|
|
 |
Note Catalyst 6000 family switches support VMPS client only. You must have a Catalyst 5000 family switch as the VMPS server to configure dynamic port VLAN membership. VMPS server configuration is included in this chapter as a convenience; all VMPS server configuration must be performed on the Catalyst 5000 family switch. |
This chapter describes how to configure dynamic port VLAN membership using the VMPS.
|
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication. |
This chapter consists of these sections:
With VMPS, you can assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.
When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle the switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.
VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests. When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping.
If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is not in secure mode, the host receives an "access denied" response. If VMPS is in secure mode, the port is shut down.
If a VLAN in the database does not match the current VLAN on the port and active hosts are on the port, VMPS sends an access denied or a port shutdown response based on the VMPS secure mode.
You can configure a fallback VLAN name. If you connect a device with a MAC address that is not in the database, VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN and the MAC address does not exist in the database, VMPS sends an access denied response. If VMPS is in secure mode, it sends a port shutdown response.
You can also make an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, VMPS sends an access denied or port shutdown response.
A dynamic port can belong to only one VLAN at a time. When the link comes up, a dynamic port is isolated from its static VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, VMPS provides the VLAN number to assign to the port. If there is no match, VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to an isolated state. Any hosts that come online through the port are checked again with VMPS before the port is assigned to a VLAN.
Table 12-1 shows the default VMPS and dynamic port configuration.
| Feature | Default Configuration |
|---|---|
| VMPS server | |
VMPS enable state | Disabled |
VMPS management domain | Null |
VMPS TFTP server | None |
VMPS database configuration filename | vmps-config-database.1 |
VMPS fallback VLAN | Null |
VMPS secure mode | Open |
VMPS no domain requests | Allow |
| VMPS Client | |
VMPS domain server | None |
VMPS reconfirm interval | 60 minutes |
VMPS server retry count | 3 |
Dynamic ports | No dynamic ports configured |
|
Note This section applies to VMPS server configuration on the Catalyst 5000 family switch only. |
These guidelines and restrictions apply to dynamic port VLAN membership:
|
Note The VTP management domain and the management VLAN of VMPS clients and the VMPS server must be the same. For more information, see "Configuring VTP," and "Configuring VLANs." |
These sections describe how to configure VMPS and define dynamic ports on clients:
|
Note This section applies to VMPS server configuration on the Catalyst 5000 family switch only. |
To use VMPS, you first must create a VMPS database and store it on a TFTP server. The VMPS parser is line based. Start each entry in the file on a new line. Ranges are not allowed for the port numbers.
|
Note For an example ASCII text VMPS database configuration file, see the "VMPS Database Configuration File Example" section. |
Follow these guidelines for creating the VMPS database file:
To create a VMPS database, perform this task:
| Task | Command | |
|---|---|---|
Step 1 | Determine the MAC addresses of the hosts you want to be assigned to VLANs dynamically. | show cam |
Step 2 | Create an ASCII text file on your workstation or PC that contains the MAC address-to-VLAN mappings. |
|
Step 3 | Move the ASCII text file to a TFTP server so it can be downloaded to the switch. |
|
|
Note This section applies to VMPS server configuration on the Catalyst 5000 family switch only. |
When you enable VMPS, the switch downloads the VMPS database from the TFTP server and begins accepting VMPS requests.
