Config Lab: Data and Voice VLANs 1
Creating a VLAN is simple: just configure the vlan number command. However, even in a small network with four switches, like the one used in this next lab, a VLAN config lab can give you a few things to think about beyond just creating the VLAN. This next lab asks you to configure a couple of VLANs, one for data, and one for IP phones (a voice VLAN). As usual, if you’ve already seen the commands, this exercise should take you 5-10 minutes on paper. Enjoy!
The Lab Exercise
Requirements
The network uses four layer 2 switches: two distribution switches and two access switches. The access switch ports connect to two devices in succession in a typical user cubicle: first to an IP phone and then to a desktop computer. Your job is to configure the two VLANs (a data VLAN and a voice VLAN), placing all phones in the voice VLAN and all PCs in the data VLAN. And you need to make the VLANs work so that they can send and receive traffic off-site through the WAN router shown at the top of the figure.
The specific rules for this lab are:
- Assign the PCs in the figure to use VLAN 10 as their data VLAN.
- Assign the IP Phones in the figure to use VLAN 20 as their voice VLAN.
- Configure VLANs correctly so that traffic in both VLAN 10 and 20 can flow through all four switches and up to the router (which acts as their default gateway.)
- Assumptions:
- All device interfaces shown in the lab are up and working.
- VLAN trunking is working between the switches.
- VTP is in transparent mode or off.
- All four switches are acting as layer 2 switches and not as layer 3 switches.
- The WAN router is already configured for router-on-a-stick (see the initial configuration.)
Â
Figure 1: Basic Switched IP Phone Topology
Initial Configuration
Examples 1, 2, 3, and 4 show the beginning configuration state of Dist1, Dist2, Access1, and Access2.
hostname Dist1
!
vtp mode transparent
!
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/4
switchport trunk encapsulation dot1q
switchport mode trunk
Example 1: Dist1 Config
hostname Dist2
!
vtp mode transparent
!
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/4
switchport trunk encapsulation dot1q
switchport mode trunk
Example 2: Dist2 Config
hostname Access1
!
vtp mode transparent
!
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
Example 3: Access1 Config
hostname Access2
!
vtp mode transparent
!
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
Example 4: Access2 Config
hostname WAN
!
interface gigabitEthernet0/1
no shutdown
!
interface GigabitEthernet0/1.10
encapsulation dot1q 10
ip address 10.1.1.99 255.255.255.0
!
interface GigabitEthernet0/1.20
encapsulation dot1q 20
ip address 10.1.20.99 255.255.255.0Example 5: (Relevant) WAN Router Config
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
This table lists the interfaces used in the lab exercise documentation that differ from those used in the sample CML file.
| Device | Lab Port | Â CML Port |
| Dist1 | G1/1/1 | G0/1 |
| Dist1 | G1/1/2 | G0/2 |
| Dist1 | G1/1/3 | G0/3 |
| Dist1 | G1/1/4 | G1/0 |
| Dist2 | G1/1/1 | G0/1 |
| Dist2 | G1/1/2 | G0/2 |
| Dist2 | G1/1/3 | G0/3 |
| Access1 | G1/1/1 | G0/1 |
| Access1 | G1/1/2 | G0/2 |
| Access1 | G1/1/3 | G0/3 |
| Access1 | G1/1/4 | G1/0 |
| Access2 | G1/1/1 | G0/1 |
| Access2 | G1/1/2 | G0/2 |
| Access2 | G1/1/3 | G0/3 |
| Access2 | G1/1/4 | G1/0 |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Answers
Figure 1: Basic Switched IP Phone Topology
vlan 10
!
vlan 20
Example 1: Dist1 Config
vlan 10
!
vlan 20
Example 2: Dist2 Config
vlan 10
!
vlan 20
!
interface GigabitEthernet1/1/3
switchport access vlan 10
switchport voice vlan 20
!
interface GigabitEthernet1/1/4
switchport access vlan 10
switchport voice vlan 20
Example 3: Access1 Config
vlan 10
!
vlan 20
!
interface GigabitEthernet1/1/3
switchport access vlan 10
switchport voice vlan 20
!
interface GigabitEthernet1/1/4
switchport access vlan 10
switchport voice vlan 20Example 4: Access2 Config
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Commentary
Most LAN designs which include IP phones and other endpoint devices, use both a data and a voice VLAN on a single switch port. The switch access port acts as a trunk and tags voice traffic with an 802.1q tag when configured in this way. The IP phone connected in line with the PC will strip the 802.1Q tag off any frames destined to the attached PC and pass the frames along to the PC.
