Difference between trunk and access/voice port

Question

Is there a difference between the following two configurations on a cisco device?

int g0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 20

and

int g0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20

Environment:

Cisco Port ---> IP Phone ---> Client Computer

Which configuration do I have to use and why? If there is no difference, which method is the preferred one?

Thanks in advance koron54

The former is "automatic" (with cisco phones), the later requires manual setup. — Ricky, Feb 13 '15 at 00:45
Also 'spanning-tree portfast' applies to the first config, to support portfast/edge ports on a trunk you need to use the not-so-well-known 'spanning-tree portfast trunk' command. And the global spanning-tree portfast configuration supports access ports with voice vlan, but not trunked interfaces. — cpt_fink, Feb 17 '15 at 07:59

score 2 · Answer 1 · answered Feb 12 '15 at 13:39

The voice VLAN feature is supported only on access ports. Voice VLAN permits the switch to accept tagged traffic on an access (normally untagged) link. CDP is used to negotiate the voice VLAN between the phone and the network switch (the switch signals the phone; this voice VLAN is a separate TLV in the CDP standard).

The integrated switch on the back of the phone transmits the "data" packets (the port connected to the PC) as "native VLAN" (e.g. untagged packets, the access VLAN). The voice packets are transmitted tagged, and the tag is read by the access switch and put in the correct VLAN.

On a trunk port, the phone should detect the trunk and both access and voice VLAN packets should be tagged.

The template for Cisco phone configurations in some Cisco switches is to configure the port as an access port. Configuring the port as a trunk port may be dangerous without the appropriate security features; allowed VLAN is only part of an effective switchport security strategy. Sticky MAC addresses might be a good next step.

CDP can be used in full cisco environment, but in mixed networks (with non-Cisco phones) we can use LLDP. — pyatka, Feb 17 '15 at 15:10

HAL · Answer 2 · 2015-02-17T14:17:44.843

0

int g0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 20

The above is the preferred configuration for VoiP phones connected to a client computer. Trunking was apparently the configuration used for older VoIP equipment. When configured as an access port, you can apply QOS to the vlan, prevent loops with STP, and lock down the PC/VOiP phone with port security.

FYI, for PC/VoiP phones, you'll need to enable switchport port security max 2 to allow for 2 macs on the access port.

This link specifically shows the access port configuration.

As for the difference between Trunks and Access ports, a trunk does add dot1q or ISL tags directly to frames and can exist on all or multiple vlans. While an access port only passes traffic from a set vlan but does not modify the frame with a vlan tag.

edited Feb 17 '15 at 14:17

answered Feb 12 '15 at 14:02

HAL

1,679
1
13
23

Port-security needs to be set to 3 (2 on access vlan, 1 on voice vlan) to function correctly. Also the trunked port does tag vlan traffic, think of a trunk port sending a frame received from an untagged access port with no 802.1q tag attached... – cpt_fink Feb 17 '15 at 08:02
I don't see where you are getting that port-security max needs to be set to three. There are only two mac-addresses incvolves, the phone's and the computers... – HAL Feb 17 '15 at 14:01
Except the phone shows up on both the data vlan and the voice vlan... Even if it is only during boot-up it is necessary for proper operation. – cpt_fink Feb 18 '15 at 04:02
I have not seen this behavior in any of the polycom phones used here; the ports are still set to max 2. Please provide reference. – HAL Feb 18 '15 at 14:02
https://supportforums.cisco.com/discussion/10984956/mac-address-ip-phone-two-vlans, among others... – cpt_fink Feb 18 '15 at 17:43
Cpt_fink, please take a look at what you posted. There are still only 2 mac addresses present. The port is still only binding two mac addresses. There is no need to set a max of greater than 2. What you link also shows a configuration with max 2.... – HAL Feb 18 '15 at 20:10

score 0 · Answer 3 · answered Feb 16 '15 at 20:22

Whenever you connect a Cisco IP phone to a Cisco switch you should do the first method of defining it as an access port and then using the additional switchport voice vlan configuration.

There is really not that much difference between the two configs though. The first method is actually a dot1q trunk as well (just as all switchports are trunk ports regardless of whether you set them to access or trunk) despite what Cisco calls this setup.

There may be issues when the phone first connects if you are using the second method though. While the connection between the phone is a dot1q tagged trunk, Cisco has some additional minor changes. It might affect the POE negotiation, the COS that gets applied to the voice VLAN on the phone, and possibly the COS trust barrier on the switch. I am not a CCIE Vo or Collab so I do not know/remember as much details to really state the actual ramifications if any.

In short - use the first methodology.

Difference between trunk and access/voice port

3 Answers3