Tuesday 21 April 2015

Configuring VLAN Management Policy Server

Configuring VMPS

The Catalyst 2950 switch cannot be a VMPS server but can act as a client to the VMPS and communicate with it through the VLAN Query Protocol (VQP). The VMPS dynamically assigns VLAN membership to dynamic access ports, based on the source MAC address of the host attached to the port.
This section includes this information about configuring VMPS:
"Understanding VMPS" section
"Default VMPS Configuration" section
"VMPS Configuration Guidelines" section
"Configuring the VMPS Client" section
"Monitoring the VMPS" section
"Troubleshooting Dynamic Port VLAN Membership" section
"VMPS Configuration Example" section

Understanding VMPS

When the VMPS receives a VQP request from a client switch, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in secure mode. Secure mode determines whether the server shuts down the port when a VLAN is not allowed on it or just denies the port access to the VLAN.
In response to a request, the VMPS takes one of these actions:
If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group and responds as follows:
If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.
If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends an access-denied response.
If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a port-shutdown response.
If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.
If the switch receives an access-denied response from the VMPS, it continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually re-enabled by using the CLI, CMS, or SNMP.
You can also use an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons. If you enter the none keyword (written --NONE-- in the database file) for the VLAN name, the VMPS sends an access-denied or port-shutdown response, depending on the VMPS secure mode setting. Note that the only identity the VMPS checks is the source MAC address, which any host can set; treat dynamic VLAN assignment as a provisioning convenience rather than as an access control comparable to 802.1X, which (see the configuration guidelines) cannot be combined with a dynamic port.

Dynamic Port VLAN Membership

A dynamic (nontrunking) port on the switch can belong to only one VLAN, with a VLAN ID from 1 to 1005. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic port and attempts to match the MAC address to a VLAN in the VMPS database.
If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not previously configured, it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS. If the client switch was previously configured, it includes its domain name in the query packet to the VMPS to obtain its VLAN number. The VMPS verifies that the domain name in the packet matches its own domain name before accepting the request and responds to the client with the assigned VLAN number for the client. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN; however, the VMPS shuts down a dynamic port if more than 20 hosts are active on the port.
If the link goes down on a dynamic port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.

VMPS Database Configuration File

The VMPS contains a database configuration file that you create. This ASCII text file is stored on a switch-accessible TFTP server that functions as a VMPS server. The file contains VMPS information, such as the domain name, the fallback VLAN name, and the MAC-address-to-VLAN mapping. The Catalyst 2950 switch cannot act as the VMPS, but you can use a Catalyst 5000 or Catalyst 6000 series switch as the VMPS.
You can configure a fallback VLAN name. If you connect a device with a MAC address that is not in the database, the VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN and the MAC address does not exist in the database, the VMPS sends an access-denied response. If the VMPS is in secure mode, it sends a port-shutdown response.
Whenever port names are used in the VMPS database configuration file, the server must use the switch convention for naming ports. For example, Fa0/4 is fixed Fast Ethernet port number 4. If the switch is a cluster member, the command switch adds the name of the switch before the type. For example,es3%Fa0/4 refers to fixed Fast Ethernet port 4 on member switch 3. When port names are required, these naming conventions must be followed in the VMPS database configuration file when it is configured to support a cluster.
This is an example of a VMPS database configuration file as it appears on a Catalyst 6000 series switch. The file has these characteristics:
The security mode is open.
The default is used for the fallback VLAN.
MAC-address-to-VLAN-name mappings are defined: the MAC address of each host and the VLAN to which each host belongs.
Port groups are defined.
VLAN groups are defined.
VLAN port policies are defined for the ports associated with restricted VLANs.
!VMPS File Format, version 1.1
! Always begin the configuration file with
! the word "VMPS"
!
!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode {open | secure}
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
! The default value is allow.
vmps domain DSBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 0/2
 device 172.20.26.141 port 0/8
vmps-port-group "Executive Row"
 device 198.4.254.222 port 0/2
 device 198.4.254.222 port 0/3
 device 198.4.254.223 all-ports
!
!VLAN groups
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
!
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 0/8
vmps-port-policies vlan-name Purple
 device 198.4.254.22 port 0/2
 port-group "Executive Row"
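The following is an added example, not Cisco code and not part of the original page. It ties the database file above to the decision rules in the "Understanding VMPS" section: a small parser reads the statements used in the example file (the real VMPS parser is not documented here, so the parser is an assumption), and a query function answers a VQP-style request with either the VLAN name, an access-denied response or a port-shutdown response, honouring secure mode, the fallback VLAN, the --NONE-- entry, the VLAN port policies, the domain check and the 20-host limit. The embedded database is the example file with its comment lines and one duplicate hardware entry removed.

```python
"""Added example, not Cisco code: a toy VMPS decision engine.
It parses the database file format shown above and answers a VQP-style
query with the VLAN name, "access-denied" or "port-shutdown", following
the rules in "Understanding VMPS". The parser is an assumption: it handles
only the statements used in the example file."""
import shlex

MAX_ACTIVE_HOSTS = 20  # VMPS shuts a dynamic port with more than 20 active hosts

# Constructed input: the example database above, comment lines dropped.
EXAMPLE_DB = """\
vmps domain DSBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
vmps-port-group WiringCloset1
 device 198.92.30.32 port 0/2
 device 172.20.26.141 port 0/8
vmps-port-group "Executive Row"
 device 198.4.254.222 port 0/2
 device 198.4.254.222 port 0/3
 device 198.4.254.223 all-ports
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 0/8
vmps-port-policies vlan-name Purple
 device 198.4.254.22 port 0/2
 port-group "Executive Row"
"""


def parse_vmps_db(text):
    """Return globals, the MAC map, port groups, VLAN groups and port policies."""
    db = {"domain": None, "mode": "open", "fallback": None, "no_domain_req": "allow",
          "macs": {}, "port_groups": {}, "vlan_groups": {}, "policies": {}}
    section = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        tok = shlex.split(line)  # keeps quoted names such as "Executive Row" whole
        key = tok[0]
        if key == "vmps":  # vmps domain|mode|fallback|no-domain-req <value>
            db[tok[1].replace("-", "_")] = tok[2]
        elif key == "address":
            db["macs"][tok[1].lower()] = tok[3]
        elif key == "vmps-port-group":
            section, current = "pg", tok[1]
            db["port_groups"][current] = set()
        elif key == "vmps-vlan-group":
            section, current = "vg", tok[1]
            db["vlan_groups"][current] = []
        elif key == "vmps-port-policies":  # restricts one VLAN or a whole VLAN group
            section = "pp"
            current = db["vlan_groups"][tok[2]] if tok[1] == "vlan-group" else [tok[2]]
            for vlan in current:
                db["policies"].setdefault(vlan, set())
        elif section == "pg" and key == "device":  # "*" stands for all-ports
            db["port_groups"][current].add((tok[1], "*" if tok[2] == "all-ports" else tok[3]))
        elif section == "vg" and key == "vlan-name":
            db["vlan_groups"][current].append(tok[1])
        elif section == "pp" and key == "port-group":
            for vlan in current:
                db["policies"][vlan] |= db["port_groups"][tok[1]]
        elif section == "pp" and key == "device":
            for vlan in current:
                db["policies"][vlan].add((tok[1], tok[3]))
    return db


def vqp_decide(db, mac, device, port, domain=None, port_vlan=None, active_hosts=0):
    """Answer one query; active_hosts is the number of hosts already active on the port."""
    refuse = "port-shutdown" if db["mode"] == "secure" else "access-denied"
    if domain is None and db["no_domain_req"] == "deny":
        return refuse
    if domain is not None and domain != db["domain"]:
        return refuse  # the domain name must match the VMPS's own domain
    if active_hosts + 1 > MAX_ACTIVE_HOSTS:
        return "port-shutdown"  # too many hosts on the port, regardless of mode
    vlan = db["macs"].get(mac.lower(), db["fallback"])
    if vlan is None or vlan == "--NONE--":
        return refuse  # unknown MAC with no fallback, or explicitly denied MAC
    allowed = db["policies"].get(vlan)
    if allowed is not None and (device, port) not in allowed and (device, "*") not in allowed:
        return refuse  # VLAN restricted to a port group this port is not in
    if port_vlan is not None and port_vlan != vlan and active_hosts > 0:
        return refuse  # would move hosts already active on the port to another VLAN
    return vlan
```

Flipping the mode line to "vmps mode secure" turns every refusal into a port-shutdown, which is why secure mode is worth testing before it is deployed: a single mistyped MAC entry or a stale port group then takes a port out of service until someone runs no shutdown on it.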

Default VMPS Configuration

Table 13-7 shows the default VMPS and dynamic port configuration on client switches.

Table 13-7 Default VMPS Client and Dynamic Port Configuration

Feature                    Default Setting
VMPS domain server         None
VMPS reconfirm interval    60 minutes
VMPS server retry count    3
Dynamic ports              None configured

VMPS Configuration Guidelines

These guidelines and restrictions apply to dynamic port VLAN membership:
You must configure the VMPS before you configure ports as dynamic.
The communication between a cluster of switches and the VMPS is managed by the command switch and includes port-naming conventions that are different from standard port names. For the cluster-based port-naming conventions, see the "VMPS Database Configuration File" section.
When you configure a port as dynamic, the spanning-tree Port Fast feature is automatically enabled for that port. The Port Fast mode accelerates the process of bringing the port into the forwarding state. You can disable Port Fast mode on a dynamic port.
802.1X ports cannot be configured as dynamic ports. If you try to enable 802.1X on a dynamic-access (VQP) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
Trunk ports cannot be dynamic ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port.
You must turn off trunking on the port before the dynamic access setting takes effect.
Dynamic ports cannot be network ports or monitor ports.
Secure ports cannot be dynamic ports. You must disable port security on a port before it becomes dynamic.
Dynamic ports cannot be members of an EtherChannel group.
Port channels cannot be configured as dynamic ports.
The VTP management domain of the VMPS client and the VMPS server must be the same.
VQP does not support extended-range VLANs (VLAN IDs 1006 and higher). Extended-range VLANs cannot be assigned by the VMPS.
The VLAN configured on the VMPS server should not be a voice VLAN.

Configuring the VMPS Client

You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.

Entering the IP Address of the VMPS

You must first enter the IP address of the server to configure the switch as a client.
Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS:

Step 1: configure terminal
        Enter global configuration mode.
Step 2: vmps server ipaddress primary
        Enter the IP address of the switch acting as the primary VMPS server.
Step 3: vmps server ipaddress
        Enter the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.
Step 4: end
        Return to privileged EXEC mode.
Step 5: show vmps
        Verify your entries in the VMPS Domain Server field of the display.
Step 6: copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Configuring Dynamic Access Ports on VMPS Clients

If you are configuring a port on a cluster member switch as a dynamic port, first use the rcommand privileged EXEC command to log into the member switch.
Beginning in privileged EXEC mode, follow these steps to configure a dynamic access port on a VMPS client switch:

Step 1: configure terminal
        Enter global configuration mode.
Step 2: interface interface-id
        Enter interface configuration mode for the switch port that is connected to the end station.
Step 3: switchport mode access
        Set the port to access mode.
Step 4: switchport access vlan dynamic
        Configure the port as eligible for dynamic VLAN membership. The dynamic access port must be connected to an end station.
Step 5: end
        Return to privileged EXEC mode.
Step 6: show interfaces interface-id switchport
        Verify your entries in the Operational Mode field of the display.
Step 7: copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To return an interface to its default configuration, use the default interface interface-id interface configuration command. To return an interface to its default switchport mode (dynamic desirable), use the no switchport mode interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access interface configuration command.

Reconfirming VLAN Memberships

Beginning in privileged EXEC mode, follow these steps to confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS:

Step 1: vmps reconfirm
        Reconfirm dynamic port VLAN membership.
Step 2: show vmps
        Verify the dynamic VLAN reconfirmation status.

Changing the Reconfirmation Interval

VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes after which reconfirmation occurs.
If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log into the member switch.
Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval:

Step 1: configure terminal
        Enter global configuration mode.
Step 2: vmps reconfirm minutes
        Enter the number of minutes between reconfirmations of the dynamic VLAN membership. Enter a number from 1 to 120. The default is 60 minutes.
Step 3: end
        Return to privileged EXEC mode.
Step 4: show vmps
        Verify the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display.
Step 5: copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no vmps reconfirm global configuration command.

Changing the Retry Count

Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:

Step 1: configure terminal
        Enter global configuration mode.
Step 2: vmps retry count
        Change the retry count. The retry range is from 1 to 10; the default is 3.
Step 3: end
        Return to privileged EXEC mode.
Step 4: show vmps
        Verify your entry in the Server Retry Count field of the display.
Step 5: copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no vmps retry global configuration command.

Monitoring the VMPS

You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:

VMPS VQP Version

The version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP version 1.

Reconfirm Interval

The number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments.

Server Retry Count

The number of times VQP resends a query to the VMPS. If no response is received after this many tries, the switch starts to query the secondary VMPS.

VMPS domain server

The IP addresses of the configured VLAN membership policy servers. The switch sends queries to the one marked current. The one marked primary is the primary server.

VMPS Action

The result of the most recent reconfirmation attempt. A reconfirmation attempt occurs automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command or its CMS or SNMP equivalent.

This is an example of output for the show vmps privileged EXEC command:

Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.86 (primary, current)
                    172.20.128.87

Reconfirmation status
---------------------
VMPS Action:         No Dynamic Port
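The following is an added example, not Cisco code and not part of the original page. It models the client-side behaviour the Server Retry Count and VMPS domain server fields describe: a query goes to the server marked current, is retried up to the retry count, and only then does the client move to the next configured server, which becomes the new current server. The transport is a stand-in callable that counts sends and answers only from the servers you declare reachable; the wrap-around from the last secondary back to the primary, and giving up (returning None, so the port stays unassigned) after every server has been tried, are assumptions, since the page does not describe what the client does at that point.

```python
"""Added example, not Cisco code: how a VMPS client walks its server list.
Models the behaviour described under "Monitoring the VMPS": queries go to
the server marked current, each query is retried up to the retry count,
and a server that stays silent is replaced by the next configured one.
Assumptions: the transport is a stand-in callable, the client wraps back
to the primary after the last secondary, and it gives up (returns None)
once every server has been tried."""


class VmpsClient:
    def __init__(self, servers, retry=3, reconfirm=60):
        # Ranges are the ones given for vmps retry, vmps reconfirm and vmps server.
        if not 1 <= retry <= 10 or not 1 <= reconfirm <= 120:
            raise ValueError("vmps retry is 1-10, vmps reconfirm is 1-120 minutes")
        if not 1 <= len(servers) <= 4:
            raise ValueError("one primary plus up to three secondary servers")
        self.servers = list(servers)  # primary first, then the secondaries
        self.retry = retry
        self.reconfirm = reconfirm
        self.current = 0  # index of the server marked "current" in show vmps

    def query(self, transport, request):
        """Send request with transport(server, request) -> reply or None."""
        for offset in range(len(self.servers)):
            idx = (self.current + offset) % len(self.servers)
            for _ in range(self.retry):  # retry count applies per server
                reply = transport(self.servers[idx], request)
                if reply is not None:
                    self.current = idx  # the answering server becomes current
                    return reply
        return None  # no server answered: the dynamic port stays unassigned

    def show_vmps(self):
        """The client-status lines of show vmps, in the layout shown above."""
        lines = ["VMPS VQP Version:   1",
                 f"Reconfirm Interval: {self.reconfirm} min",
                 f"Server Retry Count: {self.retry}"]
        for i, server in enumerate(self.servers):
            tags = [t for t, on in (("primary", i == 0), ("current", i == self.current)) if on]
            prefix = "VMPS domain server: " if i == 0 else " " * 20
            lines.append(prefix + server + (f" ({', '.join(tags)})" if tags else ""))
        return lines


def make_transport(reachable, reply="hardware"):
    """Stand-in for VQP on the wire: only reachable servers answer; sends are counted."""
    sent = {}

    def transport(server, request):
        sent[server] = sent.get(server, 0) + 1
        return reply if server in reachable else None

    transport.sent = sent
    return transport
```

The send counts are the practical point: with the default retry count of 3, a dead primary costs three unanswered queries before the first secondary is even tried, and a host on a dynamic port gets no VLAN at all while that happens, so the retry count and the number of secondaries together set the worst-case delay before a port comes up.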

Troubleshooting Dynamic Port VLAN Membership

The VMPS shuts down a dynamic port under these conditions:
The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.
More than 20 active hosts reside on a dynamic port.
To re-enable a disabled dynamic port, enter the no shutdown interface configuration command.

VMPS Configuration Example

Figure 13-5 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply:
The VMPS server and the VMPS client are separate switches.
The Catalyst 5000 series Switch 1 is the primary VMPS server.
The Catalyst 5000 series Switch 3 and Switch 10 are secondary VMPS servers.
The end stations are connected to these clients:
Catalyst 2950 Switch 2
Catalyst 3500 XL Switch 9
The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
Figure 13-5 Dynamic Port VLAN Membership Configuration