This lab tasks you to create two new VLANs, 10 and 20, and assign all PCs into VLAN 10 and all IP phones into VLAN 20. But you also need to add those VLANs to the two distribution switches, because otherwise those distribution switches will not know of the existence of VLANs 10 and 20 and will not forward frames in those VLANs.
To create a VLAN, use the vlan vlan command in global configuration mode. Because all switches use VTP transparent mode, all four switches need this command to create each VLAN. Note that all four switches list both the vlan 10 command and the vlan 20 commands.
Switch Access1’s G1/1/3 and G1/1/4 interfaces connect to PC1 and PC2 and their respective IP phones. To configure PC1 and PC2’s data VLAN use the switchport access vlan 10 command. To configure the voice VLAN to be used by the IP phones, use the switchport voice vlan 20 command. Similarly, switch Access2’s G1/1/3 and G1/1/4 interfaces connect to PC3 and PC4 and their respective IP phones, and so Access2’s ports use the same two commands to assign the data and voice VLANs.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
| # | Summary | Detail |
| 1 | Phones testing requires more work. | The lab asks you to configure the voice and data VLANs. However, to make the phones work in Packet Tracer, you need to configure Call Manager Express along with a DHCP server. See this sample answer for this lab, and look for the DHCP server config in the WAN router and the CME config in the CME router. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.Â
Use the show interfaces interface switchport command on the access switches for the interfaces connected to the PCs and IP Phones. This command’s output will list the configured data and voice VLAN.
why you put pc 3 and pc 4,in the vlan 20 subnet in packet tracer file?
Hi Saheb,
It was a mistake. I fixed the .pkt file. Thanks for letting me know about the error!
Wendell
Great exercise! I was playing around with packet tracer and I have a couple of questions about VLAN management in general, if I may ask. What is the difference between using the following commands to create and bring up or shutdown a VLAN?
SW1(config)# vlan 10
SW1(config)# interface vlan 10
Also, I noticed that packet tracer doesn’t appear to have the shutdown function for VLANs in either interface config mode or global config mode. In real equiptment, which modes is the command typically available in?
Thank you for your help!
Hey Bayron,
Trying to catchup on the blog today…
1) vlan 10 creates the vlan in the switch. A VLAN is a layer 2 concept, a broadcast domain. “interface vlan 10” is a layer 3 interface on which you can configure an IP address. It’s the switch’s IP interface connected to VLAN 10.
2) You know, my old brain doesn’t index Packet Tracer oddities like that! 🙂 That’s why I put them in the blog posts as they come up. The only one I know that works is the age old interface mode. EG, you can shut/no shut routing protocols on real gear, and I think PT doesn’t support those either.
Hello, Certskills
Great config lab,but I had two questions.What is the default gateway of the router? Why is int g1/1/1 of Dist1 blocking and int g1/1/1 of Access1 is blocking.
Hi Courtney,
1) Routers don’t use a default gateway. Instead, they have routing tables, filled with routes to connected subnets plus routes learned with routing protocols. Feel free to say more about what you’re looking for.
2) As for STP in this lab, I believe we ignored any STP settings for this lab. So, the STP topology landed whereever it would depending on which switch became root based on their default settings. Looks like Access1 becomes root in this case, so it will not block.
Hi.
I have one doubt on this lab. In the Lab Answers you only show 2 lines per interface:
switchport access vlan 10
switchport voice vlan 20
but in your ccna 200-301 book chapter 8, section “Data and Voice VLAN Concepts” you mention a third command in the “Config. Checklist”: “switchport mode access”.
So, what’s the difference in this scenario if we type or miss this third command?
Thanks in advance.
Hi Vicente,
Great question.
So, a port can be an access port (which means “not a trunk”) or a trunk port.
