Configuring VMPS
This chapter describes how to configure the Cisco Industrial Ethernet 2000U Series (IE 2000U) and Connected Grid Switches, hereafter referred to as switch, as a client of the VLAN Membership Policy Server (VMPS).
The VLAN Query Protocol (VQP) supports dynamic-access ports, which are not permanently assigned to a VLAN, but give VLAN assignments based on the MAC source addresses seen on the port.
Note Only UNIs and ENIs can be configured as dynamic-access ports; NNIs cannot take part in VQP.
Each time an unknown MAC address is seen, the switch sends a VQP query to a remote VMPS. The query includes the newly seen MAC address and the port on which it was seen. The VMPS responds with a VLAN assignment for the port. The switch cannot be a VMPS server but can act as a client to the VMPS and communicate with it through VQP.
Note For complete syntax and usage information for the commands used in this chapter, see the documents listed in the “Related Documents” section.
This chapter includes the following sections:
Information About VMPS
Each time the client switch receives the MAC address of a new host, it sends a VQP query to the VMPS. When the VMPS receives this query, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in open or secure mode. In secure mode, the server shuts down the port when an illegal host is detected. In open mode, the server simply denies the host access to the port.
If the port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one of these responses:
- If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host.
- If the host is not allowed on the port and the VMPS is in open mode, the VMPS sends an access-denied response.
- If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a port-shutdown response.
If the port already has a VLAN assignment, the VMPS provides one of these responses:
- If the VLAN in the database matches the current VLAN on the port, the VMPS sends an success response, allowing access to the host.
- If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.
If the switch receives an access-denied response from the VMPS, it continues to block traffic to and from the host MAC address. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually re-enabled by using the CLI or SNMP.
Dynamic-Access Port VLAN Membership
A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.
Note Only UNIs or ENIs can be dynamic-access ports.
If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not previously configured, it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS. If the client switch was previously configured, it includes its domain name in the query packet to the VMPS to obtain its VLAN number. The VMPS verifies that the domain name in the packet matches its own domain name before accepting the request and responds to the client with the assigned VLAN number for the client. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic-access port if they are all in the same VLAN; however, the VMPS shuts down a dynamic-access port if more than 20 hosts are active on the port.
If the link goes down on a dynamic-access port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.
Dynamic-access ports can be used for direct host connections, or they can connect to a network. A maximum of 20 MAC addresses are allowed per port on the switch. A dynamic-access port can belong to only one VLAN at a time, but the VLAN can change over time, depending on the MAC addresses seen.
Prerequisites
- IP address of the switch acting as the primary VMPS
- IP connectivity to the VMPS for dynamic-access ports to work
Guidelines and Limitations
These guidelines and restrictions apply to dynamic-access port VLAN membership:
- You should configure the VMPS before you configure ports as dynamic-access ports.
- 802.1x ports cannot be configured as dynamic-access ports. If you try to enable 802.1x on a dynamic-access (VQP) port, an error message appears, and 802.1x is not enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
- Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port.
You must turn off trunking on the port before the dynamic-access setting takes effect.
- Dynamic-access ports cannot be monitor ports.
- Secure ports cannot be dynamic-access ports. You must disable port security on a port before it becomes dynamic.
- Private VLAN ports cannot be dynamic-access ports.
- Dynamic-access ports cannot be members of an EtherChannel group.
- Port channels cannot be configured as dynamic-access ports.
Default Settings
|
|
VMPS domain server |
None |
VMPS reconfirm interval |
60 minutes |
VMPS server retry count |
3 |
Dynamic-access ports |
None configured |
Configuring the VMPS Client
You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
Entering the IP Address of the VMPS
You must first enter the IP address of the server to configure the switch as a client.
BEFORE YOU BEGIN
Obtain the IP address of the VMPS.
Test for IP connectivity to the VMPS by pinging the IP address of the VMPS and verifying that you get a response.
DETAILED STEPS
|
|
|
Step 1 |
configure terminal |
Enter global configuration mode. |
Step 2 |
vmps server ipaddress primary |
Enter the IP address of the switch acting as the primary VMPS server. |
Step 3 |
vmps server ipaddress |
(Optional) Enter the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses. |
Step 4 |
end |
Return to privileged EXEC mode. |
Step 5 |
show vmps |
Verify your entries in the VMPS Domain Server field of the display. |
Step 6 |
copy running-config startup-config |
(Optional) Save your entries in the configuration file. |
EXAMPLE
This example shows how to enter the IP addresses of the primary and secondary VMPS servers on the VMPS client:
Switch(config)# vmps server 172.20.26.150 primary
Switch(config)# vmps server 172.20.26.152
Reconfirm Interval: 60 min
VMPS domain server: 172.20.26.152
172.20.26.150 (primary, current
Configuring Dynamic-Access Ports on VMPS Clients
BEFORE YOU BEGIN
Caution
D
ynamic-access port VLAN membership is for end stations or hubs connected to end stations. Connecting dynamic-access ports to other switches can cause a loss of connectivity.
