GS1900-48HP Voice VLAN stopped working after firmware upgrade. . .

TiggerLAS Posts: 64  Ally Member
edited August 2022 in Switch
Zyxel GS1900-48HP Rev A1

Moving from firmware 2.60(AAH0.1)CO
to firmware 2.60(AAH0.2)CO caused issues
with a previously working OUI / Voice VLAN.

Specifically -

With firmware 2.60(AAH0.1)CO, we had
the following VLAN details in place on several ports -

VLAN1   Untagged   (Default)
VLAN2   Excluded   (Voice)
VLAN3   Tagged
VLAN4   Tagged

Voice VLAN was set, and a custom OUI
for our phone system was in place -

With this configuration, our phones would start up,
would move to VLAN2, and would get DHCP from our router.

After upgrading to 2.60(AAH0.2)CO
the phones would not appear on VLAN2,
and of course would not get DHCP, etc.

Curiously, downgrading to 2.60(AAH0.1)CO
did not fix the problem.

I was finally able to resolve the problem
by changing VLAN2 on the affected ports
to "Tagged" instead of "Excluded".

This was puzzling, since it had been previously
working perfectly with ports set to "Excluded"

Any ideas as to why that would have changed?


All Replies

  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    Hi @TimThom,

    Sorry for your confusion.
    Basically, "VLAN2   Excluded   (Voice)" is a wrong setting and should not work.
    It worked before because we had an issue in the early firmware v2.50, which did not follow the VLAN settings and tagged out all VLANs for Voice.

    We'd already fixed this issue in firmware v2.60 patch0; this link is the release note for reference.
    As you've mentioned, changing VLAN2 to Tagged resolved the problem, because this is actually the normal and correct setting.

  • TiggerLAS
    TiggerLAS Posts: 64  Ally Member


    Our Cisco switches required "Excluded" when using Auto-voice VLAN,
    so I had set up the Zyxel switch the same when we first got it quite some time ago.
    I guess the earlier firmware glitch that you mentioned just happened to be
    "good timing" on my part.   ;-)

    Thanks again for the follow-up.

  • YiHsien
    YiHsien Posts: 25  Freshman Member

    I have similar issues.  We have a Zyxel GS1900-48HP Rev B1 and NEC IP Phones. 
    And our firmware is V2.60(ABTQ.3) | 01/05/2021.
    We followed instructions on this website:

    We have also set the OUI for NEC IP phones.

    However, our voice VLAN didn't work no matter whether we set the port with the IP phone to 'excluded,' 'untagged,' or 'tagged.'
    All ports are still in VLAN1.  Could you advise?  

    Thank you.
  • TiggerLAS
    TiggerLAS Posts: 64  Ally Member
    edited February 2021

    Here's exactly how I have our switch set up -

    Our router handles both of our VLANS -

    Let's say VLAN1 is  for computers.
    And         VLAN2 is  for phones.

    We have TWO DHCP servers set up on the router,
    one for the         192.168.1.x subnet
    the other for the 192.168.2.x subnet

    We have our LAN port on the router set up as
    VLAN1, PVID1, Untagged
    VLAN2, Tagged


    Now, on the GS1900 switch, we have ONE port
    that connects to our router.

    It is also set as
    VLAN1, PVID1, Untagged.
    VLAN2, Tagged

    That is all we needed to link it to the router.


    To start out with, all of the ports on the GS1900 were
    already set as VLAN1, PVID1, Untagged.

    That meant that any computer we plugged into the
    rest of the ports on the GS1900 would get handed a
    192.168.1.x IP address, since PVID1 causes most
    (VLAN-Unaware) network devices to default to VLAN1.

    Now, to get the phones up and running, here's what we did -

    (Our phones needed Class of Service 6;
    your phones may need something different,
    so you can adjust to suit. . .)


    Above, we set up a custom OUI, based on the first 6 digits of our phone's MAC address.


    Then, below, we enabled the OUI functionality,
    but ONLY the ports that we needed it on.

    (Ignore Port 1 in my examples, as we don't
    use Port 1 for phones in our office right now.)

    Note:   You only enable it on the ports that you are planning on plugging phones into.
                You do NOT enable it on the port that connects to your router.


    As you can see below, we have VLAN1 set as PVID1,
    and VLAN Trunk is disabled on all of our ports,
    since we don't need VLAN trunking for this.


    Now, let's adjust the VLAN tagging for the VOICE VLAN.
    Select VLAN2 from the drop-down.

    Older versions of the Zyxel firmware let you set
    these ports to Excluded, and it worked great.
    (This is the way that Cisco currently does it.)

    However, with the last release, you are required
    to manually set them all to "Tagged", as you can see below.


    Further down in the main menu, under the LLDP section,
    we had to add some DSCP and PRI settings for our phones.
    You may or may not need to do this for your phones;
    please refer to your documentation.


    Lastly, we applied the basic policies to the phone ports.


    Don't forget - when everything is working, that you have to
    visit the maintenance section and save/commit these settings,
    otherwise they'll be wiped out on the next reboot/power cycle.


    With these settings. . .  if you plug an IP phone into any
    of the ports that you just set up. . .   the switch should recognize
    your IP phone, based on the OUI information that you put in,
    and the phone should wind up being dumped directly onto VLAN2.

    Your phone should send out a DHCP request,
    and your router should hand it an IP address from VLAN2.


    If for some reason your phone does NOT get moved to VLAN2,
    and/or does not get an IP address,
    you'll have to do some troubleshooting.

    Here is one possible starting point -
    Let's see if we can PING your VLAN2 IP address on the router.

    For these examples, I'm using the same IP addresses
    I did at the start.   VLAN1 is 192.168.1.x
                        and   VLAN2 is 192.168.2.x
    (Adjust them accordingly to whatever your address ranges are.)

    Go back into your GS1900.

    Pick an available port on the switch for testing.

    Reverse the VLAN settings on the port.
    Make it VLAN2 Untagged, VLAN1 Tagged.

    Apply your settings, and plug a laptop into this port.

    Assuming that your router (and the ports that
    are connecting it to your switch) are set correctly,
    it SHOULD end up on VLAN2, and should be given
    a 192.168.2.x IP address from your router.

    If that doesn't work. . .  then go into your network settings
    on your laptop, and manually assign it an IP address
    in your VLAN2 address range.

    Let's say your router's VLAN2 settings
    have it at an IP address of

    Set your laptop's IP address manually to something like

    . . .and hit apply. . .

    Once the network connection is back up,
    drop to a DOS prompt, and try PINGing
    the router at

    If you don't get a reply, then something
    most likely isn't set correctly on the router,
    or on the port linking the switch to the router.

    That should be enough to go on for now.
    Let me know how it turns out, and if it still
    isn't working, we can try other things. . .
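
A quick way to confirm on the wire that phones really land on VLAN2, as an added example that is not part of the original post or Zyxel's tooling: it decodes the 802.1Q tag of raw Ethernet frames taken on the switch-to-router link and checks frames from the telephony OUI. The OUI and MAC addresses are constructed, and the accepted priorities (PRI 6 and PRI 3) are the Mitel values quoted in this thread.

```python
import struct

VOICE_VLAN = 2                          # voice VLAN ID used in the thread
VOICE_PCPS = {6, 3}                     # PRI 6 (voice) / PRI 3 (signalling), Mitel values from the thread
TELEPHONY_OUI = bytes.fromhex("02aabb") # constructed OUI; use your phones' first 3 MAC bytes
TPID_8021Q = 0x8100


def parse_l2(frame: bytes) -> dict:
    """Decode the source MAC and, if present, the 802.1Q tag of a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"src": src.hex(":"), "oui": src[:3], "vlan": None, "pcp": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF     # low 12 bits: VLAN ID
        info["pcp"] = tci >> 13         # top 3 bits: priority (PRI / CoS)
    info["ethertype"] = ethertype
    return info


def verdict(frame: bytes) -> str:
    """Classify one frame seen on the switch-to-router link."""
    info = parse_l2(frame)
    if info["oui"] != TELEPHONY_OUI:
        return "not-a-phone"
    if info["vlan"] is None:
        return "phone-untagged"         # OUI match did not move it off the PVID
    if info["vlan"] != VOICE_VLAN:
        return "phone-wrong-vlan"
    if info["pcp"] not in VOICE_PCPS:
        return "phone-wrong-priority"
    return "phone-ok"


def build(src_mac: str, vlan=None, pcp=0) -> bytes:
    """Build a constructed test frame (broadcast dst, IPv4 ethertype, dummy payload)."""
    hdr = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46


# Constructed sample frames, not captured traffic.
SAMPLES = {
    "phone, tagged VLAN2 PRI6": build("02:aa:bb:00:00:10", vlan=2, pcp=6),
    "phone, still untagged":    build("02:aa:bb:00:00:10"),
    "phone, VLAN2 but PRI0":    build("02:aa:bb:00:00:10", vlan=2, pcp=0),
    "PC behind the phone":      build("02:cc:dd:00:00:01"),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:28} -> {verdict(frame)}")
```
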


  • YiHsien
    YiHsien Posts: 25  Freshman Member
    Hi Tim,

    Thanks for your instructions.  It is very clear but I still have some questions.
    1. Can we put IP phones in the same subnet with our computers?  (We have PC connected behind the IP phones, like the topology shown at the end of this post.  I am wondering if PC and IP phones can be in different subnets in this case.)
    2. Our GS1900 is connected to our router/firewall via Port 1.  What state (forbidden, excluded, or..) should it be?
    3. I noticed that you have a policy called 'voice signaling.'  Is it necessary?

    [Image: voice vlan]
  • TiggerLAS
    TiggerLAS Posts: 64  Ally Member

    Let's see. . .

    3.)   Voice signalling policy - This was needed for Mitel IP phones.
            I don't know if your IP phones need that functionality or not.
            In layman's terms, Mitel uses DSCP 46 / PRI 6 to prioritize
            voice data across the network, and uses DSCP 26 / PRI 3
            for lower-priority traffic across the network, such as chatter
            between the phone and the phone controller.

            Since I don't know what phone system you're using,
            I can't really say if it needs that policy or not.
            Search your documentation, and see if your phones
            utilize "DSCP" at all, or if you can find anything that
            mentions different priorities or class-of-services.

    2.)   If Port 1 of your GS1900. . . .

           In a basic network setup, ALL ports should be set to:
           VLAN1, PVID1, Untagged
           (Including the port that connects to your router.)

            This will allow computers, printers, etc,
            to communicate with each other, and to the internet.

            Port 1, since it connects to your router, and
            ostensibly provides VLAN2 with DHCP, etc.,
            should also be set to VLAN2 Tagged.

            Then, any port that a phone is connected to
            should also be set to VLAN2 - Tagged.

            In theory, you could set ALL of your ports
            to VLAN2 Tagged. . .  then it wouldn't matter
            which port you plugged a phone into.

            However, it's usually best practice to just enable
            VLANS on the ports that you're using them on.

           The port on your Router should be set the same way.
            VLAN1, PVID1, Untagged
            VLAN2, Tagged

           (I have been assuming that your router supports VLANs,
            and that you have it already set up with firewall rules,
            and have created a separate DHCP service on it for VLAN2.
            Please let me know if this is not the case.)

    And, finally -

    1.)    There's no reason you couldn't have the phones
             and your PC's on VLAN1.  

             I think most folks use a 2nd VLAN
             for easier traffic shaping and troubleshooting.

             When you have a phone that has a PC Pass-thru
             port on the back. . .it's kind of like having a 3-port,
             VLAN-aware switch built into your phone.
             Your network comes in on external Port 1,
             your PC connects on external Port 2,
             and your phone connects to internal Port 3.

             Since your PC most likely isn't VLAN-aware,
             it's going to end up on VLAN1 by default.

             So, even if the VLAN setup for your phones
             isn't working right now, your PC (in your diagram above)
             should be able to power up, and reach the internet
             without any trouble.


    Let's say that you haven't done anything to set up VLAN2
    at this point. . .  what would (should) happen, is that
    your phone should start up. . .   and send out a DHCP
    request. . .  since you haven't set up VLANS, it will make
    that request on VLAN1. . . and your VLAN1 DHCP server
    will give it an IP address. . .   then the phone will try to
    reach out (Via VLAN1) to whatever phone system
    you have in place.    If your phone system isn't on
    the same subnet as your PC's and stuff. . .then it will
    never connect to it, to finish starting up.

    Once the Telephony OUI is set up correctly,
    and you have Voice/VLAN enabled, etc.,
    then when your phones start up, the GS1900
    will see that its MAC address is part of your Telephony OUI,
    and it will dump your phones (and only your phones)
    onto VLAN2 right away.  At that point, data to/from
    your phone (and only your phone) will be tagged for VLAN2.
    So, as it continues to start up, and it makes its initial DHCP request,
    it will be expecting a response from the DHCP server that
    you created for VLAN2.   If it finds your VLAN2 DHCP server,
    then it will end up with an IP address on your VLAN2 subnet.

    (The PC connected to the back of that phone
    will be completely oblivious to all of this, as it
    is happily communicating as Untagged traffic
    on VLAN1. . .)

    Now, it is important to remember -
    IP Phones will need to know how to reach your phone system.
    They typically get this information via the DHCP server
    on your Voice subnet.

    For Mitel phones, we create DHCP option 43, and give it
    a string of data to pass to the phones, which tell it
    the address of the phone system.

    So, when the phone gets its IP address, it will also receive
    the string of data from Option 43, and from there, it will then
    reach out to your phone system for further startup instructions.
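
The behaviour discussed in this thread, as an added example that is not part of the original post and is not Zyxel firmware code: a simplified model of OUI classification and per-port VLAN membership, showing why a phone port with VLAN2 "Excluded" only worked while the old firmware ignored the setting. The OUI, MAC addresses, port names and the `legacy_bug` switch are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DATA_VLAN, VOICE_VLAN = 1, 2
TELEPHONY_OUIS = {"02:aa:bb"}   # constructed OUI; use your phones' first 3 MAC bytes


@dataclass
class Port:
    name: str
    pvid: int = DATA_VLAN
    voice_vlan_enabled: bool = False
    # VLAN ID -> "untagged" | "tagged" | "excluded"
    membership: dict = field(default_factory=lambda: {DATA_VLAN: "untagged"})


def classify(port: Port, src_mac: str) -> int:
    """VLAN assigned to an untagged frame arriving on `port`."""
    if port.voice_vlan_enabled and src_mac.lower()[:8] in TELEPHONY_OUIS:
        return VOICE_VLAN
    return port.pvid


def member_mode(port: Port, vlan: int, legacy_bug: bool) -> Optional[str]:
    """Port's mode for `vlan`, or None when the port is not a member."""
    mode = port.membership.get(vlan, "excluded")
    if mode != "excluded":
        return mode
    # Old firmware, per the Zyxel reply: voice traffic was tagged out even
    # though the port's VLAN settings said otherwise.
    return "tagged" if legacy_bug and vlan == VOICE_VLAN else None


def forward(ingress: Port, egress: Port, src_mac: str,
            legacy_bug: bool = False) -> Optional[str]:
    """How the frame leaves `egress` (e.g. "tagged:2"), or None if dropped."""
    vlan = classify(ingress, src_mac)
    if member_mode(ingress, vlan, legacy_bug) is None:
        return None
    out = member_mode(egress, vlan, legacy_bug)
    return None if out is None else f"{out}:{vlan}"


def scenarios() -> dict:
    """Run the thread's cases: phone port to the router-facing port."""
    uplink = Port("uplink", membership={1: "untagged", 2: "tagged"})
    plain_uplink = Port("uplink-vlan1-only")
    excluded = Port("phone-port", voice_vlan_enabled=True,
                    membership={1: "untagged", 2: "excluded"})
    tagged = Port("phone-port", voice_vlan_enabled=True,
                  membership={1: "untagged", 2: "tagged"})
    phone, pc = "02:aa:bb:00:00:10", "02:cc:dd:00:00:01"   # constructed MACs
    return {
        "old firmware, VLAN2 Excluded": forward(excluded, uplink, phone, legacy_bug=True),
        "new firmware, VLAN2 Excluded": forward(excluded, uplink, phone),
        "new firmware, VLAN2 Tagged": forward(tagged, uplink, phone),
        "PC behind the phone": forward(tagged, uplink, pc),
        "uplink missing VLAN2": forward(tagged, plain_uplink, phone),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:30} -> {result}")
```
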

  • YiHsien
    YiHsien Posts: 25  Freshman Member
    Hi Tim,

    Thanks. We have done all the settings except subnet.
    We have NEC IP phones and our firewall/router is Fortigate. At this moment we manually set their IP addresses (in the same 192.168.0.x subnet with our PC, printers, and servers).  According to your advice, that's the root cause why our Voice VLAN isn't up and running.

    So the next step is to use DHCP option 43?
    And my problem would be how to set up a second DHCP server in the same FortiGate firewall that assigns IPs only to the IP phones.  We also don't have much knowledge on this part.

    Thank you~

  • YiHsien
    YiHsien Posts: 25  Freshman Member
    Hi, one more question:
    In your example, how does GS1900 know that 192.168.2.x is with VLAN2?
  • YiHsien
    YiHsien Posts: 25  Freshman Member
    Hi Tim,

    One more thing:  
    You mentioned 'They typically get this information via the DHCP server.'
    However, it is recommended in our NEC SL2100 manual that static IP is preferred.  Is it possible that we use static IP (in the same or different subnet)?
  • TiggerLAS
    TiggerLAS Posts: 64  Ally Member

    Alrighty. . .   let's see. . .

    If you only have a handful of IP Phones, then perhaps
    the static IP method that you mentioned might be easier
    than trying to mess with DHCP options, etc.

    Let's assume that you're NOT going to use DHCP;
    that you're going to keep your static IP settings
    on your NEC phones for the moment.

    We haven't really talked about your physical
    NEC Phone System / Controller yet.

    I'm assuming it is set to a static IP address.
    It will need to be able to communicate with VLAN2.

    This can be accomplished 1 of 2 ways.

    1.)   Routing via your FortiGate (less desirable)
    2.)   Placing it onto VLAN2 directly.  (preferred)

    Let's assume it will be placed directly onto VLAN2.
    For purposes of this discussion, I'll assume that it
    is manually set with the following IP information -
    IP address:
    Gateway:   <<< More on this later.

    Now, let's go back into your GS1900,
    and modify TWO network ports, as follows -

    VLAN2, PVID2, Untagged
    VLAN1 Forbidden

    (This will cause whatever is plugged into these ports
    to communicate, by default, on your VLAN2 subnet.)

    One of these ports will be the permanent home
    of your NEC phone system controller.

    The other port, we'll use for diagnostic purposes.
    More on that later.

    Now, let's jump over to your FortiGate -

    I don't know the model of your Fortigate,
    so I can't tell you the exact process.

    Here's a link I found for a VM64 -

    Here, you'd set your VLAN ID, and the port number
    that it is associated with.

    Select type "VLAN" as shown above.
    Then select whichever port is connected to your GS1900.
    Then Select VLAN2 for your phones.

    Keep the role as LAN.
    No need to mess with the "Add Tag Category".

    Keep the addressing mode at "Manual".

    Under IP/Network Mask, enter -      /

    Under "Administrative Access",
    check-mark HTTPS and PING.
    More on that later as well.

    What that will do is create a virtual IP address
    on your Fortigate of

    This is what will actually define your VLAN2
    subnet for the rest of your network.

    Your devices on VLAN2 will use the
    address as their gateway.

    So, you'd go into one of your phones, and set its
    IP address to an arbitrary IP address, such as
    with a subnet mask of,
    and a gateway IP address of

    Now, any traffic from that phone will use
    the virtual IP address of as its gateway.
    Any other IP settings in there (along with the IP settings
    on the NEC phone system itself) would need to be adjusted for
    the 192.168.2.x subnet. . .  and the gateway.


    How does the GS1900 know that 192.168.2.x is associated
    with VLAN2?  Well, it doesn't really, at least not in any sense
    that you need to be concerned about.

    At a very basic level, the switch is only looking for VLAN tags.

    Your Fortigate, which is operating as your router/gateway device
    is what defines the 192.168.2.x address range as being associated
    with VLAN2.   The GS1900 is just looking at the VLAN2 tags,
    and moving the traffic to the appropriate ports on the switch.


    I'm going to continue to use the following assumptions,
    with regards to your Subnet, VLAN, and phone setup.
    Adjust these values accordingly, to meet your needs.

    192.168.1.x       VLAN1       Your computers, printers, etc.
    192.168.2.x       VLAN2       Your IP phones.

                      The (VLAN1) IP address of your FortiGate.
                      This is currently the "Gateway" address that
                      your computers receive via DHCP.

                      The (VLAN2) IP address of your FortiGate.
                      This is the "virtual" IP address that we created earlier.

                      The IP address of your actual NEC phone system/controller.

                      A random IP phone on your network.


    Assuming that you've set up your GS1900
    as previously discussed, then here is what will transpire -

    You plug your IP phone into the network, and it powers up.

    The GS1900 will see the MAC address of the phone
    show up on the network.

    Since the phone has a MAC address that matches the one
    set up in your Telephony (Voice-VLAN) OUI settings, it will start
    tagging the traffic (from JUST the phone) with VLAN2.

    So now, the phone with is on VLAN2,
    and will be using its manually-set gateway of

    The phone will attempt to reach the phone system,
    via the FortiGate gateway that we set up.

    Assuming that the phone system has been set correctly,
    the two devices will start communicating with each other.


    So, here is how I would proceed, initially.

    1.)   Set up the two ports mentioned earlier on the GS1900
           1 permanent port for the phone system
           1 temporary port for diagnostics
           VLAN2, PVID2, Untagged
           VLAN1, Forbidden

           (Don't move your phone system to this port just yet.)

    2.)   Log into your FortiGate, and create VLAN2
           as discussed earlier.

    3.)   For testing, grab a laptop or PC, and manually set
           its IP address to an arbitrary IP address, such as
  / /
           (Under DNS servers, use as well.)

           Then, plug it into the temporary diagnostic port.

           If setup of the FortiGate and the GS1900 is correct,
           you should be able to PING
           and get a response back from the FortiGate.

           (You shouldn't be able to get to the internet at this point,
             but you SHOULD be able to access the FortiGate via
   , since we enabled HTTP access earlier.)

    4.)   Don't proceed any further unless the testing is successful.

    5.)    Log into your phone system, controller,
            and set its IP address to:
     /   /
            You can use whatever address you prefer;
             I tend to place network gear at the top end
             of the address range, others prefer the low end.

    6.)     Once set, plug your phone system controller
              into the permanent port that we created earlier.

    7.)      You should now be able to PING your phone controller
               at its new address.

    8.)      Don't proceed any further if you can't ping the phone controller.

    9.)      Plug one of your IP phones into one of the ports that we
              set up with the Telephony/Voice-VLAN settings
              from our previous conversations.

    10.)    Go into the menu settings of the phone, and set it to
              an arbitrary IP address, such as
     / /

              You'll have to tell the phone the new address of the
              NEC Phone controller as well.

              I don't know if there is a manual VLAN setting
              inside the NEC phones or not.

              If there is, let's just leave it alone for now, and see what happens.
              The phone may try to discover the correct VLAN, in which case
              the GS1900 switch should assign it automatically.

    11.)    Let's see if the phone starts up, and can reach the phone system.
              If not, go back into the phone settings, and manually update
              the VLAN to VLAN2, and try again.

    If everything works up to this point, then well done.

    The next step is to allow DNS / Internet connectivity
    to your phones and phone system, which is often needed
    for firmware updates, access to NTP time servers, etc.

    That will be a separate discussion though,
    as I'm getting a little punchy, and need some sleep.   ;-)

    For ease of set-up, I'd need to know where
    your network gets its DNS information from.

    1.)   You have your own, separate in-house DNS server.
    2.)   The FortiGate is acting as the DNS server for your network.
    3.)   Your PC's get their DNS directly from an external DNS server.

    If you're not familiar with how to determine that,
    the quickest way is to drop down to a DOS prompt
    (from one of your regularly-connected PC's)
    and type in:    NSLOOKUP    and hit enter.

    It should give you an IP address.

    If the IP address isn't within your existing 192.168.1.x
    subnet, then your computers are reaching out directly
    to external DNS servers.

    If the IP address matches the IP address of your FortiGate,
    then your FortiGate is providing the DNS for your office,
    which is a fairly common method.

    If the IP address is for some other machine inside your office,
    then obviously, you have your own in-house DNS server.

    Hope this helps, for now.