Then Cisco made a port that has a phone on it be a sort-of-trunk, but really an access port. Causing more than a little confusion.
So, taking a step back from that context, ignore the fact that there’s a phone there for now.
– The switchport mode command has a default on each switch, often “switchport mode dynamic auto” on access switches.
– That means the port is willing to negotiate trunking with the device on the other end of the cable.
– If trunking is not negotiated, the port operates as an access port.
Now, think about the phone again. While it does some trunking behavior, it does not negotiate trunking with the switch. So the switch port operates as an access port. So including the “Switchport mode access” command, or not, has no effect.
The book shows “switchport mode access”, I think, to emphasize that the port operates as an access port.
In real life, I’d probably also configure “switchport mode access” if I was building a standard config.
Sorry for the long answer, hope it’s helpful.
Regards,
Wendell
Dear Wendell,
you’re great. understood. thank you
I had a little confusion about this as well but your clarification wiped the dirt off the table. That was awesome. Thanks sir.
Should we be able to ping both router subinterfaces in this lab? I believe we need an IP on the data or voice vlan on both Access 1 and Access 2 in order to ping correct?
Gabriel,
You should be able to connect to the command prompt on all four PCs and ping the IP address of both ROAS interfaces on the routers and ping the other PCs as well. The access switches serve as only layer 2 switches and do not need any IP addresses to support IP traffic between the endpoint hosts and the router.
Wendell
I went back and re-reviewed this lab and found my issue after I missed it the second time. The distribution switches were missing the layer 2 vlan 10 and vlan 20 commands. I was able to ping from any PC after adding those 2 commands.
Hi,
is it ok that I cannot see interface Gig1/1/3 two times in “show vlan brief” per vlan, as it supossed to assign this port to two differents vlans.
I excpected to see Gig 1/1/3 in both vlan
#show
10 dataVlan active Gig1/1/3
20 voice active
but I only see it in vlan 10 .
I expected to see Gig 1/1/3 in both vlan 10 and 20 .
Hi Luis,
The short answer is yes, it’s ok and expected. That command lists the ports organized by access vlan (configured with switchport access vlan x). The show vlan brief command does not list ports per their voice VLAN assignments.
Hi, Out of the two IP addresses of the WAN router, one is, 10.1.1.99, the other is 10.1.20.99. Are they OK? It is because usually some kind of symmetry is visible in these addresses.
Hi Punya,
Yep, they’re ok. There’s no requirement that the IP addresses follow any easy-to-correlate numbering plan. I do that when I create examples in part for readers and in part to avoid confusing myself!! But there’s nothing implied by the choice of numbers here. They follow the rules of assigning IP addresses, so it’s fine.
Dear Wendell
You are great, your response for my query, indeed boosts my confidence. Tks v much.
I use the the ccna portable command book and I must say its way more confusing than whats in the ccna cert guide specially if you look at configuring the data and voice vlan, I had a strong idea on how to complete the lab but I missed it on the configuring the Distribion layers but I went back to finish it off silly me. I also created VLANs and named them 10 was data and 20 was voice I feel that was unnecessary now. any tips on improving and walking towards being a network engineer
Hi Abraham,
Thanks for the post!
The main bit of advice I’ll steal from others… we tend to overestimate how much we can accomplish in the short term, but underestimate what we can accomplish in the long term. So make good study habits, learn something every day, and you’ll be better at learning – which is important in networking and most any IT job.
In packet tracer it seems like Dist1,Dist2,Access1,Access1 is not configured as described in inital configuration on interfaces
interface GigabitEthernet1/1/1
switchport mode trunk
!
interface GigabitEthernet1/1/2
switchport mode trunk
..
switchport trunk encapsulation dot1q
..
When trying to adjust to Intial configuration, I get
Access2(config-if)#switchport trunk encapsulation dot1q
^
% Invalid input detected at ‘^’ marker.
That should work in packet tracer ?
