Security mode and normal mode of voice vlans – H3C Technologies H3C S12500 Series Switches User Manual


| Port link type | Voice VLAN assignment mode | Support for untagged voice traffic | Configuration requirements |
|---|---|---|---|
| | Manual | Yes | Configure the PVID of the port as the voice VLAN and configure the port to permit packets of the voice VLAN to pass through untagged. |

NOTE:

The PVIDs for all ports are VLAN 1. You can configure the PVID of a port and assign a port to certain
VLANs by using commands. For more information, see "Configuring VLANs."

Use the display interface command to display the PVID of a port and the VLANs to which the port is
assigned.

Security mode and normal mode of voice VLANs

Voice VLAN-enabled ports operate in security mode or normal mode, depending on their inbound packet filtering mechanisms:

Normal mode—In this mode, voice VLAN-enabled ports receive packets carrying the voice VLAN tag and forward packets in the voice VLAN without checking their source MAC addresses against the OUI addresses configured for the switch. If the PVID of the port is the voice VLAN and the port operates in manual VLAN assignment mode, the port forwards all received untagged packets in the voice VLAN. In normal mode, the voice VLANs are vulnerable to traffic attacks. Malicious users might forge a large number of voice packets and send them to the switch to consume the voice VLAN bandwidth, affecting normal voice communication.

Security mode—In this mode, only voice packets whose source MAC addresses match the recognizable OUI addresses can pass through the voice VLAN-enabled inbound port, while all other packets are dropped.

In a safe network, you can configure the voice VLANs to operate in normal mode, thus reducing the consumption of system resources due to source MAC address checking.

H3C recommends not transmitting both voice traffic and non-voice traffic in a voice VLAN. If you have to, make sure the voice VLAN security mode is disabled.

If you have configured the MAC learning limit, when the number of MAC addresses an interface has learned reaches the limit, the device does not forward the VLAN-tagged packets whose source MAC addresses have not been learned. For more information about the MAC address learning limit, see "Configuring the MAC address table."

Table 4 How a voice VLAN-enabled port processes packets in security or normal mode

| Voice VLAN mode | Packet type | Packet processing mode |
|---|---|---|
| Security mode | Untagged packets; packets carrying the voice VLAN tag | If the source MAC address of a packet matches an OUI address configured for the switch, it is forwarded in the voice VLAN; otherwise, it is dropped. |
| Security mode | Packets carrying other tags | Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through |
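
The inbound filtering described above and in Table 4, modelled as an added example (not H3C code) for a port in manual assignment mode whose PVID is the voice VLAN. The VLAN IDs, MAC addresses and OUI entry are constructed, and treating an OUI as the first three bytes of the source MAC is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

VOICE_VLAN = 2            # constructed voice VLAN ID
OUIS = {"00:11:22"}       # constructed OUI entry; assumed to be the first 3 MAC bytes


@dataclass(frozen=True)
class Port:
    security: bool        # True = security mode, False = normal mode
    permitted: frozenset  # other VLANs the port allows to pass through


@dataclass(frozen=True)
class Frame:
    src_mac: str
    tag: Optional[int]    # None = untagged


def process(port: Port, frame: Frame) -> str:
    """Return 'voice', 'vlan <id>' or 'drop' for one inbound frame."""
    if frame.tag not in (None, VOICE_VLAN):
        # Other tags: depends only on whether the port permits that VLAN.
        return f"vlan {frame.tag}" if frame.tag in port.permitted else "drop"
    # Untagged (PVID = voice VLAN) or voice-tagged: candidate for the voice VLAN.
    if port.security and frame.src_mac.lower()[:8] not in OUIS:
        return "drop"     # security mode: source MAC matches no OUI
    return "voice"        # normal mode never checks the source MAC


def summarize(port: Port, frames) -> dict:
    return dict(Counter(process(port, f) for f in frames))


# Constructed sample traffic: two phones, two non-voice senders, two other VLANs.
FRAMES = [
    Frame("00:11:22:aa:bb:01", None),
    Frame("00:11:22:aa:bb:02", VOICE_VLAN),
    Frame("de:ad:be:ef:00:01", None),
    Frame("de:ad:be:ef:00:02", VOICE_VLAN),
    Frame("de:ad:be:ef:00:03", 10),
    Frame("de:ad:be:ef:00:04", 20),
]

if __name__ == "__main__":
    for secure in (False, True):
        port = Port(security=secure, permitted=frozenset({10}))
        print("security" if secure else "normal", summarize(port, FRAMES))
```

The two non-voice senders reach the voice VLAN only in normal mode, which is why mixing voice and non-voice traffic in a voice VLAN requires security mode to be disabled.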
