Security mode and normal mode of voice vlans – H3C Technologies H3C S10500 Series Switches User Manual


NOTE:

The PVID is VLAN 1 for all ports by default. You can configure the PVID of a port and assign a port to
certain VLANs by using commands. For more information, see the chapter “VLAN configuration.”

Use the display interface command to display the PVID of a port and the VLANs to which the port is
assigned.

Security mode and normal mode of voice VLANs

Depending on their inbound packet filtering mechanisms, voice VLAN-enabled ports operate in the following modes:

Normal mode: Voice VLAN-enabled ports receive packets that carry the voice VLAN tag, and forward packets in the voice VLAN without comparing their source MAC addresses against the OUI addresses configured for the device. If the PVID of the port is the voice VLAN and the port works in manual VLAN assignment mode, the port forwards all received untagged packets in the voice VLAN. In normal mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send large quantities of forged voice packets to consume the voice VLAN bandwidth, affecting normal voice communication.

Security mode: Only voice packets whose source MAC addresses match the recognizable OUI addresses can pass through the voice VLAN-enabled inbound port. All other packets are dropped.

In a safe network, you can configure the voice VLANs to operate in normal mode, which reduces the system resources consumed by source MAC address checking.

TIP:

H3C does not recommend you transmit both voice traffic and non-voice traffic in a voice VLAN. If you
must transmit both voice traffic and non-voice traffic, ensure that the voice VLAN security mode is disabled.

Table 18 How a voice VLAN-enabled port processes packets in security and normal mode

| Voice VLAN mode | Packet type | Packet processing mode |
|---|---|---|
| Security mode | Untagged packets; packets that carry the voice VLAN tag | If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN; otherwise, it is dropped. |
| Security mode | Packets that carry other tags | Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through |
| Normal mode | Untagged packets; packets that carry the voice VLAN tag | The port does not check the source MAC addresses of inbound packets. In this way, both voice traffic and non-voice traffic can be transmitted in the voice VLAN. |
| Normal mode | Packets that carry other tags | Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through |
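
The inbound decision of Table 18, modelled in Python as an added example (it is not H3C code and does not come from the manual). The function names, the (address, mask) form of an OUI entry, and the sample MAC addresses are assumptions made for illustration; untagged packets are assumed to arrive on a port whose PVID is the voice VLAN and that works in manual VLAN assignment mode.

```python
# Added illustration: a model of Table 18, not device firmware or H3C code.
SECURITY, NORMAL = "security", "normal"


def mac_to_int(mac):
    """Parse a MAC written as 0003-6b12-3456 or 00:03:6b:12:34:56."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def matches_oui(src_mac, oui_list):
    """True if src_mac falls under any (address, mask) OUI entry."""
    src = mac_to_int(src_mac)
    for addr, mask in oui_list:
        m = mac_to_int(mask)
        if src & m == mac_to_int(addr) & m:
            return True
    return False


def process_packet(mode, tag, src_mac, voice_vlan, oui_list, permitted_vlans):
    """Return ('forward', vlan) or ('drop', None) for one inbound packet.

    tag is None for an untagged packet, otherwise the VLAN ID it carries.
    Assumption: untagged packets arrive with PVID == voice VLAN (manual mode).
    """
    if tag is None or tag == voice_vlan:
        # Security mode is the only mode that compares the source MAC to the OUIs.
        if mode == SECURITY and not matches_oui(src_mac, oui_list):
            return ("drop", None)
        return ("forward", voice_vlan)
    # Packets carrying other tags: decided by the port's permitted VLANs,
    # identically in both modes.
    if tag in permitted_vlans:
        return ("forward", tag)
    return ("drop", None)


# Constructed sample data (not taken from the manual).
VOICE_VLAN = 2
OUIS = [("0003-6b00-0000", "ffff-ff00-0000")]
PHONE = "0003-6b12-3456"    # source MAC inside the sample OUI
FORGED = "00e0-fc00-0001"   # source MAC outside every configured OUI
PERMITTED = {2, 10}

if __name__ == "__main__":
    for mode in (SECURITY, NORMAL):
        for tag in (None, VOICE_VLAN, 10, 20):
            print(mode, tag, process_packet(mode, tag, FORGED, VOICE_VLAN, OUIS, PERMITTED))
```

The only rows where the two modes differ are untagged and voice-tagged packets from a source MAC outside the OUI list, which is the traffic the normal-mode flooding risk described above depends on.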
