|
|
This chapter describes how to configure dynamic port VLAN membership by using the VLAN Management Policy Server (VMPS).
These sections describe how to configure dynamic VLANs on Catalyst 2900 XL switches:
With VMPS, you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch dynamically assigns the new port to the proper VLAN for that host.
The Catalyst 2900 series XL switch acts as a client to the VMPS and communicates with it via the VLAN Query Protocol (VQP ). When the VMPS server receives a VQP request from a client switch, it searches its database for a MAC address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in secure mode. Secure mode determines whether the server shuts down the port when a VLAN is not allowed on it or just denies the port access to the VLAN.
In response to a request, the VMPS takes one of the following actions:
If the switch receives an access-denied response from the VMPS, it continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually reenabled by using the CLI, the manager software, or SNMP.
You can also make an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, VMPS sends an access-denied or port-shutdown response.
You can configure a fallback VLAN name. If you connect a device with a MAC address that is not in the database, VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN and the MAC address does not exist in the database, VMPS sends an access-denied response. If VMPS is in secure mode, it sends a port-shutdown response.
On a Catalyst 2900 XL switch, a dynamic (nontrunking) port can belong to only one VLAN. When the link comes up, the switch does not forward traffic to or from this port until a VLAN is identified for it. The source MAC address from the first packet of a new host on the dynamic port is sent to VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, VMPS sends the VLAN number for that port. If there is no match, VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting). See the "Understanding How VMPS Works" section for a complete description of possible VMPS responses.
 | Caution Dynamic port VLAN membership is for end stations. Connecting dynamic ports to other switches can cause a loss of connectivity. |
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again with VMPS before the port is assigned to a VLAN.
The following guidelines and restrictions apply to dynamic port VLAN membership:
Table 4-1 shows the default VMPS and dynamic port configuration on client switches.
| Feature | Default Configuration |
|---|---|
VMPS domain server | None |
VMPS reconfirm interval | 60 minutes |
VMPS server retry count | 3 |
Dynamic ports | No dynamic ports configured |
These sections describe how to configure a Catalyst 2900 XL switch as a VMPS client and configure its ports for dynamic VLAN membership.
To configure the switch as a client, you must enter the IP address of the
Catalyst 5000 or the other device acting as the VMPS. Perform this task from privileged EXEC mode:
| Task | Command |
|---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter the IP address of the switch acting as the primary VMPS server. | vmps server ipaddress primary |
Step 3 Enter the IP address for the switch acting as a secondary VMPS server. | vmps server ipaddress |
Step 4 Return to privileged EXEC mode. | end |
Step 5 Verify the VMPS server entry. | show vmps |
This example shows how to enter the primary and backup VMPS devices:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# vmps server 172.20.128.179 primary Switch(config)# vmps server 172.20.128.178 Switch(config)# end Switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: 1 Reconfirm Interval: 60 min Server Retry Count: 3VMPS domain server: 172.20.128.179 (primary, current) 172.20.128.178 Reconfirmation status --------------------- VMPS Action: No Dynamic Port
To configure dynamic ports on VMPS client switches, perform this task from privileged EXEC mode:
| Task | Command |
|---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter interface configuration mode and the name of the port to be configured. | interface interface |
Step 3 Set the port to access mode. | switchport mode access |
Step 4 Configure the port as eligible for dynamic VLAN access. | switchport access vlan dynamic |
Step 5 Return to privileged EXEC mode. | end |
Step 6 Verify the entry. | show interface interface switchport |
This example shows how to configure a port as a dynamic access port and then verify the entry:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface fa0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan dynamic Switch(config-if)# end Switch# show interface fa0/1 switchport Name: Fa0/1 Switchport: Enabled Administrative mode: dynamic access
You can display information about the VMPS by using the privileged EXEC show vmps command.
