Most office deployments connect an IP phone and a PC through the same wall jack. The phone has a built-in switch — the PC plugs into the back of the phone, and the phone plugs into the wall port. Without voice VLANs, both the phone and the PC land in the same VLAN, sharing the same broadcast domain and competing for the same bandwidth. Voice calls degrade instantly when a large file transfer or backup saturates the link.
Cisco's voice VLAN feature solves this by letting a single access port operate in two VLANs simultaneously: the data VLAN for the PC and the voice VLAN for the phone. The switch tells the phone (via CDP or LLDP) which VLAN to tag its traffic with, and QoS policies ensure voice packets get priority treatment through the network.
How Voice VLANs Work
A port configured with a voice VLAN behaves differently from a standard access port:
The PC sends untagged frames. The switch places these into the access (data) VLAN — VLAN 10 in the PingLabz Switching Lab.
The IP phone receives a CDP or LLDP message from the switch telling it to use VLAN 40 for voice traffic. The phone tags its own frames with an 802.1Q tag for VLAN 40 and a CoS value of 5 (by default). These tagged frames coexist on the same physical link as the PC's untagged frames.
From the switch's perspective, the port is simultaneously an access port for VLAN 10 and a mini-trunk carrying tagged VLAN 40 traffic. The MAC address table will show the phone's MAC in VLAN 40 and the PC's MAC in VLAN 10, both on the same physical port.
[DIAGRAM: Single wall jack to IP phone (with PC plugged into phone's pass-through port). The link from phone to switch carries both untagged VLAN 10 (data) and tagged VLAN 40 (voice) frames. Show the 802.1Q tag with CoS 5 on voice frames.]
Configuring Voice VLANs in the PingLabz Switching Lab
Voice VLAN 40 (10.10.40.0/24) is already created in the lab. IP phones connect to ACC-SW1 ports Gi1/0/1 through Gi1/0/12 alongside user PCs.
Step 1: Assign Data and Voice VLANs to Access Ports
ACC-SW1(config)# interface range GigabitEthernet1/0/1-12
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 10
ACC-SW1(config-if-range)# switchport voice vlan 40
ACC-SW1(config-if-range)# no shutdown
ACC-SW1(config-if-range)# exit
The switchport voice vlan 40 command tells the switch to:
- Send a CDP (or LLDP) message to the phone informing it to tag voice traffic with VLAN 40.
- Accept 802.1Q-tagged frames for VLAN 40 on this access port.
- Place untagged frames (from the PC) in VLAN 10 as usual.
The port is still technically an access port for VLAN 10 — it shows as access in show interfaces switchport. The voice VLAN is an overlay handled by CDP negotiation.
Step 2: Enable CDP (Usually Already On)
CDP is enabled globally by default on Catalyst switches. The phone relies on CDP to discover the voice VLAN. Verify it is not disabled:
ACC-SW1(config)# cdp run
ACC-SW1(config)# interface range GigabitEthernet1/0/1-12
ACC-SW1(config-if-range)# cdp enable
ACC-SW1(config-if-range)# exit
If your environment uses LLDP instead of CDP (common in multi-vendor environments), enable it:
ACC-SW1(config)# lldp run
LLDP uses the LLDP-MED extension to advertise the voice VLAN to phones that support it.
Step 3: Configure QoS Trust for Voice
By default, Catalyst 9000 switches trust CoS and DSCP markings on all ports. But to ensure voice traffic gets proper priority, verify the trust boundary and optionally configure auto QoS:
ACC-SW1(config)# interface range GigabitEthernet1/0/1-12
ACC-SW1(config-if-range)# auto qos voip cisco-phone
ACC-SW1(config-if-range)# exit
The auto qos voip cisco-phone command automatically:
- Trusts CoS markings from a Cisco IP phone (detected via CDP)
- Creates class maps and policy maps that prioritize voice traffic (DSCP EF / CoS 5)
- Applies ingress and egress service policies
- Sets the trust boundary at the phone — the PC behind the phone cannot inject high-priority markings
Without auto QoS, voice frames may get the same treatment as data frames, leading to jitter and dropped calls during congestion.
Step 4: Verify the Voice VLAN SVI on CORE-SW1
Ensure the gateway for VLAN 40 exists on CORE-SW1:
CORE-SW1(config)# interface Vlan40
CORE-SW1(config-if)# ip address 10.10.40.1 255.255.255.0
CORE-SW1(config-if)# ip helper-address 10.10.20.10
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
The ip helper-address is critical — IP phones typically use DHCP to get their IP address, TFTP server location, and call manager settings. Without the relay, DHCP discovers from VLAN 40 never reach the DHCP server in VLAN 20.
Verification
show interfaces switchport
ACC-SW1# show interfaces GigabitEthernet1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 40 (Voice)
Administrative private-vlan host-association: none
...
