Configuring Dynamic VLAN Membership
This chapter describes how to configure dynamic port VLAN membership by using the VLAN Membership Policy Server (VMPS).
This chapter includes the following major sections:
•Understanding VMPS
•Understanding VMPS clients
Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
Understanding VMPS
The following subsections describe what a VMPS server does and how it operates.
The following topics are included:
•VMPS Server Overview
•Security Modes for VMPS Server
•Fall-back VLAN
•Illegal VMPS client requests
VMPS Server Overview
A VLAN Membership Policy Server (VMPS) provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port. When the host moves from a port on one switch in the network to a port on another switch in the network, that switch dynamically assigns the new port to the proper VLAN for that host.
A Catalyst 4500 series switch running Cisco IOS software does not support the functionality of a VMPS. It can only function as a VLAN Query Protocol (VQP) client, which communicates with a VMPS through the VQP. For VMPS functionality, you need to use a Catalyst 4500 series switch (or Catalyst 6500 series switch) running Catalyst operating system (OS) software.
VMPS listens for VQP requests from clients on a UDP port, so a VMPS client does not need to know whether the VMPS resides on a local or a remote device on the network. Upon receiving a valid request from a VMPS client, the VMPS searches its database for a MAC-address-to-VLAN mapping entry.
In response to a request, the VMPS takes one of the following actions:
•If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group and responds as follows:
–If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.
–If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends an "access-denied" response.
–If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a "port-shutdown" response.
•If the VLAN in the database does not match the current VLAN on the port and there are active hosts on the port, the VMPS sends an "access-denied" (open), a "fallback VLAN name" (open with fallback VLAN configured), a "port-shutdown" (secure), or a "new VLAN name" (multiple) response, depending on the secure mode setting of the VMPS.
If the switch receives an "access-denied" response from the VMPS, the switch continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the switch receives a "port-shutdown" response from the VMPS, the switch disables the port. The port must be manually re-enabled by using the CLI, Cisco Visual Switch Manager (CVSM), or SNMP.
You can also use an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends an "access-denied" response (open or multiple mode) or a "port-shutdown" response (secure mode) for that MAC address.
For more information on a Catalyst 6500 series switch VMPS running Catalyst operating system software, refer to the
"Configuring Dynamic Port VLAN Membership with VMPS" chapter at the URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/vmps.htm
Security Modes for VMPS Server
VMPS operates in three different modes. The way a VMPS server responds to illegal requests depends on the mode in which the VMPS is configured:
•Open mode
•Secure mode
•Multiple mode
Open mode
If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group:
•If the VLAN is allowed on the port, the VLAN name is returned to the client.
•If the VLAN is not allowed on the port, the client receives an "access-denied" response.
•If a VLAN in the database does not match the current VLAN on the port and a fallback VLAN name is configured, VMPS sends the fallback VLAN name to the client.
•If a VLAN in the database does not match the current VLAN on the port and a fallback VLAN name is not configured, the client receives an "access-denied" response.
Secure mode
If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group:
•If the VLAN is allowed on the port, the VLAN name is returned to the client.
•If the VLAN is not allowed on the port, the port is shut down.
•If a VLAN in the database does not match the current VLAN on the port, the port is shut down, even if a fallback VLAN name is configured.
Multiple mode
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to the unassigned state. Any hosts that come online through the port are checked again with VMPS before the port is assigned to a VLAN.
If multiple hosts connected to a dynamic port belong to different VLANs, the VLAN matching the MAC address in the last request is returned to the client, provided that multiple mode is configured on the VMPS server.
Note Although Catalyst 4500 series and Catalyst 6500 series switches running Catalyst operating system software support VMPS in all three operation modes, the Cisco network management tool URT (User Registration Tool) supports open mode only.
Fall-back VLAN
You can configure a fallback VLAN name on a VMPS server. If you connect a device with a MAC address that is not in the database, the VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN name and the MAC address does not exist in the database, the VMPS sends an "access-denied" response. If the VMPS is in secure mode, it sends a "port-shutdown" response, whether or not a fallback VLAN has been configured on the server.
Illegal VMPS client requests
Two examples of illegal VMPS client requests are as follows:
•A request for a MAC address that has no mapping in the VMPS database when no fallback VLAN is configured on the VMPS.
•A second request received for a different MAC address on a port that is already assigned a VLAN, when the VMPS mode is not "multiple".
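The response rules described in this section (open, secure and multiple modes, the fallback VLAN, VLANs restricted to a group of ports, and the explicit none entry) collected into one decision function. This is an added illustration, not code from the Cisco documentation or from any Cisco implementation; the table layout, the sample MAC addresses, VLAN names and port identifiers are assumptions made for the example, and an unknown MAC in multiple mode is assumed to be handled as in open mode, since the chapter only singles out secure mode for that case.

```python
"""VMPS response logic for one VQP request, in the modes the chapter describes.

Added illustration, not Cisco code. The table layout, the demo MAC addresses,
VLAN names and port identifiers are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ACCESS_DENIED = "access-denied"   # client keeps blocking this MAC and keeps watching the port
PORT_SHUTDOWN = "port-shutdown"   # client error-disables the port
DENY_ENTRY = "none"               # 'none' as the VLAN name = explicit deny for that MAC


@dataclass
class Vmps:
    mode: str                                  # "open", "secure" or "multiple"
    database: Dict[str, str]                   # MAC address -> VLAN name (or DENY_ENTRY)
    fallback_vlan: Optional[str] = None        # fallback VLAN name, if configured
    port_groups: Dict[str, Set[str]] = field(default_factory=dict)  # VLAN -> allowed ports

    def respond(self, mac: str, port: str,
                current_vlan: Optional[str] = None, active_hosts: int = 0) -> str:
        """current_vlan: VLAN the dynamic port already holds (None if unassigned);
        active_hosts: hosts already active on that port."""
        secure = self.mode == "secure"
        vlan = self.database.get(mac.lower())

        # Unknown MAC: fallback VLAN if configured, else deny; secure mode shuts the port
        # whether or not a fallback VLAN exists. (Assumed: multiple mode behaves like open here.)
        if vlan is None:
            if secure:
                return PORT_SHUTDOWN
            return self.fallback_vlan or ACCESS_DENIED

        # Explicit deny entry: never softened by the fallback VLAN.
        if vlan == DENY_ENTRY:
            return PORT_SHUTDOWN if secure else ACCESS_DENIED

        # VLAN restricted to a group of ports: the requesting port must be in the group.
        allowed_ports = self.port_groups.get(vlan)
        if allowed_ports is not None and port not in allowed_ports:
            return PORT_SHUTDOWN if secure else ACCESS_DENIED

        # Port already holds a different VLAN with active hosts on it.
        if current_vlan is not None and current_vlan != vlan and active_hosts > 0:
            if secure:
                return PORT_SHUTDOWN
            if self.mode == "multiple":
                return vlan                    # the VLAN of the last request wins
            return self.fallback_vlan or ACCESS_DENIED

        return vlan


# Constructed sample table: MAC -> VLAN name, plus one explicit deny entry.
DATABASE = {
    "00:01:02:03:04:05": "engineering",
    "00:01:02:03:04:06": "finance",
    "00:de:ad:be:ef:00": DENY_ENTRY,
}
PORT_GROUPS = {"finance": {"sw1:Fa1/1"}}   # finance is only allowed on this port


def demo() -> Dict[str, str]:
    """Run the same requests against each mode and return the responses."""
    open_fb = Vmps("open", DATABASE, fallback_vlan="guest", port_groups=PORT_GROUPS)
    open_nofb = Vmps("open", DATABASE, port_groups=PORT_GROUPS)
    secure = Vmps("secure", DATABASE, fallback_vlan="guest", port_groups=PORT_GROUPS)
    multiple = Vmps("multiple", DATABASE, port_groups=PORT_GROUPS)
    eng, fin, bad = "00:01:02:03:04:05", "00:01:02:03:04:06", "00:de:ad:be:ef:00"
    unknown = "00:00:00:00:00:99"
    busy = dict(current_vlan="finance", active_hosts=1)   # port already carries finance hosts
    return {
        "known_mac_open": open_fb.respond(eng, "sw1:Fa1/2"),
        "unknown_mac_open_fallback": open_fb.respond(unknown, "sw1:Fa1/2"),
        "unknown_mac_open_no_fallback": open_nofb.respond(unknown, "sw1:Fa1/2"),
        "unknown_mac_secure": secure.respond(unknown, "sw1:Fa1/2"),
        "explicit_deny_open": open_fb.respond(bad, "sw1:Fa1/2"),
        "explicit_deny_secure": secure.respond(bad, "sw1:Fa1/2"),
        "restricted_vlan_wrong_port_open": open_fb.respond(fin, "sw1:Fa1/2"),
        "restricted_vlan_right_port_open": open_fb.respond(fin, "sw1:Fa1/1"),
        "restricted_vlan_wrong_port_secure": secure.respond(fin, "sw1:Fa1/2"),
        "second_vlan_open_fallback": open_fb.respond(eng, "sw1:Fa1/1", **busy),
        "second_vlan_open_no_fallback": open_nofb.respond(eng, "sw1:Fa1/1", **busy),
        "second_vlan_secure": secure.respond(eng, "sw1:Fa1/1", **busy),
        "second_vlan_multiple": multiple.respond(eng, "sw1:Fa1/1", **busy),
        "second_vlan_idle_port": open_nofb.respond(eng, "sw1:Fa1/1", "finance", 0),
    }


if __name__ == "__main__":
    for case, response in demo().items():
        print(f"{case}: {response}")
```

The evaluation order is the point to take from the function: the explicit none entry and the port-group restriction are checked before the port's current VLAN is considered, so a deny is never turned into a fallback VLAN assignment, and in secure mode every failing check ends in "port-shutdown" rather than a softer answer.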
Understanding VMPS clients
The following subsections describe how to configure a switch as a VMPS client and configure its ports for dynamic VLAN membership.
The following topics are included:
•Dynamic VLAN Membership Overview
•Default VMPS Client Configuration
•Configuring a Switch as a VMPS Client
•Administering and Monitoring the VMPS
•Troubleshooting Dynamic Port VLAN Membership
Dynamic VLAN Membership Overview
When a port is configured as "dynamic," it receives VLAN information based on the MAC address of the host on the port. The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS based on the MAC address seen on the port.
A dynamic port can belong to one VLAN only. When the link becomes active, the switch does not forward traffic to or from this port until the port is assigned to a VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS as part of the VQP request, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, the VMPS sends the VLAN assignment for that port. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS security mode setting). See the "Understanding VMPS" section for a complete description of possible VMPS responses.
Multiple hosts (MAC addresses) can be active on a dynamic port if all are in the same VLAN. If the link goes down on a dynamic port, the port returns to the unassigned state and does not belong to a VLAN. Any hosts that come online through the port are checked again with the VMPS before the port is assigned to a VLAN.
For this behavior to work, the client switch must be able to reach the VMPS. A VMPS client sends VQP requests as UDP packets and retries a configured number of times before giving up on a server. For details on how to set the retry count, refer to the "Configuring the Retry Interval" section.
The VMPS client also periodically reconfirms the VLAN membership. For details on how to set the reconfirmation interval, refer to the "Configuring Reconfirmation Interval" section.
A maximum of 50 hosts are supported on a given dynamic port at any given time. Once this maximum is exceeded, the port is shut down, irrespective of the operating mode of the VMPS server.
Note The switch shuts down (error-disables) a dynamic port if more than 50 hosts are active on that port.
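A client-side model of the behaviour described above, written as an added example and not taken from Cisco IOS: a VQP query is retried retry_count times against the current server before the next configured server is tried, a port returns to the unassigned state on link-down, an "access-denied" answer leaves the MAC blocked while the port keeps watching for new addresses, and the 51st host error-disables the port. The Responder callable stands in for the VMPS; the server addresses (taken from the chapter's example), the MAC addresses and the outage scenario are constructed for the example.

```python
"""Dynamic-port client behaviour: VQP retry and server failover, link-down reset,
and the 50-host limit. Added illustration, not Cisco IOS code; the responder
callable, server list and MAC addresses below are assumptions for the example.
"""
from typing import Callable, Dict, List, Optional, Set

MAX_HOSTS_PER_DYNAMIC_PORT = 50   # limit stated in the chapter

# Stand-in for the VMPS: called with (server, mac, port) and returns a VLAN name,
# "access-denied", "port-shutdown", or None to model an unanswered query.
Responder = Callable[[str, str, str], Optional[str]]


class VqpClient:
    """Sends VQP queries with the retry/failover behaviour the chapter describes."""

    def __init__(self, servers: List[str], retry_count: int = 3) -> None:
        if not 1 <= len(servers) <= 4:
            raise ValueError("a VMPS client accepts one to four servers")
        if not 1 <= retry_count <= 10:
            raise ValueError("vmps retry count must be 1 to 10")
        self.servers = list(servers)       # servers[0] is the primary
        self.retry_count = retry_count
        self.current = servers[0]          # the server shown as "current" by show vmps
        self.attempts: List[str] = []      # every query sent, for inspection

    def query(self, mac: str, port: str, responder: Responder) -> Optional[str]:
        """Try the current server retry_count times, then each following server."""
        start = self.servers.index(self.current)
        for server in self.servers[start:] + self.servers[:start]:
            for _ in range(self.retry_count):
                self.attempts.append(server)
                reply = responder(server, mac, port)
                if reply is not None:
                    self.current = server
                    return reply
        return None                        # every server silent: port stays unassigned


class DynamicPort:
    def __init__(self, name: str, client: VqpClient) -> None:
        self.name = name
        self.client = client
        self.vlan: Optional[str] = None    # None = unassigned, traffic blocked
        self.hosts: Set[str] = set()
        self.errdisabled = False

    def host_seen(self, mac: str, responder: Responder) -> str:
        """Handle the first frame from a source MAC; returns the port's disposition."""
        if self.errdisabled:
            return "errdisabled"
        if mac in self.hosts:
            return self.vlan or "blocked"
        if len(self.hosts) >= MAX_HOSTS_PER_DYNAMIC_PORT:
            self.errdisabled = True        # host limit exceeded, regardless of VMPS mode
            return "errdisabled"
        reply = self.client.query(mac, self.name, responder)
        if reply is None or reply == "access-denied":
            return "blocked"               # keep blocking this MAC, keep watching for new ones
        if reply == "port-shutdown":
            self.errdisabled = True
            return "errdisabled"
        self.vlan = reply                  # hosts on the port share this VLAN
        self.hosts.add(mac)
        return reply

    def link_down(self) -> None:
        """Link loss returns the port to the unassigned state; hosts are re-checked later."""
        self.vlan = None
        self.hosts.clear()


def demo() -> Dict[str, object]:
    """Constructed scenario: the primary VMPS never answers, the secondary does."""
    primary, secondary = "172.20.128.179", "172.20.128.178"
    mapping = {"00:01:02:03:04:05": "engineering"}

    def responder(server: str, mac: str, port: str) -> Optional[str]:
        if server == primary:
            return None                    # simulated outage of the primary
        return mapping.get(mac, "access-denied")

    def permissive(server: str, mac: str, port: str) -> Optional[str]:
        return "engineering"               # every host lands in the same VLAN

    client = VqpClient([primary, secondary], retry_count=3)
    port = DynamicPort("Fa1/1", client)
    results: Dict[str, object] = {}
    results["first_host"] = port.host_seen("00:01:02:03:04:05", responder)
    results["attempts"] = list(client.attempts)
    results["current_server"] = client.current
    results["unknown_host"] = port.host_seen("00:00:00:00:00:99", responder)
    results["vlan_before_link_down"] = port.vlan
    port.link_down()
    results["vlan_after_link_down"] = port.vlan
    for i in range(MAX_HOSTS_PER_DYNAMIC_PORT):
        port.host_seen(f"00:00:00:00:{i // 256:02x}:{i % 256:02x}", permissive)
    results["hosts_at_limit"] = len(port.hosts)
    results["errdisabled_at_limit"] = port.errdisabled
    results["host_51"] = port.host_seen("00:00:00:00:ff:ff", permissive)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The attempts list shows why the retry count and the server order matter operationally: with a retry count of 3 and an unreachable primary, the first host on every freshly unassigned port waits through three unanswered queries before the secondary is asked, and the client then keeps the secondary as its current server.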
Default VMPS Client Configuration
Table 11-1 shows the default VMPS and dynamic port configuration on client switches.
Table 11-1 Default VMPS Client and Dynamic Port Configuration
Feature                    Default Setting
VMPS domain server         None
VMPS reconfirm interval    60 minutes
VMPS server retry count    3
Dynamic ports              None configured
Configuring a Switch as a VMPS Client
This section contains the following topics:
•Configuring the IP Address of the VMPS Server
•Configuring Dynamic Access Ports on a VMPS Client
•Reconfirming VLAN Memberships
•Configuring Reconfirmation Interval
•Configuring the Retry Interval
Configuring the IP Address of the VMPS Server
To configure a Catalyst 4500 series switch as a VMPS client, you must enter the IP address or hostname of the switch acting as the VMPS.
To define the primary and secondary VMPS on a Catalyst 4500 series switch, perform this task:
Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# vmps server {ipaddress | hostname} primary
        Specifies the IP address or hostname of the switch acting as the primary VMPS server.
Step 3  Switch(config)# vmps server {ipaddress | hostname}
        Specifies the IP address or hostname of the switch acting as a secondary VMPS server.
Step 4  Switch(config)# end
        Returns to privileged EXEC mode.
Step 5  Switch# show vmps
        Verifies the VMPS server entry.
This example shows how to define the primary and secondary VMPS devices and verify the entries:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vmps server 172.20.128.179 primary
Switch(config)# vmps server 172.20.128.178
Switch(config)# end
Switch# show vmps
Reconfirm Interval: 60 min
VMPS domain server: 172.20.128.179 (primary, current)
VMPS Action: No Dynamic Port
Note You can configure up to four VMPS servers using this CLI on the VMPS client.
Configuring Dynamic Access Ports on a VMPS Client
To configure a dynamic access port on a VMPS client switch, perform this task:
Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# interface interface-id
        Enters interface configuration mode and specifies the port to be configured.
Step 3  Switch(config-if)# switchport mode access
        Sets the port to access mode.
Step 4  Switch(config-if)# switchport access vlan dynamic
        Configures the port as eligible for dynamic VLAN access.
Step 5  Switch(config-if)# end
        Returns to privileged EXEC mode.
Step 6  Switch# show interface interface-id switchport
        Verifies the entry.
This example shows how to configure a dynamic access port and then verify the entry:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fa1/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan dynamic
Switch(config-if)# end
Switch# show interface fa1/1 switchport
Administrative mode: dynamic auto
Operational Mode: dynamic access
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: NONE
Pruning VLANs Enabled: NONE
Voice Ports
If a VVID (voice VLAN ID) is configured on a dynamic access port, the port can belong to both an access VLAN and a voice VLAN. Consequently, an access port configured for connecting an IP phone can have separate VLANs for the following:
•Data traffic to and from the PC that is connected to the switch through the access port of the IP phone (access VLAN)
•Voice traffic to and from the IP phone (voice VLAN)
Reconfirming VLAN Memberships
To confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS, perform this task:
Step 1  Switch# vmps reconfirm
        Reconfirms dynamic port VLAN membership.
Step 2  Switch# show vmps
        Verifies the dynamic VLAN reconfirmation status.
Configuring Reconfirmation Interval
VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes the VMPS client waits before reconfirming the VLAN-to-MAC-address assignments.
To configure the reconfirmation interval, perform this task:
Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# vmps reconfirm minutes
        Specifies the number of minutes between reconfirmations of the dynamic VLAN membership.
Step 3  Switch(config)# end
        Returns to privileged EXEC mode.
Step 4  Switch# show vmps
        Verifies the dynamic VLAN reconfirmation status.
This example shows how to set the reconfirmation interval to 60 minutes and verify the setting:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vmps reconfirm 60
Switch(config)# end
Switch# show vmps
Reconfirm Interval: 60 min
VMPS domain server: 172.20.130.50 (primary, current)
Configuring the Retry Interval
You can set the number of times that the VMPS client retries a VQP query to the current VMPS before querying the next configured server.
To set the retry count, perform this task:
Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# vmps retry count
        Specifies the retry count for VQP queries. The default is 3; the range is 1 to 10.
Step 3  Switch(config)# end
        Returns to privileged EXEC mode.
Step 4  Switch# show vmps
        Verifies the retry count.
This example shows how to change the retry count to 5 and verify the change:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vmps retry 5
Switch(config)# end
Switch# show vmps
Reconfirm Interval: 60 min
VMPS domain server: 172.20.130.50 (primary, current)
Administering and Monitoring the VMPS
You can display the following information about the VMPS with the show vmps command:
VQP Version
    The version of VQP used to communicate with the VMPS. The switch queries the VMPS using VQP Version 1.
Reconfirm Interval
    The number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments.
Server Retry Count
    The number of times VQP resends a query to the VMPS. If no response is received after this many tries, the switch starts to query the secondary VMPS.
VMPS domain server
    The IP addresses of the configured VLAN membership policy servers. The switch currently sends queries to the one marked "current." The one marked "primary" is the primary server.
VMPS Action
    The result of the most recent reconfirmation attempt. Reconfirmation occurs automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm command or its CVSM or SNMP equivalent.
The following example shows how to display VMPS information:
Switch# show vmps
Reconfirm Interval: 60 min
The following example shows how to display VMPS statistics:
Switch# show vmps statistics
VQP Insufficient Resource: 0
Note Refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference for details on VMPS statistics.
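A parser and a small audit for the show vmps fields described above, added here as an example and not part of the Cisco documentation. The two sample outputs are constructed from the field names this chapter shows; the exact layout of the server lines, and the "(primary)" and "(current)" markers appearing on different servers after a failover, are assumptions about the output format, and the reconfirm-interval threshold is an assumed local policy. The audit flags what an operator would want to notice when collecting this output from many client switches: no server configured, a client that has failed over away from its primary, or a reconfirmation interval longer than policy allows.

```python
"""Parse 'show vmps' client output and flag operational findings.

Added example, not Cisco code. The sample outputs are constructed from the field
names the chapter lists; the server-line layout and the policy threshold are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: healthy client, primary server answering.
HEALTHY = """\
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.179 (primary, current)
                    172.20.128.178
VMPS Action:        No Dynamic Port
"""

# Constructed sample: client has failed over to the secondary, long reconfirm interval.
FAILED_OVER = """\
VMPS VQP Version:   1
Reconfirm Interval: 120 min
Server Retry Count: 3
VMPS domain server: 172.20.128.179 (primary)
                    172.20.128.178 (current)
VMPS Action:        No Dynamic Port
"""

# An IPv4 address optionally followed by a parenthesised, comma-separated marker list.
SERVER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*(?:\(([^)]*)\))?$")


def parse_show_vmps(text: str) -> Dict[str, object]:
    """Extract the fields described in the chapter into a dictionary."""
    servers: List[Dict[str, object]] = []
    info: Dict[str, object] = {"vqp_version": None, "reconfirm_minutes": None,
                               "retry_count": None, "servers": servers, "action": None}

    def add_server(value: str) -> None:
        m = SERVER_RE.match(value.strip())
        if m:
            flags = {f.strip() for f in (m.group(2) or "").split(",") if f.strip()}
            servers.append({"ip": m.group(1), "primary": "primary" in flags,
                            "current": "current" in flags})

    in_servers = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            if in_servers:
                add_server(line)           # continuation line listing another server
            continue
        in_servers = False
        if key == "VMPS VQP Version":
            info["vqp_version"] = int(value)
        elif key == "Reconfirm Interval":
            info["reconfirm_minutes"] = int(value.split()[0])   # "60 min" -> 60
        elif key == "Server Retry Count":
            info["retry_count"] = int(value)
        elif key == "VMPS domain server":
            in_servers = True
            if value.lower() != "none":    # "None" is the default with no server configured
                add_server(value)
        elif key == "VMPS Action":
            info["action"] = value
    return info


def audit(info: Dict[str, object], max_reconfirm_minutes: int = 60) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    servers = info["servers"]
    if not servers:
        findings.append("no VMPS server configured; dynamic ports will never be assigned a VLAN")
        return findings
    primary = next((s["ip"] for s in servers if s["primary"]), None)
    current = next((s["ip"] for s in servers if s["current"]), None)
    if primary is not None and current is not None and current != primary:
        findings.append(f"client has failed over from primary {primary} to {current}; "
                        "check reachability of the primary VMPS")
    minutes = info["reconfirm_minutes"]
    if isinstance(minutes, int) and minutes > max_reconfirm_minutes:
        findings.append(f"reconfirm interval {minutes} min exceeds the assumed policy "
                        f"maximum of {max_reconfirm_minutes} min")
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("failed-over", FAILED_OVER)):
        print(name, audit(parse_show_vmps(sample)) or ["ok"])
```

The failover finding is the one worth wiring into monitoring: a client that is answering from its secondary is working, so nothing on the switch complains, but every new host on a freshly unassigned port first sits through the retry count against the dead primary, as the retry behaviour described earlier in this chapter implies.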
Troubleshooting Dynamic Port VLAN Membership
A dynamic port is error-disabled (errdisabled) under the following conditions:
•The VMPS is in secure mode and does not allow the host to connect to the port, so it answers with "port-shutdown". The switch errdisables the port to prevent the host from connecting to the network.
•More than 50 active hosts reside on the dynamic port.
For information on how to display the status of interfaces in the error-disabled state, refer to "Checking Port Status and Connectivity". To recover an errdisabled port, use the errdisable recovery cause vmps global configuration command.