Voice VLAN Configuration

A Cisco IP phone contains a built-in three-port switch: one uplink port connects to the wall jack (to the network switch), one port is the phone itself, and one access port passes through to a PC sitting on the desk. This means a single physical cable from the wall carries two types of traffic simultaneously — voice traffic from the IP phone and data traffic from the PC — each needing its own VLAN to keep them separated.

The voice VLAN (also called the auxiliary VLAN) is a dedicated VLAN for IP phone traffic. The switch port is configured in access mode with two VLANs: the regular data VLAN for the PC (untagged) and the voice VLAN for the phone (tagged with 802.1Q, CoS 5). Cisco Discovery Protocol (CDP) tells the IP phone which voice VLAN to use — the phone then tags its own voice traffic with that VLAN ID automatically.

Before starting, complete VLAN Creation and Management, Assigning VLANs to Switch Ports, and Inter-VLAN Routing — voice and data VLANs each need their own Layer 3 gateway for routing and DHCP reachability.

1. How Voice VLAN Works

Understanding the traffic flow is essential before configuring. The IP phone and PC share one physical cable but their traffic is logically separated by VLAN tagging:

| Traffic Type | Device | VLAN | Tagging | CoS / Priority |
|---|---|---|---|---|
| Voice | IP Phone | Voice VLAN (e.g., 100) | 802.1Q tagged (by the phone) | CoS 5 — high priority |
| Data | PC (behind the phone) | Data VLAN (e.g., 10) | Untagged — phone passes through as-is | CoS 0 — best effort |

Physical Connection and Traffic Path

  Wall jack
  (Fa0/1)         ┌───────────────────────────┐
      ────────────│  Cisco IP Phone 7960       │
                  │  Built-in 3-port switch    │
                  │                            │──── PC (untagged, VLAN 10)
                  │  Voice frames: tagged 100  │
                  │  Data frames:  untagged    │
                  └───────────────────────────┘

  Switch sees on Fa0/1:
    Tagged frames  (VLAN 100)  → Voice traffic  → Voice VLAN 100
    Untagged frames            → Data traffic   → Data VLAN 10
  

Role of CDP in Voice VLAN

When the switch port has a voice VLAN configured, it uses CDP (Cisco Discovery Protocol) to advertise the voice VLAN ID to the connected IP phone. The phone reads the CDP advertisement and automatically begins tagging its voice traffic with that VLAN ID. Without CDP running on the port (or without switchport voice vlan configured), the phone does not know which VLAN to use and sends all traffic untagged, so voice ends up in the port's access (data) VLAN alongside the PC traffic.

| Feature | Role in Voice VLAN |
|---|---|
| CDP | Tells the IP phone which VLAN ID to tag voice traffic with. Must be running on the port (enabled by default). |
| switchport voice vlan [id] | Configures the voice VLAN on the switch port — advertised via CDP to the phone. |
| switchport access vlan [id] | Configures the data VLAN — used by the PC connected through the phone's access port. |
| 802.1Q tagging (by phone) | The IP phone tags its own voice frames with the voice VLAN ID and CoS 5. The switch handles them as tagged frames. |

Is this port a trunk? No — despite carrying two VLANs, this port is configured in access mode. Cisco IOS treats it as a special access port that supports one untagged (data) VLAN and one tagged (voice) VLAN. The tagged voice frames use 802.1Q encapsulation applied by the phone itself. The port-level behavior is unique to the Cisco phone/switch integration — it is not a standard 802.1Q trunk.
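
How the tagging described in this section looks on the wire, as an added Python example that is not part of the original tutorial: it builds constructed Ethernet headers and classifies each one by its 802.1Q tag, using the lab's VLAN 10 and VLAN 100. The MAC addresses, function names and class labels are assumptions of the example; the VLAN ID 0 case (a priority tag that carries CoS only) is standard 802.1Q and goes slightly beyond what the page covers.

```python
import struct

TPID_8021Q = 0x8100                 # EtherType value that announces an 802.1Q tag
DATA_VLAN, VOICE_VLAN = 10, 100     # the page's lab values


def build_frame(payload_type, vlan=None, cos=0):
    """Build a constructed Ethernet header plus 4 dummy payload bytes."""
    dst = bytes.fromhex("ffffffffffff")      # constructed addresses
    src = bytes.fromhex("001122334455")
    tag = b""
    if vlan is not None:
        # TCI layout: PCP/CoS (3 bits) | DEI (1 bit, left 0) | VLAN ID (12 bits)
        tci = (cos << 13) | (vlan & 0x0FFF)
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", payload_type) + b"\x00" * 4


def classify(frame, access_vlan=DATA_VLAN, voice_vlan=VOICE_VLAN):
    """Map one frame to a VLAN and CoS the way the voice-port table describes."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        # Untagged: PC traffic passed through the phone, lands in the access VLAN
        return {"vlan": access_vlan, "cos": 0, "class": "data"}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    cos, vid = tci >> 13, tci & 0x0FFF
    if vid == voice_vlan:
        return {"vlan": vid, "cos": cos, "class": "voice"}
    if vid == 0:
        # Priority tag: CoS is set but the frame belongs to the untagged VLAN
        return {"vlan": access_vlan, "cos": cos, "class": "priority-tagged"}
    # A tag for any other VLAN is not expected on a phone port; just report it
    return {"vlan": vid, "cos": cos, "class": "unexpected-tag"}


if __name__ == "__main__":
    samples = {
        "phone voice": build_frame(0x0800, vlan=VOICE_VLAN, cos=5),
        "PC data": build_frame(0x0800),
        "priority tag": build_frame(0x0800, vlan=0, cos=5),
        "other VLAN": build_frame(0x0800, vlan=20),
    }
    for name, frame in samples.items():
        print(f"{name:13s} {classify(frame)}")
```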

2. Why Voice Traffic Needs Its Own VLAN — QoS

Voice over IP (VoIP) is extremely sensitive to delay, jitter, and packet loss. Even small amounts of congestion on a shared data network cause noticeable call quality degradation — choppy audio, echo, or dropped calls. Separating voice into its own VLAN allows the network to apply QoS (Quality of Service) policies that prioritize voice packets above ordinary data traffic. See QoS Overview and DSCP Marking for the broader QoS framework.

| Requirement | Voice Traffic | Data Traffic |
|---|---|---|
| Latency (one-way) | < 150 ms (Cisco recommendation) | Tolerant — seconds acceptable |
| Jitter | < 30 ms | Tolerant |
| Packet loss | < 1% | TCP retransmission handles loss |
| CoS marking | CoS 5 (tagged frames) | CoS 0 (best effort) |
| DSCP marking | EF (Expedited Forwarding, DSCP 46) | BE (Best Effort, DSCP 0) |

mls qos trust cos: To have the switch honor the CoS 5 marking set by the IP phone, add mls qos trust cos to the port configuration. Without this, the switch may re-mark or ignore the CoS value. This ensures voice traffic retains its high-priority marking as it traverses the network.

3. Lab Scenario & Topology

                    ┌──────────────────────────────────┐
                    │         NetsTuts_SW1             │
                    │      (Layer 3 / Multilayer)      │
                    │                                  │
                    │  SVI Vlan10  ── 192.168.10.1/24  │  ← Data gateway
                    │  SVI Vlan100 ── 192.168.100.1/24 │  ← Voice gateway
                    │                                  │
                    │  Fa0/1 ── IP Phone + PC (desk 1) │
                    │  Fa0/2 ── IP Phone + PC (desk 2) │
                    │  Fa0/3 ── IP Phone only (desk 3) │
                    └──────────────────────────────────┘

  Data VLAN  : 10  (192.168.10.0/24)  — PC traffic
  Voice VLAN : 100 (192.168.100.0/24) — IP Phone traffic
  
| Parameter | Value |
|---|---|
| Data VLAN | 10 — name: DATA |
| Voice VLAN | 100 — name: VOICE |
| Data SVI (PC gateway) | 192.168.10.1 /24 |
| Voice SVI (Phone gateway) | 192.168.100.1 /24 |
| PC IP addressing | DHCP from 192.168.10.0/24 |
| Phone IP addressing | DHCP from 192.168.100.0/24 |

4. Step 1 — Create VLANs and SVIs

Both VLANs must exist in the database before they can be assigned to ports. SVIs provide the Layer 3 gateway that DHCP and routing use to reach each VLAN.

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Create VLANs ──────────────────────────────────────────
NetsTuts_SW1(config)#vlan 10
NetsTuts_SW1(config-vlan)#name DATA
NetsTuts_SW1(config-vlan)#vlan 100
NetsTuts_SW1(config-vlan)#name VOICE
NetsTuts_SW1(config-vlan)#exit

! ── Enable IP routing ─────────────────────────────────────
NetsTuts_SW1(config)#ip routing

! ── SVI for Data VLAN 10 ──────────────────────────────────
NetsTuts_SW1(config)#interface vlan 10
NetsTuts_SW1(config-if)#description SVI-Data-VLAN10
NetsTuts_SW1(config-if)#ip address 192.168.10.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

! ── SVI for Voice VLAN 100 ────────────────────────────────
NetsTuts_SW1(config)#interface vlan 100
NetsTuts_SW1(config-if)#description SVI-Voice-VLAN100
NetsTuts_SW1(config-if)#ip address 192.168.100.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit
  
Two VLANs and two SVIs created. The voice SVI (192.168.100.1) serves as the default gateway for IP phones — phones use DHCP to get an address from the 192.168.100.0/24 subnet. See Layer 3 Switch Inter-VLAN Routing for full SVI configuration details. If a centralised DHCP server handles both subnets, configure DHCP relay (ip helper-address) on each SVI.

5. Step 2 — Configure the Voice VLAN Access Port

The key command is switchport voice vlan [id]. This tells the switch to advertise the voice VLAN via CDP and to treat tagged frames with that VLAN ID as voice traffic. The data VLAN is configured as the normal access VLAN.

Single Port Configuration — Fa0/1

NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#description IPPhone-PC-Desk1
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 10
NetsTuts_SW1(config-if)#switchport voice vlan 100
NetsTuts_SW1(config-if)#mls qos trust cos
NetsTuts_SW1(config-if)#spanning-tree portfast
NetsTuts_SW1(config-if)#exit
  
Four key commands on every IP phone port: access mode, data VLAN 10, voice VLAN 100, and QoS trust. PortFast skips the 50-second STP delay so the phone registers immediately on power-up. See PortFast & BPDU Guard for details.

Command Breakdown

| Command | What It Does | Why It Matters |
|---|---|---|
| switchport mode access | Sets port to access mode | Required — voice VLAN is configured on access ports, not trunks |
| switchport access vlan 10 | Assigns data VLAN 10 for untagged (PC) traffic | Untagged frames from the PC pass through the phone and are placed in VLAN 10 |
| switchport voice vlan 100 | Assigns voice VLAN 100 for tagged phone traffic | Advertised to the phone via CDP — phone tags its voice frames with VLAN 100 + CoS 5 |
| mls qos trust cos | Tells the switch to honor the CoS value set by the IP phone | Ensures voice frames retain CoS 5 priority as they travel through the network |
| spanning-tree portfast | Skips STP convergence delay | IP phones register with the call manager on power-up — STP delay causes registration failure |

Range Configuration — All Phone Ports

NetsTuts_SW1(config)#interface range FastEthernet0/1 - 3
NetsTuts_SW1(config-if-range)#description IPPhone-PC-Desk
NetsTuts_SW1(config-if-range)#switchport mode access
NetsTuts_SW1(config-if-range)#switchport access vlan 10
NetsTuts_SW1(config-if-range)#switchport voice vlan 100
NetsTuts_SW1(config-if-range)#mls qos trust cos
NetsTuts_SW1(config-if-range)#spanning-tree portfast
NetsTuts_SW1(config-if-range)#exit

NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  
All three desk ports are configured with a single range command. This is the complete baseline for a standard open-plan office floor.

6. Step 3 — Adding Port Security to a Voice Port

When combining port security with voice VLAN ports, the maximum MAC address count must be set to at least 2 — one for the IP phone and one for the PC. With a maximum of 1, the first device to send a frame fills the limit and the second device triggers a violation as soon as it sends one.

NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#switchport port-security
NetsTuts_SW1(config-if)#switchport port-security maximum 2
NetsTuts_SW1(config-if)#switchport port-security mac-address sticky
NetsTuts_SW1(config-if)#switchport port-security violation restrict
NetsTuts_SW1(config-if)#exit
  
Maximum 2 MACs — one for the phone (on VLAN 100) and one for the PC (on VLAN 10). Restrict mode keeps the port up if a third device is connected, logging the event without disrupting the phone or existing PC. This was also demonstrated in Port Security & Sticky MAC.

Port security maximum on voice ports: Some IP phone models generate multiple MAC addresses (for different internal functions). If violations occur immediately after configuring port security on a phone port, increase the maximum to 3 and check show port-security address to see how many MAC addresses the phone itself is using.

7. Complete Configuration

! ══════════════════════════════════════════════════════════
! NetsTuts Voice VLAN Baseline — NetsTuts_SW1
! ══════════════════════════════════════════════════════════

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── IP routing and VLANs ──────────────────────────────────
NetsTuts_SW1(config)#ip routing
NetsTuts_SW1(config)#vlan 10
NetsTuts_SW1(config-vlan)#name DATA
NetsTuts_SW1(config-vlan)#vlan 100
NetsTuts_SW1(config-vlan)#name VOICE
NetsTuts_SW1(config-vlan)#exit

! ── SVIs ──────────────────────────────────────────────────
NetsTuts_SW1(config)#interface vlan 10
NetsTuts_SW1(config-if)#description SVI-Data-VLAN10
NetsTuts_SW1(config-if)#ip address 192.168.10.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#interface vlan 100
NetsTuts_SW1(config-if)#description SVI-Voice-VLAN100
NetsTuts_SW1(config-if)#ip address 192.168.100.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

! ── IP phone access ports ─────────────────────────────────
NetsTuts_SW1(config)#interface range FastEthernet0/1 - 3
NetsTuts_SW1(config-if-range)#description IPPhone-PC-Desk
NetsTuts_SW1(config-if-range)#switchport mode access
NetsTuts_SW1(config-if-range)#switchport access vlan 10
NetsTuts_SW1(config-if-range)#switchport voice vlan 100
NetsTuts_SW1(config-if-range)#mls qos trust cos
NetsTuts_SW1(config-if-range)#spanning-tree portfast
NetsTuts_SW1(config-if-range)#switchport port-security
NetsTuts_SW1(config-if-range)#switchport port-security maximum 2
NetsTuts_SW1(config-if-range)#switchport port-security mac-address sticky
NetsTuts_SW1(config-if-range)#switchport port-security violation restrict
NetsTuts_SW1(config-if-range)#exit

NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  

8. Verification

show interfaces FastEthernet0/1 switchport

NetsTuts_SW1#show interfaces FastEthernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (DATA)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 100 (VOICE)
  
Key fields: Access Mode VLAN: 10 (DATA) confirms the data VLAN. Voice VLAN: 100 (VOICE) confirms the voice VLAN is assigned and will be advertised to the IP phone via CDP.

show vlan brief — Both VLANs Active

NetsTuts_SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   DATA                             active    Fa0/1, Fa0/2, Fa0/3
100  VOICE                            active    Fa0/1, Fa0/2, Fa0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
  
Both VLAN 10 and VLAN 100 are active with all three ports listed. Notice that access ports appear in both VLANs when a voice VLAN is configured — this is expected and correct.

show cdp neighbors — Confirm Phone Detected

NetsTuts_SW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SEP001122334455  Fas 0/1           162          P         7960      Port 1
SEP001122334456  Fas 0/2           158          P         7960      Port 1
SEP001122334457  Fas 0/3           160          P         7960      Port 1
  
CDP shows all three Cisco IP phones (Capability: P for Phone). Device IDs beginning with "SEP" are Cisco IP phones — SEP stands for Skinny Endpoint Protocol. This confirms CDP is running and the switch is communicating with the phones.

show ip interface brief — SVIs Up

NetsTuts_SW1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 192.168.10.1    YES manual up                    up
Vlan100                192.168.100.1   YES manual up                    up
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  up                    up
FastEthernet0/3        unassigned      YES unset  up                    up
  

show running-config interface FastEthernet0/1

NetsTuts_SW1#show running-config interface FastEthernet0/1
!
interface FastEthernet0/1
 description IPPhone-PC-Desk1
 switchport access vlan 10
 switchport voice vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 mls qos trust cos
 spanning-tree portfast
!
  

Verification Command Summary

| Command | What It Confirms |
|---|---|
| show interfaces [int] switchport | Access VLAN and Voice VLAN assignments — key verification command for voice ports |
| show vlan brief | Both VLANs are active and access ports appear in both VLAN 10 and VLAN 100 |
| show cdp neighbors | IP phones appear with capability "P" — confirms CDP is running and phones are discovered |
| show ip interface brief | Both SVIs (Vlan10 and Vlan100) are up/up with correct IP addresses |
| show port-security interface [int] | Confirms port security maximum, sticky MACs learned, and violation count |
| show logging | CDP voice VLAN advertisements and any port security violation events |
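
To run the same checks across many ports at once, the following added Python example (not part of the original tutorial and not a Cisco tool) parses saved show running-config text and reports where each phone port deviates from the baseline in the Complete Configuration section. The sample config is constructed; the function names and finding messages are assumptions of the example, and per-VLAN forms of the port-security maximum command are not handled.

```python
import re


def parse_interfaces(config):
    """Split running-config text into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:                       # "!" or a global command ends the block
            current = None
    return blocks


def audit_voice_port(lines, data_vlan=10, voice_vlan=100):
    """Return the deviations of one port from the page's phone-port baseline."""
    required = {
        "switchport mode access": "not forced to access mode",
        f"switchport access vlan {data_vlan}": f"data VLAN {data_vlan} not assigned",
        f"switchport voice vlan {voice_vlan}": f"voice VLAN {voice_vlan} not assigned",
        "mls qos trust cos": "phone CoS marking not trusted",
        "spanning-tree portfast": "PortFast missing",
    }
    findings = [msg for cmd, msg in required.items() if cmd not in lines]
    if "switchport port-security" not in lines:
        findings.append("port security not enabled")
        return findings
    maximum = 1                     # IOS default when no "maximum" line is shown
    for line in lines:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", line)
        if m:
            maximum = int(m.group(1))
    if maximum < 2:
        findings.append(f"port-security maximum {maximum} cannot hold phone + PC")
    return findings


def audit(config, phone_ports, data_vlan=10, voice_vlan=100):
    """Audit every port that is supposed to serve a phone."""
    blocks = parse_interfaces(config)
    return {
        port: (audit_voice_port(blocks[port], data_vlan, voice_vlan)
               if port in blocks else ["interface not found in config"])
        for port in phone_ports
    }


# Constructed sample: Fa0/1 matches the page, Fa0/2 and Fa0/3 are deliberately off.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport voice vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 mls qos trust cos
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 mls qos trust cos
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport voice vlan 100
 switchport mode access
 switchport port-security maximum 1
 switchport port-security
 spanning-tree portfast
!
"""
PHONE_PORTS = ["FastEthernet0/1", "FastEthernet0/2", "FastEthernet0/3"]

if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG, PHONE_PORTS).items():
        print(port, "OK" if not findings else "; ".join(findings))
```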

9. Troubleshooting Voice VLAN Issues

| Problem | Symptom | Cause | Fix |
|---|---|---|---|
| Phone does not register with call manager | Phone shows "Configuring IP" or "No Service" on screen | Voice VLAN SVI is down or DHCP not reachable on the voice subnet | Verify show ip interface brief — Vlan100 must be up/up. Confirm DHCP pool exists for 192.168.100.0/24 |
| Phone places traffic on wrong VLAN | Voice traffic appears on VLAN 10 instead of VLAN 100 | CDP not running on the port, or switchport voice vlan 100 not configured — phone has not received voice VLAN advertisement | Verify show interfaces switchport shows Voice VLAN: 100. Check CDP with show cdp neighbors |
| Port security violation on phone port | Violation counter incrementing or port err-disabled shortly after phone connects | Port security maximum set to 1 — phone (VLAN 100) and PC (VLAN 10) together exceed the limit | Increase maximum to at least 2: switchport port-security maximum 2. Some phones need 3. |
| Poor call quality — choppy audio | Calls break up during network congestion | mls qos trust cos not configured — switch is not honoring the phone's CoS 5 marking | Add mls qos trust cos under the interface. Also verify QoS policies on uplink ports. Consider DHCP Snooping to prevent rogue devices generating ARP storms that consume voice bandwidth |
| Phone slow to register after power cycle | Phone takes 30–60 seconds to get an IP and register after being plugged in | PortFast not configured — port going through full STP convergence before forwarding | Add spanning-tree portfast to the interface. See PortFast & BPDU Guard |
| Voice VLAN not shown in show vlan brief | VLAN 100 is missing or shows as inactive | Voice VLAN was not created in the VLAN database — only the switchport voice vlan command was entered | Create the VLAN explicitly in global config: vlan 100, then name VOICE |

Key Points & Exam Tips

  • A voice VLAN port carries two VLANs on one access port — untagged data traffic (for the PC) and 802.1Q tagged voice traffic (for the IP phone). This is not a trunk port.
  • CDP tells the connected IP phone which VLAN to tag its voice traffic with. Without CDP, the phone sends all traffic untagged on the data VLAN.
  • The IP phone tags its own voice frames with the voice VLAN ID and CoS 5. Use mls qos trust cos to ensure the switch honors this priority marking.
  • Both VLANs must be created in the VLAN database — switchport voice vlan 100 alone does not create VLAN 100.
  • Each VLAN needs its own Layer 3 SVI for routing and DHCP. The voice SVI is the default gateway for IP phones.
  • Always add PortFast to voice VLAN ports — IP phones register with Cisco Unified Communications Manager on power-up and cannot wait 50 seconds for STP convergence. See Spanning Tree for why convergence takes so long without PortFast.
  • When combining port security with voice VLAN, set maximum to at least 2 (phone MAC + PC MAC). Some phone models need 3.
  • show interfaces [int] switchport is the primary verification command — it shows both the Access Mode VLAN (data) and the Voice VLAN in one output.
  • show cdp neighbors confirms IP phones are discovered — phones appear with capability P and device IDs starting with SEP.
  • On the CCNA exam, know that voice VLAN ports are access ports, not trunk ports — and that CDP is the mechanism that communicates the voice VLAN ID to the phone.

Next Steps: With voice and data traffic separated into dedicated VLANs, continue to DHCP Server Configuration to set up separate DHCP pools for the data and voice subnets. To carry both VLANs across inter-switch uplinks, configure Trunk Ports. For securing management access to the switch itself, revisit SSH Configuration and Console & VTY Line Security. For QoS policies that enforce voice priority on uplink ports see QoS Queuing.

TEST WHAT YOU LEARNED

1. A port is configured with switchport access vlan 10 and switchport voice vlan 100. What type of port is this and how does it handle traffic from each device?

Correct answer is C. Despite carrying two VLANs, this is configured as an access port (switchport mode access). The PC connects through the phone's built-in switch port and sends untagged frames — the switch places these in the access VLAN (10). The IP phone learns the voice VLAN ID via CDP and tags its own voice frames with VLAN 100 + CoS 5 before sending them to the switch.

2. What is the role of CDP in voice VLAN configuration, and what happens if CDP is disabled on the port?

Correct answer is A. CDP is the mechanism by which the switch tells the IP phone which VLAN ID to tag its voice traffic with. When CDP is running, the switch sends a CDP advertisement containing the voice VLAN ID. The phone reads this and starts tagging voice frames with that VLAN. If CDP is disabled, the phone has no way to learn the voice VLAN and all traffic — both voice and data — flows untagged on the data VLAN, completely defeating the purpose of voice VLAN separation.

3. Port security is enabled on a voice VLAN port with maximum 1. The IP phone is connected and its MAC is learned. A PC is then plugged into the phone's access port. What happens?

Correct answer is D. Port security counts all MAC addresses across both VLANs on a port — the voice MAC and data MAC are both counted toward the total maximum. With maximum 1, the phone's MAC fills the limit. When the PC sends a frame (a different MAC on VLAN 10), port security detects a violation. The fix is to set switchport port-security maximum 2 to accommodate both the phone and PC.

4. An IP phone is connected but all voice traffic appears on VLAN 10 instead of VLAN 100. show interfaces Fa0/1 switchport shows "Voice VLAN: none". What is the cause?

Correct answer is B. "Voice VLAN: none" in show interfaces switchport directly shows that the switchport voice vlan command was never entered on the interface. Without this command, the port has no voice VLAN configured, CDP does not advertise any voice VLAN, and the phone places all traffic — including voice — on the data VLAN untagged. Adding switchport voice vlan 100 fixes this immediately.

5. What does mls qos trust cos do on a voice VLAN port, and what happens without it?

Correct answer is C. The IP phone marks its voice frames with CoS 5 (high priority) in the 802.1Q tag. mls qos trust cos tells the switch to trust and preserve this marking as the frame travels through the switch and onto uplink ports. Without this command, the switch's default QoS policy may overwrite the CoS value with 0 (best effort) — stripping the priority and causing voice frames to compete equally with data traffic during congestion.

6. An engineer enters switchport voice vlan 100 on a port but VLAN 100 was never created with the vlan 100 command. What will show vlan brief show?

Correct answer is D. IOS accepts the switchport voice vlan 100 command even if VLAN 100 does not exist in the database — it does not auto-create the VLAN. Without VLAN 100 in the database, the SVI for VLAN 100 remains inactive, phones cannot reach the voice gateway, and DHCP requests for the voice subnet fail. Always explicitly create the VLAN with vlan 100 and then configure the SVI.

7. Why must PortFast be enabled on IP phone ports?

Correct answer is A. IP phones behave like PCs — they need network connectivity immediately on power-up to contact a DHCP server and register with Cisco Unified Communications Manager (CUCM). Without PortFast, the port goes through Blocking → Listening → Learning (up to 50 seconds total) before forwarding. The DHCP client and CUCM registration process often time out during this delay, leaving the phone showing "No Service." PortFast sends the port directly to Forwarding in ~1 second.

8. In show cdp neighbors, IP phones appear with a device ID beginning with "SEP". What does SEP stand for and what capability letter identifies a phone?

Correct answer is B. SEP stands for Skinny Endpoint Protocol — "Skinny" (SCCP) is the Cisco-proprietary call control protocol used by older Cisco IP phones to communicate with Cisco Unified Communications Manager. The device ID is derived from the phone's MAC address prefixed with SEP. In show cdp neighbors, the capability column shows P to identify the device as a Phone — distinct from routers (R), switches (S), and hosts (H).

9. A network engineer checks show vlan brief and sees that Fa0/1 appears in both VLAN 10 and VLAN 100. Is this correct?

Correct answer is D. When both switchport access vlan 10 and switchport voice vlan 100 are configured on the same port, Cisco IOS lists the port under both VLANs in show vlan brief. This is normal and expected behavior — it reflects that the port handles traffic for both VLANs simultaneously. It is not a misconfiguration.

10. What Layer 3 infrastructure is required on the switch to ensure IP phones receive DHCP addresses and can route calls between the voice and data subnets?

Correct answer is C. Each VLAN is a separate broadcast domain and needs its own Layer 3 gateway for DHCP reachability and inter-VLAN routing. On a multilayer switch, this means creating two SVIs: one for VLAN 10 (e.g., 192.168.10.1/24) as the PC gateway, and one for VLAN 100 (e.g., 192.168.100.1/24) as the phone gateway. With ip routing enabled, the switch routes between both subnets at wire speed. A DHCP server (or DHCP helper) must also be reachable from each SVI to provide IP addresses to phones and PCs.