Regards
Stig
Encapsulation dotq1 is activated by default on these switches, if u run the command show interfaces gigabitEthernet 1/1/3 switchport you should read:
Name: Gig1/1/3
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
You can also use the command show interfaces trunk and you should see:
Port Mode Encapsulation Status Native vlan
Gig1/1/1 on 802.1q trunking 1
Gig1/1/2 on 802.1q trunking 1
Gig1/1/4 on 802.1q trunking 1
High. Although I have configured the switches exactly as shown,(or so
i believe) the switches are not trunking. From PC1 I can ping PC2, and from PC3 I can ping PC4, but I am not able to ping PC3 from PC1 and I am not able to ping the default gatewAY…
Hi Dimitris,
Sorry for the delay in replying. If you’re still interested, feel free to list your config here. I opened the lab and configured as shown, and all PCs can ping. I’m using CPT Version 8.2.2.
thank you very much for your response. I solved it by just shuting down the interfaces and the switching them on. Thanks again!
Why did you opt to not setup truncking on four interfaces in the example? Is it because we would have to change the mode on the interface?
Which four interfaces? The interfaces that need to trunk – the links between switches – are preconfigured to trunk. I’m a confused as to which interfaces you’re referencing.
Hello Mr. Wendell!
Thank you for the practice labs. For people like me who are more of a “hands on” learner, these are gold. When I did my configuration on the access switches, I created vlan 10 and vlan 20 dynamically from the interface subcommands. I noticed that on the answers, vlan 10 and vlan 20 were created manually from the global config on the same switches. Does this make a difference and/or will impact anything?
Thanks!
Hi Mizael,
You’re welcome.
The short answer: It makes no difference. By the way, if you use the interface subcommand (switchport access vlan x), and the switch automatically creates VLAN x for you, it adds the global command “vlan x“. So the answer section that shows the vlan 10 and vlan 20 commands is accurate vs. what you’ll see in the output of show running-config.
Thank you for the reply and for clarifying!
Sure thing, Mizael!
Hello Mr. Odom,
thanks for your great teaching efforts! I have a question about this lab: as you wrote in a answer to an earlier question, the PCs should be able to ping both interfaces of the router. That works in my packet tracer setup, so it seems to be alright. But usually it should not be possible to ping from vlan 10 to vlan 20? Is this a special behaviour caused by the phones acting as a pseudo trunk for the PCs?
Kind regards,
Johannes
Hi Johannes,
You’re welcome!!
The reason the PC1 ping to 10.1.20.99 works doesn’t have anything to do with the pseudotrunks to the phone. Instead, it’s about the fact that the WAN router is preconfigured with IP addresses in two subnets, so it’s ready to route between those subnets.
The logic in that case:
PC1 pings R1’s other address (10.1.20.99)
PC1 sends packet to its default router (10.1.1.99)
The address exists on that router – no need to forward
R1 replies.
Now, had PC1 pinged a host in subnet 10.1.20.0/24, the ping would still have worked. You could add that to the design: Add a PC, give it an address like 10.1.20.11, default route 10.1.20.99 (WAN router’s address in that subnet) and pings between the preexisting PCs and that new one should work.
Hi Wendell,
thanks for your explanation, which is perfectly understandable. As I am a newby, I thought that getting from one vlan to the other is a bad security issue. But in this labs real-life example, the vlans are not about security, but making the management of the phone/PC setup easier?
Kind regards,
Johannes
Hi Johannes,
Sorry, I thought my reply, but didn’t type it! So here it is…
Yes.
Longer answer:
There are many factors that factor into choosing to use VLANs and how to use them. In this case, managing the phones is easier. But related to that is the application of some services can be applied per VLAN, or per subnet (thinking of VLAN and subnet as different ideas but the same set of interfaces.) EG, QoS or ACLs could be applied differently on those VLANs/Subnets.
Thanks for also including the sample answer lab with the CME stuff, that was pretty neat. I noticed only 2 of the 4 ephones were showing up on the CME router. CDP was not enabled on Access2, so phones 3 and 4 didnt make it into the voice vlan and their MACs were not in the CAM table. Once CDP was started, the ephones were auto created in CME and I just specified type as 7960 and assigned them a DN and they registered 🙂
Hey Jeff,
Glad it was helpful! When I get a minute, maybe I’ll go fix the file and repost. I’m sure that missing bit was just something I missed when I threw it together back years ago. It is cool to see, though! 🙂