4.2 VLAN Types
4.2.6 Dynamic VLANs
With a VLAN Management Policy Server (VMPS), you can assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle the Catalyst 5000, 4000, 900, 3500, or 6000 Series Switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.

VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests. When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping.

If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is not in secure mode, the host receives an "access-denied" response. If VMPS is in secure mode, the port is shut down.

If a VLAN in the database does not match the current VLAN on the port and active hosts are on the port, VMPS sends an access-denied or a port-shutdown response based on the secure mode of the VMPS.

You can configure a fallback VLAN name. If you connect a device with a MAC address that is not in the database, VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN and the MAC address does not exist in the database, VMPS sends an access-denied response. If VMPS is in secure mode, it sends a port-shutdown response.

You can also make an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, VMPS sends an access-denied or port-shutdown response.

On a set command-based switch, a dynamic (nontrunking) port can belong to only one VLAN at a time. When the link comes up, a dynamic port is isolated from its static VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, VMPS provides the VLAN number to assign to the port. If there is no match, VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting).

Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to an isolated state. Any hosts that come on line through the port are checked again with VMPS before the port is assigned to a VLAN.
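The server-side decision procedure described above (database lookup, port-group restriction, fallback VLAN, the --NONE-- deny entry, and secure-mode escalation to a port shutdown) modelled as a small Python class. This is an added illustration, not Cisco's VMPS implementation; the class and method names, the port and MAC values, and the exact reply strings are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical model of the VMPS decision logic, written for this example.
# Replies mirror the text: a VLAN name, "access-denied", or "port-shutdown".
NONE_KEYWORD = "--NONE--"


@dataclass
class VmpsDatabase:
    # MAC address -> VLAN name, or NONE_KEYWORD for an explicit deny entry
    mac_to_vlan: Dict[str, str]
    # VLAN name -> set of ports the VLAN is restricted to; absent = any port
    vlan_port_groups: Dict[str, Set[str]] = field(default_factory=dict)
    fallback_vlan: Optional[str] = None
    secure_mode: bool = False

    def _deny(self) -> str:
        # In secure mode every denial becomes a port-shutdown response
        return "port-shutdown" if self.secure_mode else "access-denied"

    def lookup(self, mac: str, port: str, current_vlan: Optional[str] = None,
               active_hosts: bool = False) -> str:
        """Return the VMPS reply for a client request from `port` for `mac`."""
        vlan = self.mac_to_vlan.get(mac.lower())
        if vlan is None:
            # Unknown MAC: fallback VLAN if one is configured, else a denial
            return self.fallback_vlan if self.fallback_vlan else self._deny()
        if vlan == NONE_KEYWORD:
            # Explicit --NONE-- entry denies this MAC on every port
            return self._deny()
        allowed_ports = self.vlan_port_groups.get(vlan)
        if allowed_ports is not None and port not in allowed_ports:
            # VLAN is restricted to a port group that excludes this port
            return self._deny()
        if active_hosts and current_vlan is not None and current_vlan != vlan:
            # Port already carries active hosts in a different VLAN
            return self._deny()
        return vlan


def demo() -> Dict[str, str]:
    # Constructed sample database: two known MACs, one explicitly denied
    db = VmpsDatabase({"00:11:22:33:44:55": "engineering",
                       "aa:bb:cc:dd:ee:ff": NONE_KEYWORD},
                      {"engineering": {"3/1", "3/2"}})
    return {"known": db.lookup("00:11:22:33:44:55", "3/1"),
            "wrong_port": db.lookup("00:11:22:33:44:55", "4/1"),
            "unknown": db.lookup("de:ad:be:ef:00:01", "3/1")}
```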

The following guidelines and restrictions apply to dynamic port VLAN membership:

  • You must configure VMPS before you configure ports as dynamic.
  • When you configure a port as dynamic, Spanning-Tree PortFast is enabled automatically for that port. Automatic enabling of Spanning-Tree PortFast prevents applications on the host from timing out and entering loops caused by incorrect configurations. You can disable Spanning-Tree PortFast mode on a dynamic port.
  • If you reconfigure a port from a static port to a dynamic port on the same VLAN, the port connects immediately to that VLAN. However, VMPS checks the legality of the specific host on the dynamic port after a certain period.
  • Static secure ports cannot become dynamic ports. You must turn off security on the static secure port before it can become dynamic.
  • Static ports that are trunking cannot become dynamic ports. You must turn off trunking on the trunk port before changing it from static to dynamic.

It is also important to note that the VLAN Trunking Protocol (VTP) management domain and the management VLAN of VMPS clients and the VMPS server must be the same.