With a VLAN Management Policy Server (VMPS), you can assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle the Catalyst 5000, 4000, 900, 3500, or 6000 Series Switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.

VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests. When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping.

If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is not in secure mode, the host receives an "access-denied" response. If VMPS is in secure mode, the port is shut down.

If a VLAN in the database does not match the current VLAN on the port and active hosts are on the port, VMPS sends an access-denied or a port-shutdown response based on the secure mode of the VMPS.

You can configure a fallback VLAN name. If you connect a device with a MAC address that is not in the database, VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN and the MAC address does not exist in the database, VMPS sends an access-denied response. If VMPS is in secure mode, it sends a port-shutdown response.

You can also make an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, VMPS sends an access-denied or port-shutdown response.

On a set command-based switch, a dynamic (nontrunking) port can belong to only one VLAN at a time. When the link comes up, a dynamic port is isolated from its static VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, VMPS provides the VLAN number to assign to the port. If there is no match, VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to an isolated state. Any hosts that come online through the port are checked again with VMPS before the port is assigned to a VLAN.
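As an added illustration (not Cisco's code and not the switch's actual implementation), the following Python models the server-side decision described in the preceding paragraphs (MAC lookup, port-group restriction, fallback VLAN, the --NONE-- deny entry, the VLAN-mismatch case, and the effect of secure mode) together with the client-side state of a dynamic port (isolated on link-up, query on the first frame from a new MAC, multiple hosts only in the same VLAN, back to isolated on link-down). The database text format, the MAC addresses, VLAN names and `switch:port` identifiers are all constructed for this example; the real VMPS database file syntax and the on-the-wire request format are not reproduced.

```python
from __future__ import annotations

from dataclasses import dataclass, field

NONE_VLAN = "--NONE--"          # explicit deny entry, as described in the text
ACCESS_DENIED = "access-denied"
PORT_SHUTDOWN = "port-shutdown"


def normalize_mac(mac: str) -> str:
    """Reduce 0012.3456.789a / 00:12:34:56:78:9a / 00-12-... to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class VmpsDatabase:
    secure: bool = False                 # secure mode: refusals shut the port down
    fallback: str | None = None          # VLAN handed to MACs not in the database
    mac_to_vlan: dict[str, str] = field(default_factory=dict)
    # VLAN name -> switch:port identifiers allowed to carry it;
    # a VLAN with no entry here is allowed on any port.
    vlan_ports: dict[str, set[str]] = field(default_factory=dict)


def parse_database(text: str) -> VmpsDatabase:
    """Parse the constructed, simplified database format (assumption, not Cisco's syntax):
    mode open|secure / fallback <vlan> / address <mac> vlan-name <vlan> /
    vlan-port <vlan> <switch>:<port>; lines beginning with '!' are comments."""
    db = VmpsDatabase()
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "mode" and len(tok) == 2 and tok[1] in ("open", "secure"):
            db.secure = tok[1] == "secure"
        elif tok[0] == "fallback" and len(tok) == 2:
            db.fallback = tok[1]
        elif tok[0] == "address" and len(tok) == 4 and tok[2] == "vlan-name":
            db.mac_to_vlan[normalize_mac(tok[1])] = tok[3]
        elif tok[0] == "vlan-port" and len(tok) == 3:
            db.vlan_ports.setdefault(tok[1], set()).add(tok[2])
        else:
            raise ValueError(f"unrecognized database line: {raw!r}")
    return db


def negative_response(db: VmpsDatabase) -> str:
    """Every refusal is access-denied in open mode and port-shutdown in secure mode."""
    return PORT_SHUTDOWN if db.secure else ACCESS_DENIED


def vmps_lookup(db: VmpsDatabase, mac: str, port: str,
                current_vlan: str | None = None) -> str:
    """Server-side decision: a VLAN name, or a negative response.
    current_vlan is the VLAN already active on the requesting port (None if isolated)."""
    vlan = db.mac_to_vlan.get(normalize_mac(mac))
    if vlan is None:                      # unknown MAC: fallback VLAN or refuse
        if db.fallback is None:
            return negative_response(db)
        vlan = db.fallback
    if vlan == NONE_VLAN:                 # explicit deny entry
        return negative_response(db)
    allowed = db.vlan_ports.get(vlan)     # VLAN restricted to a port group?
    if allowed is not None and port not in allowed:
        return negative_response(db)
    if current_vlan is not None and vlan != current_vlan:
        return negative_response(db)      # would conflict with hosts already on the port
    return vlan


class DynamicPort:
    """Client-side state of a nontrunking dynamic port on a set-command switch."""

    def __init__(self, db: VmpsDatabase, port_id: str) -> None:
        self.db, self.port_id = db, port_id
        self.vlan: str | None = None      # None == isolated from any VLAN
        self.hosts: set[str] = set()      # MACs admitted on this port
        self.shutdown = False

    def link_down(self) -> None:
        """Link loss returns the port to the isolated state; hosts are re-checked later."""
        self.vlan, self.hosts = None, set()

    def host_seen(self, mac: str) -> str:
        """The first frame from a new source MAC triggers a VMPS query."""
        if self.shutdown:
            return PORT_SHUTDOWN
        mac = normalize_mac(mac)
        if mac in self.hosts:             # already admitted, no new query
            return self.vlan
        resp = vmps_lookup(self.db, mac, self.port_id, self.vlan)
        if resp == PORT_SHUTDOWN:
            self.shutdown = True
            self.link_down()
        elif resp != ACCESS_DENIED:       # VLAN assigned (or confirmed) for this port
            self.vlan = resp
            self.hosts.add(mac)
        return resp


# Constructed sample database; MACs, VLAN names and ports are made up.
SAMPLE_DB = """\
! constructed sample, not a real VMPS database file
mode open
fallback guests
address 0012.3456.789a vlan-name engineering
address 0012.3456.789b vlan-name engineering
address 0012.3456.789c vlan-name finance
address 00de.ad00.beef vlan-name --NONE--
vlan-port finance sw1:2/1
vlan-port finance sw1:2/2
"""

if __name__ == "__main__":
    port = DynamicPort(parse_database(SAMPLE_DB), "sw1:3/5")
    for mac in ("0012.3456.789a", "0012.3456.789b", "0012.3456.789c", "aaaa.bbbb.cccc"):
        print(mac, "->", port.host_seen(mac), "| port VLAN:", port.vlan)
```

Running the module walks one port through the cases in the text: the first two hosts land in `engineering`, the `finance` host is refused because that VLAN is restricted to other ports, and the unknown MAC is refused even though a fallback exists, because `guests` does not match the VLAN already active on the port. Flipping `mode open` to `mode secure` turns each of those refusals into a port shutdown, which is the availability cost a deployment accepts in exchange for stricter enforcement.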
The following guidelines and restrictions apply to dynamic port VLAN membership:

- You must configure VMPS before you configure ports as dynamic.
- When you configure a port as dynamic, Spanning-Tree PortFast is enabled automatically for that port. Automatic enabling of Spanning-Tree PortFast prevents applications on the host from timing out and entering loops caused by incorrect configurations. You can disable Spanning-Tree PortFast mode on a dynamic port.
- If you reconfigure a port from a static port to a dynamic port on the same VLAN, the port connects immediately to that VLAN. However, VMPS checks the legality of the specific host on the dynamic port after a certain period.
- Static secure ports cannot become dynamic ports. You must turn off security on the static secure port before it can become dynamic.
- Static ports that are trunking cannot become dynamic ports. You must turn off trunking on the trunk port before changing it from static to dynamic.

It is also important to note that the VLAN Trunking Protocol (VTP) management domain and the management VLAN of VMPS clients and the VMPS server must be the same.