Thanks that clears some things up, but I'm a bit confused about the native VLAN here. You're saying that aside from the voice VLAN, the only other VLAN that can be allowed on this kind of unique/limited trunk port is the native one (thus untagged)? As I said we use 64 for our data, and that's what I would want the computer behind the phone to get... but you say it doesn't matter as long as it's untagged since that applies to everything? And VLAN 1 isn't really used much in our switch except as the default and in this case I guess native, since that wasn't changed. The only ports it is present on are the ports going to the VoIP phones.

The reason I ask is because each of these VLANs, with SVIs, is tied to a different subnet, with its own DHCP pool. So the voice subnet is 192.168.65.x and the data 192.168.64.x, etc. Is there a way to get the computer behind a phone on the correct VLAN and subnet in this fashion? While the phone also stays on its respective voice one?

"Are the ports actually configured as trunks or as Balaji shows?"

I saw that the word trunk didn't actually appear in the config or commands entered in his post (as in 'switchport mode trunk'), but essentially adding that voice vlan makes it a special kind of trunk, right? As I mentioned, right now they are in dynamic auto mode, which I guess means it can convert to a trunk link if the neighboring device is set to trunk or desirable... but in this case it's a phone (btw I'm using CP-8851 as an example here).

Have you tried that example posted about  ?

that is the standard setup used all over if the Cisco Phone CDP is good enough.

Sure Voice Phone get Voice VLAN, and Data PC gets Data VLAN as per the example.

You can test one port before you deploy in mass to understand is this working.

If you have Voice VLAN interface vlan X - make sure add ip-helper to get IP address, same way Data VLAN too (if the switch not handling the DHCP)

Any issue post the config you were configured and what was the outcome to troubleshoot with you.

I tried it but the phone seemed to be stuck in 'Detecting network' for a long while, and has now been in 'Phone is registering' for like over 20 minutes... might be something else impacting it.

But it didn't used to take this long.

Name: Gi3/0/14
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 64 (VLAN0064)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Voice VLAN: 65 (VLAN0065)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

I dont see wrong in your config, 
please share the show cdp neighbor, 

Thanks, this ended up working eventually!

Okay, let's cover some basics as your note you're "new" to VoIP.

For a switch that supports VLANs, we need some way to separate frames into different VLANs.  There are a few ways to do this, the most common being, you assign a port to a VLAN.  Frames going in/out that port look just like any other similar port's frames, but the switch logically segregates the frames.  For example, frames using ports 5 and 6 in VLAN 10 are not shared/intermingled with frames using ports 15 and 16, if those ports are defined to be in VLAN 20.  However, of course, fames using ports 5 and 6, or ports 15 and 16, can be shared/intermingled for ports in the same VLAN.  Again, frames going in/out these 4 ports, look "alike".

If you wanted to "share" VLANs 10 and 20 with another switch, keeping those VLANs separated, you might connect port 5 or 6 to another switch's port 10, if port 10 is also defined to be VLAN 10.  Likewise, port 15 or 16 might be connected to port 20, on the other switch, if port 20 is defined to be in VLAN 20.  Still, you cannot distinguish between VLAN 10 and VLAN 20 frames, looking at just the frames.

Using a port per VLAN to interconnect switches isn't very "nice" as you create more and more VLANs.  So, we define a way to tag frames with their VLAN ID, and since frames can now be distinguished they can be sent in/out the same port, which Cisco calls a trunk port.  Cisco's trunk ports allow you to work with any one single VLAN's frames without tags, which you configure as the "native" ("native" as its looks the same as any other untagged frame).  Basically, the "native" VLAN assigns untagged frames to use a particular VLAN the same as an access port assigns untagged frames to a particular VLAN.  The big difference, a trunk port can send other VLANs in/out the same port, as they will be tagged with a VLAN ID.

Basically, most modern VoIP phones have built-in "special/limited" VLAN capable switch.

Above, I mentioned how two switches could share multiple VLANs on the same port if the frames were tagged.  In Cisco's trunk implementation, you can also mix a single untagged set of frames, with the other tagged frames, because you configure the switch to assign untagged frames to a particular VLAN.

A VoIP phones, it designed like this too, although it only supports two VLANs, one untagged and one tagged.

Such a phone can interoperate with a Cisco trunk port, also configured to use just one untagged VLAN (native), and one tagged VLAN.  Since such a VoIP phone is limited to two VLANs, again, untagged and tagged, Cisco created an option for access ports to support one additional VLAN, tagged, in addition to their already untagged VLAN (this to avoid using a Cisco trunk port, for the same purpose - which, before there were access ports with "voice" VLANs, was how it could be done).

