A Cisco IP Phone 7941/7961/7970 can insert VLAN tags (802.1q header) on
ingress packets from the PC port when the PC voice VLAN access setting is set
to disable. The behavior outlined in this document might interrupt network
service to a host connected to the PC port of a phone if the access-VLAN on a
switch port is changed at any time for any reason.
Cisco recommends that you have knowledge of these topics:
- Configuring InterVLAN Routing, Understanding How InterVLAN Routing
- Inter-Switch Link and IEEE 802.1Q Frame Format IEEE 802.1Q
- Cisco Unified IP Phone Administration Guide for Cisco Unified
  CallManager 5.1 (SCCP), Cisco Unified IP Phones 7961G/7961G-GE and
  7941G/7941G-GE Security Configuration Menu
- Cisco Unified IP Phone 7970G/7971G-GE Administration Guide for Cisco
  Unified CallManager 6.0 (SCCP and SIP) Security Configuration
This document is not restricted to specific software.
The information in this document is restricted to these Cisco IP Phone
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
The particular built-in switch architecture of the phone model types
listed in this document causes the phone to insert the Voice VLAN tag (an
802.1q header carrying the Voice VLAN) in untagged ingress packets when the
phone is set to PC access voice VLAN disabled, a setting intended to avoid
VLAN hopping. See this diagram:
Although this document makes reference to 7971 documentation, the 7971 is
not affected by this behavior.
This section describes the solution to this problem.
Complete these steps:
1. Navigate to the Cisco Unified Communications Manager (formerly
   CallManager) Admin page, select Device > Phone and locate
   the phone in question.
2. Set the PC Voice VLAN access parameter to
The implication of this change is that a PC can dot1q-tag its traffic
with the Voice VLAN configured on the switch in an effort to launch an
attack. Use authentication in such circumstances, for example,
Multi-Domain-Authentication on Cisco Catalyst
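
One way to check for the exposure described above, as an added example that is not part of the original Cisco document: a small 802.1Q parser that flags frames carrying the Voice VLAN tag whose source MAC address is not a known phone. The VLAN ID, MAC addresses and sample frames are constructed for illustration, and the frames are assumed to come from a capture taken on the switch port that the phone connects to.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def parse_dot1q(frame: bytes):
    """Return (src_mac, vid, pcp, ethertype); vid and pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = frame[6:12].hex(":")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return src, None, None, etype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VLAN ID
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return src, tci & 0x0FFF, tci >> 13, inner

def flag_voice_vlan_frames(frames, voice_vlan, phone_macs):
    """List (index, src_mac, vid) for voice-VLAN-tagged frames not sent by a phone."""
    hits = []
    for i, frame in enumerate(frames):
        try:
            src, vid, _pcp, _etype = parse_dot1q(frame)
        except ValueError:
            continue  # skip runts instead of aborting the scan
        if vid == voice_vlan and src not in phone_macs:
            hits.append((i, src, vid))
    return hits

def _eth(src, vid=None, pcp=0, ethertype=0x0800):
    """Build a constructed broadcast test frame, optionally 802.1Q-tagged."""
    hdr = b"\xff" * 6 + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed values (assumptions, not taken from the document)
VOICE_VLAN = 110
PHONE = "02:00:00:00:00:01"
PC = "02:00:00:00:00:02"
SAMPLE = [
    _eth(PHONE, vid=VOICE_VLAN, pcp=5),  # phone's own tagged voice traffic
    _eth(PC),                            # normal untagged PC traffic
    _eth(PC, vid=VOICE_VLAN),            # PC tagging itself into the Voice VLAN
]

if __name__ == "__main__":
    for hit in flag_voice_vlan_frames(SAMPLE, VOICE_VLAN, {PHONE}):
        print("non-phone frame tagged with the Voice VLAN:", hit)
```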