Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(31)SG

Configuring Dynamic VLAN Membership

This chapter describes how to configure dynamic port VLAN membership by using the VLAN Membership Policy Server (VMPS).

This chapter includes the following major sections:

•Understanding VMPS

•Understanding VMPS clients

Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.

Understanding VMPS

The following subsections describe what a VMPS server does and how it operates.

The following topics are included:

•VMPS Server Overview

•Security Modes for VMPS Server

•Fall-back VLAN

•Illegal VMPS client requests

VMPS Server Overview

A VLAN Membership Policy Server (VMPS) provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port. When the host moves from a port on one switch in the network to a port on another switch in the network, that switch dynamically assigns the new port to the proper VLAN for that host.

A Catalyst 4500 series switch running Cisco IOS software does not support the functionality of a VMPS. It can only function as a VLAN Query Protocol (VQP) client, which communicates with a VMPS through the VQP. For VMPS functionality, you need to use a Catalyst 4500 series switch (or Catalyst 6500 series switch) running Catalyst operating system (OS) software.

VMPS uses a UDP port to listen to VQP requests from clients, so, it is not necessary for VMPS clients to know if the VMPS resides on a local or remote device on the network. Upon receiving a valid request from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN mapping.

In response to a request, the VMPS takes one of the following actions:

•If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group and responds as follows:

–If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.

–If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends an "access-denied" response.

–If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a "port-shutdown" response.

•If the VLAN in the database does not match the current VLAN on the port and there are active hosts on the port, the VMPS sends an "access-denied" (open), a "fallback VLAN name" (open with fallback VLAN configured), a "port-shutdown" (secure), or a "new VLAN name" (multiple) response, depending on the secure mode setting of the VMPS.

If the switch receives an "access-denied" response from the VMPS, the switch continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the switch receives a "port-shutdown" response from the VMPS, the switch disables the port. The port must be manually re-enabled by using the CLI, Cisco Visual Switch Manager (CVSM), or SNMP.

You can also use an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends an "access-denied" or "port-shutdown" response.

For more information on a Catalyst 6500 series switch VMPS running Catalyst operating system software, refer to the
"Configuring Dynamic Port VLAN Membership with VMPS" chapter at the URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/vmps.htm

Security Modes for VMPS Server

VMPS operates in three different modes. The way a VMPS server responds to illegal requests depends on the mode in which the VMPS is configured:

•Open mode

•Secure mode

•Multiple mode

Open mode

If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group:

•If the VLAN is allowed on the port, the VLAN name is returned to the client.

•If the VLAN is not allowed on the port, the host receives an "access denied" response.

•If a VLAN in the database does not match the current VLAN on the port and a fallback VLAN name is configured, VMPS sends the fallback VLAN name to the client.

•If a VLAN in the database does not match the current VLAN on the port and a fallback VLAN name is not configured, the host receives an "access denied" response.

Secure mode

If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group:

•If the VLAN is allowed on the port, the VLAN name is returned to the client.

•If the VLAN is not allowed on the port, the port is shut down.

•If a VLAN in the database does not match the current VLAN on the port, the port is shutdown, even if a fallback VLAN name is configured.

Multiple mode

Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to the unassigned state. Any hosts that come online through the port are checked again with VMPS before the port is assigned to a VLAN.

If multiple hosts connected to a dynamic port belong to different VLANs, the VLAN matching the MAC address in the last request is returned to the client, provided that multiple mode is configured on the VMPS server.

Note Although Catalyst 4500 series and Catalyst 6500 series switches running Catalyst operating system software support VMPS in all three operation modes, the Cisco network management tool URT (User Registration Tool) supports open mode only.

Fall-back VLAN

You can configure a fallback VLAN name on a VMPS server. If you connect a device with a MAC address that is not in the database, the VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN name and the MAC address does not exist in the database, the VMPS sends an "access-denied" response. If the VMPS is in secure mode, it sends a "port-shutdown" response, whether or not a fallback VLAN has been configured on the server.

Illegal VMPS client requests

Two examples of illegal VMPS client requests are as follows:

•When a MAC-address mapping is not present in the VMPS database and "no fall back" VLAN is configured on the VMPS.

