
VoIP handset deployment and automatic vlan assignment




I am currently using a "tagged voice + untagged data" vlan setup for a voip installation.

This works well apart from the first bootup of the phone (snom 360). The phone at this stage does not have its template indicating that (in my case) vlan 144 is the voice vlan, and that the untagged vlan can be passed through the phone to the data connector on the phone (which plugs into your laptop etc).

So the first time the phone boots, it boots into the untagged vlan, meaning it needs routes into the voice vlan to retrieve its config, it consumes a dhcp address on a scope to which it does not belong etc etc.

Second boot, it has its template, and everything works the way it should.

My question - are there any methods to avoid these "deployment time" problems?

Cisco CDP works well here because it runs at layer 2, meaning the phone can drop into the right vlan at boot time.

I understand there exists another similar protocol, LLDP-MED - does anyone know if it will help with my dilemma, and potentially have a config example?

I also understand that 802.1x may be the better way to do this (better security), but I don't have all the resources I need to implement this yet.

I appreciate any responses!

Matt Hobbs
Honored Contributor

Re: VoIP handset deployment and automatic vlan assignment

Me again. You're on the right path there Rod, LLDP-MED is the ideal way from what I've been led to believe. Looking up the snom phones they don't seem to support this though.

So with 802.1X you could set it up so that your RADIUS server authenticates the phone via its mac-address and then returns the correct VLAN-ID back to the switch for the port to belong to.

Unless your regular clients were also going to use 802.1X authentication, then you may need to use the Open VLAN mode - which would allow those clients to still get access to the network without going through the 802.1X authentication process.

On a port, if a PC without an 802.1X client plugged in, it would go into the Open VLAN - if a phone plugged in and its mac-address was authenticated, it would go into the VLAN assigned by the RADIUS server, or the one specified as the authorised VLAN in your switch configuration.
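
Added example, not part of either post and not vendor code: a Python sketch of how the VLAN-ID travels in a RADIUS Access-Accept (the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes of RFC 2868/3580) and of the port decision described in the reply above. VLAN 144 is the voice VLAN from the question; the function names and the authorised and open VLAN numbers used with it are assumptions.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # RFC 3580 values for a VLAN assignment

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data):
    """Split a RADIUS attribute section into (type, value) pairs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def assigned_vlan(data):
    """Return the VLAN ID carried by the tunnel attributes, or None."""
    attrs = dict(parse_attrs(data))
    ttype = attrs.get(TUNNEL_TYPE, b"")
    medium = attrs.get(TUNNEL_MEDIUM_TYPE, b"")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    # Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte value.
    if (len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != VLAN
            or len(medium) != 4 or int.from_bytes(medium[1:], "big") != IEEE_802):
        return None
    if group and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    text = group.decode("ascii", "replace")
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        return None  # reject anything that is not a usable VLAN ID
    return int(text)

def port_vlan(accept_attrs, authorised_vlan, open_vlan):
    """None means no Access-Accept was received for this client."""
    if accept_attrs is None:
        return open_vlan
    vlan = assigned_vlan(accept_attrs)
    return vlan if vlan is not None else authorised_vlan

# Constructed sample: attributes of an Access-Accept for the phone's MAC.
PHONE_ACCEPT = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
                + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
                + attr(TUNNEL_PRIVATE_GROUP_ID, b"144"))
```

With authorised VLAN 20 and open VLAN 10 (both constructed), `port_vlan(PHONE_ACCEPT, 20, 10)` gives 144, while `port_vlan(None, 20, 10)` gives 10.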