One of the more tedious parts of any phone system deployment is configuring the access layer switches to support said phones. The configuration in and of itself isn’t complicated, but every port that may receive a phone needs to be set up correctly. In Cisco parlance, this is accomplished with the switchport voice vlan <ID> command. I’ve typed that into the CLI a thousand times and never really knew what it did besides “make the phones work”. After a little research, I finally found some answers. I thought I’d share them with you.
In the old days, before the Catalyst 2950, configuring a switch port for use by a phone involved creating an explicit 802.1q trunk. This made sense from the perspective that it allowed traffic from multiple VLANs to pass on a single link. It also allowed the 802.1p priority bits for Quality of Service (QoS) tagging to be sent with the frames. The downside is that it made phone mobility very difficult. You either needed to provision every phone-facing switchport in your organization to be an 802.1q trunk or you had to leave the phones where they were. While the latter is usually the case in most of my deployments, the mobility provided by the ability to plug a phone in anywhere in the network and not worry about extra configuration is key to some clients. Thankfully, Cisco fixed this starting in the 2950 with a little concept known as the Auxiliary VLAN.
The Auxiliary VLAN (AUX VLAN) is a specialized VLAN that sits beside a regular access VLAN configured on a switch (sometimes called a “normal” VLAN). The purpose of the AUX VLAN is to allow IP phones to transmit their payloads along with the untagged data coming from a PC that might be plugged into the switchport on the back of the phone. The AUX VLAN allows these two devices to transmit on the same port without the need to use an explicit trunk on the link. In addition, since the port is not configured explicitly as an 802.1q trunk, extraneous VLANs will not be flooded over the port. In essence, the port becomes a two-VLAN trunk. All the phone traffic is tagged with the ID of the AUX VLAN and the PC traffic is untagged. Curiously, according to this document, the traffic in the AUX VLAN must also carry a Class of Service (CoS) of 5 along with the AUX VLAN ID. Otherwise, the traffic is dropped. So how does the phone get the ID of the AUX VLAN so it can start sending the traffic? Ah, that’s where CDP comes in.
Cisco Discovery Protocol (CDP) is crucial to the operation of a Cisco IP phone. It not only provides the AUX (Voice) VLAN ID so the phone can begin sending traffic on the AUX VLAN, it also allows the phone to automatically negotiate power settings. This allows the phone to use less than the maximum 15.4 watts of power under the 802.3af PoE standard. If you disable CDP on the port facing the phone/PC you will likely start pulling your hair out. Even though the phone might have already assigned itself to the Voice VLAN, removing CDP from the switchport in question causes it to forget where to find the voice VLAN. You’ll need to re-enable CDP and reboot the phone. You could also statically configure an 802.1q trunk to fix the issue, but where’s the fun in that?
One other curious note is that I’ve always been told that the connection between the phone and the switch when switchport voice vlan is configured is a “special 802.1q trunk”. Not that I’ve ever been able to see that configuration, as show interface trunk seems to think that the port isn’t trunking and show interface switchport says that it’s an access port. The key is in Cisco’s documentation. The correct term for a port with switchport voice vlan configured is a “multi-VLAN access port”. The distinction between the two is that only the two VLANs (voice and access) configured on the switchport will be accepted on the link. If you were to do something silly like, oh I don’t know, plug another switch into the back of the phone and configure an access port on that switch to be in a different VLAN than the voice or PC access VLAN, traffic will not pass through the phone port to the switch. Once again, that’s because this isn’t a real trunk. The switch will only accept tagged frames from the Voice (AUX) VLAN.
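To make the “multi-VLAN access port” behaviour described above concrete, here is a small Python model added for this write-up (it is not code from the original post or from Cisco). It parses the 802.1Q tag from constructed Ethernet frames and applies the ingress rules the post describes: untagged frames belong to the access VLAN, frames tagged with the voice VLAN ID are accepted (and, per the post, must carry CoS 5), and frames tagged with any other VLAN are dropped because the port is not a real trunk. It also keeps the (source MAC, VLAN) pairs the port learns, which is what the port-security discussion in the comments is about. The MAC addresses, frames and VLAN IDs 10/20/30 are constructed; treating a VID 0 priority-only tag as access-VLAN traffic and the phone sending some frames (such as CDP) untagged are this model’s assumptions.

```python
"""Added example: a model of a Cisco "multi-VLAN access port" (not from the post).

Ingress rules modelled, as described in the post:
  * untagged frames belong to the access (PC) VLAN,
  * frames tagged with the voice VLAN ID are accepted and, per the post,
    must also carry CoS 5 or they are dropped,
  * frames tagged with any other VLAN are dropped (the port is not a trunk).
All MAC addresses and frames below are constructed for the example.
"""
import struct

ETHERTYPE_8021Q = 0x8100


def parse_frame(frame):
    """Return (dst, src, vlan_id, cos, ethertype, payload).

    vlan_id and cos are None when the frame carries no 802.1Q tag.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return dst, src, None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    cos = tci >> 13          # PCP: the three 802.1p priority bits
    vlan_id = tci & 0x0FFF   # VID: 12-bit VLAN identifier
    return dst, src, vlan_id, cos, inner_type, frame[18:]


def make_frame(dst, src, payload, vlan_id=None, cos=0, ethertype=0x0800):
    """Build a constructed Ethernet frame, optionally with an 802.1Q tag."""
    header = dst + src
    if vlan_id is None:
        header += struct.pack("!H", ethertype)
    else:
        tci = (cos << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    return header + payload


class MultiVlanAccessPort:
    """Ingress classification for a port with an access VLAN and a voice VLAN."""

    def __init__(self, access_vlan, voice_vlan, require_cos5=True):
        self.access_vlan = access_vlan
        self.voice_vlan = voice_vlan
        self.require_cos5 = require_cos5   # the CoS 5 rule the post cites
        self.learned = set()               # (source MAC, VLAN) pairs seen

    def classify(self, frame):
        """Return ("forward", vlan) or ("drop", reason) for one ingress frame."""
        _, src, vlan_id, cos, _, _ = parse_frame(frame)
        if vlan_id is None or vlan_id == 0:
            # Untagged, or VID 0 (priority-only per 802.1Q): treated here
            # as PC traffic in the access VLAN (model assumption).
            vlan = self.access_vlan
        elif vlan_id == self.voice_vlan:
            if self.require_cos5 and cos != 5:
                return ("drop", "voice VLAN frame with CoS %d, expected 5" % cos)
            vlan = self.voice_vlan
        else:
            # Not a trunk: a tag for any other VLAN is not accepted.
            return ("drop", "tagged with VLAN %d, not the voice VLAN" % vlan_id)
        self.learned.add((src, vlan))
        return ("forward", vlan)

    def secure_address_count(self):
        """One entry per (MAC, VLAN) pair, the way older port security counted."""
        return len(self.learned)


PHONE = bytes.fromhex("001122aabb01")   # constructed: the IP phone
PC = bytes.fromhex("001122aabb02")      # constructed: PC behind the phone
OTHER = bytes.fromhex("001122aabb03")   # constructed: host on a second switch behind the phone
UPLINK = bytes.fromhex("001122aabbff")  # constructed: destination MAC


def demo(access_vlan=10, voice_vlan=20):
    """Run constructed frames through the port; returns (decisions, learned count)."""
    port = MultiVlanAccessPort(access_vlan, voice_vlan)
    frames = [
        ("pc_untagged", make_frame(UPLINK, PC, b"http")),
        ("phone_voice_cos5", make_frame(UPLINK, PHONE, b"rtp", vlan_id=voice_vlan, cos=5)),
        ("phone_voice_cos0", make_frame(UPLINK, PHONE, b"rtp", vlan_id=voice_vlan, cos=0)),
        # An untagged frame from the phone itself (e.g. CDP) lands in the
        # access VLAN, so the phone's MAC is learned in both VLANs.
        ("phone_untagged", make_frame(UPLINK, PHONE, b"cdp")),
        # The post's "second switch behind the phone" case: a tag for VLAN 30.
        ("other_vlan_tagged", make_frame(UPLINK, OTHER, b"http", vlan_id=30, cos=0)),
    ]
    decisions = {name: port.classify(f) for name, f in frames}
    return decisions, port.secure_address_count()


if __name__ == "__main__":
    decisions, count = demo()
    for name, decision in decisions.items():
        print("%-20s %s" % (name, decision))
    print("secure addresses learned:", count)
```

Running it shows the PC’s untagged frame and the phone’s CoS 5 voice frame forwarded, the CoS 0 voice frame and the VLAN 30 tagged frame dropped, and three (MAC, VLAN) entries learned: the phone once in the voice VLAN and once in the access VLAN, plus the PC.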
Tom’s Take
I hope this was a little more insight into what the magical command switchport voice vlan does on a switch. I’m often asked by people new to voice why this must be configured each time. Before, I blindly regurgitated lines like “special 802.1q trunk” and “do it or it won’t work.” Now I have a very interesting story to tell and threaten people with if they don’t do it.
In the 3500xl days, you had to configure the voice vlan and still configure the port as a trunk. The former only modified CDP’s advertisements. You then had to make sure that you pruned off the non-desktop and voice vlans or you’d wind up with some very noisy ports and a security problem.
Pingback: Internets of Interest for 9th May 2012 — My EtherealMind
Do you know if non-Cisco phones can understand CDP? We are rolling out Polycom phones and the phones are ending up in the data VLAN instead of the voice VLAN. Not sure if it’s because they don’t understand CDP or maybe it’s something else? I honestly thought LLDP is what told the phone which VLAN it’s in, power settings, etc.
We started out with Nortel IP phones, and have more recently started deploying Polycoms. As I understand it, when you connect a Nortel phone to a port with voice vlan defined, it actually makes a DHCP request on the access VLAN and we had to configure our access VLAN DHCP scope with option 128 (Nortel-i2004) which specifies the Voice VLAN the phone should use. The phone then hops onto the Voice VLAN and makes a second DHCP request and this is where it actually pulls its address. Then in the Voice VLAN scope I have option 128 and 144 configured as well. When we started rolling out the Polycom phones they seemed to hop on the correct VLAN as well, but I don’t know for sure if they are doing the same thing the Nortel phones are doing or not. I’ve never done packet captures to try to determine that. They work though. I can say that.
We use Siemens phones and the voice Vlan configuration, but the Vlan ID is given to the phone by our DHCP servers using option 43, not LLDP/CDP.
I wanted to follow up to let you know that we had to do something similar with our Polycom Lync phones to get them working. The following site explained how to set up the DHCP scope option for Polycom Lync phones: http://www.bricomp.com/blogs/post.cfm/dedicated-voice-vlan-for-lync-devices
Most Polycom phones do actually support CDP. You shouldn’t need to configure anything more than the switchport voice VLAN command.
I haven’t had any luck getting the phone to register on the voice VLAN with CDP. Are you aware of a min level of IOS code for this to work?
Don’t forget about switchport port security. If you set up port security to limit the number of MAC addresses on a switchport, you will need to take into account the switchport in the phone. It has its own MAC address and will cause issues if you set the max to 2 instead of 3.
Yes!!! I ran into this issue the other day. I’m seeing the phone register its MAC on the data and voice VLAN, so I had to set the port security max to 3 to keep the port from err-disabling. Why would the phone’s MAC be registered to both VLANs?
Answer:
“Prior to Cisco IOS Release 12.2(31)SG, you required three MAC addresses as the maximum parameter to support an IP Phone and a PC. With Cisco IOS Release 12.2(31)SG and later releases, the maximum parameter must be configured to two, one for the phone and one for the PC. ”
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html#wp1139178
Also, don’t forget about QoS. mls qos trust cisco-phone pushes the trust boundary out to the phone and makes the phone do the QoS marking for phone traffic. Additionally, in CUCM you can tell the phones to either believe or remark CoS values entering their PC port. Simply put, the phones will remark PC traffic with default CoS values if you so choose. This is important if an application sends its traffic with better than class 0 markings.
Thanks for the information. I had noticed VoiceVLAN and thought it might be some fixed VLAN number that would be using 802.1q tagging.
Quote: “If you were to do something silly like, oh I don’t know, plug another switch into the back of the phone and configure an access port on that switch to be in a different VLAN than the voice or PC access VLAN, traffic will not pass through the phone port to the switch.”
I would think that the traffic WOULD get to the switch but it would get there “untagged”. What is untagged to a switch? It is “Native VLAN” traffic. Have you actually tested this statement in a lab?
Just to add a little input. I recently deployed some 3560s and some Cisco 6921s. We couldn’t get the phones to pull the TFTP address and get their load. Found out we had to remove the voice vlan and then it registered fine with CUCM. We then added the voice vlan back and there were no problems. The reason is, the 6921s use LLDP-MED and the switches we were using did not support LLDP-MED and the 6921s do not use CDP. Go figure.
Pingback: A Few Easy Steps: Cisco Switch, Setup Voice VLAN on Interface | StaticNAT
Pingback: VoIP Phone – Switchport Config | mrn-cciew
Thanks! Now I know what that command does 🙂
Excellent Explanation
Just to make sure I have understood it perfectly:
- The SW port is a kind of trunk that will ONLY accept tagged frames with the VVLAN ID (and this VVLAN ID is configured in the voice vlan command, and this information is delivered to the phone for the first time via CDP).
- Plus, the SW port’s mode access VLAN command will tag all untagged traffic from the PC and send it into the SW.
Hope my understanding is correct, as this is the final theory I came to after all my research on Voice/Data.
Pingback: Q And A Should Include The E | The Networking Nerd
Superb! Just the explanation I was looking for – thanks!