•When a port is already assigned a VLAN (and the VMPS mode is not "multiple") but a second VMPS client request is received on the VMPS for a different MAC-address.

Understanding VMPS clients

The following subsections describe how to configure a switch as a VMPS client and configure its ports for dynamic VLAN membership.

The following topics are included:

•Dynamic VLAN Membership Overview

•Default VMPS Client Configuration

•Configuring a Switch as a VMPS Client

•Administering and Monitoring the VMPS

•Troubleshooting Dynamic Port VLAN Membership

Dynamic VLAN Membership Overview

When a port is configured as "dynamic," it receives VLAN information based on the MAC-address that is on the port. The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC-address on the port.

A dynamic port can belong to one VLAN only. When the link becomes active, the switch does not forward traffic to or from this port until the port is assigned to a VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS as part of the VQP request, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, the VMPS sends the VLAN number for that port. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS security mode setting). See the "Understanding VMPS" section for a complete description of possible VMPS responses.

Multiple hosts (MAC addresses) can be active on a dynamic port if all are in the same VLAN. If the link goes down on a dynamic port, the port returns to the unassigned state and does not belong to a VLAN. Any hosts that come online through the port are checked again with the VMPS before the port is assigned to a VLAN.

For this behavior to work, the client device must be able to reach the VMPS. A VMPS client sends VQP requests as UDP packets, trying a certain number of times before giving up. For details on how to set the retry interval, refer to section "Configuring the Retry Interval" on page 8.

The VMPS client also periodically reconfirms the VLAN membership. For details on how to set the reconfirm frequency, refer to section "Administering and Monitoring the VMPS" on page 8.

A maximum of 50 hosts are supported on a given port at any given time. Once this maximum is exceeded, the port is shut down, irrespective of the operating mode of the VMPS server.

Note The VMPS shuts down a dynamic port if more than 50 hosts are active on that port.

Default VMPS Client Configuration

Table 11-1 shows the default VMPS and dynamic port configuration on client switches.

Configuring a Switch as a VMPS Client

This section contains the following topics:

•Configuring the IP Address of the VMPS Server

•Configuring Dynamic Access Ports on a VMPS Client

•Reconfirming VLAN Memberships

•Configuring Reconfirmation Interval

•Reconfirming VLAN Memberships

Configuring the IP Address of the VMPS Server

To configure a Catalyst 4500 series switch as a VMPS client, you must enter the IP address or hostname of the switch acting as the VMPS.

To define the primary and secondary VMPS on a Catalyst 4500 series switch, perform this task:

Switch# configure terminal

Switch(config)# vmps server  
{ipaddress | hostname} primary

Switch(config)# vmps server  
{ipaddress | hostname}

Switch(config)# end

Switch# show vmps

This example shows how to define the primary and secondary VMPS devices:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# vmps server 172.20.128.179 primary

Switch(config)# vmps server 172.20.128.178

Switch(config)# end

Note You can configure up to four VMPS servers using this CLI on the VMPS client.

Switch# show vmps

VQP Client Status:

--------------------

VMPS VQP Version:   1

Reconfirm Interval: 60 min

Server Retry Count: 3

VMPS domain server: 172.20.128.179 (primary, current)

                    172.20.128.178

Reconfirmation status

---------------------

VMPS Action:         No Dynamic Port

Configuring Dynamic Access Ports on a VMPS Client

To configure a dynamic access port on a VMPS client switch, perform this task:

Switch# configure terminal

Switch(config)# interface interface

Switch(config-if)# switchport mode 
access

Switch(config-if)# switchport access 
vlan dynamic

Switch(config-if)# end

Switch# show interface interface 
switchport

This example shows how to configure a dynamic access port and then verify the entry:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface fa1/1

Switch(config-if)# switchport mode access

Switch(config-if)# switchport access vlan dynamic

Switch(config-if)# end

Switch# show interface fa1/1 switchport

Name: Fa0/1

Switchport: Enabled

Administrative mode: dynamic auto

Operational Mode: dynamic access

Administrative Trunking Encapsulation: isl

Operational Trunking Encapsulation: isl

Negotiation of Trunking: Disabled

Access Mode VLAN: 0 ((Inactive))

Trunking Native Mode VLAN: 1 (default)

