VLAN Design for Voice Networks — Separating Voice, Data, and Management

Most network problems in UCaaS deployments aren’t caused by the phone system. They’re caused by the network the phone system is sitting on. Specifically, they’re caused by voice traffic sharing a VLAN with everything else — competing for bandwidth with workstation traffic, getting caught in broadcast storms, and losing out to data when congestion hits.

Proper VLAN segmentation is the foundation every voice deployment is built on. This article covers how to design it correctly from the start.


Why Voice Gets Its Own VLAN

Voice traffic has requirements that general data traffic doesn’t. It’s real-time, it’s latency-sensitive, and it fails visibly — bad audio quality is immediately obvious to every person on the call in a way that a slow file transfer isn’t.

Putting voice on a dedicated VLAN accomplishes three things:

Broadcast domain isolation. Every VLAN is its own broadcast domain. Voice endpoints on VLAN 20 don’t see broadcast traffic from workstations on VLAN 10. In a flat network, broadcast storms and high ARP traffic are common causes of jitter and packet loss on VoIP calls — problems that disappear entirely once you segment properly.

QoS enforcement. You can’t apply meaningful QoS policy to voice traffic if it’s mixed with data on the same VLAN. A dedicated voice VLAN gives you a clean boundary to mark, queue, and police traffic at the access layer before it hits your uplinks. QoS without segmentation is guesswork. For the full QoS configuration that builds on this segmentation, see QoS for VoIP — How to Actually Configure It End to End.

Security boundary. Voice infrastructure — call managers, SBCs, gateways — shouldn’t be reachable from end-user workstations without an explicit ACL allowing it. Segmentation gives you that control by default. Flat networks give attackers lateral movement they shouldn’t have.


The VLAN Structure

A production voice deployment needs at minimum three segments working together: voice, data, and management. Everything else — wireless, servers, DMZ, guest — layers on top of that foundation.

Here’s the full recommended structure:

VLAN ID  Name        Purpose                             Subnet
10       Data        End-user workstations and laptops   10.10.10.0/24
20       Voice       IP phones and softphones            10.10.20.0/24
30       Wireless    Corporate Wi-Fi SSIDs               10.10.30.0/23
40       Servers     Internal servers and file shares    10.10.40.0/24
50       Management  Network device management (OOB)     10.10.50.0/26
60       Printers    Shared print devices                10.10.60.0/27
70       DMZ         Externally accessible services      10.10.70.0/28
99       Guest       Guest / BYOD isolation              10.10.99.0/24

A few notes on the sizing decisions:

Management is a /26 — 62 usable hosts. Unless you’re managing hundreds of network devices from a single subnet, that’s sufficient. Management VLANs get over-provisioned constantly. Size it for your device count, not for comfort.

Printers are a /27 — 30 usable hosts. Same logic. Printers don’t need a /24.

DMZ is a /28 — 14 usable hosts. Externally accessible services should be few and deliberately placed. If you need more than 14 hosts in your DMZ, that’s a design conversation, not a subnet sizing conversation.

Wireless is a /23 — 510 usable hosts. Corporate Wi-Fi typically carries the highest endpoint density on the network. SSIDs for voice-enabled wireless devices can be mapped to VLAN 20 directly if your wireless infrastructure supports per-SSID VLAN assignment, or handled through a separate wireless voice VLAN depending on your platform.


Access Port Configuration

At the access layer, every port needs to be assigned to the right VLAN for its connected device. For IP phones with a PC passthrough port, you use a voice VLAN configuration — the phone tags its own traffic to VLAN 20, and the PC connected through the phone’s passthrough port lands on VLAN 10 untagged.

Cisco IOS — Access port with voice VLAN:

interface GigabitEthernet1/0/1
 description IP Phone + PC Passthrough
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 no shutdown

The switchport access vlan 10 command carries untagged data traffic from the PC. The switchport voice vlan 20 command tells the switch to accept tagged traffic from the phone on VLAN 20 and to advertise that VLAN to the phone over CDP/LLDP, so the phone knows which VLAN to tag its traffic with. Spanning-tree portfast is standard on access ports — you don’t want a 30-second STP convergence delay every time a phone reboots.

Aruba CX — Access port with voice VLAN:

interface 1/1/1
 description IP Phone + PC Passthrough
 no shutdown
 vlan access 10
 vlan voice 20
 spanning-tree bpdu-guard

Same behavior, different syntax. Aruba CX uses vlan voice to designate the voice VLAN on an access port.

For ports connected to softphone-only endpoints — a workstation running Teams or Webex with no physical phone — there’s no voice VLAN needed at the port level. The softphone traffic gets marked at the application layer and relies on QoS policy to handle prioritization. The workstation stays on VLAN 10.


Trunk Port Configuration

Inter-switch links and uplinks to your distribution or core layer need to carry all VLANs. Trunk ports carry multiple VLANs tagged, with one native VLAN for untagged traffic.

Cisco IOS — Trunk port:

interface GigabitEthernet1/0/48
 description Uplink to Distribution
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60,70,99
 no shutdown

Two things worth noting here. The native VLAN is set to 999 — a VLAN that has no endpoints assigned to it. Never use VLAN 1 as your native VLAN on trunk ports. VLAN 1 is the default native on most Cisco gear and a well-known attack vector for VLAN hopping. Explicitly set your native VLAN to something unused and unrouted.

The allowed VLAN list is explicit — only the VLANs that need to traverse this trunk are permitted. Don’t leave trunks open to all VLANs by default. Every VLAN that crosses a trunk unnecessarily is broadcast traffic and potential lateral movement you didn’t authorize.

Aruba CX — Trunk port:

interface 1/1/48
 description Uplink to Distribution
 no shutdown
 vlan trunk native 999
 vlan trunk allowed 10,20,30,40,50,60,70,99

Inter-VLAN Routing and ACLs

VLANs are isolated by default — a host on VLAN 10 can’t reach a host on VLAN 20 without a routed path between them. That routing happens at your Layer 3 switch or router, typically through SVIs (Switched Virtual Interfaces).

Cisco IOS — SVI configuration:

interface Vlan10
 description Data
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.40.10
 no shutdown

interface Vlan20
 description Voice
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.40.10
 no shutdown

interface Vlan50
 description Management
 ip address 10.10.50.1 255.255.255.192
 no shutdown

The ip helper-address points to your DHCP server on the Servers VLAN. DHCP requests are broadcast — they don’t cross VLAN boundaries without a helper address forwarding them to the server.

Where ACLs matter for voice:

Your call manager, SBC, or cloud gateway needs to be reachable from VLAN 20. Your workstations on VLAN 10 should not have unrestricted access to your voice infrastructure. A basic ACL applied to VLAN 10 outbound traffic blocks workstation-initiated connections to the voice subnet while allowing return traffic.

This isn’t a full security hardening guide — ACL design for voice infrastructure is a topic in its own right — but the principle is straightforward: default deny between data and voice, explicit permit for what needs to cross.
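As an added illustration of that principle (not the article's own code or part of the config pack), the Python below models an IOS-style extended ACL that filters what workstations on VLAN 10 send toward other VLANs (in IOS terms, an ACL applied inbound on the Vlan10 SVI) and evaluates a few constructed packets against it. The subnets come from the table above; the ACL entries, the host addresses and the modelling of the established keyword are assumptions about how such a policy is typically built.

```python
from ipaddress import ip_address, ip_network

DATA = ip_network("10.10.10.0/24")   # VLAN 10 (data), from the table above
VOICE = ip_network("10.10.20.0/24")  # VLAN 20 (voice)
ANY = ip_network("0.0.0.0/0")

# Model of an IOS-style extended ACL filtering what workstations send (applied
# inbound on the Vlan10 SVI). First matching entry wins; an implicit deny follows
# the last. "established" mirrors the IOS keyword: it matches only TCP segments with
# ACK or RST set (replies to sessions the voice side opened), so it never matches UDP.
ACL_VLAN10_IN = [
    ("permit", "tcp", DATA, VOICE, "established"),  # replies to voice-initiated TCP
    ("deny",   "ip",  DATA, VOICE, None),           # default deny data -> voice
    ("permit", "ip",  DATA, ANY,   None),           # everything else leaves normally
]

def matches(entry, proto, src, dst, tcp_flags):
    """True if one ACL entry applies to the packet described by the arguments."""
    _action, e_proto, e_src, e_dst, option = entry
    if e_proto != "ip" and e_proto != proto:
        return False
    if src not in e_src or dst not in e_dst:
        return False
    if option == "established":
        return proto == "tcp" and bool(tcp_flags & {"ACK", "RST"})
    return True

def acl_decision(acl, proto, src, dst, tcp_flags=frozenset()):
    """Return 'permit' or 'deny' for one packet using first-match semantics."""
    src, dst = ip_address(src), ip_address(dst)
    for entry in acl:
        if matches(entry, proto, src, dst, tcp_flags):
            return entry[0]
    return "deny"  # the implicit deny at the end of every IOS ACL

# Constructed sample packets: (description, protocol, source, destination, TCP flags)
SAMPLES = [
    ("workstation opens TCP to a phone",            "tcp", "10.10.10.25", "10.10.20.50", {"SYN"}),
    ("workstation answers phone-initiated TCP",     "tcp", "10.10.10.25", "10.10.20.50", {"ACK"}),
    ("workstation sends UDP into the voice subnet", "udp", "10.10.10.25", "10.10.20.50", set()),
    ("workstation reaches the file server",         "tcp", "10.10.10.25", "10.10.40.10", {"SYN"}),
]

def evaluate_samples(acl=ACL_VLAN10_IN):
    """Map each sample description to the ACL's decision."""
    return {desc: acl_decision(acl, p, s, d, frozenset(f)) for desc, p, s, d, f in SAMPLES}

if __name__ == "__main__":
    for desc, verdict in evaluate_samples().items():
        print(f"{verdict:6} {desc}")
```

UDP has no established equivalent, so any UDP flow that genuinely has to cross from data to voice needs its own explicit permit placed above the deny.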


DHCP Scope Design for Voice

Voice endpoints need DHCP scopes that hand out the right gateway, DNS, and optionally provisioning options depending on your deployment model. For a deeper look at production DHCP configuration including Windows Server and Cisco IOS scope design, failover, and troubleshooting, see DNS and DHCP for Enterprise Networks.

Option 150 is Cisco-specific — it points IP phones to the CUCM TFTP server for config file download. This is relevant for on-premises call manager deployments with physical Cisco endpoints. Cloud-only deployments using Teams or Webex softphones don’t use DHCP options for provisioning — authentication happens through the cloud at sign-in.

Option 66 is the vendor-neutral equivalent — a TFTP server address in plain string format rather than IP. Some physical desk phones deployed against cloud platforms (Teams-certified phones, Webex Room devices) use option 66 for initial provisioning and firmware management depending on the manufacturer. Check your phone vendor’s provisioning guide before deciding whether to include it in your scope.

ip dhcp pool VOICE
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 10.10.40.10
 option 150 ip 10.10.40.20
 option 66 ascii tftp.yourdomain.com
 lease 1

Lease time on the voice scope is set to 1 day versus the standard 8 days on data scopes. Voice endpoints tend to move more frequently than workstations, and shorter leases keep your IP inventory cleaner.


Common Mistakes

Leaving voice on VLAN 1. VLAN 1 is the default on most gear and carries management traffic, STP, CDP, and everything else the switch generates natively. Putting voice endpoints on VLAN 1 is putting them in the worst possible broadcast environment on your network. It’s also a security problem. Move voice to a dedicated VLAN before you deploy a single phone.

Inconsistent voice VLAN IDs across sites. Pick a scheme and use it everywhere. VLAN 20 for voice at every site, every building, every closet. When VLAN IDs differ between sites, trunk configurations get complicated, documentation becomes unreliable, and troubleshooting takes three times as long because you can’t assume anything.

Forgetting the native VLAN. Default native VLAN 1 on trunk ports is one of the most common configurations left unchanged in production networks. Set your native VLAN explicitly on every trunk to an unused, unrouted VLAN. It takes 30 seconds and eliminates an entire class of VLAN hopping vulnerability.

Not pruning trunk allowed VLANs. Open trunks carrying all VLANs by default flood broadcast traffic from every VLAN across every inter-switch link, even where those VLANs have no endpoints. Explicitly limit allowed VLANs on every trunk to only what’s needed on that link.

Softphone endpoints on the voice VLAN. Softphones run on general-purpose computers. Putting the entire workstation on VLAN 20 because it runs Teams or Webex defeats the purpose of segmentation — now your data VLAN endpoints are mixed back into your voice VLAN. Softphone workstations stay on VLAN 10. QoS handles traffic prioritization at the application layer.
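As an added example (not from the article or its config pack), the Python below reads a constructed Cisco IOS running-config and flags four of the mistakes above, using the access and trunk port conventions from the earlier sections: access ports left on VLAN 1, voice VLAN IDs that differ from the site standard, trunks whose native VLAN is the default or a routed VLAN, and trunks with no allowed-VLAN list. The standard voice VLAN and the set of routed VLANs are taken from the table in this article; the interface names in the sample and the assumption that the voice VLAN is always given numerically are mine.

```python
# Constructed sample IOS running-config (not the article's config pack): clean phone port, faulty port, unpruned trunk, clean trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 21
interface GigabitEthernet1/0/47
 switchport mode trunk
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60,70,99
"""
VOICE_VLAN = 20                                  # the site-wide standard from the table
ROUTED_VLANS = {10, 20, 30, 40, 50, 60, 70, 99}  # VLANs that have an SVI

def parse_interfaces(config):
    """Group an IOS config into {interface name: [stripped sub-commands]}."""
    interfaces = {}
    for line in config.splitlines():
        if line.startswith("interface "):
            interfaces[line.split(None, 1)[1]] = current = []
        elif interfaces and line.startswith(" "):
            current.append(line.strip())
    return interfaces

def vlan_after(prefix, lines, default=None):
    """Numeric VLAN that follows `prefix` on one of `lines`, else `default`."""
    tokens = [l[len(prefix):].split()[0] for l in lines if l.startswith(prefix)]
    return int(tokens[0]) if tokens and tokens[0].isdigit() else default

def audit(config, voice_vlan=VOICE_VLAN, routed_vlans=ROUTED_VLANS):
    """Return (interface, finding) pairs for the mistakes listed above."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines:
            if vlan_after("switchport access vlan ", lines, 1) == 1:  # IOS default is VLAN 1
                findings.append((name, "access port on VLAN 1"))
            voice = vlan_after("switchport voice vlan ", lines)
            if voice is not None and voice != voice_vlan:
                findings.append((name, f"voice VLAN {voice} differs from standard {voice_vlan}"))
        elif "switchport mode trunk" in lines:
            native = vlan_after("switchport trunk native vlan ", lines, 1)  # default is VLAN 1
            if native == 1 or native in routed_vlans:
                findings.append((name, f"native VLAN {native} is the default or is routed"))
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "trunk not pruned (all VLANs allowed)"))
    return findings
```

Run against a real `show running-config` export, the same function reports every port that still carries one of these defaults, which makes the checklist above repeatable instead of a manual read-through.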


The Config Pack

If you’ve got your VLAN structure planned and you’re ready to build, the Enterprise VLAN Config Pack has production-ready configuration templates for everything covered in this article — VLAN creation, access ports, trunk ports, SVIs, and DHCP scopes — formatted for both Cisco IOS and Aruba CX.

Use the Subnet & IP Planning Calculator to finalize your addressing, swap in your subnets, and deploy.



What Comes Next

VLAN segmentation gets your traffic separated. QoS is what ensures voice traffic wins when the network gets busy. QoS for VoIP — How to Actually Configure It End to End covers DSCP marking, queuing policy, and how to apply it across Cisco and Aruba infrastructure — starting from the access port where your phones live.

For the firewall rules that protect your segmented voice traffic at the network edge, Firewall Rules for Teams and Webex covers the full port and protocol requirements for both platforms.

Before go-live, run through the Network Readiness Assessment for UCaaS — VLAN segmentation is one of the first checks on the pre-deployment checklist.

SystemStackHQ