Embedded Files
Dynamic VLAN Membership
Dynamic VLANs, as opposed to Static VLANs, do not require the network administrator to manually assign each switchport to a specific VLAN. But instead, a central server called VLAN Membership Policy Server (VMPS) is used to handle port configuration of every switch participating in a VLAN network. The VMPS can be a Cisco switch running CatOS (Cisco Catalyst 4000 onwards) or a free OpenVMPS software on Linux/ Unix or FreeRADIUS or FreeNAC.
With VMPS, VLANs are assigned dynamically to switchports based on Source MAC address of the device connected to the switchport. The VMPS server contains a database of all workstation MAC addresses, along with the associated VLAN the MAC address should belong to. When an end-station moves from a port on SwitchA in the network to a port on SwitchB in the network, SwitchB dynamically assigns the new port to the proper VLAN for that end-station.
The switch acts as a client to VMPS and communicates with it via VLAN Query Protocol (VQP) (Cisco-only protocol) on UDP port 1589. The VMPS receives a VQP request from a client switch, it searches its MAC address-to-VLAN mapping database and assigns the switchport a VLAN based on this mapping.
VMPS Modes
The VMPS server can be in one of two modes- Secure and Open mode. The response to VQP request is based on MAC address-to-VLAN mapping and whether the server is in Secure or Open mode.
There would be one of 4 types of responses from the VMPS server to a VQP request- Allow, Deny, Shutdown and Wrong_Domain.
- If the MAC address is in the VMPS database, the server (either Open or Secure mode) responds with a VLAN name corresponding to it.
- If the MAC address is not in the VMPS database, the server response depends on the type of mode:
- If the VMPS is in Open mode, it responds with an access-denied to the Client and continues to block traffic from the MAC address on the port
- If the VMPS is in Secure mode, it reponds with a shutdown to the Client and the Switch shuts the port down.
Sample scenario
The MAC Address of the End Station is 00:22:19:DF:92:52. It is connected to a Switch. The Switch assigns a VLAN to the port based on the MAC address of the End Station after communicating with the VMPS Server.
The VMPS configuration on a Cisco switch acting as a client requires the IP address of the VMPS Server using vmps server <ip-address> [primary] command. The primary keyword is used to specify preference.
The Switch is configured for VMPS as follows:
VMPS Configuration on Switch
vlan 10 name IT!vtp domain mydomain!vmps server 192.168.3.2 primaryvmps reconfirm 60vmps retry 3!interface fastethernet 0/1 switchport mode access switchport access vlan dynamic no shutdownThe vmps reconfirm <minutes> command indicates the number of minutes the switch waits before reconfirming the VLAN-to-MAC address assignment. The default is 60 minutes.
The vmps retry <count> command indicates the number of times VQP resends a query to VMPS server. If no response is received after this many tries, the switch starts to query the secondary VMPS server. The default is 3 retries.
The switchport mode access dynamic command configures the port as eligible for dynamic VLAN access.
Note
When a port is configured as dynamic, the spanning-tree portfast feature is automatically configured on the port. The Port Fast mode accelerates the process of bringing the port into the forwarding state.You can disable Port Fast mode on a dynamic port using no spanning-tree portfast command on the port.A sample VMPS Server Database (vlan.db) file looks like this:
VMPS Server Configuration
vmps domain mydomain ! The VTP domain on the Client switch should match this domain namevmps mode open ! This can be either Open or Secure mode! vmps fallback <vlan-name> ! Fallback VLAN in case no MAC address-to-VLAN match is made! vmps no-domain-req { allow | deny }!vmps-mac-addrsaddress 0022.19df.9252 vlan-name IT!vmps-port-policies vlan-name ITdevice 192.168.100.10 port Fa 0/1 ! Device is the Switch here!Verification
The show vmps command shows the VMPS Server configuration on the Switch. It also shows the status of the VMPS reconfirmation.
show vmps
Switch# show vmpsVQP Client Status:--------------------VMPS VQP Version: 1Reconfirm Interval: 60 minServer Retry Count: 3VMPS domain server: 192.168.3.2 (primary, current)Reconfirmation status---------------------VMPS Action: SuccessThe show vmps statistics command shows the VQP Requests sent by the Switch and VQP Responses received from the VMPS Server.
show vmps statistics
Switch# show vmps statisticsVMPS Client Statistics----------------------VQP Queries: 682VQP Responses: 2VMPS Changes: 0VQP Shutdowns: 0VQP Denied: 0VQP Wrong Domain: 0VQP Wrong Version: 0VQP Insufficient Resource: 0The Switch reconfirms the assignment of VLAN-to-MAC address once very 60 minutes by default. However, using vmps reconfirm command from Exec mode, causes the Switch to reconfirm manually. The debug vqpc all command shows the packets exchanged during communication between the Switch and VMPS Server.
debug vqpc all
Switch# debug vqpc allSwitch# vmps reconfirmSwitch#01:44:09: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses01:44:09: VQPC PAK: xmt transaction ID = 0x000000AE01:44:09: VQPC PAK: sending query to VMPS01:44:09: VQPC PAK:01:44:09: VQPC PAK: rcvd packet from VMPS01:44:09: VQPC PAK: transaction ID = 0x000000AE01:44:09: VQPC: rcvd response, transID = 0x000000AE01:44:09: VQPC PAK: VLAN name TLV, vlanName = IT01:44:09: VQPC PAK: Cookie TLV, cookie = 0022.19df.9252, length = 6The show vlan command shows the VLANs on the Switch and the ports assigned to each VLAN. Here, it shows that port Fa 0/1 is dynamically assigned to VLAN 10.
show vlan
Switch# show vlanVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5 Fa0/6, Fa0/7, Fa0/8, Fa0/9 Fa0/10, Fa0/11, Fa0/12, Fa0/13 Fa0/14, Fa0/15, Fa0/16, Fa0/17 Fa0/18, Fa0/19, Fa0/20, Fa0/21 Fa0/22, Fa0/2310 IT active Fa0/11002 fddi-default act/unsup1003 token-ring-default act/unsup1004 fddinet-default act/unsup1005 trnet-default act/unsupVLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------1 enet 100001 1500 - - - - - 0 010 enet 100010 1500 - - - - - 0 01002 fddi 101002 1500 - - - - - 0 01003 tr 101003 1500 - - - - - 0 01004 fdnet 101004 1500 - - - ieee - 0 01005 trnet 101005 1500 - - - ibm - 0 0Primary Secondary Type Ports------- --------- ----------------- ------------------------------------------And finally, the show spanning-tree interface command shows the status of the port.
Port Status
Switch# show spanning-tree interface fa 0/1Vlan Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------VLAN0010 Desg FWD 19 128.1 Edge P2pSwitch# show spanning-tree interface fa 0/1 detail Port 1 (FastEthernet0/1) of VLAN0010 is forwarding Port path cost 19, Port priority 128, Port Identifier 128.1. Designated root has priority 24586, address 0008.a38a.c740 Designated bridge has priority 24586, address 0008.a38a.c740 Designated port id is 128.1, designated path cost 0 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 The port is in the portfast mode Link type is point-to-point by default BPDU: sent 92, received 0Further reading:
Page updated
Google Sites
Report abuse