Security mode and normal mode of voice VLANs
Depending on the incoming packet filtering mechanisms, a voice VLAN-enabled port can operate in one of the following modes:
Normal mode—The port receives voice-VLAN-tagged packets and forwards them in the voice VLAN without examining their MAC addresses. If the PVID of the port is the voice VLAN and the port operates in manual VLAN assignment mode, the port forwards all the received untagged packets in the voice VLAN.
In this mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send large quantities of forged voice-VLAN-tagged or untagged packets to consume the voice VLAN bandwidth and disrupt normal voice communication.
Security mode—The port uses the source MAC addresses of voice packets to match the OUI addresses of the device. Packets that fail the match will be dropped.
In a safe network, you can configure the voice VLANs to operate in normal mode to avoid the system resources consumed by source MAC address checking.
TIP: As a best practice, do not transmit both voice traffic and non-voice traffic in a voice VLAN. If you must transmit different traffic in a voice VLAN, make sure the voice VLAN security mode is disabled.
Table 14: Packet processing on a voice VLAN-enabled port in normal and security mode
Voice VLAN mode | Packet type | Packet processing |
---|---|---|
Normal | Untagged packets or packets with the voice VLAN tags | The port does not examine the source MAC addresses of incoming packets. Both voice traffic and non-voice traffic can be transmitted in the voice VLAN. |
Normal | Packets with other VLAN tags | Forwarded or dropped depending on whether the port allows packets from these VLANs to pass through. |
Security | Untagged packets or packets with the voice VLAN tags | The port matches the source MAC addresses of incoming packets against the OUI addresses of the device. Packets that fail the match are dropped. |
Security | Packets with other VLAN tags | Forwarded or dropped depending on whether the port allows packets from these VLANs to pass through. |
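The processing rules in Table 14, as an added Python model that is not part of the original documentation or any device's code. It assumes a port whose PVID is the voice VLAN in manual VLAN assignment mode and OUI entries stored as address and mask pairs; the function names, VLAN IDs and MAC addresses are constructed for illustration.

```python
# Added example: model of Table 14 for one voice VLAN-enabled port.
# Assumptions (not from the page): PVID is the voice VLAN with manual VLAN
# assignment, so untagged frames land in the voice VLAN; OUI entries are
# (address, mask) pairs; every MAC address and VLAN ID below is constructed.
from collections import Counter

VOICE_VLAN = 100                  # constructed voice VLAN ID
PERMITTED_VLANS = {100, 200}      # VLANs the port allows to pass (constructed)
OUI_LIST = [("00:11:22:00:00:00", "ff:ff:ff:00:00:00")]  # constructed OUI entry

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def oui_match(src_mac, oui_list=OUI_LIST):
    """True if the source MAC matches any OUI entry under that entry's mask."""
    src = mac_to_int(src_mac)
    return any((src & mac_to_int(mask)) == (mac_to_int(oui) & mac_to_int(mask))
               for oui, mask in oui_list)

def process(mode, src_mac, vlan_tag=None):
    """Return 'forward:<vlan>' or 'drop' for one incoming frame."""
    if vlan_tag is not None and vlan_tag != VOICE_VLAN:
        # Other VLAN tags: identical in both modes, decided by the port's VLANs.
        return f"forward:{vlan_tag}" if vlan_tag in PERMITTED_VLANS else "drop"
    if mode == "normal":          # source MAC is not examined
        return f"forward:{VOICE_VLAN}"
    if mode == "security":        # source MAC must match an OUI entry
        return f"forward:{VOICE_VLAN}" if oui_match(src_mac) else "drop"
    raise ValueError(f"unknown mode: {mode}")

def voice_vlan_load(mode, frames):
    """Count frames admitted to the voice VLAN, split by OUI match."""
    load = Counter()
    for src, tag in frames:
        if process(mode, src, tag) == f"forward:{VOICE_VLAN}":
            load["phone" if oui_match(src) else "other"] += 1
    return load

# Constructed traffic: 3 phone frames, 2 data frames in other VLANs, and
# 500 tagged or untagged frames from a MAC that matches no OUI entry.
PHONE, PC, OTHER = "00:11:22:aa:bb:01", "02:00:00:00:00:09", "02:00:00:00:00:01"
FRAMES = ([(PHONE, VOICE_VLAN)] * 2 + [(PHONE, None)] + [(PC, 200), (PC, 300)]
          + [(OTHER, VOICE_VLAN)] * 250 + [(OTHER, None)] * 250)

if __name__ == "__main__":
    for mode in ("normal", "security"):
        print(mode, dict(voice_vlan_load(mode, FRAMES)))
```

With the constructed traffic, normal mode admits all 500 non-matching frames into the voice VLAN alongside the phone's 3, while security mode admits only the phone's frames; frames carrying other VLAN tags are handled the same way in both modes.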