LLDP, Voice and Port Security on Comware 7
Getting a practical deployment of 802.1x on the wired network running Comware 7 is something that’s been on my radar for a while now. Until recently, we had a working (for our system) configuration that would automatically drop desk phones onto the voice VLAN based on the OUI observed.
While it’s not the most secure configuration, the phone would pick up the voice settings from DHCP on the untrusted VLAN. By the time the phone was re-configuring to the voice VLAN, the switch was told to trust it as tagged traffic on the voice VLAN. Nice and simple but very effective under Comware 5.
Sadly, the switches we operate are end of sale and thus we’ve been moved onto Comware 7. The behaviour is a little different here. Firstly, the phone is not actually dropped into the untrusted VLAN at any point. The switch simply drops most of the traffic from it until a decision has been reached. If that means it’s told to expect the tagged voice VLAN, the switch will continue to drop untagged traffic from the phone.
That’s a problem. We can resolve this by telling the phone to use the voice VLAN specifically through LLDP. While that does mean the phone will drop onto the correct VLAN, we do run into a problem on the switch. Turns out that the fact the phone’s talking anything but the untrusted VLAN initially results in the switch not trusting it. The MAC address is blocked as a security problem before the MAC authentication even starts.
At that point our phone stops working. Whoops!
The fix is rather simple thankfully. Remove the LLDP configuration from the port. This means the phone will now try to talk on the native VLAN.
As a second stage you will need to reconfigure your RADIUS server. Specifically, to make use of the Egress-VLANID feature. By configuring this field to be sent twice, we can configure a tagged and an untagged VLAN for the switch to accept phones on.
By setting the untagged VLAN to be the untrusted VLAN, we’re back to the behaviour we observed on the Comware 5 switches. And the best bit is that the RADIUS configuration works on both generations successfully.
Ideally, we shouldn’t have faced the problem by configuring the phones to use 802.1x authentication. But on the up side, we do now have a feature in Comware 7 where we can trigger both 802.1x and MAC address authentication simultaneously.