Cisco's implementation "names" the tagged VLAN "voice", because that's generally what it's always used for, but the switch port really doesn't care.  All it cares about is that you assigned one VLAN for untagged frames (classical access port - and much like a trunk port's native assignment) and one VLAN for tagged frames (unlike a trunk port, as they, by default, carry all VLANs known on the switch, but can be restricted to just one VLAN).

So, what my prior reference to another thread showed, from a VLAN and frame tagging perspective, an access port defined with a "voice" VLAN is very much like a trunk port using just two VLANs, one of which is "native" or untagged (actually there are other differences too, dealing with "control", but for "our traffic", they don't normally matter).

This is why I mention, VLAN 1, 64, 65, etc., doesn't matter.  You determine what your VLANs are, how they are to be used, and, as they use the port, whether frames are tagged for not.

BTW, another way to setup up VoIP phones, is they and your PCs, each, have their own port connections.  Sharing a port, like a trunk, vs. one per, between switches, for each VLAN, just reduces edge port requirements.

Further, whether VoIP phones share a port with a PC, or have their own ports, you can have VoIP phones with their own VLAN or they can share a VLAN with PCs.

I.e. you can mix and match shared VLANs vs. separate VLANs for VoIP phones and PCs along with VoIP phones and PCs having separate edge ports vs. sharing an edge port.

As a VoIP phone's built-in "special/limited" VLAN switch (to my knowledge) always uses untagged frames for downstream devices.  Further, if the VoIP phone is also using tagged frames (to my knowledge) it always used for the VoIP phone, itself.  Again, it's up to you configure your edge port as desired, i.e. whether to use only untagged frames or untagged and tagged, and VLAN assignments for what you're using.

As to VoIP phone "knowing" whether to use tagged frames for themselves, and if so, what the VLAN tags should be, that varies a bit by brand of VoIP phone and/or configuration options on the phone.  For example, VoIP phone might use CDP and/or LLDP to determine if edge port is providing a tagged VLAN, and if it does, VoIP phones assumes it's for exclusive use of the phone.  Or, phone might be "hard coded" to use a particular VLAN tagged frames.  Or, phone might get a DHCP option string which indicates it should use a particular tagged VLAN ID for its traffic.

Hopefully, the above might help you better understand how VoIP phones use untagged or tagged frames.

If you have questions on the above, feel free to post them.

Thanks Joseph, that does explain a lot more. I had some prior limited exposure to VoIP systems that were non-Cisco (Polycom), but the configurations were all very basic and had more to do with settings on the phones themselves rather than the networking aspects.

Anyway, so to clarify, native VLANs are set on a per-port basis? Meaning there can be a different native VLAN for each port? I was just using Balaji's example, who indicated to use 64 for the access VLAN, but based on what you say, anything other than the voice VLAN would be untagged so it wouldn't be necessary to specify that anyway.

The other thing was about DHCP and subnets: would it find its way to the right DHCP pool from the configuration of that switch edge port? Even if 64 wasn't specified and it was all untagged aside from the voice one? How would it know otherwise? Because we have other subnets aside from just voice that need to be differentiated. Could you maybe elaborate a little more on this option string?

Before trying this configuration, the computer attached to the phone would always just get the same VLAN as the phone (65) and be in that subnet/pool, although that is the voice subnet, which we don't want.

Now it just isn't registering and hanging up on the port I'm testing with, but I'll try to troubleshoot it more and compare what's different from the other ports that do work.

I'm looking at the settings of the phone that is hung up registering (which are still accessible), and in Ethernet setup I see the Operation VLAN ID is 65, the Admin VLAN ID is blank, and the PC VLAN field is also blank but greyed out.

OK after some more troubleshooting I found that for some reason DHCP was turned off on the phone, which I never did and they are usually not set that way. Then I still had some problems but after a while got it to work. The phone is in its VLAN and respective subnet while the computer is in its own, as intended. So essentially Balaji's commands did work ultimately. Just had to tweak some other things on the phone and switch in my case.

Thanks.

BTW, @MHM Cisco World, just (very) quickly skimming your reference, the author is presenting, what I believe is incorrect information.

"I have been looking into this like a madman and must admit that Voice combined with QOS is not the easiest to understand."

Yea, so many seem to struggle with QoS.  I think the problem is the way QoS is presented.  This author still doesn't, I believe, really understand.

If you're interested, perhaps I'll detail the specific (what I believe) are errors.

check link I share it sure explain to you the use of trunk/tag/untag/VoiceVlan