Voice VLAN

Thank you so much for replying!

If I wanted to have a phone connected to a switch and wanted to use the command:

switchport voice vlan dot1p

I understand this command is for the switch and not the phone. If this is applied on a switch interface, how would the phone send the ethernet frame with 802.1q tag with a VLAN 0 and some priority bits set up in the PCP section? Are there commands that are put on to the phone directly? Because I’m only aware of the commands that I mentioned previously that go on to a switch and not a phone.

Thank you!

Hello Grant

In the case of a Cisco IP phone with a Cisco switch, when you configure the command switchport voice vlan 10 for example, the switch and the phone will use CDP to communicate to obtain the information they need to function. Under such circumstances, a phone will send its voice frames with a VLAN tag of 10 (info that has been received using CDP), and any frames received from a connected PC would be sent without a tag, and the switch would interpret them as frames on the access VLAN configured on the switchport.

In the event that you use the switchport voice vlan dot1p command, the switch will tell the phone using CDP of this configuration. The phone will then send all voice frames tagged but with a VLAN of 0, and send all data traffic from any connected PC without a tag. The result is that the switch will place both voice and data frames on the access VLAN configured on the port, but will retain the QoS info in the tag for the voice frame, and use it accordingly.

Now if you’re not using a Cisco phone, then you don’t have the benefit of CDP, so you will then have to manually configure the phone to use the appropriate VLAN tag for voice, for both of the above scenarios.

I hope this has been helpful!

Laz

1 Like
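
The tagging cases described in the reply above, as an added example that is not part of the original posts: a simplified Python model (not Cisco's implementation) of how an access port with a voice VLAN classifies ingress frames. The function names, the sample frames, and the rule that any other VLAN ID is dropped are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(vid=None, pcp=0):
    """Constructed sample frame: locally administered MACs, IPv4 EtherType, dummy payload."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

def parse_vlan_tag(frame):
    """Return (pcp, dei, vid) for an 802.1Q-tagged frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def classify(frame, access_vlan, voice_vlan):
    """Model ingress handling on a voice-VLAN access port.

    voice_vlan is an int (switchport voice vlan <id>) or the string "dot1p".
    Returns (vlan, pcp), with pcp None for untagged frames, or None when the
    frame is not accepted (assumption: other VLAN IDs are dropped).
    """
    tag = parse_vlan_tag(frame)
    if tag is None:
        return access_vlan, None          # untagged PC traffic -> access VLAN
    pcp, _dei, vid = tag
    if vid == 0:
        # Priority-tagged frame: VLAN 0 carries no membership, only the PCP bits.
        return access_vlan, pcp
    if voice_vlan != "dot1p" and vid == voice_vlan:
        return voice_vlan, pcp            # tagged voice traffic -> voice VLAN
    return None
```
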

Thank you so much Lazaros for explaining!!

1 Like

Hello Team,

I made a setup on an L3 switch with the same VLAN for voice and data. When I test, the PC is working fine but the phone cannot register.

interface GigabitEthernet0/1
 description Workstation
 switchport access vlan 55
 switchport mode access
 switchport voice vlan 55
 load-interval 30
 spanning-tree portfast

I cannot figure this out, am I maybe missing some configuration? On this VLAN SVI I’m using DHCP helper address.
Thank you in advance.

BR

Hello Milan

First of all, the best practice is to have a different voice VLAN and a different data VLAN. This way you can ensure that security features are in place that will not allow someone on the VLAN to eavesdrop on conversations, as well as being able to apply QoS features on the VLAN tag of the Voice VLAN such that proper priorities are being set.

Now having said that, it is possible to configure the switch as you have it in your post, even if it is not recommended. If the phone is not registering, then the problem is probably not the voice VLAN. For phone registration problems, take a look at the following:

  1. Make sure the DHCP server is reachable from that VLAN
  2. Make sure Option 150 on the DHCP server is configured and provides the correct TFTP server
  3. Make sure the TFTP server is reachable from the voice VLAN.

I hope this has been helpful!

Laz

1 Like

Hello,

If the data VLAN traffic is untagged, how does the switch know which VLAN it belongs to?
I suppose it knows because the switchport is configured with the vlan 100, but does the data traffic get tagged once it arrives in the switchport?

Thanks,
Chris

Hello Christos

When you configure a port to be used with an IP phone and a workstation together, you configure it like so:

SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 100
SW1(config-if)#switchport voice vlan 101
SW1(config-if)#exit

Where VLAN 100 is the data VLAN, and VLAN 101 is the voice VLAN.

What does this tell the switch? Well, first notice that the mode is access. This means that we can expect untagged frames on this port. But what VLAN will these untagged frames be placed on? Well, the switchport access vlan 100 command tells us that untagged frames will be placed on VLAN 100.

So far, the configuration we’ve talked about is the same as that of any access port on a switch, as shown in this lesson.

All the magic happens with the next and final command of switchport voice vlan 101. This tells the switch that it can expect tagged frames with a VLAN tag of 101 on this port.

This behavior is similar to a trunk port that has been configured with a native VLAN. Take a look at this:

SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 101
SW1(config-if)#switchport trunk native vlan 100
SW1(config-if)#exit

This configuration works exactly the same way as the voice VLAN configuration. Untagged frames are placed on the configured native VLAN of 100 while tagged frames with an ID of 101 are also accepted by the port.

So why do we use the voice VLAN configuration? Because it automatically configures additional parameters that are unique to IP phones, and in particular, to Cisco IP phones. It enables CDP communication between the switch and the phone that allows the devices to negotiate various parameters such as PoE and QoS. But fundamentally, the connectivity, VLANs, and tags work the same way for both configurations above.

I hope this has been helpful!

Laz

2 Likes

Hello,

I understand it now. Thanks again for the detailed explanation.

Chris

1 Like

Hi Laz,
If for some reason I have to disable CDP, does Voice VLAN still work?

Hello TE-EN LIN

CDP will inform the IP phone of the voice VLAN and will also let it know about the CoS values the phone should configure for its voice traffic. If you disable CDP, then you must manually configure the voice VLAN on the IP phone. It will still work, but you need to take that extra step of manual configuration on the IP phone.

If you’re using a non-Cisco phone that doesn’t speak CDP, then you will have to configure the voice VLAN on the phone anyway.

I hope this has been helpful!

Laz

Thanks Laz. You’re very kind.
May I ask how to configure it if CDP is disabled or when connecting to a non-Cisco device?

Hello TE-EN LIN

That depends upon the manufacturer of the phone. Some phones have a web interface that you can connect to via their IP address where you can configure Voice VLAN and other parameters as well. Others allow you to make the change on the physical screen of the phone, either using a touchscreen or using specific menu keys. You’ll have to check out each manufacturer’s instruction manual.

For Cisco phones, most can be configured manually via the web interface, or the phone’s menus.

I hope this has been helpful!

Laz

What is the process if you’re adding a Voice VLAN on a router connected to a Switch interface? Would that config be under an interface of the router?

Hello Lewis

A voice VLAN can only be configured on a switch. Remember, it is used to separate the voice and data on a particular switchport. The voice is placed on a voice VLAN, which corresponds to a particular network segment or subnet, while the data is placed on a data VLAN, which also corresponds to another particular network segment or subnet.

A router may act as the default gateway for a particular voice VLAN to route its traffic to its destination, however, you don’t need any specialized VLAN configuration on the router for such scenarios.

In particular, keep in mind that the voice VLAN configuration should only be applied on switchports that connect to IP phones. It should never be applied to switchports connecting to routers or other switches. Does that make sense?

I hope this has been helpful!

Laz

Hi Rene,

You wrote:

Behind the scenes, we have a trunk between our switch and IP phone. The port on the IP phone that connects to the computer is an access port.

Then afterward you wrote during the configuration:

SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 100
SW1(config-if)#switchport voice vlan 101

Why mode access if you said we have a trunk?

Thank you

Hello Vladimir,

I understand the confusion. This is however how we configure an IP phone on a Cisco switch.

In reality (behind the scenes), it’s the same as a trunk because it’s using VLAN tagging to separate the data VLAN from the voice VLAN.

Rene

Hi Rene

Thank you, understood.
You mean that the mode of the port is access mode, meaning it does not do any tagging, right?
But the port itself is: Operational Trunking Encapsulation: dot1q

Hello Vladimir

When you configure a port to function using a Voice VLAN, you configure it as an access port on a particular VLAN. If you then configure a voice VLAN on that port using the voice vlan X command (where X is the voice VLAN ID) then only those frames on VLAN X will be tagged when being sent on that port. The phone on the other end of the link will also operate in the same way, sending tagged traffic only on VLAN X and untagged traffic on the access VLAN configured.

The result is that the port itself is not a trunk, it is an access port, but Rene is saying that it is acting like a trunk, but only for the voice VLAN. You can see in the output of the show interface switchport command, that it says operational trunking encapsulation: native. This means that frames forwarded out of that specific port will not have any trunking header appended to them (i.e., the frames are untagged and are treated as if they are in a dot1q native vlan, hence the status of “native”).

So ultimately, the port is still considered an access port, but it functions as a trunk only for the voice VLAN. Does that make sense?

I hope this has been helpful!

Laz

Hello Laz,

I wanted to discuss what potential issues may arise from using the voice vlan command on switchports that connect end user devices that are not IP phones and do not process/understand tagged frames. Assume the following configuration on a layer 2 switchport:

SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 100
SW1(config-if)#switchport voice vlan 101

which would have the same effect as:

SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 100
SW1(config-if)#switchport trunk allowed vlan 101

I understand the behavior due to this configuration would be that any untagged frames received are assigned/placed on VLAN 100, and any tagged frames received that are marked with a VLAN ID of 101 would of course be assigned to VLAN 101. In the egress direction, any frames from VLAN 100 needing to be forwarded out of this switchport would be forwarded untagged towards the end user device. Any frames from VLAN 101 that are forwarded out of this port would be tagged with a VLAN ID of 101. Given this behavior, I believe using the voice VLAN command on a switchport with a non IP phone end user device that does not understand tagged traffic would be a misutilization and could cause performance issues with the end user device connected on this switchport.

As an example, let’s consider a scenario given the running configuration on a layer 2 switchport I mentioned above. Assume a relatively large switched network in which there are plenty of end user devices connected on switchports with the mentioned running config. Anytime a frame that originates on VLAN 101 egresses on those switchports, it will do so with an 802.1Q tag containing a VLAN ID of 101. The most likely scenario in which frames from VLAN 101 would egress on these switchports would be in situations where a switch would flood a frame within a layer 2 segment, such as unknown unicast frames that originated on VLAN 101, broadcast traffic originating on VLAN 101, and certain multicast traffic that originated on VLAN 101 depending on the configuration.

These tagged frames would then be forwarded to the end user devices connected on those ports. Not understanding tagged traffic, the end user devices would have to process and discard those frames, potentially causing disruptions to their performance.

Due to the points I have expressed, it would be a misutilization of the voice vlan command to be applied on switchports with non IP phone end user devices. Is this conclusion correct?

Thank You Laz

Hello Paul

What you have shared is for the most part correct. The two configs are functionally almost the same. The only difference is that with voice VLAN, CDP is used to inform any potential IP phone of the configured voice VLAN. Also, the port with the voice VLAN fundamentally functions as an access port as far as DTP and negotiation purposes go, while the other acts as a trunk.

Indeed, about 20 years ago, when I first started implementing IP telephony with Cisco, the second configuration was what we actually used on the switch to deploy IP phones with PCs connected to them! This was before the introduction of the voice VLAN configuration.

As you suggest, ideally, you should not configure a port with both a voice and data VLAN unless you are intending to connect an IP phone on that port. Otherwise, you would have the situation you describe.

Now the issue of end devices receiving tagged frames and discarding them, although correct, would have a minimal effect on efficiency. The more pressing issue is security. A malicious user could masquerade as an IP phone on such a port and gain access to the voice VLAN, and possibly any other voice devices (such as other phones, voice gateways, or IP PBXs) that may reside on that voice VLAN/subnet. For this reason, it is best to avoid such configurations.

For larger networks, it can be difficult to manually maintain the appropriate configurations. For a more scalable and manageable implementation, you can use 802.1X or MAB with device profiling to dynamically assign voice VLANs only when a phone is detected via CDP or LLDP.

I agree completely, thanks for the discussion!!

I hope this has been helpful!

Laz
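
A configuration check for two points raised in this thread (voice and data sharing one VLAN, and ports with a static voice VLAN but no 802.1X or MAB), as an added example that is not part of any post and not a Cisco tool. The function names are hypothetical, the list of authentication commands is a heuristic, and the sample config is constructed, with the first port reusing the VLAN numbers posted earlier in the thread.

```python
import re

# Interface sub-commands taken here as evidence that 802.1X or MAB is enforced.
AUTH_MARKERS = ("authentication port-control auto", "dot1x port-control auto", "mab")

def parse_interfaces(config):
    """Split IOS-style config text into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None                 # end of the interface block
        elif current is not None:
            current.append(line)
    return blocks

def audit_voice_ports(config):
    """Return {interface: [findings]} for every port with a voice VLAN configured."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        vlans = dict(m.groups() for c in cmds
                     if (m := re.fullmatch(r"switchport (access|voice) vlan (\S+)", c)))
        if "voice" not in vlans:
            continue                       # plain access port, nothing to review
        issues = []
        if vlans["voice"] == vlans.get("access"):
            issues.append("voice and data share one VLAN")
        if not any(c in AUTH_MARKERS for c in cmds):
            issues.append("voice VLAN is static with no 802.1X/MAB on the port")
        report[name] = issues
    return report

# Constructed sample input (not taken from a real device).
SAMPLE = """\
interface GigabitEthernet0/1
 switchport access vlan 55
 switchport mode access
 switchport voice vlan 55
!
interface GigabitEthernet0/2
 switchport access vlan 100
 switchport voice vlan 101
 authentication port-control auto
 mab
!
interface GigabitEthernet0/3
 switchport access vlan 100
"""
```
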