Security mode and normal mode of voice vlans – H3C Technologies H3C S5560 Series Switches User Manual

Page 206

Advertising

172

Port link

type

Voice VLAN assignment

mode

Support for tagged

voice traffic

Configuration requirements

Hybrid

Automatic Yes

The PVID of the port cannot be the voice
VLAN.

Manual Yes

The PVID of the port cannot be the voice
VLAN. Configure the port to forward the
packets from the voice VLAN with VLAN

tags.

Table 14 Configuration requirements for access/trunk/hybrid ports to support untagged voice traffic

Port link

type

Voice VLAN

assignment mode

Support for untagged

voice traffic

Configuration requirements

Access

Automatic No

N/A

Manual

Yes

Configure the voice VLAN as the PVID of the port.

Trunk

Automatic No

N/A

Manual Yes

Configure the voice VLAN as the PVID of the port.
Configure the port to forward the packets from
the voice VLAN.

Hybrid

Automatic No

N/A

Manual Yes

Configure the voice VLAN as the PVID of the port.
Configure the port to forward the packets from
the voice VLAN without VLAN tags.

If an IP phone sends out tagged voice traffic, and its accessing port is configured with 802.1X

authentication, guest VLAN, Auth-Fail VLAN, or critical VLAN, the VLAN ID must be different for the

following VLANs:

•

Voice VLAN.

•

PVID of the accessing port.

•

802.1X guest, Auth-Fail, or critical VLAN.

If an IP phone sends out untagged voice traffic, the PVID of the accessing port must be the voice VLAN.

As a result, 802.1X authentication is not supported.

Security mode and normal mode of voice VLANs

Depending on the incoming packet filtering mechanisms, a voice VLAN-enabled port can operate in one

of the following modes:

•

Normal mode—The port receives voice-VLAN-tagged packets and forwards them in the voice
VLAN without examining their MAC addresses. If the PVID of the port is the voice VLAN and the

port operates in manual VLAN assignment mode, the port forwards all the received untagged

packets in the voice VLAN.
In this mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send large
quantities of forged voice-VLAN-tagged or untagged packets to consume the voice VLAN

bandwidth to affect normal voice communication.

•

Security mode—The port uses the source MAC addresses of voice packets to match the OUI
addresses of the device. Packets that fail the match will be dropped.

Advertising

This manual is related to the following products:

H3C S5130 Series Switches, H3C S5120 Series Switches, H3C SR8800, H3C SR6600-X, H3C SR6600, H3C MSR 5600, H3C MSR 50, H3C MSR 3600, H3C MSR 30, H3C MSR 2600, H3C MSR 20-2X[40], H3C MSR 20-1X, H3C MSR 930, H3C MSR 900, H3C WX6000 Series Access Controllers, H3C WX5000 Series Access Controllers, H3C WX3000 Series Unified Switches, H3C LSWM1WCM10 Access Controller Module, H3C LSWM1WCM20 Access Controller Module, H3C LSQM1WCMB0 Access Controller Module, H3C LSRM1WCM2A1 Access Controller Module, H3C LSBM1WCM2A0 Access Controller Module

Popular Brands

Popular manuals