Vlan Management Policy Server by amo74898

802.1X Authentication, Link Layer Discovery Protocol, LLDP-Media Endpoint Discovery, and Avaya IP Telephones

Definitions

Acronym       Definition
ANSI          American National Standards Institute
CNA           Converged Network Analyzer
DHCP          Dynamic Host Configuration Protocol
EAP           Extensible Authentication Protocol
EAPoL         Extensible Authentication Protocol over LAN
HTTP          Hypertext Transfer Protocol
IEEE          Institute of Electrical and Electronics Engineers
LAN           Local Area Network
LLDP          Link Layer Discovery Protocol
LLDP-MED      Link Layer Discovery Protocol – Media Endpoint Discovery
MAC           Media Access Control
MIB           Management Information Base
OID           Object Identifier
PoE           Power over Ethernet
SNMP          Simple Network Management Protocol
TFTP          Trivial File Transfer Protocol
TIA           Telecommunications Industry Association
TLS           Transport Layer Security
TLV           Type-Length-Value
VLAN          Virtual Local Area Network

Introduction

Through the support of 802.1X security and Link Layer Discovery Protocol, Avaya IP
phones and PCs connected to the phone’s data port can be authenticated separately,
receive different port profiles for QoS and security policies, and communicate over
different VLANs. This is accomplished with onboard security features on both the
phones and Ethernet switches that help guarantee standards-based, enterprise-class secure
network access control. In addition, Avaya's support for LLDP provides the ability to use
discovered information such as device-type, software version and serial number for
inventory management. This same capability also provides a structured workflow for
problem diagnosis and root-cause analysis in case of user-reported communication issues.
When an IT administrator sees discovery protocol packets, they indicate that the phone is
operational, the cable is intact and Layer 2 traffic is functioning. Together, these features
provide a complete, interoperable, secure, and simple-to-deploy solution.

802.1X Overview

802.1X is an IEEE standard for port-based Network Access Control. It authenticates
devices attached to an Ethernet switch port, establishing a connection or
preventing access from that port if authentication fails. 802.1X is supported on most
Ethernet switches to authenticate hosts equipped with supplicant software, thus denying
unauthorized access to the network. Upon detection of a new client (supplicant), the port
on the Ethernet switch (authenticator) is enabled and set to the unauthorized state. In
this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP,
is blocked at the data link layer. The authenticator sends an EAP-Request/Identity
to the supplicant, and the supplicant replies with an EAP-Response packet that
the authenticator forwards to the authenticating server. The authenticating server can
accept or reject the request; if it accepts, the authenticator sets the
port to the authorized state and normal traffic is allowed. When the supplicant logs
off, it sends an EAPoL logoff message to the authenticator. The authenticator then
sets the port to the unauthorized state, once again blocking all non-EAP traffic.

802.1X pass through on Avaya IP Phones (Only PC Authenticates)

Beginning with release 2.3.2, Avaya IP telephones supported 802.1X forwarding via
EAPoL (Extensible Authentication Protocol over LAN) which allows for the laptop or
workstation connected to the LAN port on the back of Avaya phones to authenticate with
an Ethernet switch on the network. The telephone will transparently pass through any
EAP method supported by the attached PC’s supplicant.

Normally, an 802.1X-enabled Ethernet switch port would be connected directly to a
single 802.1X supplicant so security is maintained. If more clients are connected to that
port, the first authenticated client opens the port and all other clients are able to enter the
network without the need for authentication. This mode is also known as Single
Supplicant mode. In this scenario only the host behind the phone can be authenticated
and the phone itself must be placed on a separate voice VLAN without authentication
taking place.

The phone can provide additional security for the network by sending an EAPoL logoff
to the Ethernet switch when the host behind it disconnects from the Ethernet port. This
functionality, also known as proxy logoff, prevents another host from using the port
without first authenticating via 802.1X.

802.1X Single Supplicant on Avaya IP Phones (Only Phone Authenticates)

As of firmware release 2.6 on the Avaya 4600 phones and release 1.0 on the Avaya 9600
phones, an 802.1X supplicant is embedded in the phones. The IP telephone can support
802.1X authentication when it is the only device connected to the Ethernet switch port.
Depending on the 802.1X setting of the IP Telephone, the phone can support
authentication from Ethernet switches that send either unicast or multicast 802.1X
(EAPoL) messages. However, the IP telephone supplicant currently supports only the
EAP-MD5 challenge authentication method for the telephone itself.

802.1X Multi Supplicant on Avaya IP Phones (PC and Phone Both Authenticate)

Firmware release 2.6 on the Avaya 4600 phones and release 1.0 on the Avaya 9600
phones also support 802.1X Multi Supplicant mode. This provides the most secure
solution combined with ease of deployment. The Ethernet switch port need only be
configured to support 802.1X Multi Supplicant mode and both devices will be
authenticated. The IP telephone supplicant currently supports only the EAP-MD5
challenge authentication method for the telephone itself. However, the telephone will
transparently pass through any EAP method supported by the attached PC’s supplicant. It
is important to note that as of August 2006 only the following vendors are known to have
released support for Multi Supplicant mode: Avaya, Extreme, Hewlett Packard (ProCurve),
and Cisco. Cisco currently only supports the feature on the 6500 series Ethernet
switch.
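
The three port behaviours described in the pass-through, proxy logoff and Multi Supplicant sections can be compared in a small model. This is an added example, not Avaya or switch-vendor code; the class and function names are hypothetical, the MAC addresses are constructed, and it assumes the switch does not see the PC's link drop because the phone sits between them.

```python
EAPOL, IPV4 = 0x888E, 0x0800     # EtherTypes: 802.1X (EAPoL) and ordinary IP traffic

class AuthenticatorPort:
    """Toy model of one 802.1X switch port (illustrative, not a vendor implementation)."""

    def __init__(self, multi_supplicant):
        self.multi_supplicant = multi_supplicant
        self.authorized = set()          # MACs the authentication server accepted

    def authenticate(self, mac, accepted):
        if accepted:
            self.authorized.add(mac)

    def logoff(self, mac):
        """EAPoL logoff, from the host itself or from the phone as proxy logoff."""
        self.authorized.discard(mac)

    def forwards(self, src_mac, ethertype):
        if ethertype == EAPOL:
            return True                  # 802.1X frames pass in every state
        if self.multi_supplicant:
            return src_mac in self.authorized    # decision is made per device
        return bool(self.authorized)     # single supplicant: the whole port is open

def pc_unplugs(multi_supplicant, proxy_logoff):
    """PC authenticates behind the phone, then leaves; a second host tries the port."""
    pc, other = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # constructed MACs
    port = AuthenticatorPort(multi_supplicant)
    before_auth = port.forwards(pc, IPV4)
    port.authenticate(pc, accepted=True)
    while_pc_online = port.forwards(other, IPV4)
    if proxy_logoff:
        port.logoff(pc)                  # phone saw its data port go down
    after_pc_left = port.forwards(other, IPV4)
    return before_auth, while_pc_online, after_pc_left
```

Each call returns whether IP traffic is forwarded before authentication, from a second device while the PC is online, and from a second device after the PC has left.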

Link Layer Discovery Protocol Overview

LLDP is a vendor-neutral Layer 2 protocol that allows a network device to advertise its
identity and capabilities on the local network. The protocol was formally ratified as IEEE
standard 802.1AB in May 2005. LLDP is positioned to replace proprietary protocols such
as Cisco Discovery Protocol (CDP) and Nortel Discovery Protocol (NDP). LLDP allows
network elements to advertise information and capabilities to neighboring devices, learn
neighboring device information and capabilities, and discover network topologies. LLDP
is currently supported by Avaya, Extreme, Hewlett Packard, and Mitel with widespread
vendor support expected in the near future.

LLDP - Media Endpoint Discovery Overview

LLDP-MED is an enhancement to the 802.1AB standard that provides “plug and play”
capability for VoIP networks. The LLDP-MED protocol was formally approved and
published as the standard ANSI/TIA-1057 by the Telecommunications Industry
Association (TIA) in April 2006. LLDP-MED can be used for auto-discovery of LAN
policies such as VLAN, QoS settings, extended and automated power management of
PoE endpoints, inventory management (manufacturer, software and hardware versions,
serial / asset number) and device location for E911 services.

LLDP on Avaya IP Phones

Effective with release 2.6 on the Avaya 4600 phones, the telephone is able to transmit
LLDP frames out its primary Ethernet port. The IP Telephone can also process selected
LLDP frames received on its primary Ethernet port. No configuration of the IP Telephone
is required to enable LLDP operation. However, note that the IP Telephone will not send
out any LLDP information until it first receives an LLDP packet from the Ethernet
switch. Avaya IP Telephones use Type-Length-Value (TLV) elements specified in IEEE
802.1AB-2005 as well as proprietary elements.

Prior to the availability of LLDP support, Avaya IP phones typically received a DHCP
parameter on the untagged VLAN informing the phone that it should place itself on a VLAN
other than the native VLAN. The phone starts DHCP on the native VLAN (also
referred to as the port VLAN in the IEEE standard). When the phone sees that the VLAN
parameter is not the native VLAN, it releases the initial DHCP lease, performs a
soft reset and begins DHCP on the tagged VLAN.

With the introduction of LLDP there is no longer a need to configure VLAN tagging
manually, by DHCP or by TFTP/HTTP. Through the LLDP protocol, the phone
communicates with the Ethernet switch to learn the voice VLAN ID. VLAN IDs learned
via LLDP are the absolute authority if settings are also provided from other sources.

In addition to the VLAN ID, the phone can also modify the following settings based on
what it learns via LLDP:

      Call Server IP Address
      TLS, HTTP, & TFTP Server Address
      802.1Q Framing
      PoE Conservation: This proprietary TLV can initiate a power conservation mode.
       The telephones that support this will turn on/off the telephone backlight and the
       backlight of an attached EU24BL Button Module in response to this TLV.

Furthermore, Avaya IP phones can report a wide array of information via LLDP as listed
below.

      IPv4 IP address of telephone.
      MAC address of the telephone.
      Time-To-Live (120 seconds)
      The Host Name sent to the DHCP server in DHCP option 12
      System Capabilities - Bit 2 (Bridge) if the secondary port is enabled. Bit 5
       (Telephone) if the telephone is registered.
      Management Address of telephone - Interface number subtype = 3 (system port),
       Interface number = 1, OID = SNMP MIB-II sysObjectID of the telephone.
      MAC / PHY Configuration / Status - Reports autonegotiation status and speed of
       the uplink port on the telephone.
      Avaya Proprietary PoE Conservation Level Support - Provides Power
       Conservation abilities/settings, Typical and Maximum Power values.
      Call Server IP Address
      Avaya Proprietary IP Phone Addresses - Phone IP Address, Phone Address Mask,
       Gateway IP address.
      Avaya Proprietary CNA Server IP Address
      Avaya Proprietary File Server IP Address
      Avaya Proprietary 802.1Q Framing - 802.1Q Framing = 1 if tagging or 2 if not.

LLDP-MED on Avaya IP Phones

Effective with release 2.6 on the Avaya 4600 phones, LLDP-MED extensions are
supported. Avaya IP Telephones use Type-Length-Value (TLV) elements specified in
TIA TR-41 Committee - Media Endpoint Discovery (LLDP-MED, ANSI/TIA-1057).
Avaya IP telephones can report the following information via LLDP-MED:

      LLDP-MED Capabilities: Media Endpoint Discovery - Class III – IP Telephone
      Network Policy: Tagging (Yes/No), VLAN ID for voice, L2 Priority, DSCP
       Value
      Inventory – Hardware Revision: MODEL - Full Model Name
      Inventory – Firmware Revision: BOOTNAME
      Inventory – Software Revision: APPNAME
      Inventory – Serial Number: Telephone serial number
      Inventory – Manufacturer Name: Avaya
      Inventory – Model Name: MODEL4 - 4 character name.

Summary

A commitment to open standards protocols and interoperability is fundamental to the
Avaya architectural strategy for Intelligent Communications. By supporting industry
standards such as 802.1X, 802.1AB and ANSI/TIA-1057, Avaya has delivered flexible,
secure and simple mechanisms for deploying and supporting its IP telephones. Avaya’s
support of industry standards facilitates third-party interoperability and thus customer
choice.

While these technologies can be implemented independently, they can also be combined
to provide a more robust, secure solution than the proprietary solutions available today.
Without 802.1X supplicant support, the voice VLAN would be more vulnerable to threats
and it would be extremely difficult to prevent unauthorized devices from connecting to
the network in general. LLDP simplifies provisioning and management by delivering a
standard and flexible tool for discovery of devices and capabilities on the network.
LLDP-MED extensions further enhance the solution with “plug and play” capabilities for
VoIP networks.

References:

http://www.ieee802.org/1/pages/802.1x.html

http://www.ieee802.org/1/pages/802.1ab.html

http://www.tiaonline.org/standards/

								