > AAA Service App > Wired Interface Authentication, select GE0/0/1 on the device panel, and set Authentication Profile to cisco, as shown in Figure 17. Click Apply. Configure GE0/0/2 in the same manner.
  Figure 17 Binding the authentication profile to the interface

Configure the Agile Controller-Campus or iMaster NCE-Campus. The display of the Agile Controller-Campus or iMaster NCE-Campus varies depending on versions. V100R002C10SPC401 is used as an example.

Open the Internet Explorer, enter the Agile Controller-Campus or iMaster NCE-Campus access address in the address bar, and press Enter.

Enter the administrator user name and password. If you log in to the Agile Controller-Campus or iMaster NCE-Campus for the first time, use the super administrator user name admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus or iMaster NCE-Campus cannot be used.

The following access modes of the Agile Controller-Campus or iMaster NCE-Campus can be used.

Access Mode	Description
https:// Agile Controller-Campus or iMaster NCE-Campus-IP:8443	Agile Controller-Campus or iMaster NCE-Campus specifies the IP address of the Agile Controller-Campus or iMaster NCE-Campus.
IP address of the Agile Controller-Campus or iMaster NCE-Campus	If port 80 is enabled during installation, you can access the Agile Controller by entering its IP address without the port number. The URL of the Agile Controller-Campus or iMaster NCE-Campus will automatically change to https://Agile Controller-IP:8443.

Add a MAC address.
1. Choose Resource > User > User Management.
2. Select All Accounts.
3. Click Add to create a MAC account. The value of the first MAC Account parameter is the IP phone's MAC address, and the value of the second MAC Account parameter is the PC's MAC address.
Add SwitchA to the Agile Controller-Campus or iMaster NCE-Campus.
1. Choose Resource > Device > Device Management.
2. Click Add. On the Add Device page, add SwitchA used to authenticate IP phones.
Add an IP phone to the Agile Controller-Campus or iMaster NCE-Campus.
1. Choose Resource > Terminal > Terminal List.
2. Click Add to access the Add Device Group page.
3. On the Add Device Group page, add an IP phone group.
4. Click a device group, select cisco_ipphone, select Device List, and click Add to add an IP phone.
Add a PC to the Agile Controller-Campus or iMaster NCE-Campus.
1. Choose Resource > Terminal > Terminal List.
2. Click Add to access the Add Device Group page.
3. On the Add Device Group page, add a PC group.
4. Click the device group in the navigation tree, select pc, select Device List, and click Add to add a PC.
Add an authentication rule.
Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule and click Add to create authentication rules for the IP phone and PC respectively.
Add an authorization result.
Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule and click Add to create authorization rules for the IP phone and PC respectively.

Operation Result

Through the menu of the IP phone, the IP phone can correctly obtain the voice VLAN ID and IP address.
After a user logs in, log in to the web platform of SwitchA and choose Monitoring > User > Wired User Statistics. You can check online user information.