Endpoint Manager and VLANs

I’m running FreePBX and EPM. I have two VLANs configured on my router, VLAN ID 1 for data and ID 10 for voice. In the default template in EPM I have the following settings on the VLAN tab:

LLDP: Disable
802.1Q VLAN Tag: 10
802.1p Priority Value: 1
Data VLAN Tag: 1
VLAN DHCP: Disable
802.1X Mode: Disable

The problem is the phone (Sangoma S400) pulls an IP address from VLAN 1. If I look at the phone config I see under Network->Advanced->VLAN:

WAN Port Active: Disable
VID: 10
Priority: 1
PC Port Active: Enable
VID: 1
DHCP VLAN Acitve: Disable
Voice Qos: 46
SIP Qos: 26

If I manually change WAN Port Active to Enable, the phone then obtains an IP from the correct VLAN (10) and the PC connected to the phone’s port obtains an IP from VLAN 1 as expected.

Is this the desired behavior? It seems that if I set the 802.1Q VLAN Tag in EPM it should set the WAN Port Active to Enable on the phone. Am I missing something obvious here? I can manually set all the phones, but that doesn’t seem correct. Thank you for the insight.


Can you post screenshots from your EPM template?

The default Sangoma basefile has variables for the VLAN


Those values are tied to what you set here.

Here are the screenshots.

Yes, I understand the basefile values are set by the EPM, but I don’t see the option to actually enable the WAN port on the phone for VLAN. You can see the phone setting in the screenshot. What correlates to that setting in EPM? The phone is not tagging on the WAN port unless “WAN Port Active” is set to “Enable”.

Hi @msobik, looks like a bug in EPM. Could you please open a commercial support ticket here for us to dig further? Thanks.

Hi, I think your issue is you are trying to fix a problem too late in the game. By the time the phone gets a config from the PBX, it already has an IP address, so switching VLANs is too late.
What you need to do is configure your switch to automatically switch your phone on to VLAN 10.
Cisco and HP do this by recognizing the LLDP packet sent out by the phone and automatically putting that traffic on the designated voice VLAN. I don’t know what switch you are using, but that has to be configured before anything else will work.
With that in place, your phone will DHCP on VLAN 10, get a VLAN 10 IP address, and the EPM config will never need to bother with VLAN 10.

good luck

That is not entirely true. See you have to tell the phone where to get its config and once it has its config it will then update itself and reboot to apply the new config settings. So if you put the phone on the network and it gets on VLAN1 (generally the mgtmt/untagged traffic) it will get the config, update itself and reboot.

Now as long as your config is correct when it reboots, it will have VLAN10 assigned to the WAN port and leave the PC port untagged (VLAN1) and since it has the WAN port tagged with VLAN10 it will then send its DHCP request over VLAN10.

While setting the default VLAN ID to 10 on the switch port will work that now means that all untagged traffic will be tagged on VLAN10 which also means that anything plugged into the PC port will be untagged and the switch will go “Oh I need to tag this with VLAN10” so even the data will be on VLAN10 which is probably not the desired result.

The phone has to be able to do VLAN10 and VLAN1 (or whatever the data VLAN is) so at least one of those ports needs to be marked on the device so the device puts the WAN (voice) traffic on the correct VLAN and the PC (data) traffic on the correct VLAN as well.

1 Like
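Added example, not part of any post in the thread: a simplified Python model of the phone and switch-port combinations discussed above, showing which VLAN the phone's own traffic and the PC-port traffic land in. The names `SwitchPort`, `Phone`, `placement` and `findings` are hypothetical, and the model assumes the phone always passes PC-port traffic through untagged.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model (assumption): a port has one untagged VLAN and a set of
# VLAN IDs it accepts tagged; PC-port traffic leaves the phone untagged.
@dataclass(frozen=True)
class SwitchPort:
    untagged_vlan: int        # VLAN given to frames that arrive without a tag
    tagged_vlans: frozenset   # VLAN IDs accepted when they arrive tagged

    def classify(self, tag: Optional[int]) -> Optional[int]:
        """Return the VLAN a frame lands in, or None if the port drops it."""
        if tag is None:
            return self.untagged_vlan
        return tag if tag in self.tagged_vlans else None

@dataclass(frozen=True)
class Phone:
    wan_port_active: bool     # "WAN Port Active" on the phone's VLAN page
    voice_vid: int            # "VID" listed under the WAN port

    def voice_tag(self) -> Optional[int]:
        return self.voice_vid if self.wan_port_active else None

def placement(phone: Phone, port: SwitchPort) -> dict:
    """VLAN that the phone's own traffic and the PC-port traffic end up in."""
    return {"phone": port.classify(phone.voice_tag()),
            "pc": port.classify(None)}

def findings(phone, port, voice_vlan=10, data_vlan=1) -> list:
    """List the ways a phone/port pairing breaks voice/data separation."""
    p, out = placement(phone, port), []
    if p["phone"] is None:
        out.append("voice frames dropped: port does not accept the tag")
    elif p["phone"] != voice_vlan:
        out.append(f"phone is in VLAN {p['phone']}, not voice VLAN {voice_vlan}")
    if p["pc"] != data_vlan:
        out.append(f"PC port is in VLAN {p['pc']}, not data VLAN {data_vlan}")
    return out

# Constructed port profiles using the thread's VLAN IDs (1 = data, 10 = voice).
TRUNK = SwitchPort(untagged_vlan=1, tagged_vlans=frozenset({10}))
VOICE_ACCESS = SwitchPort(untagged_vlan=10, tagged_vlans=frozenset())

if __name__ == "__main__":
    for label, phone, port in [
        ("WAN tag disabled, trunk port", Phone(False, 10), TRUNK),
        ("WAN tag enabled, trunk port", Phone(True, 10), TRUNK),
        ("WAN tag disabled, untagged VLAN 10", Phone(False, 10), VOICE_ACCESS),
    ]:
        print(label, placement(phone, port), findings(phone, port))
```

Only the second pairing returns no findings; the third puts the phone in VLAN 10 but also moves the PC port into the voice VLAN.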

Tom, the way we set up our phone systems (FreePBX or CUCM) is that the switch is configured to treat the MAC of the phone as untagged on the designated voice VLAN. You then configure a DHCP scope on that VLAN to hand out (option 66) the config server to the phone. The config server sends the config to the phone, which does NOT configure the phone to tag on a VLAN.
Everything works that way. Most major switch vendors support this type of VLAN assignment for phones via LLDP.

1 Like

You obviously have no idea how VLAN works. His description of the process and results is spot on.

Your solution defeats the purpose of using a VLAN if anything is ever plugged into the PC port of the phones.

Jared, I disagree. I work on this daily and this is the standard way to configure business switches when you have a computer plugged into a phone. Here is an example of a Cisco config:

vlan 1
name data
vlan 10
name voice
lldp run

int g1/0/1
switchport mode access
switchport access vlan 1
switchport voice vlan 10
spanning-tree portfast

Using this config, when the switch sees an LLDP packet from the phone, it will relay VLAN 10 traffic to the phone untagged while still communicating with the computer connected to the phone (also untagged) on VLAN 1. VLAN 10, however, will remain a separate VLAN throughout the rest of the network.
This is the standard way to implement phones on a shared line to a computer.

1 Like

@tonyg and @sorvani

Gentlemen. Information can be exchanged without ad hominem speculations. May I draw your attention to the edit feature for forum posts.


Lorne, I agree, and that is what I am trying to do, but this is not the first time. I will edit my post.

1 Like

OK, so while there is nothing wrong with how you are doing things, to say that it is standard is incorrect. You are using LLDP, which is not a requirement or even needed for VLANs. This is like that old adage “All lawyers are sharks but not all sharks are lawyers”. So while you may use LLDP in addition to your VLANs, not everyone has to use LLDP to use VLANs.

Saying this is a standard way of configuring switches for Phone/PC combos is just incorrect as one does not require the other to be used.

Tom, I thought about what you said, and I understand what you are saying. So, please let me clarify my initial comments.
I did not mean to imply that using this method was the only way to make this work. In fact, years ago, I used to set these networks up the way you described. I would configure the switch port untagged for data, and tagged for the voice VLAN. We would then have to configure the phone for tagged VLAN. That works without issue.
I do, however, think the new way is better (assuming your switch supports it) because it avoids the issue that Michael is having. His problem is that he is getting an IP from VLAN 1 and then gets a config that tells it to start tagging on VLAN 10. The fix he has implemented is to manually set the phone to VLAN 10 to start, and then it gets an IP address on VLAN 10.
I think that using the LLDP way is better because it allows you to put a blank phone on the port and have it work.
I guess this is all just my opinion, for what it’s worth.

1 Like

+1 (And of course your phone)

Will do. Thank you Kapil. I have some S550s I’ll test on as well.

That is indeed how it works if I set the VLAN ID to 10 on the switch. The phone needs to tag the voice VLAN on the WAN port and leave the data port untagged. The switch needs to be set to trunk mode with untagged traffic receiving the data VLAN ID. When that all happens, everything works correctly.

So this turned out to be a bug with an older version of EPM that appeared to affect only my s400 phone. My s505 phones correctly applied the EPM settings. I updated EPM to and factory reset the phone. When it pulled and applied the template “WAN Port Active” was set to Enable. Thanks everyone.


1 Like

I’m using FreePBX and EPM 14.0.37. I do not see any VPN tab on the Endpoint Template. Here’s a screenshot:

Does anyone know where this functionality was relocated?

He was referring to Sangoma templates.
For Yealink, you’ll have to do it from the basefile section.