Aruba Employee

AOS-Switch and Cisco IP Phones PoC - Testing CDP, Voice VLAN, QoS, and 802.1X

Hello Airheads community

 

I had the opportunity to work in a PoC to demonstrate that Aruba AOS-switches fully support a Cisco telephony solution; here are the 5 tasks requested by End Customer and the results achieved (below).

 

I also attached the PoC-guide.pdf to this post, which shows the configurations made in the 2930F switch, ClearPass and CUCM, as well as debugs, show commands, and Access Tracker.

 

Topology:

topology.png

                                              Image 1

 

Task No 1: Turn on Cisco phone 7960. These Cisco phones are very old (they are currently EoS/EoL) and have the peculiarity of supporting Cisco pre-standard PoE and CDP (they support neither standard PoE nor LLDP).

 

Result: Aruba 2930F was able to turn on the Cisco Phone 7960 and assign the voice VLAN via CDP (Image 2).

Aruba switches support this type of phone by entering two commands:

2930F-8(config)# cdp mode pre-standard-voice

2930F-8(config)# power-over-ethernet pre-std-detect ports 1-8

CDP.png

                                           Image 2

 

Task No 2: Register Cisco Phone 7960 (SCCP) and Cisco Phone 7821 (SIP) phones to CUCM.

 

Result: Both phones were able to connect and register to CUCM (Image 3).

Configuring voice VLANs separates voice traffic from data traffic. You must configure the port as a tagged member of the voice VLAN.

2930F-8(config)# vlan 50
2930F-8(vlan-50)# name "Voice"
2930F-8(vlan-50)# tagged 1
2930F-8(vlan-50)# ip address 10.10.0.1 255.255.255.0
2930F-8(vlan-50)# voice
2930F-8(vlan-50)# dhcp-server
2930F-8(vlan-50)# exit

 

Per Cisco requirements, you may need to enable DHCP Option 150 so that in the DHCP broadcasts, phones see a list of all TFTP (CUCM) servers that are connected to the network.

2930F-8(config)#dhcp-server pool "VOICE"
2930F-8(VOICE)#default-router "10.10.0.1"
2930F-8(VOICE)#dns-server "8.8.8.8"
2930F-8(VOICE)#network 10.10.0.0 255.255.255.0
2930F-8(VOICE)#option 150 ip "172.16.0.90"
2930F-8(VOICE)#range 10.10.0.5 10.10.0.20
2930F-8(VOICE)#exit

CUCM.png

                                          Image 3

 

Task No 3: Authenticate old phones that don't include a Manufacturing Installed Certificate (MIC), such as the 7960, via the MAC-AUTH process, and authenticate the most recent phones, such as the 7821, via EAP-TLS using the MIC.

 

Result: Both phones were authenticated (Image 5). 

Import the Cisco root certificates into ClearPass in order to use the 802.1X EAP-TLS authentication method.

MIC.png

                                           Image 4

 

Phones were authenticated via MAC-AUTH (7960) and 802.1X EAP-TLS (7821) and received the VOICE-ROLE: 

TLS.png

                                           Image 5

 

Task No 4: Assign differentiated network access policies: restrictive access policy to Cisco IP Phones (VOICE-ROLE) and unrestricted access to employees (EMPLOYEE-ROLE).

 

Result: Phones and end users were authenticated, and differentiated network access policies were assigned using roles on the 2930F switch (Image 6).

PC.png

                                                Image 6

 

Task No 5: Clear the session when the device (PC) is disconnected from the phone's switch port.

 

Result: If the device unplugs from behind the phone, the switch cannot rely on link state to know when to clear the session. Proxy EAPoL-Logoff enables the phone to transmit an EAPoL-Logoff message on behalf of the data device when the phone detects that an 802.1X device has unplugged from behind the phone. AOS-Switch processed the EAPoL-Logoff message and cleared the session (Image 7).

 

EAP.png

                                                 Image 7

 

Task No 6: Assign QoS to voice traffic: tag RTP packets.

 

Result: Packet capture showed RTP packets tagged with CoS 5 and DSCP 46 (Image 8).

qos.png

                                                          Image 8

 

Regards,

Adolfo
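
Added example (not part of the original post or the attached PoC guide): a small Python checker for the two capture-based results above, the EAPoL-Logoff in Task 5 and the CoS 5 / DSCP 46 marking on voice VLAN 50 in Task 6. The frames are constructed samples, and it assumes the proxied Logoff carries the data device's MAC as its source address.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def parse_frame(frame: bytes) -> dict:
    """Decode one Ethernet frame into the fields the PoC results rely on."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"src": frame[6:12].hex(":"), "vlan": None, "cos": None}
    ethertype, offset = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == 0x8100:  # 802.1Q tag: PCP(3 bits) | DEI(1) | VID(12)
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["cos"], info["vlan"], offset = tci >> 13, tci & 0x0FFF, 18
    payload = frame[offset:]
    if ethertype == 0x888E:  # EAPOL header: version, packet type, body length
        if len(payload) < 4:
            raise ValueError("truncated EAPOL header")
        _version, ptype, _length = struct.unpack_from("!BBH", payload)
        info["eapol"] = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    elif ethertype == 0x0800:  # IPv4: DSCP is the top 6 bits of the second byte
        if len(payload) < 20:
            raise ValueError("truncated IPv4 header")
        info["dscp"] = payload[1] >> 2
    return info

def logged_off_macs(frames):
    """Source MACs for which an EAPOL-Logoff was seen (session should be cleared)."""
    return [f["src"] for f in map(parse_frame, frames) if f.get("eapol") == "EAPOL-Logoff"]

def voice_marking_ok(frame, vlan=50, cos=5, dscp=46):
    """True when the frame is tagged for the voice VLAN with the expected QoS marks."""
    f = parse_frame(frame)
    return (f["vlan"], f["cos"], f.get("dscp")) == (vlan, cos, dscp)

# Constructed sample frames (locally administered MACs, not taken from the PoC capture).
PAE, PC, PHONE, GW = (bytes.fromhex(h) for h in
                      ("0180c2000003", "020000000001", "020000000002", "020000000003"))
START = PAE + PC + b"\x88\x8e" + bytes([1, 1, 0, 0])
LOGOFF = PAE + PC + b"\x88\x8e" + bytes([1, 2, 0, 0])  # assumed: phone uses the PC's MAC

def ipv4_frame(tci: int, tos: int) -> bytes:
    # Minimal constructed IPv4 header: only version/IHL and the ToS byte are meaningful.
    return GW + PHONE + b"\x81\x00" + struct.pack("!HH", tci, 0x0800) + bytes([0x45, tos]) + bytes(18)

RTP = ipv4_frame((5 << 13) | 50, 46 << 2)   # VLAN 50, CoS 5, DSCP 46
UNMARKED = ipv4_frame(50, 0)                # VLAN 50, no QoS marking

if __name__ == "__main__":
    print(logged_off_macs([START, LOGOFF, RTP]), voice_marking_ok(RTP), voice_marking_ok(UNMARKED))
```
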

 

Aruba Employee

Re: AOS-Switch and Cisco IP Phones PoC - Testing CDP, Voice VLAN, QoS, and 802.1X

Version 16.08.0005

https://support.hpe.com/hpsc/doc/public/display?docId=a00079541en_us

802.1X CR_0000250258 Symptom: User role changes to mac-auth initial role even though the user is not reachable. Scenario: When authenticating a user through 802.1X, if auth-order and auth-priority are configured as authenticator mac-based, the user role changes to mac-auth initial role even after disconnecting the user.
