Security mode and normal mode of voice vlans – H3C Technologies H3C S7500E Series Switches User Manual

The default VLAN of every port is VLAN 1. You can use commands to configure the default VLAN of a port
and to configure a port to permit a certain VLAN to pass through. For more information, refer to
Port-Based VLAN Configuration.

Use the display interface command to display the default VLAN of a port and the VLANs
permitted to pass through the port.

Security Mode and Normal Mode of Voice VLANs

Voice VLAN-enabled ports operate in security mode or normal mode, depending on their inbound
packet filtering mechanisms.

Normal mode: In this mode, voice VLAN-enabled ports receive packets carrying the voice VLAN
tag and forward packets in the voice VLAN without checking their source MAC addresses against
the OUI addresses configured for the device. If the default VLAN of the port is the voice VLAN and
the port works in manual VLAN assignment mode, the port forwards all received untagged
packets in the voice VLAN. In normal mode, the voice VLANs are vulnerable to traffic attacks.
Malicious users may forge a large number of voice packets and send them to the device to consume
the voice VLAN bandwidth, affecting normal voice communication.

Security mode: In this mode, only voice packets whose source MAC addresses match the
recognizable OUI addresses can pass through the voice VLAN-enabled inbound port, while all
other packets are dropped.

In a safe network, you can configure the voice VLANs to operate in normal mode, which reduces the
system resources consumed by source MAC address checking.

Table 18-2 How a voice VLAN-enabled port processes packets in security/normal mode

| Voice VLAN mode | Packet type | Packet processing mode |
|---|---|---|
| Security mode | Untagged packets; packets carrying the voice VLAN tag | If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN; otherwise, it is dropped. |
| Security mode | Packets carrying other tags | Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through |
| Normal mode | Untagged packets; packets carrying the voice VLAN tag | The port does not check the source MAC addresses of inbound packets. In this way, both voice traffic and non-voice traffic can be transmitted in the voice VLAN. |
| Normal mode | Packets carrying other tags | Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through |
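The decision logic of Table 18-2, modeled as an added example (not H3C code and not part of the original manual), to show which inbound frames security mode drops that normal mode would carry in the voice VLAN. The OUI entry with its mask, the VLAN IDs and the MAC addresses are constructed, and untagged frames are handled as the table groups them, which assumes the port's default VLAN is the voice VLAN.

```python
# Added example: a model of Table 18-2, not H3C code.
# The OUI entry, VLAN IDs and MAC addresses are constructed for illustration.
OUI_TABLE = [("0011-2200-0000", "ffff-ff00-0000")]  # (address, mask), assumed
VOICE_VLAN = 2                                       # assumed voice VLAN ID
PERMITTED_VLANS = {2, 10}                            # VLANs the port lets through

def mac_to_int(mac):
    """Parse a MAC written as 0011-2200-0001, 00:11:22:00:00:01 or 0011.2200.0001."""
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def matches_oui(src_mac, oui_table=OUI_TABLE):
    """True if src_mac falls inside any (address, mask) entry of the OUI list."""
    src = mac_to_int(src_mac)
    return any(src & mac_to_int(mask) == mac_to_int(addr) & mac_to_int(mask)
               for addr, mask in oui_table)

def process_inbound(security_mode, tag, src_mac, voice_vlan=VOICE_VLAN,
                    oui_table=OUI_TABLE, permitted_vlans=PERMITTED_VLANS):
    """Action for one inbound frame; tag is None for an untagged frame."""
    if tag is not None and tag != voice_vlan:
        # "Packets carrying other tags": identical in both modes.
        return f"forward in VLAN {tag}" if tag in permitted_vlans else "drop"
    # Untagged and voice-VLAN-tagged frames share one row of the table.
    if security_mode and not matches_oui(src_mac, oui_table):
        return "drop"  # source MAC is not a recognizable OUI
    return f"forward in VLAN {voice_vlan}"

def dropped_only_in_security_mode(frames):
    """Frames (tag, src_mac) that normal mode forwards but security mode drops."""
    return [f for f in frames
            if process_inbound(False, *f) != "drop"
            and process_inbound(True, *f) == "drop"]

# Constructed sample frames: (VLAN tag or None, source MAC)
SAMPLE_FRAMES = [
    (2, "0011-2233-4455"),     # voice tag, MAC inside the OUI range
    (None, "00e0-fc12-3456"),  # untagged, MAC outside the OUI range
    (2, "00e0-fc12-3456"),     # voice tag, MAC outside the OUI range
    (10, "00e0-fc12-3456"),    # other tag, VLAN permitted on the port
    (30, "0011-2233-4455"),    # other tag, VLAN not permitted on the port
]

if __name__ == "__main__":
    for frame in dropped_only_in_security_mode(SAMPLE_FRAMES):
        print("normal mode would carry this in the voice VLAN:", frame)
```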
