- Download
Software
- Research a
Problem - Case Management
- Communities and Forums
- Contract & Product Management
- Technical Documentation Advanced Search
- Documentation Feedback Form
- Documentation Symbols Key
- End-of-Life Products
- Guidelines and Policies
- Security Resources
Juniper was the first North American IP routing vendor to achieve the prestigious TL 9000 certification by the Quality of Excellence for Suppliers of Telecommunications (QuEST) Forum in the router category, for design, development, provision and service and support.
What is J-Care?
It's the world-class service and support that you expect from a company that delivers the industry's best infrastructure and security products. With J-Care, you now have the confidence knowing that Juniper will do our part to keep you on top of the world!
Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication
You can configure voice over IP (VoIP) on an EX-series switch to support IP telephones. VoIP is a protocol used for the transmission of voice through packet-switched networks. VoIP transmits voice calls using a network connection instead of an analog phone line.
To configure VoIP on an EX-series switch to support an IP phone that does not support 802.1X authentication, you must add the MAC address of the phone as a static entry in the authenticator database.
This example describes how to configure VoIP on an EX-series switch without 802.1X authentication:
Requirements
This example uses the following hardware and software components:
- JUNOS Release 9.1 or later for EX-series switches
- An IP telephone without 802.1X authentication
Before you configure VoIP, be sure you have:
- Installed your EX-series switch. See Installing and Connecting an EX-series Switch.
- Performed the initial switch configuration. See Connecting and Configuring the EX-series Switch (J-Web Procedure).
- Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch.
- Configured the RADIUS server for 802.1X authentication and set up the access profile. See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch.
- Configured interface ge-0/0/2 for Power over
Ethernet (PoE). For information about configuring PoE, see Configuring PoE (CLI Procedure).
Note: The PoE configuration is not necessary if the VoIP supplicant is using a power adapter.
Overview
Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch.
In this example, the access interface ge-0/0/2 on the EX 4200 switch is connected to a non-802.1X IP phone.
To configure VoIP on an EX-series switch to support an IP phone that does not support 802.1X authentication, add the MAC address of the phone as a static entry in the authenticator database and set the supplicant mode to multiple.
Configuration
To configure VoIP without 802.1X authentication:
CLI Quick Configuration
To quickly configure VoIP, copy the following commands and paste them into the switch terminal window:
[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching
vlan members data-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching
port-mode access
set ethernet—switching—options voip
interface ge-0/0/2.0 vlan voice-vlan
set ethernet—switching—options voip
interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp–med interface ge-0/0/2.0
set protocols dot1x authenticator authentication-profile-name
auth-profile
set protocols dot1x authenticator static 00:04:f2:11:aa:a7
set protocols dot1x authenticator interface
ge-0/0/2.0 supplicant multiple
Step-by-Step Procedure
To configure VoIP without 802.1X:
- Configure the VLANs for voice and data:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99 - Associate the VLAN data-vlan with the
interface:
[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0
- Configure the interface as an access interface,
configure support for Ethernet switching, and add the data-vlan VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access - Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable
class of service:
[edit ethernet—switching—options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
- Configure LLDP-MED protocol support:
[edit protocols]
user@switch# set lldp-med interface ge-0/0/2.0
- Set the authentication profile (see Configuring 802.1X Authentication (CLI Procedure) and Configuring 802.1X RADIUS Accounting (CLI Procedure)):
[edit protocols]
set dot1x authenticator authentication-profile-name auth-profile - Specify the MAC address of the phone:
[edit protocols]
set dot1x authenticator static 00:04:f2:11:aa:a7 - Set the supplicant mode to multiple:
[edit protocols]
set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Results
Display the results of the configuration:
- [edit]
- user@switch# show configuration
- interfaces {
-
- ge-0/0/2 {
-
- unit 0 {
-
- family ethernet-switching {
- port-mode access;
-
- vlan {
- members data-vlan;
- }
- }
- }
- }
- }
- protocols {
-
- lldp-med {
- interface ge-0/0/2.0;
- }
-
- dot1x {
-
- authenticator {
-
- authentication-profile-name auth-profile;
-
- static {
- 00:04:f2:11:aa:a7;
- }
- }
-
- interface {
-
- ge-0/0/2.0 {
- supplicant multiple;
- }
- }
- }
- }
- vlans {
-
- data-vlan {
- vlan-id 77;
-
- interface {
- ge-0/0/2.0;
- }
- }
-
- voice-vlan {
- vlan-id 99;
- }
- }
- ethernet-switching options {
-
- voip {
-
- interface ge-0/0/2.0 {
-
- vlan voice-vlan;
-
- forwarding-class assured-forwarding;
- }
- }
- }
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying LLDP-MED Configuration
- Verifying Authentication for the Desktop PC
- Verifying the VLAN Association with the Interface
Verifying LLDP-MED Configuration
Purpose
Verify that LLDP-MED is enabled on the interface.
Action
user@switch> show lldp detail
LLDP : Enabled Advertisement interval : 30 Second(s) Transmit delay : 2 Second(s) Hold timer : 2 Second(s) Config Trap Interval : 300 Second(s) Connection Hold timer : 60 Second(s) LLDP MED : Enabled MED fast start count : 3 Packet(s) Interface LLDP LLDP-MED Neighbor count all Enabled - 0 ge-0/0/2.0 - Enabled 0 Interface VLAN-id VLAN-name ge-0/0/0.0 0 default ge-0/0/1.0 0 employee-vlan ge-0/0/2.0 0 data-vlan ge-0/0/2.0 99 voice-vlan ge-0/0/3.0 0 employee-vlan ge-0/0/8.0 0 employee-vlan ge-0/0/10.0 0 default ge-0/0/11.0 20 employee-vlan ge-0/0/11.0 0 __juniper-vlan_internal__ ge-0/0/23.0 0 default LLDP basic TLVs supported: Chassis identifier, Port identifier, Port description, System name, System description, System capabilities, Management address. LLDP 802 TLVs supported: Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port VLAN name. LLDP MED TLVs supported: LLDP MED capabilities, Network policy, Endpoint location, Extended power Via MDI.
Meaning
The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output shows the list of supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that are supported.
Verifying Authentication for the Desktop PC
Purpose
Display the 802.1X configuration for the desktop PC connected to the VoIP interface through the IP phone.
Action
user@switch> show dot1x interface ge/0/0/2.0 detail
ge-0/0/2.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Number of connected supplicants: 1
Supplicant: abc, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 3588 seconds
Meaning
The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.
Verifying the VLAN Association with the Interface
Purpose
Display the interface state and VLAN membership.
Action
user@switch> show ethernet-switching interfaces
Ethernet-switching table: 0 entries, 0 learned
user@switch> show ethernet-switching interfaces
Interface State VLAN members Blocking
ge-0/0/0.0 down default unblocked
ge-0/0/1.0 down employee-vlan unblocked
ge-0/0/5.0 down employee-vlan unblocked
ge-0/0/3.0 down employee-vlan unblocked
ge-0/0/8.0 down employee-vlan unblocked
ge-0/0/10.0 down default unblocked
ge-0/0/11.0 down employee-vlan unblocked
ge-0/0/23.0 down default unblocked
ge-0/0/2.0 up voice-vlan unblocked
data-vlan unblocked
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN. The State field shows that the interface is up.