Configuring Dynamic VLAN Membership
This chapter describes how to configure dynamic port VLAN membership by using the VLAN Membership Policy Server (VMPS).
This chapter includes the following major sections:
Note For complete syntax and usage information for the switch commands used in this chapter, look at the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html
If the command is not found in the Catalyst 4500 Command Reference, it will be found in the larger Cisco IOS library. Refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
Understanding VMPS
The following subsections describe what a VMPS server does and how it operates.
The following topics are included:
•VMPS Server Overview
•Security Modes for VMPS Server
•Fall-back VLAN
•Illegal VMPS client requests
VMPS Server Overview
A VLAN Membership Policy Server (VMPS) provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port. When the host moves from a port on one switch in the network to a port on another switch in the network, that switch dynamically assigns the new port to the proper VLAN for that host.
A Catalyst 4500 series switch running Cisco IOS software does not support the functionality of a VMPS. It can only function as a VLAN Query Protocol (VQP) client, which communicates with a VMPS through the VQP. For VMPS functionality, you need to use a Catalyst 4500 series switch (or Catalyst 6500 series switch) running Catalyst operating system (OS) software.
VMPS uses a UDP port to listen for VQP requests from clients, so it is not necessary for VMPS clients to know whether the VMPS resides on a local or remote device on the network. Upon receiving a valid request from a VMPS client, a VMPS server searches its database for a MAC-address-to-VLAN mapping entry.
In response to a request, the VMPS takes one of the following actions:
•If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group and responds as follows:
–If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.
–If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends an "access-denied" response.
–If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a "port-shutdown" response.
•If the VLAN in the database does not match the current VLAN on the port and there are active hosts on the port, the VMPS sends an "access-denied" (open), a "fallback VLAN name" (open with fallback VLAN configured), a "port-shutdown" (secure), or a "new VLAN name" (multiple) response, depending on the secure mode setting of the VMPS.
If the switch receives an "access-denied" response from the VMPS, the switch continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the switch receives a "port-shutdown" response from the VMPS, the switch disables the port. The port must be manually re-enabled by using the CLI, Cisco Visual Switch Manager (CVSM), or SNMP.
You can also use an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends an "access-denied" or "port-shutdown" response.
For more information on a Catalyst 6500 series switch VMPS running Catalyst operating system software, refer to the "Configuring Dynamic Port VLAN Membership with VMPS" chapter at the URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/vmps.htm
Security Modes for VMPS Server
VMPS operates in three different modes. The way a VMPS server responds to illegal requests depends on the mode in which the VMPS is configured:
Open mode
If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group:
•If the VLAN is allowed on the port, the VLAN name is returned to the client.
•If the VLAN is not allowed on the port, the host receives an "access denied" response.
•If a VLAN in the database does not match the current VLAN on the port and a fallback VLAN name is configured, VMPS sends the fallback VLAN name to the client.
•If a VLAN in the database does not match the current VLAN on the port and a fallback VLAN name is not configured, the host receives an "access denied" response.
Secure mode
If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group:
•If the VLAN is allowed on the port, the VLAN name is returned to the client.
•If the VLAN is not allowed on the port, the port is shut down.
•If a VLAN in the database does not match the current VLAN on the port, the port is shut down, even if a fallback VLAN name is configured.
Multiple mode
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to the unassigned state. Any hosts that come online through the port are checked again with VMPS before the port is assigned to a VLAN.
If multiple hosts connected to a dynamic port belong to different VLANs, the VLAN matching the MAC address in the last request is returned to the client, provided that multiple mode is configured on the VMPS server.
Note Although Catalyst 4500 series and Catalyst 6500 series switches running Catalyst operating system software support VMPS in all three operation modes, the Cisco network management tool URT (User Registration Tool) supports open mode only.
Fall-back VLAN
You can configure a fallback VLAN name on a VMPS server. If you connect a device with a MAC address that is not in the database, the VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN name and the MAC address does not exist in the database, the VMPS sends an "access-denied" response. If the VMPS is in secure mode, it sends a "port-shutdown" response, whether or not a fallback VLAN has been configured on the server.
Illegal VMPS client requests
Two examples of illegal VMPS client requests are as follows:
•When a MAC-address mapping is not present in the VMPS database and no fallback VLAN is configured on the VMPS.
•When a port is already assigned a VLAN (and the VMPS mode is not "multiple") but a second VMPS client request is received on the VMPS for a different MAC address.
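The response rules in the "Security Modes for VMPS Server", "Fall-back VLAN" and "Illegal VMPS client requests" sections above, collected into one decision function. This is an added model written for this chapter, not Cisco code: the database contents, VLAN names, port group and MAC addresses are constructed, and the unknown-MAC behaviour in multiple mode (which the chapter does not state) is assumed to follow open mode.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_HOSTS = 50  # a dynamic port with more than 50 active hosts is shut down in every mode


@dataclass
class Vmps:
    mode: str                                   # "open", "secure" or "multiple"
    mac_to_vlan: Dict[str, str]                 # MAC -> VLAN name; "none" is an explicit deny
    vlan_ports: Dict[str, Set[str]] = field(default_factory=dict)  # VLAN -> allowed ports
    fallback: Optional[str] = None              # fallback VLAN name, if configured

    def _reject(self):
        # Illegal request: "access-denied" in open/multiple mode, "port-shutdown" in secure mode
        return "port-shutdown" if self.mode == "secure" else "access-denied"

    def respond(self, mac, port, current_vlan=None, active_hosts=0):
        """Return the VMPS response to one VQP request (a VLAN name or an action)."""
        if active_hosts > MAX_HOSTS:
            return "port-shutdown"
        vlan = self.mac_to_vlan.get(mac)
        if vlan is None:
            # MAC not in the database: fallback VLAN if configured, never in secure mode
            # (assumption: multiple mode handles an unknown MAC like open mode)
            if self.mode != "secure" and self.fallback:
                return self.fallback
            return self._reject()
        if vlan == "none":
            return self._reject()                # explicit deny entry in the database
        allowed = self.vlan_ports.get(vlan)
        if allowed is not None and port not in allowed:
            return self._reject()                # VLAN restricted to a port group
        if current_vlan is not None and current_vlan != vlan and active_hosts > 0:
            # port already carries a different VLAN and has active hosts
            if self.mode == "multiple":
                return vlan                      # VLAN of the last request is returned
            if self.mode == "open" and self.fallback:
                return self.fallback
            return self._reject()
        return vlan


# Constructed database: MACs, VLAN names and port ids are made up for this example.
DB = {"0011.2233.4455": "engineering", "0011.2233.aaaa": "none"}
PORT_GROUPS = {"engineering": {"Fa1/1", "Fa1/2"}}

if __name__ == "__main__":
    for mode in ("open", "secure", "multiple"):
        print(mode, Vmps(mode, DB, PORT_GROUPS, fallback="guest").respond("0011.2233.4455", "Fa1/3"))
```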
Understanding VMPS clients
The following subsections describe how to configure a switch as a VMPS client and configure its ports for dynamic VLAN membership.
The following topics are included:
•Dynamic VLAN Membership Overview
•Default VMPS Client Configuration
•Configuring a Switch as a VMPS Client
•Administering and Monitoring the VMPS
•Troubleshooting Dynamic Port VLAN Membership
Dynamic VLAN Membership Overview
When a port is configured as "dynamic," it receives VLAN information based on the MAC-address that is on the port. The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC-address on the port.
A dynamic port can belong to one VLAN only. When the link becomes active, the switch does not forward traffic to or from this port until the port is assigned to a VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS as part of the VQP request, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, the VMPS sends the VLAN number for that port. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS security mode setting). See the "Understanding VMPS" section for a complete description of possible VMPS responses.
Multiple hosts (MAC addresses) can be active on a dynamic port if all are in the same VLAN. If the link goes down on a dynamic port, the port returns to the unassigned state and does not belong to a VLAN. Any hosts that come online through the port are checked again with the VMPS before the port is assigned to a VLAN.
For this behavior to work, the client device must be able to reach the VMPS. A VMPS client sends VQP requests as UDP packets, trying a certain number of times before giving up. For details on how to set the retry interval, refer to the "Configuring the Retry Interval" section.
The VMPS client also periodically reconfirms the VLAN membership. For details on how to set the reconfirm frequency, refer to the "Administering and Monitoring the VMPS" section.
A maximum of 50 hosts are supported on a given port at any given time. Once this maximum is exceeded, the port is shut down, irrespective of the operating mode of the VMPS server.
Note The VMPS shuts down a dynamic port if more than 50 hosts are active on that port.
Default VMPS Client Configuration
Table 9-1 shows the default VMPS and dynamic port configuration on client switches.
Configuring a Switch as a VMPS Client
This section contains the following topics:
•Configuring the IP Address of the VMPS Server
•Configuring Dynamic Access Ports on a VMPS Client
•Reconfirming VLAN Memberships
•Configuring Reconfirmation Interval
•Configuring the Retry Interval
Configuring the IP Address of the VMPS Server
To configure a Catalyst 4500 series switch as a VMPS client, you must enter the IP address or hostname of the switch acting as the VMPS.
To define the primary and secondary VMPS on a Catalyst 4500 series switch, perform this task:
This example shows how to define the primary and secondary VMPS devices:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vmps server 172.20.128.179 primary
Switch(config)# vmps server 172.20.128.178
Switch(config)# end
Note You can configure up to four VMPS servers using this CLI on the VMPS client.
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version: 1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.179 (primary, current)
172.20.128.178
Reconfirmation status
---------------------
VMPS Action: No Dynamic Port
Configuring Dynamic Access Ports on a VMPS Client
To configure a dynamic access port on a VMPS client switch, perform this task:
This example shows how to configure a dynamic access port and then verify the entry:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fa1/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan dynamic
Switch(config-if)# end
Switch# show interface fa1/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative mode: dynamic auto
Operational Mode: dynamic access
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: NONE
Pruning VLANs Enabled: NONE
Voice Ports
If a VVID (voice VLAN ID) is configured on a dynamic access port, the port can belong to both an access VLAN and a voice VLAN. Consequently, an access port configured for connecting an IP phone can have separate VLANs for the following:
•Data traffic to and from the PC that is connected to the switch through the access port of the IP phone (access VLAN)
•Voice traffic to and from the IP phone (voice VLAN)
Reconfirming VLAN Memberships
To confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS, perform this task:
| | Command | Purpose |
|---|---|---|
| Step 1 | Switch# vmps reconfirm | Reconfirms dynamic port VLAN membership. |
| Step 2 | Switch# show vmps | Verifies the dynamic VLAN reconfirmation status. |
Configuring Reconfirmation Interval
VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes the VMPS client waits before reconfirming the VLAN-to-MAC-address assignments.
To configure the reconfirmation interval, perform this task:
This example shows how to change the reconfirmation interval to 60 minutes and verify the change:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vmps reconfirm 60
Switch(config)# end
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version: 1
Reconfirm Interval: 60 min
Server Retry Count: 10
VMPS domain server: 172.20.130.50 (primary, current)
Reconfirmation status
---------------------
VMPS Action: No Host
Configuring the Retry Interval
You can set the number of times that the VMPS client attempts to contact the VMPS before querying the next server.
To set the retry interval, perform this task:
This example shows how to change the retry count to 5 and to verify the change:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vmps retry 5
Switch(config)# end
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version: 1
Reconfirm Interval: 60 min
Server Retry Count: 5
VMPS domain server: 172.20.130.50 (primary, current)
Reconfirmation status
---------------------
VMPS Action: No Host
Administering and Monitoring the VMPS
You can display the following information about the VMPS with the show vmps command:
The following example shows how to display VMPS information:
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version: 1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server:
Reconfirmation status
---------------------
VMPS Action: other
The following example shows how to display VMPS statistics:
Switch# show vmps statistics
VMPS Client Statistics
----------------------
VQP Queries: 0
VQP Responses: 0
VMPS Changes: 0
VQP Shutdowns: 0
VQP Denied: 0
VQP Wrong Domain: 0
VQP Wrong Version: 0
VQP Insufficient Resource: 0
Note Refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference for details on VMPS statistics.
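The counters in the show vmps statistics output above are the switch-side record of VMPS decisions: growth in VQP Shutdowns and VQP Denied means hosts hit a VMPS policy (or the 50-host limit), and growth in VQP Wrong Domain or VQP Wrong Version means a client is querying a VMPS it should not be talking to. The following added script (not from Cisco) parses two snapshots of that output and reports which watched counters grew; both snapshots are constructed in the format shown above.

```python
import re

# Counters whose increase between two readings deserves a look.
WATCHED = ("VQP Shutdowns", "VQP Denied", "VQP Wrong Domain", "VQP Wrong Version")
COUNTER_LINE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?):\s+(?P<value>\d+)\s*$")


def parse_vmps_stats(text):
    """Parse 'show vmps statistics' output into a {counter name: int} dictionary."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def vqp_alerts(previous, current):
    """Return one message per watched counter that grew between the two snapshots."""
    alerts = []
    for name in WATCHED:
        delta = current.get(name, 0) - previous.get(name, 0)
        if delta > 0:
            alerts.append(f"{name} increased by {delta} (now {current[name]})")
    return alerts


# Two constructed snapshots of 'show vmps statistics', taken some time apart.
EARLIER = """VMPS Client Statistics
----------------------
VQP Queries:               120
VQP Responses:             120
VMPS Changes:                4
VQP Shutdowns:               0
VQP Denied:                  1
VQP Wrong Domain:            0
VQP Wrong Version:           0
VQP Insufficient Resource:   0
"""
LATER = EARLIER.replace("Queries:               120", "Queries:               180") \
               .replace("Responses:             120", "Responses:             180") \
               .replace("Shutdowns:               0", "Shutdowns:               2") \
               .replace("Denied:                  1", "Denied:                  7") \
               .replace("Wrong Version:           0", "Wrong Version:           1")

if __name__ == "__main__":
    for alert in vqp_alerts(parse_vmps_stats(EARLIER), parse_vmps_stats(LATER)):
        print(alert)
```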
Troubleshooting Dynamic Port VLAN Membership
VMPS errdisables a dynamic port under the following conditions:
•The VMPS is in secure mode, and it will not allow the host to connect to the port. The VMPS errdisables the port to prevent the host from connecting to the network.
•More than 50 active hosts reside on a dynamic port.
For information on how to display the status of interfaces in the error-disabled state, refer to Chapter 5, "Checking Port Status and Connectivity". To recover an errdisabled port, use the errdisable recovery cause vmps global configuration command.