Voice VLAN – Configuration, QoS & Best Practices for IP Phones

1. What Is a Voice VLAN?

A Voice VLAN is a dedicated VLAN configured on a switch port to carry IP phone (VoIP) traffic separately from regular PC data traffic, even though both the phone and the PC share the same physical cable and switch port. Without a Voice VLAN, voice and data packets compete for bandwidth and queue space, causing jitter, delay, and poor call quality.

The key mechanism is 802.1Q VLAN tagging: the IP phone sends its voice frames tagged with the Voice VLAN ID, while the PC connected through the phone’s built-in switch sends data frames untagged (which the switch assigns to the access VLAN). This allows a single switch port to cleanly service both device types simultaneously.

  Physical connection:
  [PC] —— data port —— [IP Phone] —— single cable —— [Switch port Fa0/5]

  Logical traffic on the same cable:
  PC frames:    untagged ——————————— switch assigns to VLAN 10 (Data)
  Phone frames: 802.1Q tag VLAN 20 ——— switch assigns to VLAN 20 (Voice)
            


2. How Voice VLAN Works – Traffic Flow

| Traffic Type | Source Device | 802.1Q Tag | VLAN Assigned | QoS Marking |
|---|---|---|---|---|
| Data | PC (plugged into phone’s PC port) | Untagged | Access VLAN (e.g., VLAN 10) | Default / best-effort |
| Voice | IP phone (internal processor) | Tagged with Voice VLAN ID (e.g., VLAN 20) | Voice VLAN (e.g., VLAN 20) | CoS 5 / DSCP 46 (Expedited Forwarding) |

The switch port handles both simultaneously: it behaves like an access port for the PC’s untagged frames and like a mini trunk for the phone’s tagged voice frames. This is sometimes called a multi-VLAN access port.

3. Benefits of Voice VLAN

| Benefit | Detail |
|---|---|
| QoS prioritisation | Voice packets are tagged with CoS 5 / DSCP 46 (Expedited Forwarding); switches and routers queue and forward them ahead of lower-priority data, reducing jitter and latency |
| Improved call quality | Isolating voice traffic eliminates competition with bursty data transfers; one-way delay stays under 150 ms and jitter under 30 ms (ITU G.114 recommendation) |
| Security segmentation | PCs on the data VLAN cannot directly communicate with voice devices on the voice VLAN without passing through a router or firewall; reduces attack surface |
| Simplified deployment | One cable and one switch port serve both the phone and the PC; moves, adds, and changes require updating only the switch port config |
| Easier troubleshooting | Problems with voice quality can be quickly isolated to the voice VLAN without having to untangle mixed data traffic |
| PoE integration | The same cable and port delivers both power (PoE) and tagged voice traffic, eliminating the need for a separate power adapter at every desk |

4. Cisco IOS Configuration

Basic Voice VLAN Configuration

! Step 1: Create the VLANs (if not already existing)
Switch(config)# vlan 10
Switch(config-vlan)# name DATA
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name VOICE
Switch(config-vlan)# exit

! Step 2: Configure the access port for both data and voice
Switch(config)# interface FastEthernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10        ! PC traffic — untagged, VLAN 10
Switch(config-if)# switchport voice vlan 20         ! Phone traffic — tagged 802.1Q, VLAN 20
Switch(config-if)# spanning-tree portfast           ! Speeds up port bring-up for end devices
Switch(config-if)# spanning-tree bpduguard enable   ! Prevents rogue switches being plugged in

! Step 3: (Optional but recommended) Add port security
Switch(config-if)# switchport port-security          ! Enables port security; the settings below are inactive without it
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky

This port now carries untagged data frames (assigned to VLAN 10 by the switch) and 802.1Q-tagged voice frames in VLAN 20 simultaneously.

Applying QoS Trust for the Phone Port

! Enable QoS globally first (platforms that use mls qos commands); port trust has no effect until it is on
Switch(config)# mls qos

! Tell the switch to trust the CoS markings sent by the IP phone
Switch(config)# interface FastEthernet0/5
Switch(config-if)# mls qos trust cos

! Or trust DSCP markings (depending on QoS model in use)
Switch(config-if)# mls qos trust dscp

! On newer IOS-XE (Catalyst 9000 series):
Switch(config-if)# auto qos voip cisco-phone

Without a QoS trust setting, the switch ignores the CoS/DSCP markings the phone sends and treats all traffic as best-effort.

5. How IP Phones Learn the Voice VLAN – CDP and LLDP-MED

An IP phone does not need to be manually told its Voice VLAN ID. The switch advertises it automatically using discovery protocols:

| Protocol | Standard | How It Works | Vendor Support |
|---|---|---|---|
| CDP | Cisco proprietary | Switch advertises the Voice VLAN ID in CDP messages; Cisco IP phone reads the VLAN ID and immediately begins tagging its voice frames with that VLAN | Cisco devices only |
| LLDP-MED | IEEE 802.1AB + ANSI/TIA-1057 | Switch advertises Voice VLAN, QoS policy (DSCP/CoS), and PoE power budget in LLDP-MED TLVs; phone reads these and configures itself automatically | All major vendors (Polycom, Avaya, Yealink, Cisco, etc.) |

Negotiation sequence (CDP example):

  1. IP phone connects to switch port and powers up (via PoE or adapter)
  2. Phone sends a CDP request or listens for CDP advertisements
  3. Switch sends a CDP message containing: Voice VLAN ID = 20
  4. Phone reads the VLAN ID and immediately begins sending all voice RTP frames tagged with VLAN 20 and CoS 5
  5. PC traffic passing through the phone’s built-in switch continues to flow untagged to the switch (VLAN 10)
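
An added example (not from the original page) that decodes the LLDP-MED Network Policy TLV mentioned above and compares the advertised voice VLAN, CoS and DSCP with the values the port is meant to hand out. The LLDPDU bytes are a constructed fragment, the function names are hypothetical, and the bit layout follows ANSI/TIA-1057.

```python
import struct

TIA_OUI = bytes.fromhex("0012bb")   # OUI that identifies LLDP-MED TLVs
NETWORK_POLICY = 2                  # LLDP-MED subtype: Network Policy
APP_TYPES = {1: "voice", 2: "voice-signaling"}

def parse_network_policies(lldpdu):
    """Walk the TLVs of an LLDPDU and decode every LLDP-MED Network Policy."""
    policies, pos = [], 0
    while pos + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, pos)
        tlv_type, length = header >> 9, header & 0x1FF   # 7-bit type, 9-bit length
        value = lldpdu[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated TLV at offset %d" % pos)
        pos += 2 + length
        if tlv_type == 0:            # End of LLDPDU
            break
        # Type 127 = organizationally specific; Network Policy is always 8 bytes
        if (tlv_type, length) != (127, 8) or value[:3] != TIA_OUI or value[3] != NETWORK_POLICY:
            continue
        # 24-bit policy: U(1) T(1) X(1) VLAN ID(12) L2 priority(3) DSCP(6)
        policy = int.from_bytes(value[5:8], "big")
        policies.append({
            "application": APP_TYPES.get(value[4], "type-%d" % value[4]),
            "unknown": bool(policy >> 23 & 1),
            "tagged": bool(policy >> 22 & 1),
            "vlan": policy >> 9 & 0x0FFF,
            "cos": policy >> 6 & 0x7,
            "dscp": policy & 0x3F,
        })
    return policies

def mismatches(policies, voice_vlan, cos=5, dscp=46):
    """Compare the advertised voice policy with the intended port settings."""
    voice = [p for p in policies if p["application"] == "voice"]
    if not voice:
        return ["no voice Network Policy advertised"]
    p, problems = voice[0], []
    if not p["tagged"] or p["vlan"] != voice_vlan:
        problems.append("advertised VLAN %s (tagged=%s), expected tagged %d"
                        % (p["vlan"], p["tagged"], voice_vlan))
    if (p["cos"], p["dscp"]) != (cos, dscp):
        problems.append("advertised CoS %d / DSCP %d, expected %d / %d"
                        % (p["cos"], p["dscp"], cos, dscp))
    return problems

# Constructed LLDPDU fragment (not a capture):
#   06 02 0078                 TTL TLV, 120 seconds
#   fe 08 0012bb 02 01 40296e  Network Policy: voice, tagged, VLAN 20, CoS 5, DSCP 46
#   00 00                      End of LLDPDU
SAMPLE_LLDPDU = bytes.fromhex("06020078" "fe080012bb020140296e" "0000")
```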

6. QoS and Voice Traffic Prioritisation

Separating voice into its own VLAN is only the first step. QoS markings ensure that at every queuing point in the network, voice packets are forwarded before data packets:

| QoS Mechanism | Layer | Value for Voice | Value for Data | Purpose |
|---|---|---|---|---|
| CoS (Class of Service) | Layer 2 (802.1Q tag PCP bits) | 5 | 0 (default) | Prioritises frames within the same LAN segment; value is in the 3-bit PCP field of the 802.1Q tag |
| DSCP (Differentiated Services Code Point) | Layer 3 (IP header ToS/DS field) | 46 (EF — Expedited Forwarding) | 0 (default) | End-to-end QoS; survives routing; routers and WAN devices honour DSCP 46 as the highest forwarding class |
| IP Precedence | Layer 3 (legacy ToS field) | 5 | 0 | Older QoS mechanism; superseded by DSCP; still understood by legacy devices |

QoS requirements for acceptable VoIP quality (ITU G.114): one-way delay < 150 ms, jitter < 30 ms, packet loss < 1%. Without Voice VLAN and QoS, a single large file download can cause call quality to drop from MOS 4.0 to below 3.5 (perceptibly degraded).
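
The tagging and marking fields described in sections 2 and 6, as an added Python example that is not part of the original page: it builds constructed sample frames and sorts them the way the voice port is described to, reading CoS from the 802.1Q tag and DSCP from the IP header. The MAC and IP addresses are made up, the function names are hypothetical, and the "other-tag" verdict is a label used by this sketch only.

```python
import struct

ACCESS_VLAN, VOICE_VLAN = 10, 20       # the page's example VLAN IDs
TPID_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800

def build_frame(vlan=None, pcp=0, dscp=0):
    """Build a minimal Ethernet + IPv4 header (constructed sample, not a capture)."""
    frame = bytes.fromhex("02aabbccdd01") + bytes.fromhex("02aabbccdd02")  # dst, src MAC
    if vlan is not None:
        # 802.1Q TCI: PCP (3 bits) | DEI (1 bit) | VLAN ID (12 bits)
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4 header; its second byte is the DS field: DSCP (6 bits) | ECN (2 bits)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                         bytes([10, 20, 0, 50]), bytes([10, 0, 0, 100]))
    return frame

def classify(frame, access_vlan=ACCESS_VLAN, voice_vlan=VOICE_VLAN):
    """Model how the voice port on this page sorts an incoming frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    tagged, cos, vlan, l3 = False, 0, access_vlan, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        tagged, cos, vlan, l3 = True, tci >> 13, tci & 0x0FFF, 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= l3 + 2:
        dscp = frame[l3 + 1] >> 2          # drop the two ECN bits
    if not tagged:
        kind = "data"                      # untagged: switch assigns the access VLAN
    elif vlan == voice_vlan:
        kind = "voice"                     # tag matches the voice VLAN
    else:
        kind = "other-tag"                 # tagged for a VLAN this port does not expect
    return {"kind": kind, "vlan": vlan, "tagged": tagged, "cos": cos, "dscp": dscp,
            "ef_marked": cos == 5 and dscp == 46}
```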

7. Power over Ethernet (PoE) and Voice VLAN

Most enterprise IP phone deployments combine Voice VLAN with PoE (Power over Ethernet). The switch port delivers up to 15.4 W (PoE, IEEE 802.3af) or 30 W (PoE+, IEEE 802.3at) over the Ethernet cable, eliminating the need for a mains power adapter at every desk. The same cable that carries the 802.1Q-tagged voice traffic also powers the phone.

| PoE Standard | Max Power per Port | Typical Use |
|---|---|---|
| IEEE 802.3af (PoE) | 15.4 W | Most IP desk phones, basic wireless APs |
| IEEE 802.3at (PoE+) | 30 W | Video IP phones, dual-radio APs, PTZ cameras |
| IEEE 802.3bt (PoE++) | 60–100 W | Thin clients, high-power APs, digital signage |

PoE and Voice VLAN work independently — configuring one does not automatically configure the other — but they are almost always deployed together in VoIP environments.

8. DHCP and Call Manager Integration

The voice VLAN typically has a dedicated DHCP scope that delivers phone-specific options alongside the IP address. Without these DHCP options, the phone cannot locate the call manager and will display “Configuring IP” or “No Service” indefinitely.

| DHCP Option | Purpose | Example Value |
|---|---|---|
| Option 3 | Default gateway for the voice VLAN subnet | 10.20.0.1 |
| Option 6 | DNS server IP address | 10.0.0.53 |
| Option 66 | TFTP server hostname or IP (generic; used by many vendors) | tftp.example.com |
| Option 150 | TFTP server IP address (Cisco-specific; used by Cisco IP phones to locate the CUCM/TFTP server for firmware and configuration download) | 10.0.0.100 |

Cisco IP phone boot sequence (simplified):

  1. Phone powers up via PoE; runs POST
  2. Receives Voice VLAN ID via CDP/LLDP-MED from switch
  3. Sends DHCP Discover on the Voice VLAN
  4. Receives IP address + DHCP Option 150 (TFTP server IP)
  5. Contacts TFTP server; downloads firmware image and configuration file (SEPxxxx.cnf.xml)
  6. Registers with Cisco Unified Communications Manager (CUCM)
  7. Phone is ready to make and receive calls

9. Security Considerations

A Voice VLAN that is poorly secured can be exploited: an attacker who plugs a laptop into a phone port and spoofs CDP/LLDP messages can gain access to the voice VLAN and eavesdrop on or inject VoIP calls. Apply these protections on all voice ports:

| Threat | Mitigation | IOS Command |
|---|---|---|
| VLAN hopping via DTP | Disable DTP negotiation on all user-facing ports so they cannot be talked into becoming trunk ports | switchport nonegotiate |
| Unauthorized device on voice port | Limit the number of MAC addresses allowed per port (max 2: phone + PC); use sticky MAC learning | switchport port-security maximum 2; switchport port-security mac-address sticky |
| Rogue switch connected to phone port | Enable PortFast and BPDU Guard to shut down the port immediately if STP BPDUs are received | spanning-tree portfast; spanning-tree bpduguard enable |
| Eavesdropping on voice traffic | Apply ACLs on the voice VLAN SVI to restrict which hosts can communicate with the voice VLAN; route voice VLAN traffic only to the CUCM and PSTN gateway | ip access-group <ACL> in on voice SVI |
| DHCP starvation on voice VLAN | Enable DHCP snooping on the voice VLAN to block unauthorised DHCP servers and rate-limit DHCP requests | ip dhcp snooping vlan 20 |
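
One way to check exported switch configurations against the per-port protections in this table, as an added Python example that is not part of the original page. The running-config excerpt is constructed and the function names are hypothetical; only the command spellings used on this page (plus the "portfast edge" variant) are matched.

```python
import re

# Per-port hardening commands this page lists for voice ports (sections 4 and 9).
REQUIRED = {
    r"switchport mode access": "not forced to access mode",
    r"switchport nonegotiate": "DTP still enabled",
    r"switchport port-security": "port security not enabled",
    r"spanning-tree portfast( edge)?": "PortFast missing",
    r"spanning-tree bpduguard enable": "BPDU Guard missing",
}
MAX_MACS = 2  # phone + PC

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface (\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit_voice_ports(config):
    """Return {interface: [issues]} for every port that has a voice VLAN."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(re.fullmatch(r"switchport voice vlan \d+", l) for l in lines):
            continue  # not a phone port
        issues = [msg for pattern, msg in REQUIRED.items()
                  if not any(re.fullmatch(pattern, l) for l in lines)]
        for l in lines:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", l)
            if m and int(m.group(1)) > MAX_MACS:
                issues.append(f"port-security maximum {m.group(1)} exceeds {MAX_MACS}")
        findings[name] = issues
    return findings

# Constructed running-config excerpt (not taken from a real device).
SAMPLE = """\
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 20
 switchport port-security maximum 2
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security maximum 5
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
"""
```

The bare "switchport port-security" line is checked separately from its maximum, violation and sticky options because those options alone do not turn the feature on.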

10. Multi-Vendor Considerations

| Vendor / Scenario | Discovery Protocol | Configuration Notes |
|---|---|---|
| Cisco switches + Cisco phones | CDP (primary) or LLDP-MED | switchport voice vlan <id> automatically advertises via CDP; enable LLDP globally with lldp run if non-Cisco phones are also present |
| Cisco switches + non-Cisco phones (Polycom, Avaya, Yealink) | LLDP-MED | Enable LLDP globally; LLDP-MED Network Policy TLV automatically advertises Voice VLAN, CoS, and DSCP to the phone; no manual phone configuration needed |
| Non-Cisco switches + Cisco phones | LLDP-MED or manual config | Configure LLDP-MED on the switch with the Voice VLAN and QoS policy; if LLDP-MED is unavailable, manually configure the VLAN ID on the phone via its LCD menu |
| All-non-Cisco environment | LLDP-MED | All IEEE 802.1AB-compliant switches and phones interoperate via LLDP-MED without any proprietary protocol; Voice VLAN, QoS, and PoE are negotiated automatically |

11. Troubleshooting Voice VLAN Issues

| Symptom | Probable Cause | Command to Run | What to Look For |
|---|---|---|---|
| Phone shows “No Service” or cannot register with CUCM | Wrong Voice VLAN ID; DHCP not providing Option 150; VLAN not active on switch | show interfaces switchport | Confirm “Voice VLAN” shows correct VLAN ID (e.g., 20) and “Access Mode VLAN” shows data VLAN (e.g., 10) |
| Phone does not get an IP address | DHCP scope for voice VLAN not configured; DHCP relay not set; wrong VLAN on port | show ip dhcp binding; show vlan brief | Check DHCP bindings for Voice VLAN subnet; confirm VLAN 20 is active and port is a member |
| Phone does not learn Voice VLAN automatically | CDP disabled on port; LLDP not enabled; phone model requires LLDP-MED | show cdp neighbors detail; show lldp neighbors detail | Confirm CDP or LLDP sees the phone; verify Voice VLAN ID is being advertised |
| Poor voice quality (choppy audio, echo, drops) | QoS trust not configured; CoS/DSCP markings ignored; insufficient bandwidth | show mls qos interface Fa0/5; show interfaces counters | Confirm CoS trust is set; check for input/output drops; verify interface is not saturated |
| PC cannot reach network after phone added | Access VLAN not configured; port security triggering on PC MAC | show interfaces switchport; show port-security interface Fa0/5 | Confirm access VLAN is set; check port-security maximum (should be at least 2) |
| Port security violation shutting down port | More MACs than allowed (phone + PC + another device); sticky MAC address mismatch after phone swap | show port-security interface Fa0/5 | Check last violation MAC; clear sticky MACs with clear port-security sticky if phone was replaced |

Key Verification Commands

! Confirm voice VLAN and access VLAN are correctly assigned
Switch# show interfaces FastEthernet0/5 switchport

! Check which VLANs are active and which ports belong to each
Switch# show vlan brief

! Verify CDP sees the IP phone and is advertising the correct Voice VLAN
Switch# show cdp neighbors detail

! Verify LLDP-MED is advertising the Voice VLAN to non-Cisco phones
Switch# show lldp neighbors detail

! Check port security status and violation counters
Switch# show port-security interface FastEthernet0/5

! Verify PoE is delivering power to the phone
Switch# show power inline FastEthernet0/5

! Confirm QoS trust settings
Switch# show mls qos interface FastEthernet0/5
            

12. Complete Configuration Example – Office Desk Port

Scenario: A Cisco IP phone on FastEthernet0/5 with a PC plugged into the phone’s PC port. Data VLAN 100, Voice VLAN 200.

! Create VLANs
Switch(config)# vlan 100
Switch(config-vlan)# name DATA
Switch(config-vlan)# exit
Switch(config)# vlan 200
Switch(config-vlan)# name VOICE
Switch(config-vlan)# exit

! Enable QoS globally so the port trust setting below takes effect
Switch(config)# mls qos

! Configure the phone port
Switch(config)# interface FastEthernet0/5
Switch(config-if)# description IP-Phone-Desk-A01
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100       ! PC untagged → VLAN 100
Switch(config-if)# switchport voice vlan 200        ! Phone tagged → VLAN 200
Switch(config-if)# spanning-tree portfast           ! Fast port bring-up
Switch(config-if)# spanning-tree bpduguard enable   ! Block rogue switches
Switch(config-if)# mls qos trust cos                ! Trust phone CoS markings
Switch(config-if)# switchport port-security         ! Enable port security (the settings below are inactive without it)
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport nonegotiate           ! Disable DTP
Switch(config-if)# no shutdown

Expected result:

  • PC traffic: VLAN 100, untagged, no QoS marking
  • Phone voice traffic: VLAN 200, 802.1Q tagged, CoS 5 / DSCP 46
  • Phone powered by PoE (if switch supports it)
  • Phone learns VLAN 200 automatically via CDP
  • Port secured: maximum 2 MACs; violations restricted (violating frames are dropped and logged; the port is not shut down)

13. Summary Reference Table

| Aspect | Voice VLAN Behaviour |
|---|---|
| Data traffic | Untagged; switch assigns to access VLAN (e.g., VLAN 10) |
| Voice traffic | 802.1Q tagged with Voice VLAN ID (e.g., VLAN 20) |
| QoS marking | CoS 5 (Layer 2) / DSCP 46 / EF (Layer 3 — Expedited Forwarding) |
| VLAN negotiation | CDP (Cisco) or LLDP-MED (multi-vendor) — phone learns VLAN ID automatically |
| Power delivery | PoE (802.3af — 15.4 W) or PoE+ (802.3at — 30 W) over the same cable |
| DHCP | Dedicated voice VLAN DHCP scope; Option 150 provides TFTP server IP for Cisco phones |
| Key IOS command | switchport voice vlan <vlan-id> |
| Security | Port security (max 2 MACs), disable DTP (switchport nonegotiate), BPDU Guard, DHCP snooping, ACLs on voice SVI |
| Primary troubleshooting | show interfaces switchport, show cdp neighbors detail, show vlan brief, show power inline |

14. Key Points & CCNA Exam Tips

  • A Voice VLAN allows a single switch port to carry both untagged PC data (access VLAN) and 802.1Q-tagged IP phone voice (voice VLAN) simultaneously
  • The Cisco IOS command is switchport voice vlan <vlan-id> — applied in addition to switchport access vlan <vlan-id>
  • Cisco IP phones learn the voice VLAN ID automatically via CDP; non-Cisco phones use LLDP-MED
  • Voice QoS markings: CoS 5 (Layer 2, 802.1Q PCP bits) and DSCP 46 / EF (Layer 3, IP header DS field — Expedited Forwarding)
  • Configure mls qos trust cos on the port to honour the CoS markings the phone sets; without this the switch ignores them
  • DHCP Option 150 provides the TFTP server IP to Cisco IP phones so they can download firmware and register with CUCM
  • PoE (802.3af = 15.4 W; 802.3at = 30 W) powers IP phones over the Ethernet cable — no separate power adapter needed
  • Use switchport port-security maximum 2 on voice ports — one MAC for the phone, one for the PC
  • Disable DTP with switchport nonegotiate to prevent VLAN hopping attacks on voice ports
  • Key verification commands: show interfaces switchport (confirms voice VLAN and access VLAN IDs), show cdp neighbors detail (confirms phone sees VLAN), show power inline (confirms PoE)
  • The port behaves like a multi-VLAN access port — not a trunk — even though it carries two VLANs; this is a common exam distractor

Voice VLAN Quiz

1. What is the main purpose of a Voice VLAN?

Correct answer is C. A Voice VLAN isolates IP phone traffic into a dedicated VLAN on the same physical port as the PC. This enables the switch to apply QoS (CoS 5 / DSCP 46) to voice frames, improving call quality by reducing jitter and delay, while also providing security segmentation between voice and data devices.

2. How does a Voice VLAN handle data and voice traffic on the same physical port?

Correct answer is A. The PC connected through the phone sends untagged frames; the switch assigns these to the access VLAN (e.g., VLAN 10). The IP phone sends its own voice frames tagged with an 802.1Q VLAN ID (e.g., VLAN 20). The switch port processes both simultaneously, making it a multi-VLAN access port even though the switchport mode is set to access.

3. Which protocols do Cisco IP phones use to learn the voice VLAN ID from the switch?

Correct answer is D. Cisco IP phones learn the Voice VLAN ID automatically: on Cisco switches, CDP advertises it and the phone reads it and begins tagging voice frames immediately. In multi-vendor environments, LLDP-MED (an extension to IEEE 802.1AB) performs the same function — the switch’s LLDP-MED Network Policy TLV carries the Voice VLAN ID, CoS, and DSCP values to any compliant IP phone.

4. Which QoS markings are used to prioritise voice traffic in a Voice VLAN?

Correct answer is B. Voice RTP packets are marked with CoS 5 in the 802.1Q tag’s 3-bit PCP field (Layer 2) and DSCP 46 (Expedited Forwarding) in the IP header’s DS field (Layer 3). These markings tell every switch and router in the path to forward voice packets before data packets, keeping one-way delay under 150 ms and jitter under 30 ms as required by ITU G.114.

5. How does PoE relate to Voice VLAN deployments?

Correct answer is C. PoE (IEEE 802.3af — 15.4 W, or 802.3at PoE+ — 30 W) delivers electrical power over the Ethernet cable to the IP phone. This means only a single cable is needed at each desk: the same cable carries both the 802.1Q-tagged voice traffic and the power to run the phone. PoE and Voice VLAN are configured independently but are almost always deployed together.

6. Which DHCP option provides Cisco IP phones with the TFTP server address for firmware and CUCM registration?

Correct answer is A. DHCP Option 150 is a Cisco-specific extension that delivers the TFTP server IP address to Cisco IP phones. The phone uses this address to download its firmware, dial plan, and configuration file, and then registers with Cisco Unified Communications Manager (CUCM). Option 66 (TFTP server name) is the generic equivalent used by other vendors.

7. What does a switch do when it receives an untagged frame on a port configured with both an access VLAN and a voice VLAN?

Correct answer is D. On a port configured with both switchport access vlan and switchport voice vlan, untagged frames — which come from the PC connected through the phone — are assigned to the access VLAN. Only frames arriving with the correct 802.1Q tag (the Voice VLAN ID) are treated as voice traffic.

8. Which security measure best prevents unauthorised devices from accessing the voice VLAN on a phone port?

Correct answer is C. Port security with switchport port-security maximum 2 limits the port to the phone MAC and the PC MAC. A third device (e.g., an attacker’s laptop) triggers a security violation. Adding switchport nonegotiate (disables DTP) and spanning-tree bpduguard enable completes the hardening. Enabling DTP (option D) is a vulnerability, not a protection.

9. Which command best shows whether the voice VLAN is correctly configured on a Cisco switch port?

Correct answer is B. show interfaces switchport (or show interfaces FastEthernet0/5 switchport) displays the “Access Mode VLAN” (data VLAN) and the “Voice VLAN” field for the port. This is the definitive command to confirm both VLANs are correctly set. show vlan brief shows which ports belong to which VLAN but does not show voice VLAN assignments.

10. In a voice VLAN configuration, which traffic type is 802.1Q tagged?

Correct answer is A. Only voice traffic from the IP phone is 802.1Q tagged (with the Voice VLAN ID, e.g., VLAN 20). The PC’s data traffic passes through the phone’s built-in switch port and arrives at the switch untagged, where the switch assigns it to the access VLAN (e.g., VLAN 10). This asymmetric tagging is the defining characteristic of a voice VLAN port.