To configure VMPS, perform this task in privileged mode:
| Task | Command | |
|---|---|---|
Step 1 | Specify the download method. | set vmps downloadmethod rcp | tftp [username] |
Step 2 | Configure the IP address of the TFTP or rcp server on which the ASCII text VMPS database configuration file resides. | set vmps tftpserver ip_addr [filename] |
Step 3 | Enable VMPS. | set vmps state enable |
Step 4 | Verify the VMPS configuration. | show vmps |
This example shows how to enable VMPS on the switch:
Console> (enable) set vmps state enable Vlan Membership Policy Server enable is in progress. Console> (enable)
To disable VMPS, perform this task in privileged mode:
| Task | Command | |
|---|---|---|
Step 1 | Disable VMPS. | set vmps state disable |
Step 2 | Verify that VMPS is disabled. | show vmps |
This example shows how to disable VMPS on the switch:
Console> (enable) set vmps state disable All the VMPS configuration information will be lost and the resources released on disable. Do you want to continue (y/n[n]): y Vlan Membership Policy Server disabled. Console> (enable)
|
Note This section applies to VMPS client configuration on the Catalyst 5000 family switch only. |
To configure dynamic ports on VMPS client switches, perform this task in privileged mode:
| Task | Command | |
|---|---|---|
Step 1 | Specify the IP address of the VMPS server (the switch with VMPS enabled). | set vmps server ip_addr [primary] |
Step 2 | Verify the VMPS server specification. | show vmps server |
Step 3 | Configure dynamic port VLAN membership assignment to a port. | set port membership mod_num/port_num dynamic |
Step 4 | Verify the dynamic port assignments. | show port [mod_num[/port_num]] |
|
Note The show port command displays dyn- under the Vlan column of the display when it has not yet been assigned a VLAN for a port. |
To show information about MAC address-to-VLAN mappings, perform one of these tasks in privileged mode:
| Task (performed on Catalyst 5000 family switch only) | Command |
|---|---|
| show vmps mac [mac_address] |
| show vmps vlan [vlan_name] |
| show vmps vlanports [vlan_name] |
To show VMPS statistics, perform this task in privileged mode:
| Task | Command |
|---|---|
Show VMPS statistics. | show vmps statistics |
To clear VMPS statistics, perform this task in privileged mode:
| Task | Command |
|---|---|
Clear VMPS statistics. | clear vmps statistics |
To clear a VMPS server entry, perform this task in privileged mode:
| Task (performed on Catalyst 5000 family switch only) | Command |
|---|---|
Clear a VMPS server entry. | clear vmps server ip_addr |
To reconfirm the dynamic port VLAN membership assignments, perform this task in privileged mode:
| Task | Command | |
|---|---|---|
Step 1 | Reconfirm dynamic port VLAN membership. | reconfirm vmps |
Step 2 | Verify the dynamic VLAN reconfirmation status. | show dvlan statistics |
This example shows how to reconfirm dynamic port VLAN membership assignments:
Console> (enable) reconfirm vmps reconfirm process started Use 'show dvlan statistics' to see reconfirm status Console> (enable)
To download the VMPS database manually (to download a changed database configuration file or retry after a failed download attempt), perform this task in privileged mode:
| Task (performed on Catalyst 5000 family switch only) | Command | |
|---|---|---|
Step 1 | Download the VMPS database from the TFTP server, or specify a different VMPS database configuration file. | download vmps |
Step 2 | Verify the VMPS database configuration file. | show vmps |
To return a port to static VLAN port membership, perform this task in privileged mode:
| Task | Command | |
|---|---|---|
Step 1 | Configure static port VLAN membership assignment to a port. | set port membership mod_num/port_num static |
Step 2 | Verify the static port assignments. | show port [mod_num[/port_num]] |
This example shows how to return a port to static VLAN port membership:
Console> (enable) set port membership 3/1 static Port 3/1 vlan assignment set to static. Console> (enable)
These sections describe how to troubleshoot VMPS and dynamic port VLAN membership:
|
Note This section applies to troubleshooting the VMPS server configuration on the Catalyst 5000 family switch only. |
Table 12-2 shows VMPS error messages you might see when you enter the set vmps state enable or the download vmps command.
| VMPS Error Message | Recommended Action |
|---|---|
| Specify the TFTP server address using the command, set vmps tftpserver ip_addr [filename]. |
| Enter a static route (using the set ip route command) to the TFTP server. |
| Check the filename of the VMPS database configuration file on the TFTP server. Make sure the permissions are set correctly. |
| The switch does not have sufficient resources to run the database. You can fix this problem by increasing the dynamic random-access memory (DRAM). |
After VMPS successfully downloads the VMPS database configuration file, it parses the file and builds a database. When the parsing is complete, VMPS outputs statistics about the total number of lines parsed and the number of parsing errors.