DETAILED STEPS
|
|
|
Step 1 |
configure terminal |
Enter global configuration mode. |
Step 2 |
interface interface-id |
Specify the switch port that is connected to the end station, and enter interface configuration mode. Note The port must be a UNI or an ENI. |
Step 3 |
no shutdown |
Enable the port. |
Step 4 |
port-type { uni | eni } |
Configure the port as a UNI or ENI. |
Step 5 |
switchport mode access |
Set the port to access mode. |
Step 6 |
switchport access vlan dynamic |
Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station. |
Step 7 |
end |
Return to privileged EXEC mode. |
Step 8 |
show interfaces interface-id switchport |
Verify your entries in the Operational Mode field of the display. |
Step 9 |
copy running-config startup-config |
(Optional) Save your entries in the configuration file. |
To return an interface to its default configuration, use the default interface interface-id interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access vlan interface configuration command.
EXAMPLE
This example shows how to configure a port as a dynamic-access port:
Switch(config)# interface GigabitEthernet1/1
Switch(config-if)# port-type uni
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan dynamic
Reconfirming VLAN Memberships
A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command. Follow this procedure to to confirm the dynamic-access port VLAN membership assignments that the switch has received from the VMPS.
DETAILED STEPS
|
|
|
Step 1 |
vmps reconfirm |
Reconfirm dynamic-access port VLAN membership. |
Step 2 |
show vmps |
Verify the dynamic VLAN reconfirmation status. |
EXAMPLE
This example shows how to immediately send VQP queries to the VMPS:
Changing the Reconfirmation Interval
VMPS clients periodically reconfirm the VLAN membership information received from the VMPS.You can set the number of minutes after which reconfirmation occurs.
DETAILED STEPS
|
|
|
Step 1 |
configure terminal |
Enter global configuration mode. |
Step 2 |
vmps reconfirm minutes |
Enter the number of minutes between reconfirmations of the dynamic VLAN membership. The range is 1 to 120. The default is 60 minutes. |
Step 3 |
end |
Return to privileged EXEC mode. |
Step 4 |
show vmps |
Verify the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display. |
Step 5 |
copy running-config startup-config |
(Optional) Save your entries in the configuration file. |
To return the switch to its default setting, use the no vmps reconfirm global configuration command.
EXAMPLE
This example shows how to set the VQP client to reconfirm dynamic VLAN entries every 20 minutes:
Switch(config)# vmps reconfirm 20
Changing the Retry Count
Follow this procedure to change the number of times that the switch attempts to contact the VMPS before querying the next server.
DETAILED STEPS
|
|
|
Step 1 |
configure terminal |
Enter global configuration mode. |
Step 2 |
vmps retry count |
Change the retry count. The retry range is 1 to 10; the default is 3. |
Step 3 |
end |
Return to privileged EXEC mode. |
Step 4 |
show vmps |
Verify your entry in the Server Retry Count field of the display. |
Step 5 |
copy running-config startup-config |
(Optional) Save your entries in the configuration file. |
To return the switch to its default setting, use the no vmps retry global configuration command.
EXAMPLE
This example shows how to set the retry count to 7:
Switch(config)# vmps retry 7
Verifying Configuration
You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
- VMPS VQP Version—the version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP Version 1.
- Reconfirm Interval—the number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments.
- Server Retry Count—the number of times VQP resends a query to the VMPS. If no response is received after this many tries, the switch starts to query the secondary VMPS.
- VMPS domain server—the IP address of the configured VLAN membership policy servers. The switch sends queries to the one marked current. The one marked primary is the primary server.
- VMPS Action—the result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command.
This is an example of output for the show vmps privileged EXEC command:
Reconfirm Interval: 60 min
VMPS domain server: 172.20.128.86 (primary, current)
Troubleshooting Dynamic-Access Port VLAN Membership
The VMPS shuts down a dynamic-access port under these conditions:
- The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.
- More than 20 active hosts reside on a dynamic-access port.
To disable and re-enable a disabled dynamic-access port, enter the shutdown interface configuration command followed by the no shutdown interface configuration command.
Configuration Example
Figure 6-1 shows a network with a VMPS server switch and VMPS client switches with dynamic-access ports. In this example, these assumptions apply:
- The VMPS server and the VMPS client are separate switches.
- The Catalyst 6500 series Switch A is the primary VMPS server.
- The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.
- End stations are connected to the clients, Switch B and Switch I.
- The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
Figure 6-1 Dynamic Port VLAN Membership Configuration
Feature History
|
|
IE 2000U |
Cisco IOS Release 15.0(2)EH |
CGS 2520 Switch |
Cisco IOS Release 12.2(53)EX |
Ethernet Switch Module (ESM) for CGR 2010 |
Cisco IOS Release 12.2(53)EX |