Dynamic VLAN Membership

Dynamic VLANs, as opposed to static VLANs, do not require the network administrator to assign each switchport to a VLAN by hand. Instead a central server, the VLAN Membership Policy Server (VMPS), decides the VLAN of every dynamic port on every switch that participates. The VMPS can be a Cisco Catalyst switch running CatOS (Catalyst 4000 series onward), or free software such as OpenVMPS on Linux/Unix, FreeRADIUS or FreeNAC.

With VMPS, VLANs are assigned to switchports dynamically based on the source MAC address of the device attached to the port. The VMPS holds a database of workstation MAC addresses together with the VLAN each one belongs to. When an end station moves from a port on SwitchA to a port on SwitchB, SwitchB queries the VMPS and assigns its new port to the proper VLAN for that end station.

The switch acts as a VQP client: it talks to the VMPS with the VLAN Query Protocol (VQP), a Cisco-only protocol carried over UDP port 1589. On receiving a VQP request the VMPS looks up the source MAC address in its MAC-address-to-VLAN mapping database and tells the client which VLAN to assign to the port. Note that VQP is plain, unauthenticated UDP and the lookup key is a source MAC address that the attached host chooses for itself, so dynamic VLAN assignment is an administrative convenience and should not be relied on as an access control against a hostile host.

VMPS Modes

The VMPS server runs in one of two modes, open or secure. The response to a VQP request depends on the MAC-address-to-VLAN mapping and on which mode the server is in.

There are four possible responses from the VMPS server to a VQP request: Allow, Deny, Shutdown and Wrong_Domain.

    • If the MAC address is in the VMPS database (and the VLAN's port policy, if one is configured, allows the requesting switch and port), the server responds with the corresponding VLAN name in either mode.
    • If the MAC address is not in the VMPS database but a fallback VLAN is configured, the server responds with the fallback VLAN name in either mode.
    • If the MAC address is not in the VMPS database and no fallback VLAN is configured, the response depends on the mode:
      • In open mode the server responds with access-denied; the switch keeps blocking traffic from that MAC address on the port and sends a new query when it sees a new source address.
      • In secure mode the server responds with shutdown and the switch shuts the port down; the port stays down until an administrator re-enables it.
    • If the VTP domain in the request does not match the server's domain, the server responds with Wrong_Domain.
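The rules above, worked through in code. This is an added example written for this page, not Cisco, OpenVMPS or FreeNAC code: a small decision engine that parses the vlan.db-style policy used later on this page and answers sample queries. The policy text and the queries are constructed; the handling of an empty VTP domain under vmps no-domain-req is this example's reading of that command.

```python
"""Toy VMPS decision engine: an added example, not Cisco, OpenVMPS or FreeNAC code.

It applies the response rules described above to a vlan.db-style policy:
a known MAC gets its VLAN name (provided the VLAN's port policy, if any, lists
the querying switch and port), an unknown MAC gets the fallback VLAN when one
is configured, and otherwise the answer is access-denied in open mode or
port-shutdown in secure mode. A query from a VTP domain other than the
server's gets wrong-domain. The policy text and the queries are constructed
for this example and mirror the configuration shown on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY, SHUTDOWN, WRONG_DOMAIN = "allow", "deny", "shutdown", "wrong_domain"


@dataclass
class Policy:
    domain: str = ""
    secure: bool = False
    fallback: Optional[str] = None
    no_domain_req_allow: bool = False
    mac_to_vlan: dict = field(default_factory=dict)   # "0022.19df.9252" -> "IT"
    port_policy: dict = field(default_factory=dict)   # "IT" -> {("192.168.100.10", "Fa0/1")}


def norm_mac(mac: str) -> str:
    """Accept 00:22:19:DF:92:52 or 0022.19df.9252 and return the dotted Cisco form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_vlan_db(text: str) -> Policy:
    """Parse the subset of the VMPS database grammar used on this page."""
    pol = Policy()
    current_vlan = None
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()          # '!' introduces a comment
        if not line:
            continue
        tok = line.split()
        if tok[:2] == ["vmps", "domain"]:
            pol.domain = tok[2]
        elif tok[:2] == ["vmps", "mode"]:
            pol.secure = tok[2].lower() == "secure"
        elif tok[:2] == ["vmps", "fallback"]:
            pol.fallback = tok[2]
        elif tok[:2] == ["vmps", "no-domain-req"]:
            pol.no_domain_req_allow = tok[2].lower() == "allow"
        elif tok[0] == "vmps-mac-addrs":
            current_vlan = None
        elif tok[0] == "address":                      # address <mac> vlan-name <name>
            pol.mac_to_vlan[norm_mac(tok[1])] = tok[3]
        elif tok[0] == "vmps-port-policies":           # vmps-port-policies vlan-name <name>
            current_vlan = tok[2]
            pol.port_policy.setdefault(current_vlan, set())
        elif tok[0] == "device" and current_vlan:      # device <ip> port <name>
            port = "".join(tok[3:])                    # "Fa 0/1" -> "Fa0/1"
            pol.port_policy[current_vlan].add((tok[1], port))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return pol


def decide(pol: Policy, domain: str, client_ip: str, port: str, mac: str):
    """Return (response, vlan_name_or_None) for one VQP query."""
    refuse = SHUTDOWN if pol.secure else DENY        # the only thing secure mode changes
    # An empty domain is accepted only with "no-domain-req allow"; a mismatch is wrong-domain.
    if domain != pol.domain and not (domain == "" and pol.no_domain_req_allow):
        return WRONG_DOMAIN, None
    vlan = pol.mac_to_vlan.get(norm_mac(mac))
    if vlan is None:
        return (ALLOW, pol.fallback) if pol.fallback else (refuse, None)
    allowed = pol.port_policy.get(vlan)
    if allowed and (client_ip, port.replace(" ", "")) not in allowed:
        return refuse, None                          # VLAN is restricted to other ports
    return ALLOW, vlan


# Constructed policy: the server database shown on this page.
SAMPLE_DB = """\
vmps domain mydomain
vmps mode open
!
vmps-mac-addrs
address 0022.19df.9252 vlan-name IT
!
vmps-port-policies vlan-name IT
device 192.168.100.10 port Fa 0/1
"""

if __name__ == "__main__":
    pol = parse_vlan_db(SAMPLE_DB)
    for q in [("mydomain", "192.168.100.10", "Fa0/1", "00:22:19:DF:92:52"),
              ("mydomain", "192.168.100.10", "Fa0/2", "00:22:19:DF:92:52"),
              ("mydomain", "192.168.100.10", "Fa0/1", "00:11:22:33:44:55"),
              ("otherdomain", "192.168.100.10", "Fa0/1", "00:22:19:DF:92:52")]:
        print(q, "->", decide(pol, *q))
```

Flip the mode to secure or append a vmps fallback line to SAMPLE_DB and re-run: the unknown-MAC query changes from deny to shutdown, or to an allow for the fallback VLAN, which is exactly the difference between the cases listed above.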

Sample scenario

The MAC address of the end station is 00:22:19:DF:92:52 and it is connected to a switch. After querying the VMPS server, the switch assigns the port a VLAN based on that MAC address.

The VMPS configuration on a Cisco switch acting as a client requires the IP address of the VMPS Server using vmps server <ip-address> [primary] command. The primary keyword is used to specify preference.

The Switch is configured for VMPS as follows:

VMPS Configuration on Switch

vlan 10
 name IT
!
vtp domain mydomain
!
vmps server 192.168.3.2 primary
vmps reconfirm 60
vmps retry 3
!
interface fastethernet 0/1
 switchport mode access
 switchport access vlan dynamic
 no shutdown

The vmps reconfirm <minutes> command indicates the number of minutes the switch waits before reconfirming the VLAN-to-MAC address assignment. The default is 60 minutes.

The vmps retry <count> command indicates the number of times VQP resends a query to VMPS server. If no response is received after this many tries, the switch starts to query the secondary VMPS server. The default is 3 retries.

The switchport access vlan dynamic interface command makes the port eligible for dynamic VLAN assignment. The port must be an access port (switchport mode access); a dynamic-access port cannot be a trunk.

Note

When a port is configured as dynamic, the spanning-tree portfast feature is automatically configured on the port. The Port Fast mode accelerates the process of bringing the port into the forwarding state.
You can disable Port Fast mode on a dynamic port using no spanning-tree portfast command on the port.

A sample VMPS Server Database (vlan.db) file looks like this:

VMPS Server Configuration

vmps domain mydomain            ! The VTP domain on the Client switch should match this domain name
vmps mode open                  ! This can be either Open or Secure mode
! vmps fallback <vlan-name>     ! Fallback VLAN in case no MAC address-to-VLAN match is made
! vmps no-domain-req { allow | deny }
!
vmps-mac-addrs
address 0022.19df.9252 vlan-name IT
!
vmps-port-policies vlan-name IT
device 192.168.100.10 port Fa 0/1            ! Device is the Switch here
!

Verification

The show vmps command shows the VMPS client configuration on the switch and the status of the last reconfirmation.

show vmps

Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 192.168.3.2 (primary, current)
Reconfirmation status
---------------------
VMPS Action:         Success

The show vmps statistics command shows the VQP Requests sent by the Switch and VQP Responses received from the VMPS Server.

show vmps statistics

Switch# show vmps statistics
VMPS Client Statistics
----------------------
VQP  Queries:               682
VQP  Responses:             2
VMPS Changes:               0
VQP  Shutdowns:             0
VQP  Denied:                0
VQP  Wrong Domain:          0
VQP  Wrong Version:         0
VQP  Insufficient Resource: 0

The switch reconfirms the VLAN-to-MAC address assignment once every 60 minutes by default. The vmps reconfirm command, entered in privileged EXEC mode, makes it reconfirm immediately. The debug vqpc all command shows the packets exchanged between the switch and the VMPS server.

debug vqpc all

Switch# debug vqpc all
Switch# vmps reconfirm
Switch#
01:44:09: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
01:44:09: VQPC PAK: xmt transaction ID = 0x000000AE
01:44:09: VQPC PAK: sending query to VMPS
01:44:09: VQPC PAK:
01:44:09: VQPC PAK: rcvd packet from VMPS
01:44:09: VQPC PAK: transaction ID = 0x000000AE
01:44:09: VQPC: rcvd response, transID = 0x000000AE
01:44:09: VQPC PAK: VLAN name TLV, vlanName = IT
01:44:09: VQPC PAK: Cookie TLV, cookie = 0022.19df.9252, length = 6
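The exchange in the debug output, rebuilt at the datagram level. This is an added example written for this page, not Cisco, OpenVMPS or Yersinia code. The field layout, opcodes, error codes and TLV type numbers are taken from the public OpenVMPS server and the Wireshark VQP dissector and are an assumption to verify against a capture; the client-side cookie check is this example's own addition. The query and reply are constructed and match the reconfirmation above (transaction ID 0xAE, VLAN IT, cookie 0022.19df.9252).

```python
"""VQP datagram encoder/decoder: an added example, not Cisco, OpenVMPS or Yersinia code.

The field layout is the one used by the public OpenVMPS server and the
Wireshark VQP dissector; it is an assumption to check against a capture:

    version(1) opcode(1) error(1) nitems(1) transaction_id(4)
    then nitems TLVs, each type(4) length(2) value

Opcodes 1..4 are request, response, reconfirm request, reconfirm response;
error codes 0/3/4/5 are none, access-denied, shutdown, wrong-domain; TLV types
0x0c01..0x0c08 carry client IP, port name, VLAN name, VTP domain, MAC and cookie.
The exchange built below is constructed for this example.
"""
import socket
import struct

REQUEST, RESPONSE, RECONFIRM_REQ, RECONFIRM_RESP = 1, 2, 3, 4
ERR_NONE, ERR_DENY, ERR_SHUTDOWN, ERR_WRONG_DOMAIN = 0, 3, 4, 5
T_CLIENT_IP, T_PORT_NAME, T_VLAN_NAME, T_DOMAIN, T_MAC, T_COOKIE = (
    0x0C01, 0x0C02, 0x0C03, 0x0C04, 0x0C06, 0x0C08)
HDR = struct.Struct("!BBBBI")


def build(opcode, transaction_id, items, error=ERR_NONE, version=1):
    """Serialise a VQP datagram; items is a list of (type, bytes) TLVs."""
    body = b"".join(struct.pack("!IH", t, len(v)) + v for t, v in items)
    return HDR.pack(version, opcode, error, len(items), transaction_id) + body


def parse(datagram):
    """Return (version, opcode, error, transaction_id, [(type, value), ...])."""
    if len(datagram) < HDR.size:
        raise ValueError("short VQP header")
    version, opcode, error, nitems, tid = HDR.unpack_from(datagram, 0)
    off, items = HDR.size, []
    for _ in range(nitems):                     # bounds-check every TLV
        if off + 6 > len(datagram):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!IH", datagram, off)
        off += 6
        if off + length > len(datagram):
            raise ValueError("TLV length runs past end of datagram")
        items.append((t, datagram[off:off + length]))
        off += length
    return version, opcode, error, tid, items


def cisco_mac(raw):
    """6 raw bytes -> the 0022.19df.9252 form used in the debug output."""
    h = raw.hex()
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"


def switch_query(tid, client_ip, port, domain, mac, opcode=REQUEST):
    """What the client switch sends for a new (or reconfirmed) source MAC."""
    return build(opcode, tid, [
        (T_CLIENT_IP, socket.inet_aton(client_ip)),
        (T_PORT_NAME, port.encode()),
        (T_VLAN_NAME, b""),                     # current VLAN; empty on a first query
        (T_DOMAIN, domain.encode()),
        (T_MAC, mac),
    ])


def vmps_reply(tid, mac, vlan_name=None, error=ERR_NONE, opcode=RESPONSE):
    """Server answer: VLAN name (when allowed) plus the MAC echoed as the cookie."""
    items = [(T_COOKIE, mac)]
    if vlan_name:
        items.insert(0, (T_VLAN_NAME, vlan_name.encode()))
    return build(opcode, tid, items, error=error)


def client_accept(outstanding_tid, queried_mac, datagram):
    """Switch-side acceptance: the response must echo the pending transaction id
    and (a check this example adds) the cookie must be the MAC that was queried.
    Nothing else binds the datagram to the real VMPS: the protocol has no
    authentication, so any host that can guess or observe the id can answer."""
    _, opcode, error, tid, items = parse(datagram)
    tlv = dict(items)
    if opcode not in (RESPONSE, RECONFIRM_RESP) or tid != outstanding_tid:
        return None                             # stale, or not an answer to our query
    if tlv.get(T_COOKIE) != queried_mac:
        return None
    vlan = tlv.get(T_VLAN_NAME, b"").decode() or None
    return {"error": error, "vlan": vlan, "cookie": cisco_mac(queried_mac)}


if __name__ == "__main__":
    mac = bytes.fromhex("002219df9252")
    q = switch_query(0xAE, "192.168.100.10", "Fa0/1", "mydomain", mac, RECONFIRM_REQ)
    r = vmps_reply(0xAE, mac, "IT", opcode=RECONFIRM_RESP)
    print(q.hex())
    print(client_accept(0xAE, mac, r))   # {'error': 0, 'vlan': 'IT', 'cookie': '0022.19df.9252'}
```

Feed a reply carrying ERR_DENY or ERR_SHUTDOWN through client_accept and the error field is all that changes; the transaction-ID and cookie checks are the only things a client has to tie a reply to its own query, which is worth remembering when assessing where a VMPS is allowed to sit on the network.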

The show vlan command shows the VLANs on the Switch and the ports assigned to each VLAN. Here, it shows that port Fa 0/1 is dynamically assigned to VLAN 10.

show vlan

Switch# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23
10   IT                               active    Fa0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

And finally, the show spanning-tree interface command shows the status of the port.

Port Status

Switch# show spanning-tree interface fa 0/1
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0010         Desg FWD 19        128.1    Edge P2p
Switch# show spanning-tree interface fa 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0010 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 24586, address 0008.a38a.c740
   Designated bridge has priority 24586, address 0008.a38a.c740
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 92, received 0

Further reading:

  1. http://www.firewall.cx/vlans-designing-vlans-dynamic-vlans.php
  2. http://www.supinfo-projects.com/2005/vmps_us/2/