VMPS and Dynamic VLANs: Advanced Administration
Normally, when you configure a VLAN, you must perform three steps:
- Ensure that the Catalyst belongs to a VTP domain
- Create a VLAN
- Assign ports to the VLAN
The first two steps globally affect Catalysts. When you create a VLAN, VTP announces the addition or deletion of the VLAN throughout the VTP domain. Assigning ports to a VLAN, however, is a local event. VTP does not announce what ports belong to which VLAN. You must log in to the Catalyst where you want to assign ports. After you assign the port to a VLAN, any device attached to the port belongs to the assigned VLAN. (The exception to this is the port security feature that allows one and only one MAC address on the port to belong to the VLAN.)
When you attach a station to a port on the Catalyst, you need to ensure that the port belongs to the correct VLAN. Unfortunately, you might not always have access to the CLI to make a change. Or, you might have users who frequently relocate within their facilities environment. But you do not want them to bother you every time they relocate a station, especially when it happens after midnight or during a weekend.
Cisco built a feature into the Catalyst to facilitate dynamic port configurations. The dynamic VLAN feature automatically configures a port to a VLAN based upon the MAC address of the device attached to the port as shown in the following sequence:
- When you attach a device to the port and the device transmits a frame, the Catalyst learns the source MAC address.
- The Catalyst then interrogates a VLAN membership policy server (VMPS). The VMPS server has a database of MAC addresses and the authorized VLAN for each MAC address.
- The VMPS responds to the client Catalyst with the authorized VLAN.
- The VMPS client Catalyst configures the port to the correct VLAN based upon the information received from the VMPS.
The bulk of your work as the network administrator is to initially build the database. After you build the database, you (or your users) do not have to statically configure a Catalyst every time that a device moves from one port to another.
This feature also provides a level of security because the user’s MAC address for the device must be in a database before the Catalyst assigns the port to a VLAN. If the MAC address is not in the database, the Catalyst can refuse the connection or assign the user to a default VLAN.
Three components enable a dynamic VLAN environment. First, you must have a TFTP server. The VMPS database resides as a text file on the TFTP server. The second component, the VMPS server, reads the database from the TFTP server and keeps a local copy of all of the data. Dynamic VLAN clients interrogate the VMPS whenever a device attaches to a port on the Catalyst. You can configure up to two backup VMPS servers. The third component, the VMPS client, communicates with the VMPS server over UDP port 1589. This is a well-known port registered with the Internet Assigned Numbers Authority (IANA) for VQP (VMPS Query Protocol).
Figure 5-20 illustrates the relationship between the components. Cat-A serves as the primary VMPS server, with two other Catalysts also enabled as backup VMPS servers. The section on configuring the VMPS client details how to identify primary and backup VMPS servers. The VMPS server (Cat-A) accesses the TFTP server when you initially enable the VMPS server, or whenever you manually force the VMPS to download a new configuration table. The VMPS server must have an IP address and it might need a default route to the TFTP server for the VMPS server to initialize. The VMPS server needs a default route if the VMPS and TFTP servers reside on different subnets/VLANs.
Cat-B and Cat-C are each configured as VMPS clients and get port-to-VLAN authorizations from the VMPS server. Therefore, they need to be able to communicate with the VMPS server.
Figure 5-20. Dynamic VLAN Architecture
The following list outlines the steps for configuring dynamic VLANs:
- Build the VLAN database and load into a TFTP server.
- Configure the VMPS server IP address.
- On the VMPS server, enter the IP address of the TFTP server.
- Enable the VMPS server.
- Configure VMPS clients with an IP address.
- On the VMPS clients, configure the IP address of the VMPS server.
- Identify dynamic ports on clients.
The sections that follow provide more detail on this seven-step sequence for configuring dynamic VLANs.
Building the VMPS Database for TFTP Download
The bulk of your configuration activity resides in building the VMPS database, a simple text file. The VMPS server downloads the text file database and uses it to determine whether devices are authorized to join a VLAN. Example 5-5 shows a representative database. The database divides into three portions. The first part modifies global parameters for the VMPS system. The second part defines the MAC address and the authorized VLAN for the address. The third part defines other policies to restrict VLANs to specific ports or groups of ports.
Example 5-5 VLAN Database Example
!PART 1: GLOBAL SETTINGS
!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode { open | secure }
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
! The VMPS domain name MUST MATCH the VTP domain name.
vmps domain testvtp
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!PART 2: MAC ADDRESS DATABASE
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0060.0893.dbc1 vlan-name Engineering
address 0060.08aa.5279 vlan-name --NONE--
address 0060.08b6.49fb vlan-name Engineering
!
!PART 3: OTHER POLICIES
!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
vmps-port-group restrictengineering
 device 172.16.1.2 port 3/1
 device 172.16.1.2 port 3/2
 device 172.16.1.3 port 4/1
 device 172.16.1.3 port 4/3
 device 172.16.1.3 port 4/5
!
!
!
!VLAN groups
! USE THIS TO ASSOCIATE A GROUP OF VLANs TOGETHER. THE DATABASE TREATS
! ALL OF THE VLANs AS A SINGLE GROUP.
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
!
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
! Hosts in the Engineering VLAN are authorized only on the ports in restrictengineering.
vmps-port-policies vlan-name Engineering port-group restrictengineering
!
VMPS Database Global Settings
In the global configuration portion of the database (Part 1 in Example 5-5), you configure the VMPS domain name, the security mode, the fallback VLAN, and the policy regarding VMPS and VTP domain name mismatches.
The VMPS domain name must match the VTP domain name for the VMPS server to respond to a VMPS client. You can force the VMPS server to accept requests from VMPS clients with a domain name mismatch by setting the parameter vmps no-domain-req allow in the database.
The database entry vmps mode { open | secure } defines what action to take if the VMPS server does not have an entry for a MAC address. In open mode, a MAC address with no entry is assigned to the fallback VLAN; if you do not define a fallback, the port remains unassigned. In secure mode, the VMPS server instructs the VMPS client to shut down the interface instead of leaving it unassigned. The difference matters: an unassigned port keeps trying, sending a new request each time the attached device transmits, whereas a shutdown port stays shut down until you enable it.
The fallback VLAN is like a miscellaneous VLAN. If the database does not have an entry for the MAC address, the VMPS server assigns the device to the fallback VLAN, if one is configured.
VMPS Database VLAN Authorizations
The heart of the database is the middle portion (Part 2 of Example 5-5), which defines the MAC address-to-VLAN association. Each device that you want to dynamically assign needs an entry in the database giving its MAC address and the authorized VLAN. If the host attaches to a dynamic port, the Catalyst refers to the database for the VLAN assignment. Note that the VLAN assignment is by name, not by VLAN number. Also note the reserved VLAN name --NONE--. Mapping a MAC address to this name explicitly denies it access through any dynamic VLAN port. Use it to ensure that certain devices never work when attached to a dynamic port. You can achieve a similar result by setting vmps mode secure and not defining a fallback VLAN, but that affects all devices not in the database, not just a specific MAC address.
You can elect to enable these services for security reasons. For example, you might have specific devices that you never want to gain access through dynamic ports; map those MAC addresses to --NONE--. This prevents the device from even joining the fallback VLAN. On the other hand, you might not want any station that is not in the database to dynamically join any VLAN. In this case, set the mode to secure, which saves you from having to explicitly identify every excluded device.
VMPS Database Group Policies
Through the third part of the VMPS database (Part 3 in Example 5-5), you can restrict VLANs to specific ports on the VMPS client. Suppose, for example, that you want hosts in the Engineering VLAN to be authorized only when they attach to Ports 3/1 and 3/2 on Cat-B and Ports 4/1, 4/3, and 4/5 on Cat-C in Figure 5-20. If a host attaches to any other dynamic port, the port configuration is not authorized, even if the MAC address is in the database. The third part of Example 5-5 configures exactly this. Note that the database identifies a VMPS client by its IP address, so the policies name the clients as 172.16.1.2 and 172.16.1.3 rather than as Cat-B and Cat-C.
Configuring the VMPS Server
You should complete the TFTP file configuration before you enable the VMPS server. You can have up to three VMPS servers, the active and two backups. When you enable the server, it attempts to download the database from the TFTP server. If it fails to download the database, the Catalyst does not enable the VMPS server function.
Two commands configure the VMPS server: set vmps tftpserver ip_addr [filename] and set vmps state enable. The first informs the VMPS server of the TFTP server’s IP address and, optionally, the database filename to request. If you do not specify a filename, the VMPS server requests the file vmps-config-database.1.
After you configure the TFTP server information, you can enable the VMPS server with the command set vmps state enable. At this point, the VMPS server attempts to download the VMPS database from the TFTP server.
If at some point after you enable the server you modify the VMPS database on the TFTP server, you can force the VMPS server to acquire the new database with the command download vmps.
You can check the status of the VMPS server with the command show vmps. This command reports all of the current configuration information for the server, as shown in Example 5-6.
Example 5-6 show vmps Output
Console> show vmps
VMPS Server Status:
-------------------
Management Domain: Accounting
State: enabled
Operational Status: active
TFTP Server: 144.254.10.33
TFTP File: myvmpsdatabase.db
Fallback VLAN: miscbucket
Secure Mode: open
VMPS No Domain Req: allow

VMPS Client Status:
---------------------
VMPS VQP Version: 1
Reconfirm Interval: 20 min
Server Retry Count: 3
VMPS domain server: 172.16.1.1

No dynamic ports configured.
Console>
The show vmps command works for both the VMPS server and client. The top half of the display shows the server configuration information, and the bottom half displays client values. If you have trouble getting the VMPS server operational, use this command to view a summary of the parameters. In particular, check that the VMPS domain name matches the VTP domain name. State is either enabled or disabled. You should see enabled if you entered the set vmps state enable command. Check the operational status. This displays either active, inactive, or downloading.
The downloading status implies that the VMPS server is retrieving the VMPS database from the TFTP server. The inactive status means that the VMPS server tried to get the database, but failed and became inactive. Finally, check the database filename and ensure that the Catalyst can reach the server, that the file exists, and that it is a VMPS file.
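A small parser for this output that applies the checks just described, added here as an example (it is not Cisco tooling and not part of the original text): it reads the Label: value lines of show vmps into a dictionary and reports the domain mismatch, state, and operational-status problems the text names. The sample output is a constructed copy of Example 5-6, and the VTP domain to compare against is passed in as an argument because show vmps does not print it.

```python
import re

# Constructed sample: the show vmps display of Example 5-6 as a VMPS server prints it.
SHOW_VMPS_EXAMPLE = """\
Console> show vmps
VMPS Server Status:
-------------------
Management Domain: Accounting
State: enabled
Operational Status: active
TFTP Server: 144.254.10.33
TFTP File: myvmpsdatabase.db
Fallback VLAN: miscbucket
Secure Mode: open
VMPS No Domain Req: allow

VMPS Client Status:
---------------------
VMPS VQP Version: 1
Reconfirm Interval: 20 min
Server Retry Count: 3
VMPS domain server: 172.16.1.1

No dynamic ports configured.
Console>
"""

# "Label: value" with a non-empty value; the section titles ("VMPS Server Status:") carry none.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\s*(\S.*?)\s*$")


def parse_show_vmps(output: str) -> dict:
    """Collect every Label: value line from both halves of the display into one dict."""
    return {m.group(1).strip(): m.group(2) for m in map(FIELD_RE.match, output.splitlines()) if m}


def check_vmps_server(fields: dict, vtp_domain: str) -> list:
    """Apply the troubleshooting checks from the text; an empty list means the server looks healthy."""
    findings = []
    domain = fields.get("Management Domain")
    if domain != vtp_domain:
        findings.append(f"VMPS domain {domain!r} does not match VTP domain {vtp_domain!r}; "
                        "clients in that VTP domain get no answer")
    if fields.get("State") != "enabled":
        findings.append("VMPS server state is not enabled; run set vmps state enable")
    status = fields.get("Operational Status")
    if status == "downloading":
        findings.append("server is still retrieving the database from the TFTP server; re-check shortly")
    elif status == "inactive":
        findings.append(f"database download failed: verify that {fields.get('TFTP Server')} is reachable "
                        f"and that {fields.get('TFTP File')} exists there and is a VMPS database file")
    elif status != "active":
        findings.append(f"unexpected operational status {status!r}")
    return findings


def client_settings(fields: dict) -> dict:
    """Typed values from the client half: reconfirm interval in minutes, retry count, server address."""
    return {
        "reconfirm_minutes": int(fields["Reconfirm Interval"].split()[0]),
        "retry_count": int(fields["Server Retry Count"]),
        "server": fields["VMPS domain server"],
    }


if __name__ == "__main__":
    fields = parse_show_vmps(SHOW_VMPS_EXAMPLE)
    for finding in check_vmps_server(fields, "Accounting") or ["no problems found"]:
        print(finding)
    print(client_settings(fields))
```

Because the regex only keeps labelled lines with a value, the same function parses the client-only display of a VMPS client, where the server half is absent; check_vmps_server() then reports the missing state and status, which is the expected result on a box that is not a server.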
Cisco has two optional tools for the VMPS database: the User Registration Tool (URT) and the User Tracker for CiscoWorks for Switched Internetworks (CWSI). The tools help with the creation of the database and allow you to place the VMPS server in a non-Catalyst device. The sections that follow provide additional information on these two tools.
URT
Cisco’s User Registration Tool (URT) lets you build the VLAN membership database from a user’s Windows NT login rather than from a MAC address. You can use URT only with Windows 95/98 and Windows NT 4 clients running Microsoft Networking (NetBIOS or Client for Microsoft Networks) over TCP/IP with addresses obtained through the Dynamic Host Configuration Protocol (DHCP). URT does not support other operating systems or network layer protocols. You must manually load a URT client package on NT 4 clients and servers so they can interact with the URT server; Windows 95/98 clients install the URT client service automatically from their NT domain controller.
URT sets up an NT 4 database and behaves like a VMPS server. You still need to enable Catalysts as VMPS clients pointing to the NT server with the URT database.
Managing the URT server requires CWSI 2.1 as it interacts with the CWSI 2.1 ANI server to define workstation relationships to VLANs.
User Tracker for CWSI
User Tracker simplifies the task of building the TFTP server database. With CiscoWorks for Switched Internetworks (CWSI), you can use the User Tracker function to build the database. User Tracker keeps track of individual stations in your network. Through a series of screens, you can use the information gleaned by User Tracker to automatically add entries to the VMPS database on your TFTP server. This removes the need to type entries into the database by hand, and with it the typographical errors that manual entry introduces.
Configuring the VMPS Client
The VMPS client configuration includes steps to inform the client of the IP address of the VMPS server and to set ports to dynamic mode. By default, ports are in static mode, which means that you must manually configure the VLAN membership. Setting a port to dynamic means that the Catalyst automatically configures the port’s VLAN membership based upon the response of the VMPS server.
Use the command set vmps server ip_addr [primary] to inform the client about the VMPS server IP address. You can specify up to three VMPS servers in the configuration file. One server functions as the primary server, the other two as backups.
To configure ports as dynamic, use the command set port membership mod_num/port_num dynamic. You cannot make a trunk port a dynamic port. You must first turn off trunking before you set port membership to dynamic. Nor can you set a secure port to dynamic. If you have port security enabled, you must disable it before you set it to dynamic. After you enter the set port membership command, the Catalyst attempts to communicate with the VMPS server using VQP when the attached device initially transmits. If the client successfully communicates with the server, the server responds in one of four ways:
- Assigns the port to an authorized VLAN
- Assigns the port to a fallback VLAN
- Denies access
- Disables the port
If the VMPS server finds an entry for the MAC address in the VMPS database, the server responds with the authorized VLAN for that device. The VMPS client enables the port and configures the port to the correct VLAN. If the VMPS server does not find the MAC address in the database, it assigns the device to the fallback VLAN if you set one up in the database.
If you do not have a fallback specified, the VMPS server responds with instructions to deny access or shut down the interface, depending upon the VMPS security setting. Deny access differs from shutdown in that deny allows the device to try again (the behavior in open mode, that is, when the security option is disabled), whereas shutdown literally shuts down the port and prevents any further attempts to dynamically assign it (the default behavior in secure mode, when the security option is enabled).
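The database semantics of Parts 1 through 3 (the global settings, the MAC-to-VLAN table with --NONE--, and the port-group policies) and the four server responses just listed, worked as one added Python example that is not Cisco code and not part of the original text: a parser for the VMPS text database and an authorize() function that answers a client query the way the text describes. The embedded database is a constructed copy of the setting lines of Example 5-5. The tuple-style replies ("assign", "deny", "shutdown"), answering a rejected domain mismatch with a deny, and treating a known MAC on a port that its policy excludes as deny in open mode and shutdown in secure mode are assumptions of this example, not documented VQP behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

NONE_VLAN = "--NONE--"   # reserved VLAN name: the MAC is never allowed on a dynamic port

# Constructed input: the setting lines of Example 5-5 (comment lines omitted).
EXAMPLE_DB = """\
vmps domain testvtp
vmps mode open
vmps fallback default
vmps no-domain-req deny
vmps-mac-addrs
address 0060.0893.dbc1 vlan-name Engineering
address 0060.08aa.5279 vlan-name --NONE--
address 0060.08b6.49fb vlan-name Engineering
vmps-port-group restrictengineering
 device 172.16.1.2 port 3/1
 device 172.16.1.2 port 3/2
 device 172.16.1.3 port 4/1
 device 172.16.1.3 port 4/3
 device 172.16.1.3 port 4/5
vmps-port-policies vlan-name Engineering port-group restrictengineering
"""


def normalize_mac(mac: str) -> str:
    """Accept 0060.0893.dbc1, 00:60:08:93:db:c1 or 00-60-08-93-DB-C1; return the dotted Cisco form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


@dataclass
class VmpsDatabase:
    domain: str = ""
    mode: str = "open"                                  # open | secure
    fallback: Optional[str] = None
    no_domain_req: str = "allow"                        # allow | deny
    mac_to_vlan: dict = field(default_factory=dict)     # dotted MAC -> VLAN name
    port_groups: dict = field(default_factory=dict)     # group -> {(device, port)}; port "*" means all-ports
    vlan_groups: dict = field(default_factory=dict)     # group -> {VLAN name}
    port_policies: dict = field(default_factory=dict)   # VLAN name -> {(device, port)} where it may be granted


def parse_vmps_database(text: str) -> VmpsDatabase:
    """Parse the three-part database; lines starting with '!' are comments."""
    db = VmpsDatabase()
    group = None   # ("port-group", name) or ("vlan-group", name) while inside a group definition
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "vmps" and len(tok) == 3 and tok[1] in ("domain", "mode", "fallback", "no-domain-req"):
            setattr(db, tok[1].replace("-", "_"), tok[2])
        elif tok[0] == "vmps-mac-addrs":
            group = None
        elif tok[0] == "address" and len(tok) == 4 and tok[2] == "vlan-name":
            db.mac_to_vlan[normalize_mac(tok[1])] = tok[3]
        elif tok[0] == "vmps-port-group" and len(tok) == 2:
            group = ("port-group", tok[1])
            db.port_groups.setdefault(tok[1], set())
        elif tok[0] == "device" and group and group[0] == "port-group":
            port = tok[3] if len(tok) == 4 and tok[2] == "port" else "*"   # "device <id> all-ports"
            db.port_groups[group[1]].add((tok[1], port))
        elif tok[0] == "vmps-vlan-group" and len(tok) == 2:
            group = ("vlan-group", tok[1])
            db.vlan_groups.setdefault(tok[1], set())
        elif tok[0] == "vlan-name" and group and group[0] == "vlan-group":
            db.vlan_groups[group[1]].add(tok[1])
        elif tok[0] == "vmps-port-policies" and len(tok) >= 5 and tok[1] in ("vlan-name", "vlan-group"):
            group = None
            vlans = {tok[2]} if tok[1] == "vlan-name" else db.vlan_groups.get(tok[2], set())
            if tok[3] == "port-group" and len(tok) == 5:
                ports = db.port_groups.get(tok[4], set())
            elif tok[3] == "device" and len(tok) == 7 and tok[5] == "port":
                ports = {(tok[4], tok[6])}
            else:
                raise ValueError(f"bad port policy: {line!r}")
            for vlan in vlans:
                db.port_policies.setdefault(vlan, set()).update(ports)
        else:
            raise ValueError(f"unrecognised database line: {line!r}")
    if not db.domain:
        raise ValueError("vmps domain must be defined")
    return db


def port_allowed(db: VmpsDatabase, vlan: str, device: str, port: str) -> bool:
    """A VLAN with no port policy may be granted anywhere; otherwise the client port must be listed."""
    policy = db.port_policies.get(vlan)
    return policy is None or (device, port) in policy or (device, "*") in policy


def authorize(db: VmpsDatabase, client_domain: str, device: str, port: str, mac: str) -> tuple:
    """Answer one client query: ("assign", vlan), ("deny", None) or ("shutdown", None).

    deny     -> the port stays unassigned and the client may ask again when the host transmits
    shutdown -> the client disables the port until an administrator re-enables it
    """
    if client_domain != db.domain and db.no_domain_req == "deny":
        return ("deny", None)               # domain mismatch refused (assumption: modelled as a deny)
    vlan = db.mac_to_vlan.get(normalize_mac(mac))
    if vlan == NONE_VLAN:
        return ("deny", None)               # explicitly excluded; not even the fallback VLAN
    if vlan is not None:
        if port_allowed(db, vlan, device, port):
            return ("assign", vlan)
        return ("shutdown", None) if db.mode == "secure" else ("deny", None)   # policy violation (assumption)
    if db.fallback is not None:
        return ("assign", db.fallback)      # unknown MAC lands in the miscellaneous VLAN
    return ("shutdown", None) if db.mode == "secure" else ("deny", None)
```

Running authorize() over the three addresses of Example 5-5 shows the three outcomes the text describes: an Engineering host on Cat-B port 3/1 gets Engineering, the same host on any port outside restrictengineering is refused, and the address mapped to --NONE-- is refused everywhere even though a fallback VLAN exists.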
You can have multiple hosts on the dynamic port; however, all hosts must be authorized for the same VLAN, and you cannot have more than 50 hosts on the port.
Note that a Catalyst does not send a VQP query to the server until the device attached to the port transmits. When the local Catalyst sees the source MAC address, it can generate a request to the VMPS server. If you use the show port command, you can determine what VLAN a port is assigned to. Dynamic ports show a VLAN value beginning with dyn-, as shown in Example 5-7.
Example 5-7 Displaying Dynamic Ports
Console> show port
Port  Name  Status   Vlan    Level   Duplex  Speed  Type
1/1         connect  dyn-3   normal  full    100    100 BASE-TX
1/2         connect  trunk   normal  half    100    100 BASE-TX
2/1         connect  trunk   normal  full    155    OC3 MMF ATM
3/1         connect  dyn-    normal  half    10     10 BASE-T
3/2         connect  dyn-5   normal  half    10     10 BASE-T
3/3         connect  dyn-5   normal  half    10     10 BASE-T
Console> (enable)
Note the entry for Port 1/1: it is a dynamic port with a VLAN assignment (dyn-3). Port 3/1, by contrast, is a dynamic port without a VLAN assignment (dyn- with no VLAN number). The Catalyst does not forward any frames from the host attached to this port. When you first attach a host to the port, the Catalyst does not yet know the source MAC address and automatically places the port in this state.
After the host transmits and the VMPS client receives a valid response from the VMPS server, the VMPS client Catalyst enables the interface in the correct VLAN. If the host sits idle for a while and the bridge aging timer expires for its entry, the Catalyst returns the port to the unassigned state. The VMPS client issues a new query to the VMPS server when the host transmits again.
Confirm the VMPS client configuration with the show vmps command, as shown in Example 5-6. The bottom half of this output shows the client settings. The reconfirm interval defines how often the client interrogates the VMPS server to see whether a policy changed for locally attached hosts; in Example 5-6, the interval is 20 minutes. The Server Retry Count, in this case three, specifies how many times the VMPS client tries to reach the VMPS server. If it receives no response from the server after three attempts, the client attempts to reach one of the backup servers. Finally, the output shows the IP address of the VMPS server the client is attempting to use, 172.16.1.1.
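The client-side behaviour described in this section, modelled as an added Python example that is not Cisco code and not part of the original text: a dynamic port that stays unassigned after a deny and queries again on the next frame, a port that a shutdown reply disables until an administrator re-enables it, a client that moves to a backup server once the retry count against the primary is exhausted, and the return to the unassigned state when the host's bridge-table entry ages out. The transport is a constructed stand-in for the VQP exchange: the server addresses, the MAC-to-reply table, and the reply tuples are assumptions of the example, and the port state is shown with the VLAN name where the Catalyst's show port would show the number.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


class VqpTimeout(Exception):
    """Raised by the transport when a VMPS server does not answer a query."""


@dataclass
class DynamicPort:
    name: str
    vlan: Optional[str] = None    # None: shown as "dyn-" with no VLAN, frames are not forwarded
    disabled: bool = False        # set by a shutdown reply; cleared only by an administrator

    def state(self) -> str:
        if self.disabled:
            return "shutdown"
        return f"dyn-{self.vlan}" if self.vlan else "dyn-"


@dataclass
class VmpsClient:
    servers: list                 # primary first, then up to two backups
    send: Callable                # send(server, port_name, mac) -> reply tuple, or raises VqpTimeout
    retry_count: int = 3          # the Server Retry Count shown by show vmps
    ports: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def port(self, name: str) -> DynamicPort:
        return self.ports.setdefault(name, DynamicPort(name))

    def _query(self, port_name: str, mac: str):
        """Ask each server in turn, up to retry_count attempts each; None if nobody answered."""
        for server in self.servers:
            for attempt in range(1, self.retry_count + 1):
                try:
                    reply = self.send(server, port_name, mac)
                except VqpTimeout:
                    self.log.append(f"{port_name}: no reply from {server} (attempt {attempt})")
                    continue
                self.log.append(f"{port_name}: {server} replied {reply[0]} (attempt {attempt})")
                return reply
        return None

    def host_transmitted(self, port_name: str, mac: str) -> str:
        """A frame with source MAC `mac` arrived on the port: query the VMPS and apply the reply."""
        p = self.port(port_name)
        if p.disabled:                        # a shut down port sends no further queries
            return p.state()
        reply = self._query(port_name, mac)
        if reply is None or reply[0] == "deny":
            p.vlan = None                     # unassigned; the next frame triggers a new query
        elif reply[0] == "assign":
            p.vlan = reply[1]                 # authorized or fallback VLAN
        elif reply[0] == "shutdown":
            p.vlan, p.disabled = None, True
        return p.state()

    def aging_timer_expired(self, port_name: str) -> str:
        """The host's bridge-table entry aged out: back to unassigned until it transmits again."""
        p = self.port(port_name)
        p.vlan = None
        return p.state()

    def admin_enable(self, port_name: str) -> str:
        """An operator re-enables a port that a shutdown reply disabled."""
        p = self.port(port_name)
        p.disabled, p.vlan = False, None
        return p.state()


def make_transport(answers: dict, dead_servers: set) -> Callable:
    """Constructed stand-in for VQP: a MAC -> reply table plus servers that never answer."""
    def send(server, port_name, mac):
        if server in dead_servers:
            raise VqpTimeout(server)
        return answers.get(mac, ("deny", None))
    return send


if __name__ == "__main__":
    # Primary 172.16.1.1 is down; the constructed backup 172.16.1.4 answers.
    answers = {"0060.0893.dbc1": ("assign", "Engineering"), "0060.08aa.5279": ("shutdown", None)}
    client = VmpsClient(["172.16.1.1", "172.16.1.4"], make_transport(answers, {"172.16.1.1"}))
    print(client.host_transmitted("3/1", "0060.0893.dbc1"))
    print("\n".join(client.log))
```

The log makes the retry behaviour visible: three unanswered attempts against the primary, then one answer from the backup, after which the port shows its VLAN. The same object shows why a shutdown reply is the heavier penalty: once disabled, the port ignores further frames and never queries again until admin_enable() is called.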