Confusion about voice vlan

Confusion about voice vlan !! ???

The main reason why I decide to create posts like this one despite the fact that there are millions if not more similar posts, explanations and websites out there on the internet is mainly because I simply enjoy gathering all relevant information from various sources then combine it all into a single unit so we do not have to jump from one website to another in order to find whatever we’re after, this relates to Cisco and Cisco only of course 🙂

This setup is most definitely what you have in your office environment. First check how your PC connects to your desk phone, then trace the cable from the phone: it most likely connects to an RJ45 floor port under your desk, then runs through the walls of your company all the way back to your company's comms room (data centre), where it connects to a patch panel in one of the network cabinets and from there directly to an L2 switch, which then goes to your business's L3 core switches, routers, firewalls, etc.



I have spent really long hours on this one, especially the one that involves the 802.1p tag.

I have been looking into this like a madman and must admit that Voice combined with QOS is not the easiest to understand.

The reason why it takes so long to prepare for the LAB is that you never know what Cisco is going to ask you to configure or troubleshoot, so we need to know and understand it all !!

The upstream switch communicates with the Cisco IP phone using CDP to set up an interconnection link that allows the Cisco IP phone to send VoIP packets on its uplink port back to the switch, either in the VoIP VLAN or in the data VLAN.

So there are 4 modes to set up a switch port you expect to plug a phone into (Interface Ethernet 4/0 connects to the phone)

1. First, you can just use a regular access port. In this mode, the phone traffic and the PC data both land on the same access VLAN and there is no way to distinguish between the two. Two things to note: because the traffic uses the same VLAN, you have a security risk, and you have no ability to provide QoS priority to only the phone. Any QoS is applied to ALL traffic coming in on that switch port.

Rack5SW2(config)#int ethernet 4/0
Rack5SW2(config-if)#switchport mode access
Rack5SW2(config-if)#switchport access vlan 79


Rack5SW2(config)#int ethernet 4/0
Rack5SW2(config-if)#switchport mode access
Rack5SW2(config-if)#switchport voice vlan none





2. Now we see the special 802.1Q trunk, where CDP is required. The second mode is referred to as “untagged”. Cisco doesn’t use the term untagged too often, but when you create a dot1Q trunk, every packet entering the switch needs to have a VLAN tag to specify which VLAN number it belongs to. Any packets entering the trunk port without a VLAN tag are dumped into the untagged VLAN or, as Cisco calls it, the native VLAN.
By default this is VLAN 1, so you probably need to specify an untagged VLAN for this method.

Rack5SW2(config)#int ethernet 4/0
Rack5SW2(config-if)#switchport trunk encapsulation dot1q
Rack5SW2(config-if)#switchport mode trunk
Rack5SW2(config-if)#switchport trunk native vlan 146
Rack5SW2(config-if)#switchport trunk allowed vlan 79,146
! The allowed-vlan line above is optional; VLAN 79 is for data
Rack5SW2(config-if)#switchport voice vlan untagged





3. Third, we have the dot1p mode. This mode is just like the first method, but this time you gain the QoS abilities by adding an 802.1p CoS tag. The phone will actually tag its own voice traffic with a VLAN ID equal to 0 and send it with an 802.1p priority of 5 by default (call control gets a priority of 3). The benefit of this mode is that you get QoS abilities without needing a separate voice VLAN created on your switches and routers. The PC traffic should have the default priority of 0, or best effort.

Rack5SW2(config)#int ethernet 4/0
Rack5SW2(config-if)#switchport mode access
Rack5SW2(config-if)#switchport access vlan 79
Rack5SW2(config-if)#switchport voice vlan dot1p





4. Fourth is the most common method, the vlan-id option, and it is most likely the one used in your office.
Create a VLAN on your routers and switches that will be used just for phones. The phone will now send voice packets tagged with your voice VLAN ID to the switch, with Layer 3 IP precedence and Layer 2 CoS values, which are both set to 5 by default, while the data packets are sent along untagged to the access VLAN.

Rack5SW2(config)#int ethernet 4/0
Rack5SW2(config-if)#switchport mode access
Rack5SW2(config-if)#switchport access vlan 79
Rack5SW2(config-if)#switchport voice vlan 146

Note that spanning-tree portfast is automatically enabled as soon as “switchport voice vlan ID” is applied
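
What the phone's frames look like on the wire in the modes above, as an added example that is not part of the original post: a Python decoder for the 802.1Q tag that separates untagged frames, priority-tagged frames (VLAN ID 0, as in the dot1p mode) and frames tagged with a voice VLAN ID. The sample frames are constructed; the MAC addresses, payload and function names are placeholders chosen for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def decode_vlan_tag(frame: bytes) -> dict:
    """Classify an Ethernet frame as untagged, priority-tagged or vlan-tagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return {"kind": "untagged", "pcp": None, "vid": None, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    pcp = tci >> 13      # 3-bit 802.1p priority (CoS)
    vid = tci & 0x0FFF   # 12-bit VLAN ID; 0 means "priority tag only"
    kind = "priority-tagged" if vid == 0 else "vlan-tagged"
    return {"kind": kind, "pcp": pcp, "vid": vid, "ethertype": inner}

def build_frame(pcp=None, vid=None, ethertype=0x0800) -> bytes:
    """Build a constructed sample frame (placeholder MACs, dummy payload)."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if pcp is None:
        return macs + struct.pack("!H", ethertype) + b"\x00" * 46
    tci = (pcp << 13) | vid
    return macs + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + b"\x00" * 46

# Constructed samples using the post's defaults: CoS 5 for voice,
# CoS 3 for call control, voice VLAN 146.
SAMPLES = {
    "PC data, untagged": build_frame(),
    "voice, dot1p mode": build_frame(pcp=5, vid=0),
    "call control, dot1p mode": build_frame(pcp=3, vid=0),
    "voice, voice vlan 146": build_frame(pcp=5, vid=146),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label}: {decode_vlan_tag(frame)}")
```
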






Now log on to a few access switches in your company, check the switchport configuration and compare it with all the examples above. Also, if and ONLY if you have an opportunity and you’re convinced you will not affect any of your business's daily operations, go ahead and lab it up. I guess for that you could use your own office desk phone just to minimise risk; well, I’ll leave it for you to decide 🙂

If you have come across any other switchport configuration for Voice and Data, please go ahead and post a comment so we can all learn from one another.
Enjoy !
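
One way to run that comparison over many ports, as an added example that is not the author's code: a Python script that reads interface stanzas from running-config text, labels each port with one of the four modes above, and lists the ports that carry a voice VLAN ID. The sample configuration is constructed from the post's VLAN numbers, and the function names are hypothetical.

```python
import re

# Constructed sample; interface names and VLAN numbers mirror the post's examples.
SAMPLE_CONFIG = """\
interface Ethernet4/0
 switchport mode access
 switchport access vlan 79
 switchport voice vlan 146
!
interface Ethernet4/1
 switchport mode access
 switchport access vlan 79
 switchport voice vlan dot1p
!
interface Ethernet4/2
 switchport mode trunk
 switchport trunk native vlan 146
 switchport voice vlan untagged
!
interface Ethernet4/3
 switchport mode access
 switchport access vlan 79
"""

def classify_ports(config: str) -> dict:
    """Map each interface to (mode label, voice VLAN ID or None)."""
    result, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^interface (\S+)", line):
            current = m.group(1)
            result[current] = ("1: plain access port", None)
        elif current and (m := re.match(r"^\s+switchport voice vlan (\S+)", line)):
            arg = m.group(1)
            if arg.isdigit():
                result[current] = ("4: voice vlan-id", int(arg))
            elif arg == "dot1p":
                result[current] = ("3: dot1p", None)
            elif arg == "untagged":
                result[current] = ("2: untagged", None)
            # "none" leaves the port classified as a plain access port
    return result

def ports_with_voice_vlan_id(config: str) -> list:
    """Ports that carry a tagged voice VLAN, whether or not a phone is attached."""
    return sorted(p for p, (_, vid) in classify_ports(config).items() if vid is not None)

if __name__ == "__main__":
    for port, (mode, vid) in classify_ports(SAMPLE_CONFIG).items():
        print(port, mode, vid)
```
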
















About ccie4all
Hello, and welcome to the first post of my CCIE blog. This blog has got one simple goal and that is to improve our skills in the Cisco Networking field so we can become the best engineers on the job market. Wordpress Blog information about the changes made to Gns3 BGP , MPLS and R&S CCIE labs. In order to access and download all provided materials and receive important updates from Gns3 BGP , MPLS and R&S CCIE labs under GNS3 tab in the main header please go ahead and subscribe to ! All other posts have not been affected and can be accessed at any given time. Enjoy ! Tom

6 Responses to Confusion about voice vlan

  1. Pingback: Confusion about voice vlan | ytd2525

  2. Terry says:

    I am implementing VoIP using example 4 above. This question has arisen, “Can all interfaces safely have the command SWITCHPORT VOICE VLAN XXX?” even though there may not be a phone plugged in. I have tested and found it works, which is no surprise, but is there a security or other risk in doing so? sh spanning-tree interface gx/xx on one such port with a printer attached (but no phone) shows that both the data and voice vlans are being forwarded. It’s easy enough to say just don’t set a voice vlan where not needed. On the other hand it’s nice to allow phones to move around (and they will) without generating trouble tickets constantly. Thoughts?

    • ccie4all says:

      Hi Terry,
      Well potentially “yes” however I personally have not seen it in action !

      The “SWITCHPORT VOICE VLAN XXX” feature allows a PC to be daisy chained to an IP Phone and the connection for both PC and Phone to be trunked through the same physical Ethernet cable, so effectively we could use a testing laptop (attacker) and if the laptop had an IP address on the voice VLAN, it would have unrestricted access to the data network unless a firewall was in place protecting specifically the voice VLAN from the corporate data network, which is not very common in practice.

      You could simply have a Linux PC enabled for 802.1q VLAN tagging (by default PCs are not enabled for this feature) and if the DHCP server returns a DHCP lease for an IP address, then any PC can successfully VoIP Hop onto the Voice VLAN, simulating the behaviour of an IP Phone and, like I specified before, have unrestricted access to the data network.

      Two PCs daisy-chained together where one of them (attacker) configured for 802.1q VLAN tagging and acting as an IP Phone

      This is the only instance I could think of from the top of my head !


  3. Pingback: Fredrik's CCNP thread - Page 6

  4. Navaneeth says:

    Hi Tom,

    Thanks for a wonderful explanation of all possibilities with the voice vlan configurations.
    Just to understand, I have the fourth setup in my office and accidentally connected an Access point on that interface. The issue is, when I did so I was not able to communicate with the Access point, where the Access point is configured with the Data vlan ip address range. But when I removed the Voice vlan all started working fine. Can you advise what could have happened because of the same?


  5. Eason says:

    Thanks for your nice post!

    Regarding the 2nd mode, the phone will send untagged voip packets to the switch and they will be put into vlan 146, but how could the phone know which vlan tag it should put onto the data packets?
