Catalyst 2960-XR Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX1
Configuring VMPS

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for VMPS

  • You should configure the VMPS before you configure ports as dynamic-access ports.

  • When you configure a port as a dynamic-access port, the spanning-tree Port Fast feature is automatically enabled for that port. The Port Fast mode accelerates the process of bringing the port into the forwarding state.

Restrictions for VMPS

  • IEEE 802.1x ports cannot be configured as dynamic-access ports. If you try to enable IEEE 802.1x on a dynamic-access (VQP) port, an error message appears, and IEEE 802.1x is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

  • Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port.

    You must turn off trunking on the port before the dynamic-access setting takes effect.

  • Dynamic-access ports cannot be monitor ports.

  • Secure ports cannot be dynamic-access ports. You must disable port security on a port before it becomes dynamic.

  • Private VLAN ports cannot be dynamic-access ports.

  • Dynamic-access ports cannot be members of an EtherChannel group.

  • Port channels cannot be configured as dynamic-access ports.

  • A dynamic-access port can participate in fallback bridging.

  • The VTP management domain of the VMPS client and the VMPS server must be the same.

  • The VLAN configured on the VMPS server should not be a voice VLAN.

Information About VMPS

Dynamic VLAN Assignments

The VLAN Query Protocol (VQP) is used to support dynamic-access ports, which are not permanently assigned to a VLAN but receive VLAN assignments based on the MAC source addresses seen on the port. Each time an unknown MAC address is seen, the switch sends a VQP query to a remote VLAN Membership Policy Server (VMPS); the query includes the newly seen MAC address and the port on which it was seen. The VMPS responds with a VLAN assignment for the port. The switch cannot be a VMPS server but can act as a client to the VMPS and communicate with it through VQP.

Each time the client switch receives the MAC address of a new host, it sends a VQP query to the VMPS. When the VMPS receives this query, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and on whether the server is in open or secure mode. In secure mode, the server shuts down the port when an illegal host is detected. In open mode, the server denies the host access to the port.

If the port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one of these responses:

  • If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host.

  • If the host is not allowed on the port and the VMPS is in open mode, the VMPS sends an access-denied response.

  • If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a port-shutdown response.

If the port already has a VLAN assignment, the VMPS provides one of these responses:

  • If the VLAN in the database matches the current VLAN on the port, the VMPS sends a success response, allowing access to the host.

  • If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.

If the switch receives an access-denied response from the VMPS, it continues to block traffic to and from the host MAC address. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually reenabled by using Network Assistant, the CLI, or SNMP.

Dynamic-Access Port VLAN Membership

A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.

If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not previously configured, it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS. If the client switch was previously configured, it includes its domain name in the query packet to the VMPS to obtain its VLAN number. The VMPS verifies that the domain name in the packet matches its own domain name before accepting the request and responds to the client with the assigned VLAN number for the client. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting).

Multiple hosts (MAC addresses) can be active on a dynamic-access port if they are all in the same VLAN; however, the VMPS shuts down a dynamic-access port if more than 20 hosts are active on the port.

If the link goes down on a dynamic-access port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.

Dynamic-access ports can be used for direct host connections, or they can connect to a network. A maximum of 20 MAC addresses are allowed per port on the switch. A dynamic-access port can belong to only one VLAN at a time, but the VLAN can change over time, depending on the MAC addresses seen.
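The server's decision logic and the client's handling of each response, as described in the two sections above, written out as an added example (not code from the Cisco guide). The MAC-to-VLAN database contents and VLAN names are constructed, and the reassignment of an idle port when the database VLAN differs is an assumption drawn from the statement that the VLAN can change over time:

```python
# Added example, not from the Cisco guide: a model of the VMPS response logic
# for one dynamic-access port, and of what the client switch does with each response.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_ACTIVE_HOSTS = 20  # the guide's limit: more than 20 active hosts shuts the port down


@dataclass
class DynamicPort:
    vlan: Optional[str] = None                        # None = unassigned (isolated) port
    active_hosts: Set[str] = field(default_factory=set)
    blocked_hosts: Set[str] = field(default_factory=set)
    enabled: bool = True


def vmps_respond(db: Dict[str, str], secure: bool, port: DynamicPort, mac: str) -> str:
    """Response of the VMPS to a VQP query for `mac` seen on `port`.

    `db` maps MAC address -> VLAN name (the server database, a constructed sample);
    `secure` selects secure mode (port-shutdown) or open mode (access-denied)."""
    deny = "port-shutdown" if secure else "access-denied"
    if mac in port.active_hosts:
        return "success"                              # reconfirmation of a known host
    if len(port.active_hosts) >= MAX_ACTIVE_HOSTS:
        return "port-shutdown"                        # 21st host: port is shut down
    wanted = db.get(mac)
    if wanted is None:
        return deny                                   # host not in the database
    if port.vlan is None:
        return f"vlan-assignment:{wanted}"            # unassigned port gets a VLAN
    if port.vlan == wanted:
        return "success"
    if port.active_hosts:
        return deny                                   # VLAN mismatch, active hosts present
    # Assumption: with no active hosts the port may move to the database VLAN
    # (the guide says the VLAN "can change over time, depending on the MAC addresses seen").
    return f"vlan-assignment:{wanted}"


def client_apply(port: DynamicPort, mac: str, response: str) -> None:
    """What the client switch does with each response, as the guide describes."""
    if response.startswith("vlan-assignment:"):
        port.vlan = response.split(":", 1)[1]
        port.active_hosts.add(mac)
    elif response == "success":
        port.active_hosts.add(mac)
    elif response == "access-denied":
        port.blocked_hosts.add(mac)                   # traffic to/from this MAC stays blocked
    elif response == "port-shutdown":
        port.enabled = False                          # stays down until manually re-enabled


def link_down(port: DynamicPort) -> None:
    """Link loss returns the port to the isolated state; hosts are re-queried later."""
    port.vlan, port.active_hosts, port.blocked_hosts = None, set(), set()
```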

Default VMPS Client Configuration

The following table shows the default VMPS and dynamic-access port configuration on client switches.

Table 1: Default VMPS Client and Dynamic-Access Port Configuration

    Feature                    Default Setting
    VMPS domain server         None
    VMPS reconfirm interval    60 minutes
    VMPS server retry count    3
    Dynamic-access ports       None configured

How to Configure VMPS

Entering the IP Address of the VMPS

Note: If the VMPS is being defined for a cluster of switches, enter the address on the command switch.

Before You Begin

You must first enter the IP address of the server to configure the switch as a client.

Summary of Steps

    1. configure terminal
    2. vmps server ipaddress primary
    3. vmps server ipaddress
    4. end
    5. show vmps
    6. copy running-config startup-config


Detailed Steps

Step 1: configure terminal

    Example:
    Switch# configure terminal

    Purpose: Enters global configuration mode.

Step 2: vmps server ipaddress primary

    Example:
    Switch(config)# vmps server 10.1.2.3 primary

    Purpose: Enters the IP address of the switch acting as the primary VMPS server.

Step 3: vmps server ipaddress

    Example:
    Switch(config)# vmps server 10.3.4.5

    Purpose: (Optional) Enters the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.

Step 4: end

    Example:
    Switch(config)# end

    Purpose: Returns to privileged EXEC mode.

Step 5: show vmps

    Example:
    Switch# show vmps

    Purpose: Verifies your entries in the VMPS Domain Server field of the display.

Step 6: copy running-config startup-config

    Example:
    Switch# copy running-config startup-config

    Purpose: (Optional) Saves your entries in the configuration file.

     

Configuring Dynamic-Access Ports on VMPS Clients

Caution: Dynamic-access port VLAN membership is for end stations or hubs connected to end stations. Connecting dynamic-access ports to other switches can cause a loss of connectivity.

If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch.

Before You Begin

You must have IP connectivity to the VMPS for dynamic-access ports to work. You can test for IP connectivity by pinging the IP address of the VMPS and verifying that you get a response.

Note: To return an interface to its default configuration, use the default interface interface-id interface configuration command. To return an interface to its default switchport mode (dynamic auto), use the no switchport mode interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access vlan interface configuration command.


Summary of Steps

    1. configure terminal
    2. interface interface-id
    3. switchport mode access
    4. switchport access vlan dynamic
    5. end
    6. show interfaces interface-id switchport
    7. copy running-config startup-config


Detailed Steps

Step 1: configure terminal

    Example:
    Switch# configure terminal

    Purpose: Enters global configuration mode.

Step 2: interface interface-id

    Example:
    Switch(config)# interface gigabitethernet 1/0/1

    Purpose: Specifies the switch port that is connected to the end station, and enters interface configuration mode.

Step 3: switchport mode access

    Example:
    Switch(config-if)# switchport mode access

    Purpose: Sets the port to access mode.

Step 4: switchport access vlan dynamic

    Example:
    Switch(config-if)# switchport access vlan dynamic

    Purpose: Configures the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station.

Step 5: end

    Example:
    Switch(config-if)# end

    Purpose: Returns to privileged EXEC mode.

Step 6: show interfaces interface-id switchport

    Example:
    Switch# show interfaces gigabitethernet 1/0/1 switchport

    Purpose: Verifies your entries in the Operational Mode field of the display.

Step 7: copy running-config startup-config

    Example:
    Switch# copy running-config startup-config

    Purpose: (Optional) Saves your entries in the configuration file.
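An added example (not Cisco's code) that checks a saved running-config for dynamic-access ports that violate the restrictions listed at the start of this chapter, and for a missing primary VMPS server. The configuration text is constructed; the conflict patterns assume the standard IOS keywords for trunking, port security, EtherChannel and 802.1x:

```python
# Added example, not Cisco's code: audit a running-config for dynamic-access ports
# that violate the restrictions in this guide. The configuration below is constructed.
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
vmps server 10.1.2.3 primary
vmps server 10.3.4.5
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan dynamic
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport access vlan dynamic
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan dynamic
 switchport port-security
interface GigabitEthernet1/0/4
 switchport access vlan dynamic
 channel-group 1 mode on
interface GigabitEthernet1/0/5
 switchport access vlan dynamic
 dot1x pae authenticator
"""

# (pattern that must not appear under a dynamic-access port, finding text)
CONFLICTS = [
    (r"^switchport mode trunk$", "trunk port: the dynamic setting only applies once trunking is off"),
    (r"^switchport port-security", "port security must be disabled before the port becomes dynamic"),
    (r"^channel-group ", "dynamic-access ports cannot be EtherChannel members"),
    (r"^dot1x ", "IEEE 802.1x cannot be enabled on a dynamic-access (VQP) port"),
]

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the stripped config lines under it."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                        # '!' or a global command ends the block
    return interfaces

def audit_vmps(config: str) -> Dict[str, List[str]]:
    """Return {interface or 'global': [findings]} for the VMPS-related problems found."""
    findings: Dict[str, List[str]] = {}
    if not re.search(r"^vmps server \S+ primary$", config, re.M):
        findings["global"] = ["no primary VMPS server (vmps server ipaddress primary) configured"]
    for name, lines in parse_interfaces(config).items():
        if "switchport access vlan dynamic" not in lines:
            continue                              # not a dynamic-access port
        hits = [msg for pat, msg in CONFLICTS if any(re.match(pat, l) for l in lines)]
        if hits:
            findings[name] = hits
    return findings
```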

       

Reconfirming VLAN Memberships

This task confirms the dynamic-access port VLAN membership assignments that the switch has received from the VMPS.

Summary of Steps

    1. vmps reconfirm
    2. show vmps


Detailed Steps

Step 1: vmps reconfirm

    Example:
    Switch# vmps reconfirm

    Purpose: Reconfirms dynamic-access port VLAN membership.

Step 2: show vmps

    Example:
    Switch# show vmps

    Purpose: Verifies the dynamic VLAN reconfirmation status.

         

Changing the Reconfirmation Interval

VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes after which reconfirmation occurs.

Note: If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You also must first use the rcommand privileged EXEC command to log in to the member switch.

Summary of Steps

    1. configure terminal
    2. vmps reconfirm minutes
    3. end
    4. show vmps
    5. copy running-config startup-config


Detailed Steps

Step 1: configure terminal

    Example:
    Switch# configure terminal

    Purpose: Enters global configuration mode.

Step 2: vmps reconfirm minutes

    Example:
    Switch(config)# vmps reconfirm 90

    Purpose: Sets the number of minutes between reconfirmations of the dynamic VLAN membership. The range is 1 to 120. The default is 60 minutes.

    Note: To return the switch to its default setting, use the no vmps reconfirm global configuration command.

Step 3: end

    Example:
    Switch(config)# end

    Purpose: Returns to privileged EXEC mode.

Step 4: show vmps

    Example:
    Switch# show vmps

    Purpose: Verifies the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display.

Step 5: copy running-config startup-config

    Example:
    Switch# copy running-config startup-config

    Purpose: (Optional) Saves your entries in the configuration file.

           

Changing the Retry Count

Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server.

Summary of Steps

    1. configure terminal
    2. vmps retry count
    3. end
    4. show vmps
    5. copy running-config startup-config


Detailed Steps

Step 1: configure terminal

    Example:
    Switch# configure terminal

    Purpose: Enters global configuration mode.

Step 2: vmps retry count

    Example:
    Switch(config)# vmps retry 5

    Purpose: Changes the retry count. The retry range is 1 to 10; the default is 3.

    Note: To return the switch to its default setting, use the no vmps retry global configuration command.

Step 3: end

    Example:
    Switch(config)# end

    Purpose: Returns to privileged EXEC mode.

Step 4: show vmps

    Example:
    Switch# show vmps

    Purpose: Verifies your entry in the Server Retry Count field of the display.

Step 5: copy running-config startup-config

    Example:
    Switch# copy running-config startup-config

    Purpose: (Optional) Saves your entries in the configuration file.

             

Troubleshooting Dynamic-Access Port VLAN Membership

Problem: The VMPS shuts down a dynamic-access port under these conditions:

  • The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.

  • More than 20 active hosts reside on a dynamic-access port.

Solution: To reenable a disabled dynamic-access port, enter the shutdown interface configuration command followed by the no shutdown interface configuration command.

Monitoring the VMPS

You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:

  • VMPS VQP Version—The version of VQP used to communicate with the VMPS. The switch queries the VMPS using VQP Version 1.

  • Reconfirm Interval—The number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments.

  • Server Retry Count—The number of times VQP resends a query to the VMPS. If no response is received after this many tries, the switch starts to query the secondary VMPS.

  • VMPS domain server—The IP addresses of the configured VLAN membership policy servers. The switch sends queries to the one marked current. The one marked primary is the primary server.

  • VMPS Action—The result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command or its Network Assistant or SNMP equivalent.

This is an example of output for the show vmps privileged EXEC command:

    Switch# show vmps
    VQP Client Status:
    --------------------
    VMPS VQP Version:   1
    Reconfirm Interval: 60 min
    Server Retry Count: 3
    VMPS domain server: 172.20.128.86 (primary, current)
                        172.20.128.87

    Reconfirmation status
    ---------------------
    VMPS Action:         other
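An added example (not from the Cisco guide) that parses show vmps output in the format shown above and flags the conditions a monitoring job would care about: an unexpected primary server, queries being sent to a secondary server, and a reconfirm interval above a local policy maximum (the 60-minute policy value is an assumption):

```python
# Added example, not from the Cisco guide: parse `show vmps` output into the fields
# described above and check the client state against an expected primary server.
import re
from typing import List

SAMPLE_SHOW_VMPS = """\
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.86 (primary, current)
                    172.20.128.87

Reconfirmation status
---------------------
VMPS Action:         other
"""  # constructed sample in the format shown in this guide


def parse_show_vmps(text: str) -> dict:
    """Return version, reconfirm_minutes, retry_count, servers (with flags) and action."""
    def num(label: str) -> int:
        return int(re.search(label + r":\s*(\d+)", text).group(1))
    out = {"version": num("VMPS VQP Version"), "reconfirm_minutes": num("Reconfirm Interval"),
           "retry_count": num("Server Retry Count"),
           "action": re.search(r"VMPS Action:\s*(\S+)", text).group(1), "servers": []}
    in_servers = False
    for line in text.splitlines():
        if line.startswith("VMPS domain server:"):
            in_servers, line = True, line.split(":", 1)[1]   # first server follows the label
        elif in_servers and not line.startswith(" "):
            break                                            # end of the indented server list
        if in_servers and line.strip():
            m = re.match(r"\s*(\S+)\s*(?:\((.*)\))?", line)
            flags = [f.strip() for f in (m.group(2) or "").split(",")]
            out["servers"].append({"ip": m.group(1), "primary": "primary" in flags,
                                   "current": "current" in flags})
    return out


def check_vmps(status: dict, expected_primary: str, max_reconfirm: int = 60) -> List[str]:
    """Findings a monitoring job would raise; max_reconfirm is an assumed local policy."""
    findings = []
    primaries = [s["ip"] for s in status["servers"] if s["primary"]]
    if primaries != [expected_primary]:
        findings.append(f"primary server is {primaries}, expected {expected_primary}")
    current = [s["ip"] for s in status["servers"] if s["current"]]
    if current and current != primaries:
        findings.append(f"queries go to secondary {current[0]}: primary not answering?")
    if status["reconfirm_minutes"] > max_reconfirm:
        findings.append(f"reconfirm interval {status['reconfirm_minutes']} min > {max_reconfirm}")
    return findings
```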
            
            

Configuration Example for VMPS

Example: VMPS Configuration

Figure 1: Dynamic Port VLAN Membership Configuration

This network has a VMPS server switch and VMPS client switches with dynamic-access ports with this configuration:

  • The VMPS server and the VMPS client are separate switches.

  • The Catalyst 6500 series Switch A is the primary VMPS server.

  • The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.

  • End stations are connected to the clients, Switch B and Switch I.

  • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.





Where to Go Next

You can configure the following:

  • VTP

  • VLANs

  • VLAN Trunking

  • Private VLANs

  • Tunneling

  • Voice VLANs

Additional References

Related Documents

    Related Topic: For complete syntax and usage information for the commands used in this chapter.
    Document Title: Catalyst 2960-XR Switch VLAN Management Command Reference

Standards and RFCs

    Standard/RFC    Title

MIBs

    MIB: All supported MIBs for this release.
    MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

    Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
    Link: http://www.cisco.com/support

Feature History and Information for VMPS

    Release                 Modification
    Cisco IOS 15.0(2)EX1    This feature was introduced.