How do I configure tagging for VLANs with IP phones?

Hi all,

I am trying to implement VLANs in my network. Currently everything is on a flat /24 network, and I am nearly out of IPs. It is definitely time to redesign the network to allow for future growth, and I think the best way to do that is to use VLANs.

I have Cisco Small Business series switches with PoE, a SonicWall NSA 2400 firewall and Mitel IP phones with integrated switches (1 port for network, 1 port for PC). All Sites are connected via TLS.

I need help in understanding how to configure the VLAN tagging in order to accomplish this. The goal is to have each site's data and voice traffic on its own VLAN, yet be able to communicate with servers on the management LAN - to have the IP phones get their IP from DHCP on one VLAN, and the connected PC get its IP from DHCP in another scope. DHCP is from a Windows Server with the new scopes already created and activated.

Again, everything is currently on the /24 network
Here's how I would like it to be:
VLAN 1 - MGMT /24
VLAN 10 - Site 1 Data /24
VLAN 11 - Site 1 Voice /24
VLAN 20 - Site 2 Data /24
VLAN 21 - Site 2 Voice /24
VLAN 30 - Site 3 Data /24
VLAN 31 - Site 3 Voice /24
And so on, for a total of 8 Sites

I wish I could give more than 500 points; looking forward to your advice!
I want to use my Layer 3 switch for the intervlan routing. It is the middle one in the diagram and it is in L3 mode, so routing is enabled.
That's fine. Any questions on the other stuff?
What about communicating with DHCP server and PBX controller on different VLANs? How should the tagging be configured for that? The port mode options on the Cisco SBS switches are General, Access, Trunk or Customer. I can only tag one VLAN on access mode, and only one untagged VLAN in Trunk mode. General mode I can tag/untag whatever I need.
For dhcp you can add a nic for each vlan to the vm or do the vlans inside the vm as the vmxnet3 knows tagging.

For the switch I prefer to manually allow but I don't have as many as you do.
What should the PVID be on the ports where I want to connect an IP phone on VLAN 11 and a PC through the phone on VLAN 10?
How should I configure the trunk ports (PVID, tagged, untagged)?

So I will need a NIC on the DHCP server for every VLAN I want to use DHCP with?
It should be 10

Trunk port should be tagged, PVID on tagged port should be your management vlan, usually it is VLAN 1
Okay I need to first work on the NICs for DHCP server... then I'll test this out.
Okay, definitely not an option to add a NIC for each VLAN - I think I should be able to use IP helper or DHCP Relay to accomplish this, just trying to learn how.
I have DHCP Relay enabled on all switches, scopes built on server, but DHCP is not working on a host connected to an IP phone which is plugged into port 13 on the bottom L2 switch. The port is set to trunk, PVID 10, 11 tagged.
If you give the pc a static in the vlan10 range, does it work?
Yes but need DHCP working.

Here's what I did:

I set the port host 2 is on to General mode with 10UP, 11U
I set the port DHCP server is on to General mode with 1UP, 10U, 11U
LAGs between switches are set to Trunk mode with 1UP, 10T, 11T
Port 26 on L3 switch (to firewall) set to trunk mode with 1UP, 10T, 11T

I added routing statements in the firewall for the VLAN networks, with L3 switch VLAN interfaces as default gateway.

Host in VLAN 10 now gets an IP from DHCP correctly and interVLAN routing is working!!

I added the IP phone into the mix and the phone and PC both get an IP from VLAN 10... however I want the voice traffic to be on VLAN 11. I just need to get DHCP working properly for the IP phones now.
So the problem is that the dhcp server doesn't know if the dhcp request is coming from vlan10 or 11 so it always hands out 10. The only way I know how to handle this is to tag 10 and 11 to the dhcp server, but that means you need a nic that understands tags or two nics, one per vlan. If it's all in vmware (this is how I have mine setup) you just add a second virtual nic, one to a vswitch on vlan10 and one to a vswitch on vlan 11, with only one cable from the switch to the esxi hosts.
I don't have VMWare so I can't add vnics on the DHCP server. If I change the PVID of the port to 11, both the PC and phone get an IP from VLAN 11, but I then need the PC in VLAN 10. Still trying to figure out why the phones aren't being redirected to VLAN 11 after obtaining an IP from the default VLAN when it's set to 10.

Here's what my IP phones do:

Power up
Run 'Boot' code
Request IP address (untagged) through DHCP
Receive IP address from default VLAN (data VLAN) and specific phone and system options
Check VLAN information - This isn't happening... or if it is, it is not getting the correct information - the phone shows 'VLAN none Priority none' although Option 125 in DHCP is supposed to tell it to use VLAN 11, priority 6
Relinquish IP address (untagged)
Request IP address on voice VLAN (tagged)
Receive IP address from voice VLAN and specific phone and system options again
Check VLAN information matches, if not repeat until it is.
Locate TFTP server
Get running code
Register with call control

I believe this is a Mitel issue, I'm trying to contact their support.
I think it's because the port going to the dhcp server is untagged for 10 and untagged for 11. So even if the phones and everything do it correctly, the tags are being stripped off leaving the port for the dhcp server. You have two choices:
1. have a nic in the dhcp server that understands vlan tags, and tag both 10 and 11 on that switch port
2. add a nic for each vlan.

There may be another way, like using a different dhcp server, but I'm not familiar with that route.
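An added example, my own Python rather than anything posted in this thread: a small checker for the port membership notation used above (1UP, 10T, 11T), applying the rules the thread works through - a port needs a PVID that is also an untagged member, several untagged VLANs on one port all reach the attached device without a tag so it cannot tell them apart, and a phone port carries the voice VLAN tagged with the data VLAN untagged as PVID. The port specs fed to it are the ones quoted in the thread; the "phone-port-fixed" entry is my assumed corrected layout, not something the thread states.

```python
import re

# Membership notation as used in this thread: "1UP, 10T, 11T"
# U = untagged member, T = tagged member, trailing P = this VLAN is the PVID.
MEMBER_RE = re.compile(r"^(\d+)([UT])(P?)$")


def parse_port(spec):
    """Parse '1UP, 10T, 11T' into {'pvid': 1, 'untagged': {1}, 'tagged': {10, 11}}."""
    port = {"pvid": None, "untagged": set(), "tagged": set()}
    for item in spec.split(","):
        m = MEMBER_RE.match(item.strip().upper())
        if not m:
            raise ValueError(f"bad membership entry: {item!r}")
        vlan, mode, is_pvid = int(m.group(1)), m.group(2), m.group(3) == "P"
        (port["untagged"] if mode == "U" else port["tagged"]).add(vlan)
        if is_pvid:
            port["pvid"] = vlan
    return port


def check_port(name, spec, voice_vlan=None):
    """Return the problems found in one port's membership (empty list = OK).
    voice_vlan is set for a port with an IP phone on it (PC daisy-chained behind it)."""
    p = parse_port(spec)
    problems = []
    if p["pvid"] is None:
        problems.append(f"{name}: no PVID, untagged ingress frames have no VLAN")
    elif p["pvid"] not in p["untagged"]:
        problems.append(f"{name}: PVID {p['pvid']} is not an untagged member")
    if len(p["untagged"]) > 1:
        # Every untagged VLAN leaves the port without a tag, so the host (or a
        # DHCP server NIC) on this port cannot tell which VLAN a frame came from.
        problems.append(f"{name}: VLANs {sorted(p['untagged'])} all egress untagged")
    if voice_vlan is not None and voice_vlan not in p["tagged"]:
        # Phone-port layout: data VLAN untagged as PVID, voice VLAN tagged.
        problems.append(f"{name}: voice VLAN {voice_vlan} should be a tagged member")
    return problems


if __name__ == "__main__":
    # Port specs quoted in the thread, plus the phone port as the rules want it (assumed).
    plan = {"dhcp-server": ("1UP, 10U, 11U", None), "lag": ("1UP, 10T, 11T", None),
            "phone-port": ("10UP, 11U", 11), "phone-port-fixed": ("10UP, 11T", 11)}
    for port, (spec, voice) in plan.items():
        print(port, check_port(port, spec, voice) or "OK")
```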
I changed settings on the switchport the DHCP server is connected to from 1UP, 10U, 11U to 1UP, 10T, 11T. The switchport that the test host connects to is configured with 10UP, 11U

Same results as before... phone and PC get IP from VLAN 10 and can communicate with VLAN 1.
The IP Helper is ok I think, as requests are being forwarded properly to my DHCP server on VLAN 1. But the phone for some reason simply will not assign the appropriate VLAN information that it is supposed to get from DHCP Option 125 (possibly a firmware issue), where it should be VLAN 11 instead of the PVID of 10. I guess my workaround is to provide a separate network connection for the PC and the phone; they will get proper VLAN from DHCP according to PVID of the switch port... and also offer 1Gbps speed as opposed to 100Mbps through the phone switchport.

Closing this question as it has gone from a tagging issue to a Mitel IP phone DHCP issue. Splitting points between fgasimzade and aarontomosky.