VMPS VQP Version | The version of VQP used to communicate with the VMPS. The switch queries the VMPS using version 1 of VQP. |
Reconfirm Interval | The number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments. |
Server Retry Count | The number of times VQP resends a query to the VMPS. If no response is received after this many tries, the switch starts to query the backup VMPS. |
VMPS domain server | The IP address of the configured VLAN membership policy servers. The switch currently sends queries to the one marked current. The one marked primary is the primary server. |
VMPS Action | The result of the most-recent reconfirmation attempt. This can happen automatically when the reconfirmation interval expired, or you can force it by entering the privileged EXEC vmps reconfirm command or its manager software or SNMP equivalent. |
The following example shows how to display VMPS information on the Catalyst 2900 XL:
Switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: 1 Reconfirm Interval: 60 min Server Retry Count: 3 VMPS domain server: Reconfirmation status --------------------- VMPS Action: other
The following example shows how to display VMPS statistics:
Switch# show vmps statistics VMPS Client Statistics ---------------------- VQP Queries: 0 VQP Responses: 0 VMPS Changes: 0 VQP Shutdowns: 0 VQP Denied: 0 VQP Wrong Domain: 0 VQP Wrong Version: 0 VQP Insufficient Resource: 0
In case an administrator has made a change, VMPS clients periodically reconfirm the VLAN membership information that they have received from the VMPS. You can set the interval after which the reconfirmation occurs. Perform this task from privileged EXEC mode:
| Task | Command |
|---|---|
Step 1 Enter global configuration mode. | configure terminal |
Step 2 Enter the number of minutes between reconfirmations of the dynamic VLAN membership. | vmps reconfirm minutes |
Step 3 Return to privileged EXEC mode. | end |
Step 4 Verify the dynamic VLAN reconfirmation status. | show vmps |
This example shows how to change the reconfirmation interval to 60 minutes and verify the change by displaying the VMPS information:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# vmps reconfirm 60 Switch(config)# end Switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: 1
You can confirm the VLAN membership information that the switch has received from the VMPS at any time. To confirm the dynamic port VLAN membership assignments, perform this task from privileged EXEC mode:
| Task | Command |
|---|---|
Step 1 Reconfirm dynamic port VLAN membership. | vmps reconfirm |
Step 2 Verify the dynamic VLAN reconfirmation status. | show vmps |
This example shows how to reconfirm dynamic port VLAN membership assignments from privileged EXEC mode:
Switch#vmps reconfirmSwitch#show vmps VQP Client Status: -------------------- VMPS VQP Version: 1 Reconfirm Interval: 60 min Server Retry Count: 10 VMPS domain server: 172.20.130.50 (primary, current) Reconfirmation status --------------------- VMPS Action: Success
A dynamic port might shut down under these conditions:
To reenable a shut-down dynamic port, enter the interface configuration mode
no shutdown command.
This example shows a sample VMPS database configuration file as it appears on a
Catalyst 5000 series switch. A VMPS database configuration file is an ASCII text file that is stored on a TFTP server accessible to the switch that functions as the VMPS server.
!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode { open | secure }
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
device 198.92.30.32 port Fa1/3
device 172.20.26.141 port Fa1/4
vmps-port-group "Executive Row"
device 198.4.254.222 port Fa0/1
device 198.4.254.222 port Fa0/2
device 198.4.254.223 all-ports
!
!VLAN groups
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
!
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
vmps-port-policies vlan-name Green
device 198.92.30.32 port Fa0/9
vmps-port-policies vlan-name Purple
device 198.4.254.22 port Fa0/10
port-group "Executive Row"
Figure 4-1 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply:
Use this procedure to configure VMPS and dynamic ports:
In this procedure, the VMPS is configured on the Catalyst 5000 switches. Use this procedure to configure the Catalyst 2900 series clients in the network:
Step 1 Configure the VMPS server addresses on Switch 2, the Catalyst 2900 series client.
(a) Starting from privileged EXEC mode, enter global configuration mode:
switch# configuration terminal
(a) Enter the primary VMPS server IP address:
switch(config)# vmps server 172.20.26.150 primary
(b) Enter the secondary VMPS server IP addresses:
switch(config)# vmps server 172.20.26.152
(c) To verify your entry of the VMPS IP addresses, return to privileged EXEC mode:
switch#(config) end
(d) Display VMPS information configured for the switch:
switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version: 1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.26.152
172.20.26.150 (primary, current
Step 2 Configure port Fa0/1 on Switch 2 as a dynamic port.
(a) Return to global configuration mode:
switch# configure terminal
(b) Enter interface configuration mode:
switch(config)# interface fa0/1
(c) Configure the VLAN membership mode for static-access ports:
switch(config-if)# switchport mode access
(d) Assign the port dynamic VLAN membership:
switch(config-if)# switchport access vlan dynamic
(e) Return to privileged EXEC mode:
switch(config-if)# end
switch#
Step 3 Connect End Station 2 on port Fa0/1. When End Station 2 sends a packet, Switch 2 sends a query to the primary VMPS server, Switch 1. Switch 1 responds with the VLAN ID for port Fa0/1. Because Spanning-Tree Protocol Port Fast mode is enabled by default on dynamic ports, port Fa0/1 connects immediately and begins forwarding.
Step 4 Set the VMPS reconfirmation period to 60 minutes. The reconfirmation period is the number of minutes the switch waits before reconfirming the VLAN to MAC address assignments.
switch# config terminal
switch(config)# vmps reconfirm 60
Step 5 Confirm the entry from privileged EXEC mode:
switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: 1 Reconfirm Interval: 60 min Server Retry Count: 3 VMPS domain server: Reconfirmation status --------------------- VMPS Action: No Dynamic Port
Step 6 Repeat Steps 1 and 2 to configure the VMPS server addresses and assign dynamic ports on each VMPS client switch.
|
|