Appliance trust: none
The Voice VLAN: 40 line confirms the voice VLAN is configured. The port mode remains static access for VLAN 10.
show mac address-table interface
ACC-SW1# show mac address-table interface GigabitEthernet1/0/1
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0050.7966.6800 DYNAMIC Gi1/0/1
40 0023.04ee.be01 DYNAMIC Gi1/0/1
Total Mac Addresses for this criterion: 2
Two MAC addresses on the same port — the PC in VLAN 10 and the IP phone in VLAN 40. This confirms the voice VLAN is operational and the phone is tagging correctly.
show cdp neighbors
ACC-SW1# show cdp neighbors GigabitEthernet1/0/1 detail
-------------------------
Device ID: SEP002304EEBE01
Entry address(es):
IP address: 10.10.40.11
Platform: Cisco IP Phone 8845, Capabilities: Host Phone
Interface: GigabitEthernet1/0/1, Port ID (outgoing port): Port 1
Version:
sip8845.12-7-1-0001-394
VoIP VLAN ID: 40
...
CDP confirms the phone's device ID (SEP + MAC), IP address in VLAN 40, and the voice VLAN ID it is using.
show auto qos
ACC-SW1# show auto qos interface GigabitEthernet1/0/1
GigabitEthernet1/0/1
auto qos voip cisco-phone
QoS Trust: trust device cisco-phone
QoS Trust device: Cisco different phone
Interface class-default policy:
police rate 10000000 bps
...
This confirms auto QoS is active and trusting CoS markings only from detected Cisco phones.
Voice VLAN Options
The switchport voice vlan command supports several modes beyond a specific VLAN ID:
| Command | Behavior |
|---|---|
switchport voice vlan 40 |
Phone tags with VLAN 40 (most common) |
switchport voice vlan dot1p |
Phone tags with VLAN 0 (uses 802.1p priority tagging only, no VLAN separation) |
switchport voice vlan untagged |
Phone sends untagged frames (same VLAN as data — defeats the purpose) |
switchport voice vlan none |
Disables voice VLAN; phone falls back to its own configuration |
For almost all production deployments, use a specific VLAN ID. The dot1p and untagged options exist for edge cases and legacy phone compatibility.
Trunking the Voice VLAN
The voice VLAN must be included in the trunk allowed list on all switch-to-switch links. If VLAN 40 is pruned from a trunk between ACC-SW1 and DIST-SW1, voice traffic from the phones will be dropped at the trunk boundary:
ACC-SW1# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/23 on 802.1q trunking 99
Gi1/0/24 on 802.1q trunking 99
Port Vlans allowed on trunk
Gi1/0/23 10,20,30,40,50,99
Gi1/0/24 10,20,30,40,50,99
Port Vlans allowed and active in management domain
Gi1/0/23 10,20,30,40,50,99
Gi1/0/24 10,20,30,40,50,99
VLAN 40 is in the allowed and active list — voice traffic will traverse the trunks.
Troubleshooting
Symptom: IP phone does not get an IP address in VLAN 40. Cause: CDP is disabled on the port or globally, so the phone never learns the voice VLAN ID. It falls back to the access VLAN or its last-known VLAN. Fix: Verify CDP: show cdp interface Gi1/0/1. If disabled, enable with cdp enable on the interface and cdp run globally. Check show cdp neighbors to confirm the phone is detected.
Symptom: Phone registers but voice quality is poor (choppy audio, one-way audio). Cause: QoS is not configured, so voice packets compete with data traffic. Alternatively, auto QoS was applied but the phone is not Cisco (so trust is not granted). Fix: Verify show auto qos interface. If using non-Cisco phones, use auto qos voip trust instead of auto qos voip cisco-phone to trust all CoS markings on the port regardless of CDP device detection.
Symptom: Phone shows voice VLAN but PC behind the phone has no connectivity. Cause: The access VLAN (VLAN 10) is not assigned to the port, or the VLAN does not exist on the switch. The phone works (VLAN 40 via tagging) but the PC's untagged frames land in a nonexistent or wrong VLAN. Fix: Verify show interfaces switchport to confirm the access VLAN is correct. Run show vlan brief to confirm the VLAN exists. If the VLAN was deleted, ports assigned to it go inactive.
Symptom: show mac address-table shows the phone's MAC in VLAN 10 instead of VLAN 40. Cause: The phone is not tagging its frames — likely because it did not receive the voice VLAN via CDP/LLDP. This happens if CDP is disabled or if the phone does not support CDP and LLDP is not enabled. Fix: Enable LLDP (lldp run) for multi-vendor phone environments. Verify the phone's configuration — some phones have static VLAN settings that override CDP.
Key Takeaways
- Voice VLANs allow a single access port to carry data traffic (untagged, in the access VLAN) and voice traffic (tagged, in the voice VLAN) simultaneously.
- The switch uses CDP or LLDP to tell the IP phone which VLAN to tag with. Without CDP/LLDP, the phone cannot discover the voice VLAN.
- Use
auto qos voip cisco-phoneto automatically trust CoS markings from Cisco phones and apply priority queuing for voice traffic. - The voice VLAN must be carried across all trunk links in the path — if it is pruned from a trunk, voice traffic is silently dropped.
- Verify with
show mac address-table— you should see two MACs on the port: one in the data VLAN (PC) and one in the voice VLAN (phone).
Next: Private VLANs on Cisco Catalyst Switches covers micro-segmentation within a single subnet for DMZ and shared-hosting environments.