There is a process whereby a switch with a dynamic port can query a server holding end station information to find out what VLAN the port should be in. The query is done via VQP, the VLAN Query Protocol, and goes to a VMPS, a VLAN Membership Policy Server. The VMPS was initially a Catalyst 5xxx, but this is changing so that the server may instead be a workstation running URT, User Response Tool, and eventually perhaps a Windows 2000 Active Directory server.
The following are capable of being VMPS servers right now: supervisor software release 2.3 or later on Catalyst 5000 and 2926G series switches. Many of the Cisco switches are capable of being VQP-using clients with dynamic VLAN's.
You can have several end stations on a dynamic port (using a hub), but they must all belong to the same dynamic VLAN. If there are more than 20 (29xx XL) to 50 (Catalyst 5xxx) end stations on a single port, the dynamic port will be shut down by the switch.
To configure a VMPS server, first use
set vmps tftpserver ip-address [filename]
This tells the future VMPS server which TFTP server to get its information from, and optionally what filename the information will be stored under. The default filename is vmps-config-database.1.
You then enable it with
set vmps state enable
(the alternative being disable), upon which the wannabe VMPS server attempts to download the configuration database specified with the tftpserver command. If the TFTP download succeeds, VMPS becomes enabled. If the transfer fails, you get an error message and VMPS remains disabled. The download/enable process also takes place when you reboot the switch.
You can force a download of new VMPS server information to a server with the command
download vmps
This can also be used to retry after a download fails.
To set up a set-based switch as a VQP client, you need to tell it who its VMPS server is. This is done with the command
set vmps server server-ip-address [primary]
You can do this up to three times: one primary and two backup VMPS servers. When the primary is down, its status is checked every five (5) minutes; when it is back up, queries are again sent to the primary first.
For there to be any point to having a client, you need to use dynamic VLAN's. A port is made dynamic with the command
set port membership mod_num/port_num dynamic
and the status will show up in the show port command output. Use the command
reconfirm vmps
occasionally, as an enabled (privileged) user, if you wish to have the switch reconfirm all dynamic port VLAN assignments.
The design intent appears to be for there to be a VMPS server for local switches, say switches sharing a VTP domain. The point here is: you probably do not want to have to reach your VMPS server through a router, and if you do, it is the one Layer 3 switching hop to the server farm on a campus (more on this if I write a switched campus design article).
Other related commands:
clear vmps server | This command deletes a VMPS server from the list of servers in the client switch. |
clear vmps statistics | This resets the VMPS statistics to zero. |
show vmps | This command produces a summary of VMPS configuration and status information, including whether VMPS is enabled or disabled, which station the VMPS server might be, what the TFTP server address is, and what the VMPS database filename is. |
show vmps mac | This command (on the VMPS server) shows the MAC to VLAN mapping table (the database). It also shows the last requestor, which tells you which switch and switch port last had the end station in question attached to it, also whether the request succeeded or was denied. |
show vmps statistics | This command displays VMPS-related statistics. It can be useful for troubleshooting, since it shows you VQP requests, denied requests, and also the MAC address of the end station associated with the last failed request. |
show vmps vlan vlan-name | On the VMPS server, this shows all MAC addresses for a VLAN in the VMPS configuration database. |
show vmps vlanports vlan-name | On a Catalyst 5xxx switch, shows the ports associated with the specified VLAN name. |
On an IOS-based switch (such as the 29xx XL), to specify the VMPS server, use the global configuration command
vmps server ip-address [primary]
You can check this with
show vmps
To make an interface (port) dynamic instead of static, configure
interface fastethernet 0/1
switchport mode access
switchport access vlan dynamic
You can check this with
show interface interface switchport
To have the switch re-check the dynamic port VLAN assignments, use the EXEC mode command
vmps reconfirm
The default reconfirm interval is 60 minutes, and the default number of retries on a VQP query is 3. You can configure these with
vmps reconfirm minutes
vmps retry number-of-retries
The second line of the sample below specifies the security mode, which can be either open or secure. In secure mode, an unknown MAC address causes the port to be shut down. In open mode, unknown MAC addresses are assigned to the fallback (default) "unsecure" VLAN, specified with the vmps fallback line. The default mode is open. You can also specify whether requests with no VTP/VMPS domain are allowed or denied. By the way, when unknown MAC addresses or denied situations occur, the switch can send an SNMP trap to your SNMP trap receiver (management station). This might be useful for tracking use of unauthorized PC's in a campus environment (provided that's something you care to manage).
vmps domain mydomain
vmps mode open
! vmps mode { open | secure }
vmps fallback default
vmps no-domain-req deny
! vmps no-domain-req { allow | deny }
This section of the configuration database file is followed by the list of MAC addresses and VLAN names:
vmps-mac-addrs
!
address 0012.2233.4455 vlan-name Engineering
address 0012.3344.abcd vlan-name Engineering
address aaaa.bbbb.cccc vlan-name Accounting
address aaaa.bbbb.1111 vlan-name --NONE--
address aaaa.bbbb.2222 vlan-name SecureAccounting
Note that "--NONE--" is a way of excluding an untrusted MAC address: the VMPS server will send a denied response to any query for it.
You can apparently specify what devices are allowed on what ports (I haven't tried this). Note that quotes are used when the name contains a space.
! vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
device 172.16.1.1 port Fa1/3
device 172.16.1.2 port Fa1/4
vmps-port-group "Executive Suite"
device 172.16.10.1 port Fa0/1
device 172.16.10.1 port Fa0/2
device 172.16.10.10 all-ports
You can then create groups of VLAN (names) and then policies as to which VLAN's are allowed on which ports (using the above port-groups):
! vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
! vmps-port-policies { vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
!
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
vmps-port-policies vlan-name Accounting
device 172.16.10.1 port Fa0/3
vmps-port-policies vlan-name Management
device 172.16.10.1 port Fa0/10
port-group "Executive Suite"
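The configuration database format above (the header keywords, the vmps-mac-addrs list, and the port-group, vlan-group and port-policies sections) is small enough to parse and evaluate offline, which is a handy way to check a database before putting it on the TFTP server. The following Python is an added example, not code from the article or from Cisco: it parses the file format, rejects references to undefined groups, and then answers VQP queries the way the text describes (--NONE-- always denies, unknown MACs get the fallback VLAN in open mode and a port shutdown in secure mode, and a VLAN named in a port policy is granted only on the listed ports). The sample database is the article's own, trimmed, with one constructed Management host (aaaa.bbbb.3333) added; treating a mismatched VTP domain as a denial is this example's assumption rather than something the article states.

```python
# Added example (not the article's or Cisco's code): parse a VMPS configuration
# database and resolve VQP queries against it. See lead-in for assumptions.
import shlex
from dataclasses import dataclass, field

# The article's sample database, trimmed, plus one constructed Management host.
SAMPLE_DB = """\
vmps domain mydomain
vmps mode open
vmps fallback default
vmps no-domain-req deny
vmps-mac-addrs
address 0012.2233.4455 vlan-name Engineering
address aaaa.bbbb.cccc vlan-name Accounting
address aaaa.bbbb.1111 vlan-name --NONE--
address aaaa.bbbb.3333 vlan-name Management
vmps-port-group WiringCloset1
device 172.16.1.1 port Fa1/3
vmps-port-group "Executive Suite"
device 172.16.10.1 port Fa0/1
device 172.16.10.10 all-ports
vmps-vlan-group Engineering
vlan-name hardware
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
vmps-port-policies vlan-name Accounting
device 172.16.10.1 port Fa0/3
vmps-port-policies vlan-name Management
device 172.16.10.1 port Fa0/10
port-group "Executive Suite"
"""

@dataclass
class VmpsDatabase:
    domain: str = ""
    mode: str = "open"             # open | secure
    fallback: str = ""             # empty: no fallback VLAN configured
    no_domain_req: str = "deny"    # allow | deny
    mac_to_vlan: dict = field(default_factory=dict)   # hex MAC -> VLAN name
    port_groups: dict = field(default_factory=dict)   # group -> {(device, port or "*")}
    vlan_groups: dict = field(default_factory=dict)   # group -> {VLAN name}
    policies: dict = field(default_factory=dict)      # VLAN -> {(device, port or "*")}

def _mac(s):
    return s.lower().replace(".", "").replace(":", "").replace("-", "")  # -> 001222334455

def _device_port(tok):  # 'device ID port NAME' -> (ID, NAME); 'device ID all-ports' -> (ID, '*')
    return (tok[1], "*") if tok[2] == "all-ports" else (tok[1], tok[3])

def parse_vmps_db(text):
    db, section = VmpsDatabase(), None     # section = (kind, detail) of the open list
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):          # "!" introduces a comment
            continue
        tok = shlex.split(line)                       # keeps "Executive Suite" whole
        kw = tok[0]
        if kw == "vmps" and hasattr(db, tok[1].replace("-", "_")):   # header keywords
            setattr(db, tok[1].replace("-", "_"), tok[2])
            section = None
        elif kw == "vmps-mac-addrs":
            section = ("macs", None)
        elif kw in ("vmps-port-group", "vmps-vlan-group"):
            (db.port_groups if kw == "vmps-port-group" else db.vlan_groups).setdefault(tok[1], set())
            section = (kw, tok[1])
        elif kw == "vmps-port-policies":
            if tok[1] == "vlan-group" and tok[2] not in db.vlan_groups:
                raise ValueError(f"undefined vlan-group: {tok[2]}")
            section = ("policy", {tok[2]} if tok[1] == "vlan-name" else set(db.vlan_groups[tok[2]]))
        elif kw == "address" and section and section[0] == "macs":
            db.mac_to_vlan[_mac(tok[1])] = tok[3]
        elif kw == "device" and section and section[0] == "vmps-port-group":
            db.port_groups[section[1]].add(_device_port(tok))
        elif kw == "vlan-name" and section and section[0] == "vmps-vlan-group":
            db.vlan_groups[section[1]].add(tok[1])
        elif kw in ("port-group", "device") and section and section[0] == "policy":
            if kw == "port-group" and tok[1] not in db.port_groups:
                raise ValueError(f"undefined port-group: {tok[1]}")
            scope = db.port_groups[tok[1]] if kw == "port-group" else {_device_port(tok)}
            for vlan in section[1]:
                db.policies.setdefault(vlan, set()).update(scope)
        else:
            raise ValueError(f"unexpected line: {line}")
    return db

def resolve(db, mac, device, port, domain=None):
    """One VQP decision: ("vlan", name), ("denied", why) or ("shutdown", why)."""
    refuse = "shutdown" if db.mode == "secure" else "denied"
    if domain is None and db.no_domain_req == "deny":
        return ("denied", "request carries no VTP domain")
    if domain is not None and domain != db.domain:
        return ("denied", "VTP domain mismatch")     # this example's assumption
    vlan = db.mac_to_vlan.get(_mac(mac))
    if vlan is None:                                 # host not in the database
        return ("vlan", db.fallback) if db.mode == "open" and db.fallback else (refuse, "unknown MAC")
    if vlan == "--NONE--":
        return ("denied", "MAC explicitly excluded")
    allowed = db.policies.get(vlan)                  # None means no port restriction
    if allowed is not None and not ({(device, port), (device, "*")} & allowed):
        return (refuse, f"{vlan} not allowed on {device} {port}")
    return ("vlan", vlan)
```

Call parse_vmps_db on the file text and then resolve once per query; the second element of a refusal is the reason you would want in a log or trap. The resolver looks up the requesting (device, port) pair directly, and also the (device, "*") pair so that all-ports entries match, which is why the same Management policy admits a host on any port of 172.16.10.10 but only on Fa0/1 and Fa0/10 of 172.16.10.1.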
You can use the tool to change multiple switch ports to dynamic status at once. You can also use it to save the MAC address information to the TFTP server, and you can even trigger the VMPS server to download fresh MAC address table information.
Oh, and you can use CiscoView (and SNMP) to configure the VMPS servers and clients. We do a demo of all this in the CEMS CiscoWorks 2000 course.
I'm planning more switching topics for the next month or two. We may also sneak in a little design: you need to think about end-to-end VLAN's versus the "Layer 2 / Layer 3" hierarchical approach. See you in a month!
Dr. Peter J. Welcher (CCIE #1773, CCSI #94014) is a Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has nine CCIE's, with expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, network management, security, IP multicast, and other areas. See http://www.netcraftsmen.net for more information about NetCraftsmen. Pete's links start at http://www.netcraftsmen.net/welcher . New articles will be posted under the Articles link. Questions, suggestions for articles, etc. can be sent to pjw@netcraftsmen.net .