Monday, June 7, 2010

Voice Vlans

Cisco phones (and most enterprise VoIP phones) have a jack on the back to hook a computer to. This means the phone contains an embedded 3-port switch: one port goes to the PC, one to the voice stream (the phone itself), and one is the uplink to your company switch. If you use port security, this means you should allow 3 MAC addresses on the port: the phone's MAC address can be learned on both the voice and data VLANs, and the computer's will be learned on the data VLAN. (Although I have only ever seen two, three is Cisco best practice.)


Note that Cisco phones expect CDP to be enabled on the switch port, as they use it both to choose the correct PoE level and to negotiate a special dot1Q (802.1Q) trunk.

So there are 4 modes for setting up a switch port you expect to plug a phone into.

The voice VLAN command is: switchport voice vlan [vlan-id | dot1p | untagged | none]

1. First, you can just use a regular access port (in voice VLAN terms this is referred to as none). In this mode, both the phone traffic and the PC data land on the same access VLAN and there is no way to distinguish between the two. Two things to note: because the traffic is intermingled you have a security risk, and you have no ability to provide QoS (quality of service) priority to only the phone; any QoS is applied to all traffic coming in on that switch port. Specify switchport mode access to use this, or use the default switchport voice vlan none command.

2. Now we see the special 802.1Q trunk where CDP is required. The second mode is referred to as "untagged". Cisco doesn't use the term untagged nearly as much as other network vendors do, but when you create a dot1Q trunk, every packet entering the switch needs to have a VLAN tag to specify which VLAN number it belongs to. Any packet entering the trunk port without a VLAN tag is dumped into the untagged VLAN, or as Cisco calls it, the native VLAN. By default this is VLAN 1, so you probably need to specify an untagged VLAN for this method. Specify the native or untagged VLAN with the interface command switchport trunk native vlan [vlan #]. Then use the voice vlan command to instruct the phone to send its voice packets without attaching a VLAN tag: switchport voice vlan untagged

3. Third we have the dot1p mode. In this mode you gain the QoS abilities. The phone will actually tag its own voice traffic with VLAN 0 and send it with an 802.1p priority of 5 by default (call control gets a priority of 3). The benefit of this mode is that you get QoS abilities without needing a separate voice VLAN created on your switches and routers: switchport voice vlan dot1p

4. Fourth is the most common (and best in my opinion): the vlan-id option. Create a VLAN on your routers and switches that will be used just for phones. The phone will now send voice packets tagged with your voice VLAN ID to the switch, with QoS priority, while the data packets are sent along untagged to the access VLAN. The command is switchport voice vlan [vlanID]

Methods 2, 3, and 4 use a special dot1Q trunk that is negotiated through CDP messages and carries only up to 2 VLANs, one for voice and one for PC traffic.
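To make the three tagging behaviours concrete, here is an added Python example (not from the original post) that builds and parses 802.1Q-tagged Ethernet II frames the way a phone would emit them in the untagged, dot1p and vlan-id modes, and classifies a frame by what it finds in the tag. The MAC addresses, the voice VLAN number 110 and the stub payload are constructed sample values, not from the post.

```python
import struct

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def build_tag(vlan_id, pcp, dei=0):
    """4-byte 802.1Q tag: TPID, then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not (0 <= vlan_id <= 4095 and 0 <= pcp <= 7):
        raise ValueError("VID must be 0-4095 and PCP 0-7")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vlan_id)

def build_frame(dst, src, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; the tag sits between the source MAC and the EtherType and is
    only inserted when vlan_id is given, so vlan_id=None yields an untagged frame."""
    tag = b"" if vlan_id is None else build_tag(vlan_id, pcp)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_frame(frame):
    """Return (vlan_id, pcp, ethertype, payload); vlan_id is None for an untagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, 0, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, ethertype, frame[18:]

def voice_mode(frame):
    """Map what the phone put on the wire to the voice vlan mode that produces it:
    no tag -> 'untagged' (mode 2, or a plain access port, which looks identical);
    tag with VID 0 -> 'dot1p' (mode 3, only the priority bits are meaningful);
    tag with a real VID -> 'vlan-id' (mode 4)."""
    vid, _pcp, _eth, _payload = parse_frame(frame)
    if vid is None:
        return "untagged"
    return "dot1p" if vid == 0 else "vlan-id"

# Constructed sample values: MACs, voice VLAN 110 and the stub RTP payload are made up.
PHONE_MAC = bytes.fromhex("001122aabbcc")
PC_MAC = bytes.fromhex("001122ddeeff")
SWITCH_MAC = bytes.fromhex("00aabbccddee")
RTP_STUB = b"\x80\x00" + b"\x00" * 10
SAMPLES = {
    "pc data":            build_frame(SWITCH_MAC, PC_MAC, RTP_STUB),
    "voice dot1p":        build_frame(SWITCH_MAC, PHONE_MAC, RTP_STUB, vlan_id=0, pcp=5),
    "call control dot1p": build_frame(SWITCH_MAC, PHONE_MAC, RTP_STUB, vlan_id=0, pcp=3),
    "voice vlan 110":     build_frame(SWITCH_MAC, PHONE_MAC, RTP_STUB, vlan_id=110, pcp=5),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        vid, pcp, _, _ = parse_frame(frame)
        print(f"{name:20s} vid={vid} pcp={pcp} mode={voice_mode(frame)}")
```

The "pc data" and a mode-1 access-port frame are byte-for-byte the same on the wire, which is exactly why mode 1 gives the switch nothing to apply per-phone QoS to.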

To set a different QoS priority for the phone's voice packets, use the interface command switchport priority extend [cos value]. (You can also extend trust to the PC with the same command, but since I know you will get QoS trust boundary questions on the BCMSN test, I will give it its own post.)

To display the voice VLAN configuration for an interface, type show interface [interface id] or simply show running interface [interface id].

*CDP should always be enabled on an interface with a Cisco phone plugged in, so that the voice VLAN, trust, power settings, and QoS are set up properly with the phone.

*Voice VLANs automatically enable spanning-tree portfast (and it is not disabled when you remove the voice VLAN).

*Voice VLANs can cause conflicts with private VLANs; do not enable them on the same port.
