Normally, when you configure a VLAN, you must perform three steps:
1. Ensure that the Catalyst belongs to a VTP domain.
2. Create a VLAN.
3. Assign ports to the VLAN.
The first two steps
globally affect Catalysts. When you create a VLAN, VTP announces the addition or deletion of the VLAN throughout
the VTP domain. Assigning ports to a VLAN, however, is a local event. VTP
does not announce what ports belong to which VLAN. You must log in to the
Catalyst where you want to assign ports. After you assign the port to a VLAN,
any device attached to the port belongs to the assigned VLAN. (The exception
to this is the port security feature that allows one and only one MAC address
on the port to belong to the VLAN.) When you attach a station to a port on
the Catalyst, you need to ensure that the port belongs to the correct VLAN.
Unfortunately, you might not always have access to the CLI to make a change.
Or you might have users who frequently relocate within their facility, but you
do not want them to bother you every time they relocate a station,
especially when it happens after midnight or on a weekend.
Cisco built a feature into the Catalyst to facilitate dynamic port configurations.
The dynamic VLAN feature automatically configures a port to a VLAN based upon
the MAC address of the device attached to the port, as shown in the following
sequence:
1. When you attach a device to the port and the device transmits a frame,
the Catalyst learns the source MAC address.
2. The Catalyst then interrogates a VLAN membership policy server (VMPS).
The VMPS server has a database of MAC addresses and the authorized VLAN for
each MAC address.
3. The VMPS responds to the client Catalyst with the authorized VLAN.
4. The VMPS client Catalyst configures the port to the correct VLAN based upon
the information received from the VMPS.
The bulk of your work as the network administrator is to initially build
the database. After you build the database, you (or your users) do not have
to statically configure a Catalyst every time that a device moves from one
port to another.
This feature also provides a level of security because the user's MAC
address for the device must be in a database before the Catalyst assigns the
port to a VLAN. If the MAC address is not in the database, the Catalyst can
refuse the connection or assign the user to a default VLAN.
Three components enable a dynamic VLAN environment. First, you must
have a TFTP server. The VMPS database resides as a text file on the TFTP server.
The second component, the VMPS server, reads the database from the TFTP server
and keeps a local copy of all of the data. Dynamic VLAN clients interrogate the
VMPS whenever a device attaches to a port on the Catalyst. You can configure
up to two backup VMPS servers. The third component, the VMPS client, communicates
with the VMPS server over UDP, using port 1589. This is a well-known port
registered with the Internet Assigned Numbers Authority (IANA) as VQP
(VMPS Query Protocol).
Figure 5-20 illustrates the relationship
between the components. Cat-A serves as the primary VMPS server, with two
other Catalysts also enabled as backup VMPS servers. The section on configuring
the VMPS client details how to identify primary and backup VMPS servers. The
VMPS server (Cat-A) accesses the TFTP server when you initially enable the
VMPS server, or whenever you manually force the VMPS to download a new configuration
table. The VMPS server must have an IP address and it might need a default
route to the TFTP server for the VMPS server to initialize. The VMPS server
needs a default route if the VMPS and TFTP servers reside on different subnets/VLANs.
Cat-B and Cat-C are each configured as VMPS clients and get port-to-VLAN
authorizations from the VMPS server. Therefore, they need to be able to communicate
with the VMPS server.
The following list outlines the steps for configuring dynamic VLANs:
1. Build the VLAN database and load it into a TFTP server.
2. Configure the VMPS server IP address.
3. On the VMPS server, enter the IP address of the TFTP server.
4. Enable the VMPS server.
5. Configure VMPS clients with an IP address.
6. On the VMPS clients, configure the IP address of the VMPS server.
7. Identify dynamic ports on clients.
The sections that follow provide more detail on this seven-step sequence
for configuring dynamic VLANs.
The bulk of your configuration activity
resides in building the VMPS database, a simple text file. The VMPS server
downloads the text file database and uses it to determine whether devices
are authorized to join a VLAN. Example 5-5
shows a representative database. The database divides into three portions.
The first part modifies global parameters for the VMPS system. The second
part defines the MAC address and the authorized VLAN for the address. The
third part defines other policies to restrict VLANs to specific ports or groups
of ports.
Example 5-5. VLAN Database Example
!PART 1: GLOBAL SETTINGS
!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode { open | secure }
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
! The VMPS domain name MUST MATCH the VTP domain name.
vmps domain testvtp
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!PART 2: MAC ADDRESS DATABASE
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0060.0893.dbc1 vlan-name Engineering
address 0060.08aa.5279 vlan-name --NONE--
address 0060.08b6.49fb vlan-name Engineering
!
!PART 3: OTHER POLICIES
!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
vmps-port-group restrictengineering
device 172.16.1.2 port 3/1
device 172.16.1.2 port 3/2
device 172.16.1.3 port 4/1
device 172.16.1.3 port 4/3
device 172.16.1.3 port 4/5
!
!
!
!VLAN groups
! USE THIS TO ASSOCIATE A GROUP OF VLANs TOGETHER. THE DATABASE TREATS
! ALL OF THE VLANs AS A SINGLE GROUP.
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
!
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
vmps-port-policies vlan-name Engineering port-group restrictengineering
!
In the global configuration
portion of the database (Part 1 in Example 5-5),
you configure the VMPS domain name, the security mode, the fallback VLAN,
and the policy regarding VMPS and VTP domain
name mismatches.
The VMPS domain name must match the VTP domain name for the VMPS server
to respond to a VMPS client. You can force the VMPS server to accept requests
from VMPS clients with a domain name mismatch by setting the parameter vmps no-domain-req allow in the database.
The database entry vmps mode { open | secure } defines what action to take
if the VMPS server does not have an entry for a MAC address. In open mode,
if there is no entry for the MAC address, the server assigns the port to the
fallback VLAN; if you do not define a fallback, the port remains unassigned.
In secure mode, the VMPS server instructs the VMPS client to shut down the
port instead of leaving it unassigned. A host on an unassigned port can keep
trying, because the client sends a new request each time the host transmits.
A shutdown port stays shut down until you enable it.
The fallback VLAN is like a miscellaneous VLAN. If the database does not
have an entry for the MAC address, the VMPS server assigns the device to the
fallback VLAN, if one is configured.
The heart of the database is found here in the middle portion (Part 2
of Example 5-5). This defines
the MAC address-to-VLAN association. Each device that you want to dynamically
assign needs to have an entry in the database indicating its MAC address
and the authorized VLAN. If the host attaches to a dynamic port, the Catalyst
refers to the database for the VLAN assignment. Note that the VLAN assignment
is by name, not by VLAN number. Also note the reserved VLAN name --NONE--.
Mapping a MAC address to --NONE-- explicitly denies that address access
through any dynamic port. Use this to ensure that certain devices never work
when attached to a dynamic port. You can achieve a similar result by setting
the mode to secure and not defining a fallback VLAN, but that affects all
devices not in the database, not just a specific MAC address.
You can elect to enable these services for security reasons. For example,
you might have specific devices that you never want to gain access through
dynamic ports, in which case you can use the mapping to --NONE--. This
prevents the device from even joining the fallback VLAN. On the other hand,
you might not want any station that is not in the database to dynamically
join any VLAN. In this case, set the mode to secure. This saves you from
having to explicitly identify every excluded device.
Through the third part of the VMPS database (Part 3 in Example 5-5), you
can restrict VLANs to specific ports on the VMPS client. Suppose, for example,
that you want to ensure that hosts in the Engineering VLAN get authorized only
when they attach to Ports 3/1 and 3/2 on Cat-B, and Ports 4/1, 4/3, and 4/5
on Cat-C in Figure 5-20. If such a host attaches to any other dynamic port,
the VMPS does not authorize the port configuration, even though the MAC
address is in the database. You can configure this in the database as shown
in the third part of Example 5-5. Note that the database identifies each
VMPS client by its IP address when it specifies the policies regarding it.
You
should complete the TFTP file configuration before you enable the VMPS server.
You can have up to three VMPS servers, the active and two backups. When you
enable the server, it attempts to download the database from the TFTP server.
If it fails to download the database, the Catalyst does not enable the VMPS
server function.
Two commands configure the VMPS server: set vmps tftpserver ip_addr [filename]
and set vmps state enable. The first command points the VMPS server to the
TFTP server and optionally specifies the database filename to request. If you
do not specify a filename, the VMPS tries the filename vmps-config-database.1.
After you configure the TFTP server information, you can enable the VMPS
server with the command set vmps state enable. At this point, the VMPS server
attempts to download the VMPS database from the TFTP server.
If at some point after you enable the server you modify the VMPS database
on the TFTP server, you can force the VMPS server to acquire the new database
with the command download vmps.
You can check the status of the VMPS server with the command show vmps. This command reports all of the current
configuration information for the server, as shown in Example
5-6.
Example 5-6. show vmps Output
Console> show vmps
VMPS Server Status:
-------------------
Management Domain: Accounting
State: enabled
Operational Status: active
TFTP Server: 144.254.10.33
TFTP File: myvmpsdatabase.db
Fallback VLAN: miscbucket
Secure Mode: open
VMPS No Domain Req: allow
VMPS Client Status:
---------------------
VMPS VQP Version: 1
Reconfirm Interval: 20 min
Server Retry Count: 3
VMPS domain server: 172.16.1.1
No dynamic ports configured.
Console>
The show vmps command works for both
the VMPS server and client. The top half of the display shows the server configuration
information, and the bottom half displays client values. If you have trouble
getting the VMPS server operational, use this command to view a summary of
the parameters. In particular, check that the VMPS domain name matches the
VTP domain name. State is either enabled
or disabled. You should see enabled
if you entered the set vmps state enable
command. Check the operational status. This displays either active, inactive, or downloading.
The downloading status implies that the
VMPS server is retrieving the VMPS database from the TFTP server. The inactive status means that the VMPS server tried
to get the database, but failed and became inactive. Finally, check the database
filename and ensure that the Catalyst can reach the server, that the file
exists, and that it is a VMPS file.
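The checklist in the preceding paragraph can be run mechanically against the text of show vmps. The Python below is an added example, not code from the book or from Cisco: it parses a constructed transcript laid out like Example 5-6 (with State reading enabled) and reports the conditions the paragraph says to look for. The VTP domain name it compares against is assumed to have been obtained separately from the same Catalyst.

```python
import re
from typing import Dict, List

# Constructed transcript laid out like Example 5-6 (sample data, not a real switch).
SAMPLE_SHOW_VMPS = """\
Console> show vmps
VMPS Server Status:
-------------------
Management Domain: Accounting
State: enabled
Operational Status: active
TFTP Server: 144.254.10.33
TFTP File: myvmpsdatabase.db
Fallback VLAN: miscbucket
Secure Mode: open
VMPS No Domain Req: allow

VMPS Client Status:
---------------------
VMPS VQP Version: 1
Reconfirm Interval: 20 min
Server Retry Count: 3
VMPS domain server: 172.16.1.1
No dynamic ports configured.
Console>
"""

# One "Label: value" line; the label is kept exactly as the Catalyst prints it.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_show_vmps(output: str) -> Dict[str, str]:
    """Collect every 'Label: value' line of show vmps into a dictionary."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def vmps_server_problems(fields: Dict[str, str], vtp_domain: str) -> List[str]:
    """Apply the chapter's troubleshooting checklist to the server half of the output.

    Returns an empty list when nothing looks wrong. vtp_domain is the VTP domain
    name of the Catalyst, obtained separately (assumption of this example).
    """
    problems: List[str] = []
    domain = fields.get("Management Domain", "")
    if domain != vtp_domain:
        problems.append(f"VMPS domain '{domain}' does not match VTP domain '{vtp_domain}'")
    if fields.get("State") != "enabled":
        problems.append("server is not enabled (set vmps state enable)")
    status = fields.get("Operational Status", "")
    if status == "inactive":
        problems.append("database download failed: check TFTP reachability, file name and file format")
    elif status == "downloading":
        problems.append("database download still in progress; re-check shortly")
    elif status != "active":
        problems.append(f"unexpected operational status '{status}'")
    if not fields.get("TFTP Server") or not fields.get("TFTP File"):
        problems.append("TFTP server or database file name not set (set vmps tftpserver)")
    return problems


if __name__ == "__main__":
    parsed = parse_show_vmps(SAMPLE_SHOW_VMPS)
    for p in vmps_server_problems(parsed, "Accounting") or ["server looks healthy"]:
        print(p)
```

Feeding the same transcript with a different VTP domain name, or with Operational Status changed to inactive, produces the corresponding findings; the domain mismatch is the one the chapter singles out because the server silently ignores clients in that case.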
Cisco has two optional tools for the VMPS database: the User Registration
Tool (URT) and the User Tracker for Cisco Works for Switched Internetworks
(CWSI). The tools help with the creation of the database and allow you to
place the VMPS server in a non-Catalyst device. The sections that follow
provide additional information on these two tools.
Cisco's User Registration Tool (URT) allows you to have a VLAN membership
database built based upon a user's Windows NT login information rather than
upon a MAC address. You can only use URT with Windows 95/98 and Windows NT 4
clients running Microsoft Networking (NetBIOS or Client for Microsoft Networks)
over TCP/IP using the Dynamic Host Configuration Protocol (DHCP). URT does not
support other operating systems or network layer protocols. You must manually
load a URT client package on the NT 4 clients/servers so it can interact with
the URT server. However, Windows 95/98 clients automatically install the URT
client service from their NT domain controller.
URT sets up an NT 4 database and behaves like a VMPS server. You still
need to enable Catalysts as VMPS clients pointing to the NT server with the
URT database.
Managing the URT server requires CWSI 2.1 as it interacts with the CWSI
2.1 ANI server to define workstation relationships to VLANs.
User Tracker simplifies the task of building the TFTP server database.
With Cisco Works for Switched Internetworks (CWSI), you can use the User Tracker
function to build the database. User Tracker keeps track of individual stations
in your network. Through a series of screens, you can use the information
gleaned by User Tracker to automatically add entries to the VMPS database
on your TFTP server. This eliminates the need for you to manually type entries
into the database, and with it the typographical errors that manual entry invites.
The VMPS client configuration includes steps to inform the client of the IP
address of the VMPS server and to set ports to dynamic mode. By default, ports
are in static mode, which means that you must manually configure the VLAN
membership. Setting a port to dynamic means that the Catalyst automatically
configures the port's VLAN membership based upon the response of the VMPS server.
Use the command set vmps server ip_addr [primary] to inform the client about the VMPS server
IP address. You can specify up to three VMPS servers in the configuration
file. One server functions as the primary server, the other two as backups.
To configure ports as dynamic, use the command set port membership
mod_num/port_num dynamic. You cannot make a trunk port a dynamic port; you
must first turn off trunking before you set port membership to dynamic. Nor
can you set a secure port to dynamic; if you have port security enabled on
the port, you must disable it first. After you enter the set port membership
command, the Catalyst attempts to communicate with the VMPS server using VQP
when the attached device initially transmits. If the client successfully
communicates with the server, the server responds in one of four ways:
1. If the VMPS server finds an entry for the MAC address in the VMPS database,
it responds with the authorized VLAN for that device. The VMPS client enables
the port and configures it for that VLAN.
2. If the VMPS server does not find the MAC address in the database, it
assigns the device to the fallback VLAN, if you set one up in the database.
3. If you do not have a fallback specified and the security option is
disabled, the server responds with instructions to deny access. Deny leaves
the port unassigned and allows the device to try again.
4. If you do not have a fallback specified and the security option is
enabled, the server instructs the client to shut down the interface. Shutdown
literally shuts down the port and prevents any further attempts to
dynamically assign it.
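The rules spread across the database discussion (Parts 1 through 3 of Example 5-5, the open and secure modes, the fallback VLAN and the reserved name --NONE--) and the four responses just listed fit in one short model. The Python below is an added example, not code from the book or from Cisco's VMPS implementation: parse_vmps_database reads a constructed database laid out like Example 5-5 (port groups are assumed to be defined before the policies that reference them, as in the example, and a policy's target may sit on the same line or on an indented continuation line), and vmps_decide returns the answer the chapter describes for one query, including the silent case of a domain mismatch with no-domain-req deny. A known MAC address arriving on a port excluded by a port policy is treated as a plain deny here; that is an assumption, since the chapter says only that the port is not authorized.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed database laid out like Example 5-5; lines starting with '!' are comments.
SAMPLE_DB = """\
!PART 1: GLOBAL SETTINGS
vmps domain testvtp
vmps mode open
vmps fallback default
vmps no-domain-req deny
!PART 2: MAC ADDRESS DATABASE
vmps-mac-addrs
address 0060.0893.dbc1 vlan-name Engineering
address 0060.08aa.5279 vlan-name --NONE--
address 0060.08b6.49fb vlan-name Engineering
!PART 3: OTHER POLICIES
vmps-port-group restrictengineering
 device 172.16.1.2 port 3/1
 device 172.16.1.2 port 3/2
 device 172.16.1.3 port 4/1
 device 172.16.1.3 port 4/3
 device 172.16.1.3 port 4/5
vmps-port-policies vlan-name Engineering port-group restrictengineering
"""

PortRef = Tuple[str, str]  # (VMPS client IP, "mod/port" or "all-ports")
GLOBALS = {"domain": "domain", "mode": "mode", "fallback": "fallback",
           "no-domain-req": "no_domain_req"}


@dataclass
class VmpsDatabase:
    domain: str = ""
    mode: str = "open"             # open | secure
    fallback: Optional[str] = None
    no_domain_req: str = "allow"   # allow | deny
    macs: Dict[str, str] = field(default_factory=dict)                # MAC -> VLAN name
    port_groups: Dict[str, Set[PortRef]] = field(default_factory=dict)
    vlan_groups: Dict[str, Set[str]] = field(default_factory=dict)
    policies: Dict[str, Set[PortRef]] = field(default_factory=dict)   # VLAN -> allowed ports


def _port_ref(tok: List[str]) -> PortRef:
    # tok is ["device", <ip>, "port", <mod/port>] or ["device", <ip>, "all-ports"]
    return (tok[1], tok[3] if len(tok) > 3 and tok[2] == "port" else "all-ports")


def _add_policy_target(db: VmpsDatabase, vlans: Set[str], tok: List[str]) -> None:
    if not tok:
        return
    ports = db.port_groups.get(tok[1], set()) if tok[0] == "port-group" else {_port_ref(tok)}
    for v in vlans:
        db.policies.setdefault(v, set()).update(ports)


def parse_vmps_database(text: str) -> VmpsDatabase:
    """Parse the three-part text database into lookup tables."""
    db = VmpsDatabase()
    section = ""                   # multi-line block currently being filled
    name = ""                      # current port-group / vlan-group name
    policy_vlans: Set[str] = set()  # VLANs named by the current vmps-port-policies line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "vmps" and len(tok) >= 3 and tok[1] in GLOBALS:
            setattr(db, GLOBALS[tok[1]], tok[2])
        elif tok[0] == "vmps-mac-addrs":
            section = "mac"
        elif tok[0] == "address" and len(tok) >= 4 and tok[2] == "vlan-name":
            db.macs[tok[1].lower()] = tok[3]
        elif tok[0] == "vmps-port-group":
            section, name = "port-group", tok[1]
            db.port_groups.setdefault(name, set())
        elif tok[0] == "vmps-vlan-group":
            section, name = "vlan-group", tok[1]
            db.vlan_groups.setdefault(name, set())
        elif tok[0] == "vlan-name" and section == "vlan-group":
            db.vlan_groups[name].add(tok[1])
        elif tok[0] == "vmps-port-policies":
            section = "policy"
            policy_vlans = {tok[2]} if tok[1] == "vlan-name" else set(db.vlan_groups.get(tok[2], set()))
            _add_policy_target(db, policy_vlans, tok[3:])   # target on the same line ...
        elif tok[0] in ("device", "port-group"):              # ... or on continuation lines
            if section == "port-group":
                db.port_groups[name].add(_port_ref(tok))
            elif section == "policy":
                _add_policy_target(db, policy_vlans, tok)
    return db


def vmps_decide(db: VmpsDatabase, client_domain: str, client_ip: str,
                port: str, mac: str) -> Tuple[str, Optional[str]]:
    """Answer one query: ('assign', vlan), ('deny', None), ('shutdown', None),
    or ('no-response', None) when a domain mismatch is ignored."""
    if client_domain != db.domain and db.no_domain_req != "allow":
        return ("no-response", None)
    vlan = db.macs.get(mac.lower())
    if vlan == "--NONE--":
        return ("deny", None)      # reserved name: never authorized, not even the fallback
    if vlan is None:
        if db.fallback:
            return ("assign", db.fallback)
        return ("shutdown", None) if db.mode == "secure" else ("deny", None)
    allowed = db.policies.get(vlan)
    if allowed is not None and (client_ip, port) not in allowed and (client_ip, "all-ports") not in allowed:
        return ("deny", None)      # known MAC, but this VLAN is restricted to other ports (assumed: deny)
    return ("assign", vlan)


if __name__ == "__main__":
    db = parse_vmps_database(SAMPLE_DB)
    for ip, port, mac in [("172.16.1.2", "3/1", "0060.0893.dbc1"), ("172.16.1.2", "3/5", "0060.0893.dbc1"),
                          ("172.16.1.3", "4/1", "0060.08aa.5279"), ("172.16.1.3", "4/1", "0000.0000.0001")]:
        print(ip, port, mac, "->", vmps_decide(db, "testvtp", ip, port, mac))
```

The __main__ block queries the sample with the Engineering station on an allowed port and on a disallowed one, the --NONE-- station, and an unknown station that lands in the fallback VLAN; switching the sample to vmps mode secure with no fallback turns the unknown station's answer into a shutdown.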
You can have multiple hosts on the dynamic port; however, all hosts
must be authorized for the same VLAN, and you cannot have more than 50 hosts
on the port.
Note that a Catalyst does not send a VQP query to the server until the
device attached to the port transmits. When the local Catalyst sees the source
MAC address, it can generate a request to the VMPS server. The show port
command shows what VLAN each port is assigned to. Dynamic ports display a
VLAN of the form dyn-<number>, as shown in Example 5-7.
Example 5-7. Displaying Dynamic Ports
Console> show port
Port  Name  Status   Vlan   Level   Duplex  Speed  Type
1/1         connect  dyn-3  normal  full    100    100 BASE-TX
1/2         connect  trunk  normal  half    100    100 BASE-TX
2/1         connect  trunk  normal  full    155    OC3 MMF ATM
3/1         connect  dyn-   normal  half    10     10 BASE-T
3/2         connect  dyn-5  normal  half    10     10 BASE-T
3/3         connect  dyn-5  normal  half    10     10 BASE-T
Console> (enable)
Note the entry for Port 1/1. It has a dynamic VLAN assignment (dyn-3). Port
3/1, by contrast, is a dynamic port without a VLAN assignment (dyn- with no
number). The Catalyst does not forward any frames from the host attached to
this port. When you first attach a host to the port, the Catalyst does not yet
know the source MAC address and automatically places the port in this state.
After the host transmits and the VMPS client receives a valid response from
the VMPS server, the VMPS client Catalyst enables the interface in the correct
VLAN. If the host sits idle for a while, causing the bridge aging timer to
expire for its entry, the Catalyst returns the port to an unassigned state.
The VMPS client issues a new query to the VMPS server when the host transmits
again.
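The dyn- naming convention makes the show port listing easy to screen for dynamic ports that are still waiting on the VMPS, which is the first thing to check when a user on a dynamic port reports no connectivity. The Python below is an added example, not code from the book or from Cisco: it parses a constructed transcript laid out like Example 5-7 and separates dynamic ports that received an assignment (dyn-3, dyn-5) from those still unassigned (bare dyn-). The set of status words it skips over to locate the Vlan column is an assumption covering common CatOS values.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed show port transcript laid out like Example 5-7 (sample data, not a real switch).
SAMPLE_SHOW_PORT = """\
Console> show port
Port  Name  Status   Vlan   Level   Duplex  Speed  Type
1/1         connect  dyn-3  normal  full    100    100 BASE-TX
1/2         connect  trunk  normal  half    100    100 BASE-TX
2/1         connect  trunk  normal  full    155    OC3 MMF ATM
3/1         connect  dyn-   normal  half    10     10 BASE-T
3/2         connect  dyn-5  normal  half    10     10 BASE-T
3/3         connect  dyn-5  normal  half    10     10 BASE-T
Console> (enable)
"""

# Words that can appear in the Status column (assumed set); used to skip over
# the optional, possibly multi-word, Name column that precedes it.
STATUS_WORDS = {"connect", "notconnect", "connecting", "disabled", "faulty", "inactive", "errdisable"}


class PortInfo(NamedTuple):
    port: str
    status: str
    vlan: str


def parse_show_port(output: str) -> List[PortInfo]:
    """Return (port, status, vlan) for every mod/port row of the listing."""
    ports: List[PortInfo] = []
    for line in output.splitlines():
        tok = line.split()
        if not tok or not re.fullmatch(r"\d+/\d+", tok[0]):
            continue
        idx = next((i for i, t in enumerate(tok) if t in STATUS_WORDS), None)
        if idx is None or idx + 1 >= len(tok):
            continue
        ports.append(PortInfo(tok[0], tok[idx], tok[idx + 1]))
    return ports


def dynamic_port_state(ports: List[PortInfo]) -> Tuple[Dict[str, int], List[str]]:
    """Split dynamic ports into those assigned a VLAN (dyn-N) and those still
    waiting for a VMPS answer (bare dyn-), which forward no frames."""
    assigned: Dict[str, int] = {}
    waiting: List[str] = []
    for p in ports:
        if not p.vlan.startswith("dyn-"):
            continue
        suffix = p.vlan[len("dyn-"):]
        if suffix.isdigit():
            assigned[p.port] = int(suffix)
        else:
            waiting.append(p.port)
    return assigned, waiting


if __name__ == "__main__":
    assigned, waiting = dynamic_port_state(parse_show_port(SAMPLE_SHOW_PORT))
    print("assigned:", assigned)
    print("waiting on VMPS:", waiting)
```

On the sample, Port 3/1 is the only one reported as waiting; a port that stays in that state after its host has transmitted points at the client-to-server path or the database entry rather than at the port itself.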
Confirm the VMPS client configuration with the show vmps command, as shown
in Example 5-6. The bottom half of this output shows the client settings. The
reconfirm interval defines how often the client interrogates the VMPS server
to see whether a policy changed for locally attached hosts. In Example 5-6,
the interval is 20 minutes. The Server Retry Count, in this case three,
specifies how many times the VMPS client should try to reach the VMPS server.
If it fails to receive a response from the server after three attempts, the
client attempts to reach one of the backup servers. Finally, the output shows
the IP address of the VMPS server that the client is attempting to use,
172.16.1.1.