To obtain more information on VMPS parsing errors, set the syslog level for VMPS to 3 using the set logging level vmps 3 command.
|
Note For more information on system error messages, refer to the System Message Guide---Catalyst 6000 Family, Catalyst 5000 Family, and Catalyst 4000 Family, Catalyst 2926G Series, Catalyst 2948G, and Catalyst 2980G. |
A dynamic port might shut down under these circumstances:
To reenable a shut-down dynamic port, enter the set port enable mod_num/port_num command.
These sections show examples of how to configure VMPS and dynamic ports:
|
Note This example applies to the VMPS server configuration on the Catalyst 5000 family switch only. |
This example shows a sample VMPS database configuration file. A VMPS database configuration file is an ASCII text file that is stored on a TFTP server accessible to the switch configured as the VMPS server. A summary of the configuration example follows:
vmps domain vtp-domain vmps mode open vmps fallback default vmps no-domain-req deny vmps-mac-addrs address 0000.7777.0001 vlan-name qa address 0000.7777.0002 vlan-name qa address 0000.7777.0003 vlan-name swe address 0000.7777.0004 vlan-name swe address 0000.7777.0005 vlan-name inside address 0000.7777.0006 vlan-name inside address 0000.7777.0007 vlan-name outside address 0000.7777.0008 vlan-name outside vmps-port-group portgroup1 device 192.168.1.2 port 3/13 device 192.168.1.2 port 3/14 device 192.168.2.2 port 3/9 device 192.168.2.2 port 3/10 vmps-vlan-group engineering vlan-name qa vlan-name swe vmps-port-policies vlan-group engineering port-group portgroup1 vmps-port-policies vlan-name qa device 192.168.1.2 port 3/13 device 192.168.2.2 port 3/9 vmps-port-policies vlan-name swe device 192.168.1.2 port 3/14 device 192.168.2.2 port 3/10 vmps-port-group portgroup2 device 192.168.1.2 port 3/15 device 192.168.1.2 port 3/16 device 192.168.2.2 port 3/11 device 192.168.2.2 port 3/12 vmps-vlan-group sales vlan-name inside vlan-name outside vmps-port-policies vlan-group sales port-group portgroup2 vmps-port-policies vlan-name inside device 192.168.1.2 port 3/15 device 192.168.2.2 port 3/11 vmps-port-policies vlan-name outside device 192.168.1.2 port 3/16 device 192.168.2.2 port 3/12 device 192.168.1.3 port 9/48
Figure 12-1 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply:
Use this procedure to configure VMPS and dynamic ports on the Catalyst 5000 family switch only:
a. Configure the IP address of the TFTP server on which the ASCII file resides:
Console> (enable) set vmps tftpserver 172.20.22.7 Bldg-G.db
b. Enable VMPS:
Console> (enable) set vmps state enable
After entering these commands, the file Bldg-G.db is downloaded to Switch 1. Switch 1 becomes the VMPS server.
Step 2 Configure the VMPS server addresses on each VMPS client:
a. Configure the primary VMPS server IP address:
Console> (enable) set vmps server 172.20.26.150 primary
b. Configure the secondary VMPS server IP addresses:
Console> (enable) set vmps server 172.20.26.152 Console> (enable) set vmps server 172.20.26.159
c. Verify the VMPS server addresses:
Console> (enable) show vmps server
Step 3 Configure port 3/1 on Switch 2 as dynamic:
Console> (enable) set port membership 3/1 dynamic
Step 4 Connect End Station 2 on port 3/1. When End Station 2 sends a packet, Switch 2 sends a query to the primary VMPS server, Switch 1. Switch 1 responds with the VLAN to assign to port 3/1. Because spanning-tree PortFast mode is enabled by default on dynamic ports, port 3/1 connects immediately and enters forwarding mode.
Step 5 Repeat Steps 2 and 3 to configure the VMPS server addresses and assign dynamic ports on each VMPS client switch.
Posted: Sun Jun 11 02:24:37 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.