The VLAN Query
Protocol (VQP) is used to support dynamic-access ports, which are not
permanently assigned to a VLAN, but give VLAN assignments based on the MAC
source addresses seen on the port. Each time an unknown MAC address is seen,
the
switch sends a VQP query to a remote VLAN
Membership Policy Server (VMPS); the query includes the newly seen MAC address
and the port on which it was seen. The VMPS responds with a VLAN assignment for
the port. The
switch
cannot be a VMPS server but can act as a client to the VMPS and communicate
with it through VQP.
Each time the client
switch
receives the MAC address of a new host, it sends a VQP query to the VMPS. When
the VMPS receives this query, it searches its database for a
MAC-address-to-VLAN mapping. The server response is based on this mapping and
whether or not the server is in open or secure mode. In secure mode, the server
shuts down the port when an illegal host is detected. In open mode, the server
denies the host access to the port.
If the port is
currently unassigned (that is, it does not yet have a VLAN assignment), the
VMPS provides one of these responses:
-
If the host is
allowed on the port, the VMPS sends the client a vlan-assignment response
containing the assigned VLAN name and allowing access to the host.
-
If the host is not
allowed on the port and the VMPS is in open mode, the VMPS sends an
access-denied response.
-
If the VLAN is not
allowed on the port and the VMPS is in secure mode, the VMPS sends a
port-shutdown response.
If the port already
has a VLAN assignment, the VMPS provides one of these responses:
-
If the VLAN in the
database matches the current VLAN on the port, the VMPS sends an success
response, allowing access to the host.
-
If the VLAN in the
database does not match the current VLAN on the port and active hosts exist on
the port, the VMPS sends an access-denied or a port-shutdown response,
depending on the secure mode of the VMPS.
If the
switch
receives an access-denied response from the VMPS, it continues to block traffic
to and from the host MAC address. The
switch
continues to monitor the packets directed to the port and sends a query to the
VMPS when it identifies a new host address. If the
switch
receives a port-shutdown response from the VMPS, it disables the port. The port
must be manually reenabled by using Network Assistant, the CLI, or SNMP.