Trunking VLANs Enabled: NONE

Pruning VLANs Enabled: NONE 

Voice Ports

If a VVID (voice VLAN ID) is configured on a dynamic access port, the port can belong to both an access VLAN and a voice VLAN. Consequently, an access port configured for connecting an IP phone can have separate VLANs for the following:

•Data traffic to and from the PC that is connected to the switch through the access port of the IP phone (access VLAN)

•Voice traffic to and from the IP phone (voice VLAN)

Reconfirming VLAN Memberships

To confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS, perform this task:

Switch# vmps reconfirm 

Switch# show vmps

Configuring Reconfirmation Interval

VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes the VMPS client waits before reconfirming the VLAN-to-MAC-address assignments.

To configure the reconfirmation interval, perform this task:

Switch# configure terminal

Switch(config)# vmps reconfirm minutes

Switch(config)# end

Switch# show vmps

This example shows how to change the reconfirmation interval to 60 minutes and verify the change:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# vmps reconfirm 60

Switch(config)# end

Switch# show vmps

VQP Client Status:

--------------------

VMPS VQP Version:   1

Reconfirm Interval: 60 min

Server Retry Count: 10

VMPS domain server: 172.20.130.50 (primary, current)

Reconfirmation status

---------------------

VMPS Action:         No Host 

Configuring the Retry Interval

You can set the number of times that the VMPS client attempts to contact the VMPS before querying the next server.

To set the retry interval, perform this task:

Switch# configure terminal

Switch(config)# vmps retry count

Switch(config)# end

Switch# show vmps

This example shows how to change the retry count to 5 and to verify the change:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# vmps retry 5

Switch(config)# end

Switch# show vmps

VQP Client Status:

--------------------

VMPS VQP Version:   1

Reconfirm Interval: 60 min

Server Retry Count: 5

VMPS domain server: 172.20.130.50 (primary, current)

Reconfirmation status

---------------------

VMPS Action:         No Host 

Administering and Monitoring the VMPS

You can display the following information about the VMPS with the show vmps command:

The following example shows how to display VMPS information:

Switch# show vmps

VQP Client Status:

--------------------

VMPS VQP Version:   1

Reconfirm Interval: 60 min

Server Retry Count: 3

VMPS domain server:

Reconfirmation status

---------------------

VMPS Action:         other

The following example shows how to display VMPS statistics:

Switch# show vmps statistics

VMPS Client Statistics

----------------------

VQP  Queries:               0

VQP  Responses:             0

VMPS Changes:               0

VQP  Shutdowns:             0

VQP  Denied:                0

VQP  Wrong Domain:          0

VQP  Wrong Version:         0

VQP  Insufficient Resource: 0

Note Refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference for details on VMPS statistics.

Troubleshooting Dynamic Port VLAN Membership

VMPS errdisables a dynamic port under the following conditions:

•The VMPS is in secure mode, and it will not allow the host to connect to the port. The VMPS errdisables the port to prevent the host from connecting to the network.

•More than 50 active hosts reside on a dynamic port.

For information on how to display the status of interfaces in error-disabled state, refer to
Chapter 6, "Checking Port Status and Connectivity". To recover an errdisabled port, use the
errdisable recovery cause vmps global configuration command.

Dynamic Port VLAN Membership Configuration Example

Figure 11-1 shows a network with a VMPS servers and VMPS client switches with dynamic ports. In this example, these assumptions apply:

•The VMPS server and the VMPS client are separate switches.

•The Catalyst 4000 family Switch 1 (running CatOS) is the primary VMPS server.

•The Catalyst 6000 family Switch 3 (running CatOS) and the URT are secondary VMPS servers.

•End stations are connected to these clients:

–Catalyst 4500 series XL Switch 2 (running Catalyst IOS)

–Catalyst 4500 series XL Switch 9 (running Catalyst IOS)

•The database configuration file is called Bldg-G.db and is stored on the TFTP server with the IP address 172.20.22.7.

