Nortel 2350 用户指南
Configuring and managing security ACLs 437
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Enabling SVP optimization for SpectraLink phones
SpectraLink’s Voice Interoperability for Enterprise Wireless (VIEW) Certification Program is designed to ensure
interoperability and high performance between SVP phones and WLAN infrastructure products. Nortel WSSs and APs
are VIEW certified. This section describes how to configure WSSs and APs for SVP phones.
interoperability and high performance between SVP phones and WLAN infrastructure products. Nortel WSSs and APs
are VIEW certified. This section describes how to configure WSSs and APs for SVP phones.
Nortel recommends that you plan for a maximum of 6 wireless phones per AP.
To configure WSS Software for SVP phones, perform the following configuration tasks:
•
Install APs and configure them on the switch. (The examples in this section assume this is already done.)
•
Configure a service for the voice SSID. The service profile also specifies the encryption parameters to use for the
SSID. This section shows configuration examples for WPA and for RSN (WPA2).
SSID. This section shows configuration examples for WPA and for RSN (WPA2).
•
Configure a radio profile to manage the radios that will provide service for the voice SSID.
•
Configure a VLAN for the voice clients.
•
Configure a last-resort user in the local database.
•
Configure an authentication and accounting rule that allows clients of the voice SSID onto the network and places
them in the voice VLAN.
them in the voice VLAN.
•
Configure an ACL that marks ingress and egress traffic to and from the voice VLAN with CoS value 7.
Known limitations
•
You cannot have WPA and WPA2 configured on handsets simultaneously within the same ESSID. SVP phones will
not check-in.
not check-in.
•
You must disable IGMP snooping when running SpectraLink’s SRP protocol. SRP uses multicast packets to
check-in which are not forwarded through the WSS when IGMP snooping is enabled. When a tunneled VLAN is
configured over a Layer 3 network, IGMP snooping must be disabled each time the tunnel is established, because
the virtual VLAN is established with IGMP snooping turned on by default.
check-in which are not forwarded through the WSS when IGMP snooping is enabled. When a tunneled VLAN is
configured over a Layer 3 network, IGMP snooping must be disabled each time the tunnel is established, because
the virtual VLAN is established with IGMP snooping turned on by default.
Configuring a service profile for RSN (WPA2)
To configure a service profile for SVP phones that use RSN (WPA2):
•
Create the service profile and add the voice SSID to it.
•
Enable the RSN information element (IE).
•
Disable TKIP and enable CCMP.
•
Disable 802.1X authentication and enable preshared key (PSK) authentication instead.
•
Enter the PSK key.
The following commands configure a service profile called vowlan-wpa2 for RSN:
WSS# set service-profile vowlan-wpa2 ssid-name phones
WSS# set service-profile vowlan-wpa2 rsn-ie enable
WSS# set service-profile vowlan-wpa2 cipher-tkip disable
WSS# set service-profile vowlan-wpa2 cipher-ccmp enable
WSS# set service-profile vowlan-wpa2 auth-dot1x disable
WSS# set service-profile vowlan-wpa2 auth-psk enable
WSS# set service-profile vowlan-wpa2 psk-raw
WSS# set service-profile vowlan-wpa2 rsn-ie enable
WSS# set service-profile vowlan-wpa2 cipher-tkip disable
WSS# set service-profile vowlan-wpa2 cipher-ccmp enable
WSS# set service-profile vowlan-wpa2 auth-dot1x disable
WSS# set service-profile vowlan-wpa2 auth-psk enable
WSS# set service-profile vowlan-wpa2 psk-raw
c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d