Restrictions For Vmps; Information About Vmps; Dynamic Vlan Assignments - Cisco Catalyst 2960 series Configuration Manual

Restrictions for VMPS

Restrictions for VMPS

The following are restrictions for configuring VMPS:
• IEEE 802.1x ports cannot be configured as dynamic-access ports. If you try to enable IEEE 802.1x on
• Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic
• Dynamic-access ports cannot be monitor ports.
• Secure ports cannot be dynamic-access ports. You must disable port security on a port before it becomes
• Dynamic-access ports cannot be members of an EtherChannel group.
• Port channels cannot be configured as dynamic-access ports.
• The VLAN configured on the VMPS server should not be a voice VLAN.
• 1K VLAN is supported only on switches running the LAN Base image with the lanbase-default template
• For a normal-range VLAN configuration, to avoid warning messages of high CPU utilization it is

Information About VMPS

Dynamic VLAN Assignments

The VLAN Query Protocol (VQP) is used to support dynamic-access ports, which are not permanently assigned
to a VLAN, but give VLAN assignments based on the MAC source addresses seen on the port. Each time an
unknown MAC address is seen, the switch sends a VQP query to a remote VLAN Membership Policy Server
(VMPS); the query includes the newly seen MAC address and the port on which it was seen. The VMPS
responds with a VLAN assignment for the port. The switch cannot be a VMPS server but can act as a client
to the VMPS and communicate with it through VQP.
Each time the client switch receives the MAC address of a new host, it sends a VQP query to the VMPS.
When the VMPS receives this query, it searches its database for a MAC-address-to-VLAN mapping. The
server response is based on this mapping and whether or not the server is in open or secure mode. In secure
mode, the server shuts down the port when an illegal host is detected. In open mode, the server denies the
host access to the port.
If the port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one
of these responses:
Catalyst 2960-X Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX
82
a dynamic-access (VQP) port, an error message appears, and IEEE 802.1x is not enabled. If you try to
change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the
VLAN configuration is not changed.
interface configuration command for a trunk port. In this case, the switch retains the setting and applies
it if the port is later configured as an access port. You must turn off trunking on the port before the
dynamic-access setting takes effect.
dynamic.
set.
recommended to have no more than 256 VLANs. In such cases, approximately 10 access interfaces or
5 trunk interfaces can flap simultaneously with negligible impact to CPU utilization (if there are more
interfaces that flap simultaneously, then CPU usage may be excessively high.)
Configuring VMPS
OL-29065