VOIP VLAN on Cascaded SG300-xx Switches

I'm adding VOIP on an existing site that uses either Cisco SRW20xx or SG300-xx switches.  I'd like you to comment on my plan for doing this:

The VOIP will be coming in from the internet on it's own connection / firewall and will be using a separate local area subnet.
It will generally be distributed through all the switches unless there's no phone at all, just computers or network devices.

There is a central LAN switch that feeds into other switches in cascade.  I will refer to this as the TOP switch here.

My plan for the downstream switches is this:
Assign VOIP VLAN 100 to all the switch ports along with the Default VLAN 1.
Trunk all the switch ports.
Tag VOIP VLAN 100.

My plan for the TOP switch is this (there being only Default VLAN 1 and VOIP VLAN 100):
Trunk all the switch ports that feed downstream switches.
Trunk any switch ports that directly feed a VOIP phone.
Leave any other ports on Default VLAN 1 in Access Mode.
Assign VOIP VLAN 100 to a single switch port that goes to the firewall.  
Make this a General Mode port joined to VOIP VLAN 100.
Manually tag this port <<< is that right?
Internet Port Setting / TaggedThe VOIP firewall won't have any VLANs set up, just a generic LAN.

Since I've never done this before, I'm a bit unclear as to whether the VOIP firewall port needs to be tagged or not BUT the port sure needs to be part of the VOIP VLAN 100 ONLY with no interVLAN routing / connection.  I want the traffic on the two VLANs to be completely separate so it looks like this:

Main Firewall > TOP LAN Switch > Computers, etc.  using Default VLAN 1

VOIP Firewall> TOP LAN Switch<>Trunked Ports<> Phones using VOIP VLAN 100 and related computers using Default VLAN 1.

Does this look OK or are there suggestions / cautions?
LVL 27
Fred MarshallPrincipalAsked:
Who is Participating?
Aaron TomoskyConnect With a Mentor SD-WAN SimplifiedCommented:
Yes, so the voip FW is untagged. On the top switch going to that FW, untagged 100 and pvid 100 (that means untagged inbound gets tagged 100). Then everywhere else 100 is tagged.
Aaron TomoskySD-WAN SimplifiedCommented:
Personally I like to make things really simple, always tag vlan100 everywhere unless you specifically need it untagged, like for a pc running on the voip vlan for management software or something. Depending on the voip firewall config you may need it untagged there as well.
Fred MarshallPrincipalAuthor Commented:
I guess I wasn't clear:

I'm not sure which firewall will be used for the VOIP internet connection.  It may be a fairly simple one.  So I'm not assuming any VLAN capability on the firewall at all .. for now.
So my thought was that it would provide a LAN with DHCP like any commodity router.

My next thought would be that this "LAN" for VOIP would connect into the switches and (I was hoping) be tagged THERE (and not at the firewall) in the TOP switch.  I don't know if this is possible.  So I ask.
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Fred MarshallPrincipalAuthor Commented:
Aaron: Thanks!  It appears that's all set up and so far no disruption of service.  No phones yet.  No VOIP firewall yet.
Fred MarshallPrincipalAuthor Commented:
Thanks again!
Aaron TomoskySD-WAN SimplifiedCommented:
Yup, glad to help
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.