Dynamically advertising server-assigned VLANs through LLDP
Overview
Dynamic advertisement of server-assigned VLANs through LLDP must work with 802.1X or MAC
authentication, and is available only for LLDP-enabled IP phones. If 802.1X authentication is used, make
sure the IP phones also support 802.1X authentication.
To implement this function for an IP phone, perform the following configuration tasks:
• Enable LLDP globally and on the port connected to the IP phone.
• Configure 802.1X or MAC authentication to make sure the IP phone can pass security
authentication. For more information about 802.1X authentication, MAC authentication, and VLAN
assignment by servers, see Security Configuration Guide.
• Configure VLAN authorization for the IP phone on the authentication server.
After the IP phone passes authentication, LLDP advertises the server-assigned VLAN in the LLDP-MED
Network Policy TLV to the IP phone. The IP phone will send its traffic tagged with the assigned VLAN. Also,
the port connected to the IP phone will be added to the server-assigned VLAN.
Example for using 802.1X to authenticate IP phones
As shown in Figure 51, configure 802.1X on the device to authenticate the host and the IP phone (which
must support 802.1X). Configure the authentication server to assign an untagged VLAN to the host and
assign a tagged VLAN to the IP phone. After the host and the IP phone pass the authentication, the port
connected to the IP phone is added to the VLAN assigned to the IP phone as a tagged member and
added to the VLAN assigned to the host as an untagged member. Also, the LLDP-MED TLVs that the device
sends to the IP phone carry information about the VLAN assigned to the IP phone, so that the voice
packets sent out of the IP phone can be forwarded in the server-assigned VLAN with tags.
The EAPOL packets defined in the 802.1X protocol do not carry VLAN tags. When the server is
configured to assign a tagged VLAN to the IP phone, you must configure the port connected to the IP
phone to send 802.1X protocol packets without tags by using the dot1x eapol untag command.
Only 802.1X supports assigning tagged VLANs.
Figure 51 Using 802.1X to authenticate an IP phone
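The following is an added example, not part of the original guide or of the device software. It decodes the LLDP-MED Network Policy TLV from an LLDPDU and checks that the voice policy advertises the server-assigned VLAN with the tagged flag set, which is what the IP phone relies on after authentication. The sample LLDPDU is constructed, and VLAN 100, the port name, and the function names are assumptions chosen for illustration.

```python
import struct

LLDP_MED_OUI = b"\x00\x12\xbb"   # TIA OUI carried by LLDP-MED TLVs
APP_VOICE = 1                    # LLDP-MED application type "Voice"

def iter_tlvs(lldpdu):
    """Yield (type, value) for each TLV up to the End Of LLDPDU TLV."""
    off = 0
    while off + 2 <= len(lldpdu):
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF   # 7-bit type, 9-bit length
        off += 2
        if tlv_type == 0:
            return
        if off + length > len(lldpdu):
            raise ValueError("truncated TLV")
        yield tlv_type, lldpdu[off:off + length]
        off += length

def network_policies(lldpdu):
    """Decode every LLDP-MED Network Policy TLV (org-specific, subtype 2)."""
    out = []
    for tlv_type, val in iter_tlvs(lldpdu):
        if tlv_type != 127 or len(val) != 8 or val[:4] != LLDP_MED_OUI + b"\x02":
            continue
        bits = int.from_bytes(val[5:8], "big")  # U|T|X|VLAN(12)|prio(3)|DSCP(6)
        out.append({"app": val[4], "unknown": bool(bits >> 23 & 1),
                    "tagged": bool(bits >> 22 & 1), "vlan": bits >> 9 & 0xFFF,
                    "priority": bits >> 6 & 0x7, "dscp": bits & 0x3F})
    return out

def check_voice_vlan(lldpdu, expected_vlan):
    """Return problems with the advertised voice policy (empty list = OK)."""
    voice = [p for p in network_policies(lldpdu) if p["app"] == APP_VOICE]
    if not voice:
        return ["no voice Network Policy TLV advertised"]
    problems = []
    for p in voice:
        if not p["tagged"]:
            problems.append("voice VLAN advertised untagged")
        if p["vlan"] != expected_vlan:
            problems.append(f"advertised VLAN {p['vlan']} != {expected_vlan}")
    return problems

def build_tlv(t, v):
    """Build one TLV; used only to assemble the constructed sample below."""
    return struct.pack("!H", t << 9 | len(v)) + v

# Constructed LLDPDU (not a capture): chassis ID, port ID, TTL, then a voice
# policy with tagged=1, VLAN 100 (assumed), priority 5, DSCP 46, then End TLV.
SAMPLE = (build_tlv(1, b"\x04\x00\x11\x22\x33\x44\x55") + build_tlv(2, b"\x05GE1/0/1")
          + build_tlv(3, b"\x00\x78")
          + build_tlv(127, LLDP_MED_OUI + b"\x02\x01\x40\xc9\x6e") + build_tlv(0, b""))
```

Calling check_voice_vlan(SAMPLE, 100) returns an empty list; passing the LLDPDU bytes from a capture on the phone port together with the VLAN configured on the authentication server performs the same check on a live deployment.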
Displaying and maintaining voice VLAN
Task: Display the voice VLAN state.
Command: display voice vlan state [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view