Comware

Dear Experts, 

I need to understand that is it possible in CW7 to apply Voice Vlan dynamically or at some point we need to define it statically like when telling the IP phone which vlan to use for tagging the traffic? 

https://support.hpe.com/hpesc/public/docDisplay?docId=sf000096280en_us&docLocale=en_US

There are some commands that need to be defined statically on port like below

ldp tlv-enable dot1-tlv protocol-vlan-id

lldp tlv-enable med-tlv network-policy 180

So i dont see any benefit of sending voice vlan via radius if we have to define it ultimately on the port as well?

The solution depends on the way the phone is setup. We have 100% dynamic assignment of VLANs to all devices. Phones have PC's plugged into the back of them. The phone is configured so that both the PC and the phone's traffic are untagged. Therefore when both MAC addresses hit a hybrid port they are MAC-authenticated in the same way as two independent devices on a unmanaged switch. 

An example config below with the only static assignment being the vlan they drop into if they fail authentication.

interface GigabitEthernet1/0/1 undo enable snmp trap updown port link-type hybrid undo port hybrid vlan 1 port hybrid vlan 31 untagged port hybrid pvid vlan 31 mac-vlan enable stp edged-port poe enable undo dot1x handshake dot1x mandatory-domain york.ac.uk dot1x max-user 80 undo dot1x multicast-trigger dot1x re-authenticate dot1x auth-fail vlan 31 dot1x critical vlan 31 mac-authentication max-user 80 mac-authentication domain mac_domain mac-authentication guest-vlan 31 mac-authentication critical vlan 31 undo mac-authentication offline-detect enable port-security port-mode userlogin-secure-or-mac-ext port-security mac-move bypass-vlan-check loopback-detection enable vlan 1 to 4094 loopback-detection action shutdown dhcp snooping binding record dhcp snooping check request-message dhcp snooping check mac-address dhcp snooping information enable dhcp snooping information strategy keep

Results in the following LLDP output:

LLDP tlv-config of port 1[GigabitEthernet1/0/1]:LLDP agent nearest-bridge:NAME                              STATUS    DEFAULTBasic optional TLV: Port Description TLV             YES       YES System Name TLV                  YES       YES System Description TLV           YES       YES System Capabilities TLV          YES       YES Management Address TLV           YES       YESIEEE 802.1 extend TLV: Port VLAN ID TLV                 YES       YES Port And Protocol VLAN ID TLV    NO        NO VLAN Name TLV                    NO        NO DCBX TLV                         NO        NO EVB TLV                          NO        NO Link Aggregation TLV             YES       YES Management VID TLV               NO        NOIEEE 802.3 extend TLV: MAC-Physic TLV                   YES       YES Power via MDI TLV                YES       YES Maximum Frame Size TLV           YES       YES Link Aggregation TLV             NO        NOLLDP-MED extend TLV: Capabilities TLV                 YES       YES Network Policy TLV               YES       YES Location Identification TLV      NO        NO Extended Power via MDI TLV       YES       YES Inventory TLV                    YES       YES

If the switch needs to know which VLAN to tag and which VLAN to untag on the edge port then I guess the LLDP-MED is required, or static assignment.

Dear Experts, 

I need to understand that is it possible in CW7 to apply Voice Vlan dynamically or at some point we need to define it statically like when telling the IP phone which vlan to use for tagging the traffic? 

https://support.hpe.com/hpesc/public/docDisplay?docId=sf000096280en_us&docLocale=en_US

There are some commands that need to be defined statically on port like below

ldp tlv-enable dot1-tlv protocol-vlan-id

lldp tlv-enable med-tlv network-policy 180

So i dont see any benefit of sending voice vlan via radius if we have to define it ultimately on the port as well?

In my case the ip phone will be mac authenticated where as the user will be authenticated through dot1x and data vlan be assigned according to it. At the same time i want to assign ip phone to a different Vlan, i dont really need tagging. I just need to assign Ip phone to its respective Vlan. Is it doable?

The solution depends on the way the phone is setup. We have 100% dynamic assignment of VLANs to all devices. Phones have PC's plugged into the back of them. The phone is configured so that both the PC and the phone's traffic are untagged. Therefore when both MAC addresses hit a hybrid port they are MAC-authenticated in the same way as two independent devices on a unmanaged switch. 

An example config below with the only static assignment being the vlan they drop into if they fail authentication.

interface GigabitEthernet1/0/1 undo enable snmp trap updown port link-type hybrid undo port hybrid vlan 1 port hybrid vlan 31 untagged port hybrid pvid vlan 31 mac-vlan enable stp edged-port poe enable undo dot1x handshake dot1x mandatory-domain york.ac.uk dot1x max-user 80 undo dot1x multicast-trigger dot1x re-authenticate dot1x auth-fail vlan 31 dot1x critical vlan 31 mac-authentication max-user 80 mac-authentication domain mac_domain mac-authentication guest-vlan 31 mac-authentication critical vlan 31 undo mac-authentication offline-detect enable port-security port-mode userlogin-secure-or-mac-ext port-security mac-move bypass-vlan-check loopback-detection enable vlan 1 to 4094 loopback-detection action shutdown dhcp snooping binding record dhcp snooping check request-message dhcp snooping check mac-address dhcp snooping information enable dhcp snooping information strategy keep

Results in the following LLDP output:

LLDP tlv-config of port 1[GigabitEthernet1/0/1]:LLDP agent nearest-bridge:NAME                              STATUS    DEFAULTBasic optional TLV: Port Description TLV             YES       YES System Name TLV                  YES       YES System Description TLV           YES       YES System Capabilities TLV          YES       YES Management Address TLV           YES       YESIEEE 802.1 extend TLV: Port VLAN ID TLV                 YES       YES Port And Protocol VLAN ID TLV    NO        NO VLAN Name TLV                    NO        NO DCBX TLV                         NO        NO EVB TLV                          NO        NO Link Aggregation TLV             YES       YES Management VID TLV               NO        NOIEEE 802.3 extend TLV: MAC-Physic TLV                   YES       YES Power via MDI TLV                YES       YES Maximum Frame Size TLV           YES       YES Link Aggregation TLV             NO        NOLLDP-MED extend TLV: Capabilities TLV                 YES       YES Network Policy TLV               YES       YES Location Identification TLV      NO        NO Extended Power via MDI TLV       YES       YES Inventory TLV                    YES       YES

If the switch needs to know which VLAN to tag and which VLAN to untag on the edge port then I guess the LLDP-MED is required, or static assignment.

Dear Experts, 

I need to understand that is it possible in CW7 to apply Voice Vlan dynamically or at some point we need to define it statically like when telling the IP phone which vlan to use for tagging the traffic? 

https://support.hpe.com/hpesc/public/docDisplay?docId=sf000096280en_us&docLocale=en_US

There are some commands that need to be defined statically on port like below

ldp tlv-enable dot1-tlv protocol-vlan-id

lldp tlv-enable med-tlv network-policy 180

So i dont see any benefit of sending voice vlan via radius if we have to define it ultimately on the port as well?