Figure 11-1 Dynamic Port VLAN Membership Configuration

In the following procedure, the Catalyst 4000 and Catalyst 6000 series switches (running CatOS) are the VMPS servers. Use this procedure to configure the Catalyst 4500 series switch clients in the network:

Step 1 Configure the VMPS server addresses on Switch 2, the client switch.

a. Starting from privileged EXEC mode, enter global configuration mode:

switch# configuration terminal

b. Enter the primary VMPS server IP address:

switch(config)# vmps server 172.20.26.150 primary

c. Enter the secondary VMPS server IP addresses:

switch(config)# vmps server 172.20.26.152

d. To verify your entry of the VMPS IP addresses, return to privileged EXEC mode:

switch#(config) exit

e. Display VMPS information configured for the switch:

switch# show vmps

VQP Client Status:

--------------------

VMPS VQP Version:   1

Reconfirm Interval: 60 min

Server Retry Count: 3

VMPS domain server: 172.20.26.152

                    172.20.26.150 (primary, current

Step 2 Configure port Fa0/1 on Switch 2 as a dynamic port.

a. Return to global configuration mode:

switch# configure terminal

b. Enter interface configuration mode:

switch(config)# interface fa2/1

c. Configure the VLAN membership mode for static-access ports:

switch(config-if)# switchport mode access

d. Assign the port dynamic VLAN membership:

switch(config-if)# switchport access vlan dynamic

e. Return to privileged EXEC mode:

switch(config-if)# exit

switch#

Step 3 Connect End Station 2 on port Fa2/1. When End Station 2 sends a packet, Switch 2 sends a query to the primary VMPS server, Switch 1. Switch 1 responds with the VLAN ID for port Fa2/1. Because spanning-tree PortFast mode is enabled by default on dynamic ports, port Fa2/1 connects immediately and begins forwarding.

Step 4 Set the VMPS reconfirmation period to 60 minutes. The reconfirmation period is the number of minutes the switch waits before reconfirming the VLAN to MAC address assignments.

switch# config terminal

switch(config)# vmps reconfirm 60

Step 5 Confirm the entry from privileged EXEC mode:

switch# show vmps

VQP Client Status:

--------------------

VMPS VQP Version:   1

Reconfirm Interval: 60 min

Server Retry Count: 3

VMPS domain server:

Reconfirmation status

---------------------

VMPS Action:         No Dynamic Port

Step 6 Repeat Steps 1 and 2 to configure the VMPS server addresses, and assign dynamic ports on each VMPS client switch.

VMPS Database Configuration File Example

This example shows a sample VMPS database configuration file as it appears on a VMPS server. A VMPS database configuration file is an ASCII text file that is stored on a TFTP server accessible to the switch that functions as the VMPS server.

!vmps domain <domain-name>

! The VMPS domain must be defined.

!vmps mode { open | secure }

! The default mode is open.

!vmps fallback <vlan-name>

!vmps no-domain-req { allow | deny }

!

! The default value is allow.

vmps domain WBU

vmps mode open

vmps fallback default

vmps no-domain-req deny

!

!

!MAC Addresses

!

vmps-mac-addrs

!

! address <addr> vlan-name <vlan_name>

!

address 0012.2233.4455 vlan-name hardware

address 0000.6509.a080 vlan-name hardware

address aabb.ccdd.eeff vlan-name Green

address 1223.5678.9abc vlan-name ExecStaff

address fedc.ba98.7654 vlan-name --NONE--

address fedc.ba23.1245 vlan-name Purple

!

!Port Groups

!

!vmps-port-group <group-name>

! device <device-id> { port <port-name> | all-ports }

!

vmps-port-group WiringCloset1

 device 198.92.30.32 port Fa1/3

 device 172.20.26.141 port Fa1/4

vmps-port-group "Executive Row"

 device 198.4.254.222 port es5%Fa0/1

 device 198.4.254.222 port es5%Fa0/2

 device 198.4.254.223 all-ports

!

!VLAN groups

!

!vmps-vlan-group <group-name>

! vlan-name <vlan-name>

!

vmps-vlan-group Engineering

vlan-name hardware

vlan-name software

!

!VLAN port Policies

!

!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }

! { port-group <group-name> | device <device-id> port <port-name> }

!

vmps-port-policies vlan-group Engineering

 port-group WiringCloset1

vmps-port-policies vlan-name Green

 device 198.92.30.32 port Fa0/9

vmps-port-policies vlan-name Purple

 device 198.4.254.22 port Fa0/10

 port-group "Executive Row"