
AOS-CX VOIP Deployment Guide

Contents
AOS-CX VOIP Deployment Guide
Use Case 1: With local authentication using local MAC match, device-profile
Use Case 2: Authenticate the phone using an AAA RADIUS server
Use Case 3: VOIP deployment using a Local User Role (LUR)
Use Case 4: VOIP deployment using a Downloadable User Role (DUR)

AOS-CX VOIP DEPLOYMENT GUIDE
AOS-CX VERSION 10.5


Good day!

AOS-CX VOIP Deployment Guide

Prerequisites (recommended, not mandatory):

- Working knowledge of Power over Ethernet (PoE), LLDP, CDP and VLANs.
- Understanding of the voice VLAN and its significance.
- Familiarity with Local User Roles (LUR) and Downloadable User Roles (DUR).

Pre-Checklist:

- Check the CX operating system version:

BLDG01-F1# show version

- Verify connectivity to the phone with LLDP or CDP:

BLDG01-F1# show lldp neighbor-info
BLDG01-F1# show cdp neighbor-info

- Before starting the VOIP deployment, verify the voice VLAN assignment:

BLDG01-F1(config)# vlan 10
BLDG01-F1(config-vlan-10)# voice
BLDG01-F1# show lldp neighbor-info 2/1/3

Note: Enabling voice in the VLAN context is mandatory for a CX VOIP deployment; this is the VLAN the switch advertises to the phone in the LLDP-MED network policy, so a phone on a port without a voice VLAN will not tag its media correctly.

Flow of a simple CX VOIP deployment:

- Use Case 1: With local authentication using local MAC match (device-profile)
- Use Case 2: With remote AAA authentication using RADIUS attributes
- Use Case 3: With remote AAA authentication using a Local User Role
- Use Case 4: With remote AAA authentication using a Downloadable User Role

Reviewer:

Thank you, Hasenaug, Holger, for the quick review and formatting; much appreciated!

www.arubanetworks.com
3333 Scott Blvd. Santa Clara, CA 95054
1.844.472.2782 | T: 1.408.227.4500 | FAX: 1.408.227.4550 | [email protected]
Use Case 1: With local authentication using local MAC match, device-profile

Step 1: Configure the local MAC match (mac-group) and the device profile as below. The device profile ties the matching MAC addresses to the role that will be applied.

BLDG01-F1# show running-config mac-group


mac-group localmacauth
     seq 10 match mac 00:04:f2:80:23:57

BLDG01-F1# show running-config port-access


port-access role localmacauthrole
    mtu 1600
    reauth-period 5
port-access device-profile localauthdp
    enable
    associate role localmacauthrole
    associate mac-group localmacauth

Step 2: Enable authentication on the interface connected to the phone.

interface 2/1/3
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 10
    spanning-tree port-type admin-edge
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    port-access security violation action shutdown
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 3
        max-retries 1
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
    exit
BLDG01-F1# show port-access clients

Port Access Clients


--------------------------------------------------------------------------------
Port     MAC Address       Onboarded      Status      Role
                           Method
--------------------------------------------------------------------------------
2/1/3    00:04:f2:80:23:57 device-profile Success     localmacauthrole
 
BLDG01-F1# sh port-access clients detail
 
Port Access Client Status Details:
 
Client 00:04:f2:80:23:57
============================
  Session Details
  ---------------
    Port         : 2/1/3
    Session Time : 558s
    IPv4 Address :
    IPv6 Address :
 
  Authentication Details
  ----------------------
    Status          : Authenticated
    Auth Precedence : dot1x - Authenticating, mac-auth - Unauthenticated
 
  Authorization Details
  ----------------------
    Role   : localmacauthrole
    Status : Applied
 
 
Role Information:
 
Name  : localmacauthrole
Type  : local
----------------------------------------------
    Reauthentication Period             : 5 secs
    Authentication Mode                 :
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Gateway Zone                        :
    UBT Gateway Role                    :
    Access VLAN                         :
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    :
    Allowed Trunk VLAN Names            :
    MTU                                 : 1600
    QOS Trust Mode                      :
    STP Administrative Edge Port        :
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              :

Note: The default authentication order on AOS-CX is dot1x, then mac-auth, then local MAC match through the device profile; the order can be changed. The output above shows this: dot1x is still "Authenticating" and mac-auth is "Unauthenticated", yet the client is onboarded by the device profile and the role is applied. Keep in mind that a device-profile match is based on the MAC address alone, which any host can present, so keep the role associated with the profile limited to what a phone needs (here the role only sets the MTU and a reauthentication period; the voice VLAN comes from the interface trunk configuration) rather than reusing a general-purpose role.

Use Case 2: Authenticate the phone using an AAA RADIUS server.

Step 1: Make sure the switch can reach the RADIUS server (Reachability-Status below should be "reachable"; tracking must be enabled for this field to be populated).

BLDG01-F1# show radius-server detail


******* Global RADIUS Configuration *******
Shared-Secret: None
Timeout: 5
Auth-Type: pap
Retries: 1
TLS Timeout: 5
Tracking Time Interval (seconds): 60
Tracking Retries: 3
Tracking User-name: radius-tracking-user
Tracking Password: None
Number of Servers: 1
****** RADIUS Server Information ******
Server-Name              : aoss-cppm.tmelab.net
Auth-Port                : 1812
Accounting-Port          : 1813
VRF                      : mgmt
TLS Enabled              : No
Shared-Secret            :
AQBapdAz4irjSK61Zg/CFArsNYWKbn1LObqDD/v9SH1eMQ6ABQAAADY26liu
Timeout (default)        : 5
Retries                  : 5
Auth-Type (default)      : pap
Server-Group (default)   : radius
Default-Priority         : 1
Tracking                 : enabled
Tracking-Mode            : any
Reachability-Status      : reachable
ClearPass-Username       : admin
ClearPass-Password       :
AQBapYv/u3/YfG9vYRpFxmOTtsFLIWxuAX442RdG9j11jsZ6CQAAACZ5Y2/BK9FmhQ==

  

Note: In this demonstration ClearPass is used as the RADIUS server; any other RADIUS server, such as Cisco ISE or FreeRADIUS, can be used. The ClearPass-Username and ClearPass-Password fields shown above are only needed for downloadable user roles (Use Case 4).

Step 2: Enable authentication on the interface (the interface configuration is the same as in Use Case 1; the difference is that the RADIUS server now decides the role).

BLDG01-F1# show running-config interface 2/1/3


interface 2/1/3
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 10
    spanning-tree port-type admin-edge
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    port-access security violation action shutdown
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 3
        max-retries 1
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
    exit
 
BLDG01-F1# show port-access clients detail
Port Access Client Status Details:
Client 00:04:f2:80:23:57, 0004f2802357
============================
  Session Details
  ---------------
    Port         : 2/1/3
    Session Time : 75s
    IPv4 Address :
    IPv6 Address :
  Authentication Details
  ----------------------
    Status          : mac-auth Authenticated
    Auth Precedence : dot1x - Unauthenticated, mac-auth - Authenticated
  Authorization Details
  ----------------------
    Role   : RADIUS_773420618
    Status : Applied
Role Information:
Name  : RADIUS_773420618
Type  : radius
----------------------------------------------
    Reauthentication Period             :
    Authentication Mode                 :
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Gateway Zone                        :
    UBT Gateway Role                    :
    Access VLAN                         :
    Native VLAN                         :
    Allowed Trunk VLANs                 :
    Access VLAN Name                    :
    Native VLAN Name                    :
    Allowed Trunk VLAN Names            :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        :
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              :

BLDG01-F1# show vlan port 2/1/3
-------------------------------------------------------------------------------
VLAN  Name                            Mode            Mapping
-------------------------------------------------------------------------------
10    VLAN10                          trunk           port

BLDG01-F1# sh lldp neighbor-info 2/1/3


 
Port                           : 2/1/3
Neighbor Entries               : 1
Neighbor Entries Deleted       : 1
Neighbor Entries Dropped       : 0
Neighbor Entries Aged-Out      : 1
Neighbor Chassis-Name          : Polycom VVX 500
Neighbor Chassis-Description   : Polycom;VVX-VVX_500;3111-44500-001,7;SIP/4.1.2.25646/13-Feb-13 17:14;UP/5.1.2.0869/13-Feb-13 17:28;
Neighbor Chassis-ID            : 0.0.0.0
Neighbor Management-Address    :
Chassis Capabilities Available : Bridge, Telephone
Chassis Capabilities Enabled   : Bridge, Telephone
Neighbor Port-ID               : 00:04:f2:80:23:57
Neighbor Port-Desc             : 1
Neighbor Port VLAN ID          :
TTL                            : 120
Neighbor PoE information       : MED
Neighbor Power Type            : PD
Neighbor Power Priority        : Unknown
Neighbor Power Source          : BOTH
PD Requested Power Value       : 8.0 W
PSE Allocated Power Value      : 8.0 W
Neighbor MED Capabilities
Neighbor Device class          : CLASS_III
MED capabilities enabled       : Capabilities, Network Policy, PD, Inventory
MED capabilities supported     : Capabilities, Network Policy, PD, Inventory
Neighbor Med Network Policy
Neighbor Med Application type  : voice
Neighbor Med Policy VLAN ID    : 10
Neighbor Med Policy Priority   : 5
Neighbor Med Policy DSCP       : 46
Neighbor Med Policy Unknown    : false
Neighbor Med Policy Tagged     : true
Neighbor Med Application type  : voice-signaling
Neighbor Med Policy VLAN ID    : 10
Neighbor Med Policy Priority   : 5
Neighbor Med Policy DSCP       : 44
Neighbor Med Policy Unknown    : false
Neighbor Med Policy Tagged     : true
 
Neighbor Mac-Phy details
Neighbor Auto-neg Supported    : true
Neighbor Auto-Neg Enabled      : true
Neighbor Auto-Neg Advertised   : 1000 BASE_TFD, 100 BASE_TXFD, 100 BASE_TX, 10 BASET_FD, 10 BASE_T
Neighbor MAU type              : 1000 BASETFD
 
BLDG01-F1#

Note: For a pre-standard PoE phone (one that does not follow IEEE 802.3af detection), enable the following command on the interface:

BLDG01-F1(config-if)# power-over-ethernet pre-std-detect
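The checks this guide asks for by hand (the pre-checklist's voice VLAN verification through LLDP, and the "show port-access clients" verification in Use Cases 1 and 2) can be scripted once the two outputs are parsed. The following Python is an added example written for this page, not part of the original guide or of AOS-CX: it parses constructed copies of the "show port-access clients" and "show lldp neighbor-info" outputs shown above and reports anything that does not look like a correctly onboarded phone (wrong role, onboarding not successful, LLDP-MED voice policy not carrying the voice VLAN, PoE under-allocation, or an LLDP neighbour that is not the authenticated client). The sample outputs, the expected role name and the voice VLAN number are assumptions taken from the guide's own examples.

```python
import re

# Constructed sample outputs, trimmed copies of the switch output shown in this guide
# (show port-access clients and show lldp neighbor-info 2/1/3); not live output.
CLIENTS_OUTPUT = """\
Port Access Clients

--------------------------------------------------------------------------------
Port     MAC Address       Onboarded      Status      Role
                           Method
--------------------------------------------------------------------------------
2/1/3    00:04:f2:80:23:57 mac-auth       Success     phone_role
"""

LLDP_OUTPUT = """\
Port                           : 2/1/3
Neighbor Entries               : 1
Neighbor Chassis-Name          : Polycom VVX 500
Chassis Capabilities Enabled   : Bridge, Telephone
Neighbor Port-ID               : 00:04:f2:80:23:57
PD Requested Power Value       : 8.0 W
PSE Allocated Power Value      : 8.0 W
Neighbor Med Application type  : voice
Neighbor Med Policy VLAN ID    : 10
Neighbor Med Policy DSCP       : 46
Neighbor Med Policy Tagged     : true
Neighbor Med Application type  : voice-signaling
Neighbor Med Policy VLAN ID    : 10
Neighbor Med Policy DSCP       : 44
Neighbor Med Policy Tagged     : true
"""

# One client row: port, MAC, onboarding method, status, role. Header and rule lines never match.
CLIENT_ROW = re.compile(
    r"^(?P<port>\d+/\d+/\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<method>\S+)\s+(?P<status>\S+)\s+(?P<role>\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_clients(text):
    """Rows of 'show port-access clients' as dicts."""
    return [m.groupdict() for m in CLIENT_ROW.finditer(text)]


def parse_lldp(text):
    """Split 'show lldp neighbor-info' into plain fields and per-application MED policies.
    The MED policy keys repeat for voice and voice-signaling, so each group is keyed by
    the 'Neighbor Med Application type' line that precedes it."""
    fields, policies, current = {}, {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Neighbor Med Application type":
            current = value
            policies[current] = {}
        elif key.startswith("Neighbor Med Policy ") and current is not None:
            policies[current][key[len("Neighbor Med Policy "):]] = value
        else:
            fields[key] = value
    return fields, policies


def watts(value):
    """'8.0 W' -> 8.0; a missing field counts as 0."""
    return float(value.split()[0]) if value else 0.0


def check_phone_port(port, voice_vlan, expected_role, clients_text, lldp_text):
    """Return a list of findings; an empty list means the phone port looks healthy."""
    findings = []
    clients = [c for c in parse_clients(clients_text) if c["port"] == port]
    if not clients:
        findings.append(f"{port}: no onboarded client")
    for c in clients:
        if c["status"].lower() != "success":
            findings.append(f"{port}: client {c['mac']} status {c['status']} via {c['method']}")
        if c["role"] != expected_role:
            findings.append(f"{port}: client {c['mac']} got role {c['role']}, expected {expected_role}")
    fields, policies = parse_lldp(lldp_text)
    if "Telephone" not in fields.get("Chassis Capabilities Enabled", ""):
        findings.append(f"{port}: LLDP neighbor does not advertise the Telephone capability")
    # This phone reports its MAC as the LLDP Port-ID, so it should be the authenticated client.
    neighbor_mac = fields.get("Neighbor Port-ID", "").lower()
    if clients and neighbor_mac not in {c["mac"].lower() for c in clients}:
        findings.append(f"{port}: LLDP neighbor {neighbor_mac} is not an authenticated client")
    # Both MED policies must carry the switch's voice VLAN, tagged, or media lands in the wrong VLAN.
    for app in ("voice", "voice-signaling"):
        pol = policies.get(app)
        if pol is None:
            findings.append(f"{port}: phone advertises no LLDP-MED {app} policy")
        elif pol.get("VLAN ID") != str(voice_vlan) or pol.get("Tagged") != "true":
            findings.append(f"{port}: LLDP-MED {app} policy VLAN {pol.get('VLAN ID')} "
                            f"tagged={pol.get('Tagged')}, expected VLAN {voice_vlan} tagged")
    if watts(fields.get("PSE Allocated Power Value")) < watts(fields.get("PD Requested Power Value")):
        findings.append(f"{port}: PSE allocated less power than the phone requested")
    return findings


if __name__ == "__main__":
    for line in check_phone_port("2/1/3", 10, "phone_role", CLIENTS_OUTPUT, LLDP_OUTPUT) or ["2/1/3: OK"]:
        print(line)
```

Feed it the real outputs captured from the switch (for example over SSH) and run it after each use case; the role check is what distinguishes a phone that silently landed in a RADIUS_ or fallback role from one that received the intended phone role.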

Use Case 3: VOIP deployment using a Local User Role (LUR)

Step 1: Configure the local user role. The role carries the voice VLAN, so the interface itself can allow all trunk VLANs; the authenticated phone only gets what the role permits.

BLDG01-F1# show running-config port-access


port-access role phone_role
    auth-mode client-mode
    vlan trunk allowed 10
 
BLDG01-F1# show running-config interface 2/1/3
interface 2/1/3
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    spanning-tree port-type admin-edge
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    port-access security violation action shutdown
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 3
        max-retries 1
        reauth
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        enable
    exit

Step 2: On the RADIUS server, configure the same role name (phone_role, returned to the switch in the Aruba-User-Role RADIUS attribute) for the phone, then verify that the phone is authenticated and the role is applied. The name must match the local role exactly; otherwise the switch cannot apply it.

 
BLDG01-F1# show port-access clients

Port Access Clients


--------------------------------------------------------------------------------
Port     MAC Address       Onboarded      Status      Role
                           Method
--------------------------------------------------------------------------------
2/1/3    00:04:f2:80:23:57 mac-auth       Success     phone_role
 
BLDG01-F1#
BLDG01-F1# show port-access role
Role Information:
Name  : phone_role
Type  : local
----------------------------------------------
    Reauthentication Period             :
    Authentication Mode                 : client-mode
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Gateway Zone                        :
    UBT Gateway Role                    :
    Access VLAN                         :
    Native VLAN                         :
    Allowed Trunk VLANs                 : 10
    Access VLAN Name                    :
    Native VLAN Name                    :
    Allowed Trunk VLAN Names            :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        :
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              :
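The RADIUS exchange behind Use Cases 2 and 3 is worth seeing on the wire. With mac-auth and Auth-Type pap (as shown in "show radius-server detail"), the switch sends the phone's MAC address as both User-Name and User-Password, and for a local user role the server answers with an Access-Accept carrying the Aruba-User-Role vendor-specific attribute (vendor ID 14823, type 1) naming the role. The Python below is an added example written for this page, not code from the guide, from AOS-CX or from ClearPass: it models the switch and the RADIUS server as two functions that build and verify real RFC 2865/2869 packets, including the User-Password hiding, the Message-Authenticator on the request and the Response Authenticator check on the reply. The shared secret, identifier, Service-Type Call-Check and the in-memory MAC-to-role table are assumptions; a downloadable user role (Use Case 4) is fetched from ClearPass in a separate step, which is why the ClearPass credentials appear in the switch's RADIUS server configuration, and that step is not modelled here.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 1, 2, 6, 26, 80
SERVICE_TYPE_CALL_CHECK = 10   # commonly sent by a NAS for MAC authentication (assumption for this demo)
ARUBA_VENDOR_ID = 14823        # IANA enterprise number used by Aruba VSAs
ARUBA_USER_ROLE = 1            # Aruba-User-Role: names the role the switch must apply


def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value


def vsa(vendor_id, vtype, value):
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: XOR with an MD5 keystream of secret + previous block.
    This is obfuscation keyed on the shared secret, not real encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(pkt):
    """Yield (type, value_offset, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        yield t, pos + 2, pkt[pos + 2:pos + length]
        pos += length


def build_mac_auth_request(mac, secret, ident, authenticator=None):
    """Switch side: mac-auth with Auth-Type pap sends the MAC as both User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)        # Request Authenticator must be unpredictable
    user = mac.replace(":", "").lower().encode()            # 0004f2802357, as in the guide's detail output
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(user, secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, filled in below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    # Message-Authenticator = HMAC-MD5(secret, packet with the attribute zeroed); it stops request forgery.
    mac_value = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac_value


def reply(code, ident, request_authenticator, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def server_handle(request, secret, role_by_mac):
    """Stand-in for the RADIUS server: verify the packet and the MAC 'password', answer with the role."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("malformed Access-Request")
    request_authenticator = request[4:20]
    attrs = {t: (off, v) for t, off, v in parse_attrs(request)}
    if MESSAGE_AUTHENTICATOR not in attrs:
        raise ValueError("Access-Request without Message-Authenticator")
    off, given = attrs[MESSAGE_AUTHENTICATOR]
    zeroed = request[:off] + b"\x00" * 16 + request[off + 16:]
    if not hmac.compare_digest(given, hmac.new(secret, zeroed, hashlib.md5).digest()):
        raise ValueError("bad Message-Authenticator: wrong shared secret or tampered packet")
    user = attrs[USER_NAME][1]
    password = unhide_password(attrs[USER_PASSWORD][1], secret, request_authenticator)
    role = role_by_mac.get(user.decode())
    if password != user or role is None:
        return reply(ACCESS_REJECT, ident, request_authenticator, b"", secret)
    return reply(ACCESS_ACCEPT, ident, request_authenticator,
                 vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role.encode()), secret)


def switch_parse_reply(response, request, secret):
    """Switch side: check the reply really answers our request, then pull out Aruba-User-Role."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if ident != request[1] or length != len(response) or not hmac.compare_digest(response[4:20], expected):
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS server")
    if code != ACCESS_ACCEPT:
        return None
    for t, _, v in parse_attrs(response):
        if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == ARUBA_VENDOR_ID and v[4] == ARUBA_USER_ROLE:
            return v[6:4 + v[5]].decode()   # v[5] is the vendor-length, including its 2-byte header
    return None


def demo(secret=b"constructed-shared-secret", roles=None):
    roles = roles if roles is not None else {"0004f2802357": "phone_role"}   # constructed MAC-to-role table
    request = build_mac_auth_request("00:04:f2:80:23:57", secret, ident=7)
    return switch_parse_reply(server_handle(request, secret, roles), request, secret)
```

Two points the exchange makes visible: the only credential a phone presents under mac-auth is its MAC address, so the returned role should grant no more than a phone needs, and everything protecting the exchange itself (password hiding, Message-Authenticator, Response Authenticator) hangs on the shared secret, which is why the switch stores it encrypted and why it should be long and unique per server.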

Use Case 4: VOIP deployment using a Downloadable User Role (DUR).

Step 1: Enable AAA authentication on the interface (the same interface configuration as in Use Case 3).

Step 2: Configure the downloadable user role “phone_role” on ClearPass. When the phone authenticates, the switch downloads the role definition from ClearPass (using the ClearPass username and password configured for the RADIUS server) and lists it under a generated DUR_ name, as shown below.
BLDG01-F1# sh port-access clients
 
Port Access Clients
--------------------------------------------------------------------------------
Port     MAC Address       Onboarded      Status      Role
                           Method
--------------------------------------------------------------------------------
2/1/3    00:04:f2:80:23:57 mac-auth       Success     DUR_PY_CX-3099-10
 
 
BLDG01-F1# show port-access role clearpass
 
Role Information:
 
Name  : DUR_PY_CX-3099-10
Type  : clearpass
Status: Completed
----------------------------------------------
    Reauthentication Period             :
    Authentication Mode                 : client-mode
    Session Timeout                     :
    Client Inactivity Timeout           :
    Description                         :
    Gateway Zone                        :
    UBT Gateway Role                    :
    Access VLAN                         :
    Native VLAN                         :
    Allowed Trunk VLANs                 : 10
    Access VLAN Name                    :
    Native VLAN Name                    :
    Allowed Trunk VLAN Names            :
    MTU                                 :
    QOS Trust Mode                      :
    STP Administrative Edge Port        :
    PoE Priority                        :
    Captive Portal Profile              :
    Policy                              :

Attached: the working running configuration of the CX switch.

Note: Configure an IP helper address on the VLAN interface if the phone is to obtain its IP address via DHCP; a DHCP section will be added in the next document.

The following simple references will help during a CX VOIP deployment:

- AOS-CX simple steps to configure a RADIUS server
- AOS-CX Downloadable User Role (DUR) simple steps to configure
- AOS-CX Local User Role (LUR) simple steps to configure

Have a nice day!

Yash
