Datacom product line: S3700 IP phone fails to obtain an address in the voice VLAN subnet when it comes online
Problem description
Requirement: PCs should obtain addresses in the 10.23.196.0/24 subnet, and IP phones should obtain addresses in the 10.23.197.0/24 subnet.
Problem: PCs obtain addresses in 10.23.196.0/24, but IP phones cannot obtain addresses in 10.23.197.0/24.
Network structure: a router provides the external connection; the aggregation layer is a stack of two S3700s; the access layer has seven S3700s, four in stack 1 (CSS1) and three in stack 2 (CSS2).
The attachments contain the debug output and the packet capture analysis. The router is a third-party device and the customer did not provide its login password. The aggregation S3700 is configured as a DHCP relay, and the access devices are configured with 802.1X (dot1x).
CSS1 configuration:
[***_CSS1-Ethernet1/0/21]dis current-configuration
#
!Software Version V100R006C05
sysname ***_CSS1
#
info-center loghost 10.23.117.11
#
voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description AVAYA IPHONE
voice-vlan mac-address 0007-3b00-0000 mask ffff-ff00-0000 description AVAYA 9620 IPHONE
voice-vlan mac-address 000b-8200-0000 mask ffff-ff00-0000 description NEW PHONE
voice-vlan mac-address 0015-6500-0000 mask ffff-ff00-0000
voice-vlan mac-address 001b-4f00-0000 mask ffff-ff00-0000 description AVAYA 9620_1 IPHONE
voice-vlan mac-address d478-5600-0000 mask ffff-ff00-0000
voice-vlan mac-address 0026-8b00-0000 mask ffff-ff00-0000
#
vlan batch 100 195 to 199
#
stp bpdu-protection
stp disable
#
domain paicdom
#
dot1x enable
dot1x authentication-method eap
dot1x dhcp-trigger
dot1x timer handshake-period 120
dot1x timer tx-period 15
mac-authen
mac-authen domain mac_domain mac-address b447-5e00-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 000b-8200-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 6ca8-4900-0000 mask ffff-ff00-0000
#
lldp enable
#
observe-port 1 interface Ethernet1/0/23
#
radius-server template ***
radius-server shared-key cipher ***
radius-server authentication 10.11.111.96 1645
radius-server authentication 10.37.111.71 1645 secondary
undo radius-server user-name domain-included
#
vlan 196
description data vlan
vlan 197
description voice vlan
vlan 198
description data over wirless vlan
vlan 199
description voice over wirless vlan
#
aaa
authentication-scheme default
authentication-scheme lan-access
authentication-mode radius
authentication-scheme login
authentication-mode hwtacacs local
authentication-scheme mac
authentication-mode none
authorization-scheme default
authorization-scheme lan-access
authorization-scheme login
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs
accounting-scheme default
accounting-scheme lan-access
accounting-mode radius
accounting-scheme login
accounting-mode hwtacacs
domain default
domain default_admin
domain paicdom
authentication-scheme lan-access
radius-server ***
domain paicdomt
authentication-scheme login
accounting-scheme login
authorization-scheme login
domain mac_domain
authentication-scheme mac
local-user admin password cipher ***
local-user admin service-type telnet ssh http
local-user *** password cipher ***
local-user *** privilege level 3
local-user *** service-type telnet ssh
#
interface Vlanif1
#
interface Vlanif100
ip address 10.23.196.211 255.255.255.0
#
interface Eth-Trunk10
description TO-Core
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/1
voice-vlan 197 enable
port hybrid pvid vlan 100
port hybrid untagged vlan 100
loopback-detect enable
stp edged-port enable
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
#
CSS2 configuration:
<***CSS2>dis current-configuration
#
!Software Version V100R006C05
sysname ***CSS2
#
info-center loghost 10.23.117.11
#
voice-vlan mac-address 0001-e300-0000 mask ffff-ff00-0000
voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description AVAYA IPHONE
voice-vlan mac-address 0007-3b00-0000 mask ffff-ff00-0000 description AVAYA 9620 IPHONE
voice-vlan mac-address 0009-6e00-0000 mask ffff-ff00-0000
voice-vlan mac-address 000b-8200-0000 mask ffff-ff00-0000 description NEW PHONE 9611
voice-vlan mac-address d478-5600-0000 mask ffff-ff00-0000
voice-vlan mac-address 0026-8b00-0000 mask ffff-ff00-0000
voice-vlan mac-address 10cd-ae00-0000 mask ffff-ff00-0000
#
vlan batch 100 195 to 199
#
stp bpdu-protection
#
domain paicdom
#
dot1x enable
dot1x authentication-method eap
dot1x dhcp-trigger
dot1x timer handshake-period 120
dot1x timer tx-period 15
mac-authen
mac-authen domain mac_domain mac-address b447-5e00-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 000b-8200-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 6ca8-4900-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 2cf4-c500-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 50cd-2200-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 0015-6500-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address a425-1b00-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 10cd-ae00-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 0007-3b00-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address b4b0-1700-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 001b-4f00-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address c057-bc00-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 3cb1-5b00-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 0004-0d00-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address d478-5600-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 0026-8b00-0000 mask ffff-ff00-0000
#
lldp enable
#
radius-server template ***
radius-server shared-key ***
radius-server authentication 10.11.111.96 1645
radius-server authentication 10.37.111.71 1645 secondary
undo radius-server user-name domain-included
#
vlan 196
description data vlan
vlan 197
description voice vlan
vlan 198
description data over wirless vlan
vlan 199
description voice over wirless vlan
#
aaa
authentication-scheme default
authentication-scheme lan-access
authentication-mode radius
authentication-scheme login
authentication-mode hwtacacs local
authentication-scheme mac
authentication-mode none
authorization-scheme default
authorization-scheme lan-access
authorization-scheme login
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs
accounting-scheme default
accounting-scheme lan-access
accounting-mode radius
accounting-scheme login
accounting-mode hwtacacs
domain default
domain default_admin
domain paicdom
authentication-scheme lan-access
radius-server ***
domain paicdomt
authentication-scheme login
accounting-scheme login
authorization-scheme login
domain mac_domain
authentication-scheme mac
local-user admin password cipher ***
local-user admin service-type telnet ssh http
local-user *** password cipher ***
local-user *** privilege level 3
local-user *** service-type telnet ssh
#
interface Vlanif1
#
interface Vlanif100
ip address 10.23.196.212 255.255.255.0
#
interface Eth-Trunk10
description TO-Core
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/5
voice-vlan 197 enable
port hybrid pvid vlan 100
port hybrid untagged vlan 100
loopback-detect enable
stp edged-port enable
#
interface Ethernet0/0/13
voice-vlan 197 enable
port hybrid pvid vlan 100
port hybrid untagged vlan 100
loopback-detect enable
stp edged-port enable
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
#
Aggregation switch configuration:
!Software Version V200R008C00SPC500
#
sysname ***
#
vlan batch 19 100 195 to 199
#
stp instance 0 root primary
stp bpdu-protection
stp tc-protection
stp tc-protection threshold 2
#
lldp enable
#
clock timezone BJ add 08:00:00
#
dhcp enable
#
stp region-configuration
region-name ***
revision-level 1
instance 1 vlan 1 to 4094
active region-configuration
#
vlan 100
description Connect to Router
vlan 195
description New data vlan
vlan 196
description data vlan
vlan 197
description voice vlan
vlan 198
description data over wirless vlan
vlan 199
description voice over wirless vlan
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher ***
local-user admin privilege level 0
local-user admin service-type telnet ssh http
local-user *** password irreversible-cipher ***
local-user *** privilege level 3
local-user *** service-type telnet ssh
#
ntp-service server disable
ntp-service ipv6 server disable
ntp-service unicast-server 10.15.101.1
#
interface Vlanif1
#
interface Vlanif100
ip address 10.23.196.200 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.117.10
dhcp relay server-ip 10.23.117.11
#
interface MEth0/0/1
#
interface Eth-Trunk0
description connect_to_ S3700_CSS1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface Eth-Trunk1
description connect_to_ S3700_CSS2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
eth-trunk 0
#
Alarm information
Troubleshooting process
1.1 With dot1x disabled on the interface, the IP phone can obtain an address; see the packet analysis in the attachment (interface without dot1x mac-bypass).
1.2 With dot1x mac-bypass enabled on the interface, the phone first obtains an address in 10.23.196.0/24, then the address suddenly becomes all zeros, and finally it cannot obtain an IP address at all; see the packet analysis in the attachment (interface with dot1x mac-bypass enabled).
II. Packet analysis
1. The phone connects to the live network, exchanges normally with the DHCP server, and obtains an address in 10.23.196.0/24.
2. About 3 minutes later, without the client having sent a DHCP Release, broadcast Discover messages are sent again automatically on the DHCP server side. At this point the phone has no address.
3. Five minutes later, the client and the DHCP server exchange again, and the phone obtains an address in 10.23.197.0/24.
4. Debug information was collected on the device with debug cm, debug AAA and debug dot1x. See the attachment for the debug output.
III. On disabling STP:
1. With STP disabled, the IP phone still cannot obtain an IP address.
2. Whether STP is enabled or disabled, with dot1x mac-bypass disabled on the interface the phone can obtain an address in 10.23.197.0/24.
3. Whether STP is enabled or disabled, with dot1x mac-bypass enabled on the interface the phone cannot obtain an address in 10.23.197.0/24.
Root cause
After the phone connects, it first sends untagged frames. The phone passes MAC authentication on those frames and is added to the interface's PVID VLAN (the data VLAN). The phone then negotiates the voice VLAN through LLDP, but because it has already been added to the PVID VLAN, it cannot obtain an address in the voice VLAN.
Because V100R006C05 does not support voice-vlan <vlan-id> enable include-untagged on the interface, the problem cannot be solved through the command line.
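As an added example (not from this case and not Huawei code), the following Python audit reads a VRP running-config and flags the combination described in the root cause: an interface with voice-vlan enable and dot1x mac-bypass whose PVID is a data VLAN, while a phone OUI appears both in the voice-vlan OUI list and in a mac-authen domain whose scheme is authentication-mode none. The parser recognises only the commands used on this page and relies on the order VRP prints them (scheme definitions before domain definitions under aaa); the embedded SAMPLE_CONFIG is constructed from the CSS2 configuration above.

```python
"""Audit a Huawei VRP config for the voice-VLAN / MAC-bypass interaction in this
case: a phone OUI that is both a voice-VLAN OUI and an open (authentication-mode
none) MAC-authentication OUI passes MAC auth on its first untagged frame and is
pinned to the interface PVID, so it never obtains a voice-VLAN address.
Added example, not Huawei code. SAMPLE_CONFIG is constructed from the CSS2 config."""
import re

SAMPLE_CONFIG = """\
voice-vlan mac-address 000b-8200-0000 mask ffff-ff00-0000 description NEW PHONE 9611
voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description AVAYA IPHONE
#
mac-authen domain mac_domain mac-address 000b-8200-0000 mask ffff-ff00-0000
mac-authen domain mac_domain mac-address 6ca8-4900-0000 mask ffff-ff00-0000
#
aaa
 authentication-scheme lan-access
  authentication-mode radius
 authentication-scheme mac
  authentication-mode none
 domain paicdom
  authentication-scheme lan-access
 domain mac_domain
  authentication-scheme mac
#
interface Ethernet0/0/5
 voice-vlan 197 enable
 port hybrid pvid vlan 100
#
interface Ethernet0/0/13
 voice-vlan 197 enable
 port hybrid pvid vlan 100
 dot1x mac-bypass mac-auth-first
 dot1x mac-bypass
#
"""


def oui_key(mac, mask):
    """Apply a VRP MAC mask (e.g. ffff-ff00-0000) and return the masked address
    as 12 hex digits so entries from different lists compare equal."""
    masked = int(mac.replace("-", ""), 16) & int(mask.replace("-", ""), 16)
    return f"{masked:012x}"


def parse_config(text):
    cfg = {"voice_ouis": set(), "mac_auth_domain": {}, "scheme_mode": {},
           "domain_scheme": {}, "interfaces": {}}
    ctx = cur = scheme = domain = None      # ctx: None (global), "aaa", "interface"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                      # VRP block separator
            ctx = cur = scheme = domain = None
        elif ctx is None:
            if m := re.match(r"voice-vlan mac-address (\S+) mask (\S+)", line):
                cfg["voice_ouis"].add(oui_key(m[1], m[2]))
            elif m := re.match(r"mac-authen domain (\S+) mac-address (\S+) mask (\S+)", line):
                cfg["mac_auth_domain"][oui_key(m[2], m[3])] = m[1]
            elif line == "aaa":
                ctx = "aaa"
            elif m := re.match(r"interface (\S+)", line):
                ctx, cur = "interface", m[1]
                cfg["interfaces"][cur] = {"voice_vlan": None, "pvid": None, "mac_bypass": False}
        elif ctx == "aaa":
            if m := re.match(r"domain (\S+)", line):
                domain = m[1]
            elif m := re.match(r"authentication-scheme (\S+)", line):
                if domain is None:           # scheme definition
                    scheme = m[1]
                else:                        # scheme bound to a domain
                    cfg["domain_scheme"][domain] = m[1]
            elif (m := re.match(r"authentication-mode (\S+)", line)) and scheme:
                cfg["scheme_mode"][scheme] = m[1]
        elif ctx == "interface":
            itf = cfg["interfaces"][cur]
            if m := re.match(r"voice-vlan (\d+) enable", line):
                itf["voice_vlan"] = int(m[1])
            elif m := re.match(r"port hybrid pvid vlan (\d+)", line):
                itf["pvid"] = int(m[1])
            elif line.startswith("dot1x mac-bypass"):
                itf["mac_bypass"] = True
    return cfg


def audit(cfg):
    """Return (interface, oui, domain, pvid, voice_vlan) for each interface where a
    phone OUI would pass open MAC auth and be bound to a data-VLAN PVID before
    LLDP can move it into the voice VLAN."""
    findings = []
    shared = sorted(cfg["voice_ouis"] & set(cfg["mac_auth_domain"]))
    for name, itf in cfg["interfaces"].items():
        vv, pvid = itf["voice_vlan"], itf["pvid"]
        if vv is None or pvid is None or pvid == vv or not itf["mac_bypass"]:
            continue
        for oui in shared:
            dom = cfg["mac_auth_domain"][oui]
            if cfg["scheme_mode"].get(cfg["domain_scheme"].get(dom)) == "none":
                findings.append((name, oui, dom, pvid, vv))
    return findings


if __name__ == "__main__":
    for name, oui, dom, pvid, vv in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{name}: voice OUI {oui} passes open MAC auth in domain {dom}; "
              f"it will be bound to PVID {pvid} instead of voice VLAN {vv}")
```

On the sample, Ethernet0/0/13 is reported and Ethernet0/0/5 is not, because only the former has dot1x mac-bypass enabled; this matches the observation in the troubleshooting process that disabling mac-bypass on the interface lets the phone obtain a 10.23.197.0/24 address. Running the same audit against the real exported configuration of CSS1 and CSS2 would list every access interface that needs one of the changes in the solution.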
Solution
1. The interface is currently configured with MAC bypass authentication; the authentication domain assigned to the phones uses authentication-mode none, while PCs use RADIUS authentication. Change the interface PVID to the voice VLAN and have the RADIUS server deliver a dynamic VLAN to PC users.
2. Separate the phones and the PCs onto different interfaces, and do not configure authentication on the interfaces that connect to phones.