Understanding The Vmps Server - Cisco Catalyst 4500 series Administration Manual

Chapter 16 Configuring VLANs, VTP, and VMPS
•
•

Understanding the VMPS Server

A VLAN Membership Policy Server (VMPS) provides a centralized server for selecting the VLAN for
a port dynamically based on the MAC address of the device connected to the port. When the host moves
from a port on one switch in the network to a port on another switch in the network, that switch
dynamically assigns the new port to the proper VLAN for that host.
A Catalyst 4500 series switch running Cisco IOS software does not support the functionality of a VMPS.
It can only function as a VLAN Query Protocol (VQP) client, which communicates with a VMPS
through the VQP. For VMPS functionality, you need to use a Catalyst 4500 series switch (or Catalyst
6500 series switch) running Catalyst operating system (OS) software.
VMPS uses a UDP port to listen to VQP requests from clients, so, it is not necessary for VMPS clients
to know if the VMPS resides on a local or remote device on the network. Upon receiving a valid request
from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN
mapping.
In response to a request, the VMPS takes one of the following actions:
•
•
Security Modes for VMPS Server
VMPS operates in three different modes. The way a VMPS server responds to illegal requests depends
on the mode in which the VMPS is configured:
•
•
•
OL_28731-01
Fallback VLAN, page 16-22
Illegal VMPS Client Requests, page 16-23
If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against
this group and responds as follows:
If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.
–
If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends
–
an "access-denied" response.
If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a
–
"port-shutdown" response.
If the VLAN in the database does not match the current VLAN on the port and active hosts exist on
the port, the VMPS sends an "access-denied" (open), a "fallback VLAN name" (open with fallback
VLAN configured), a "port-shutdown" (secure), or a "new VLAN name" (multiple) response,
depending on the secure mode setting of the VMPS.
If the switch receives an "access-denied" response from the VMPS, the switch continues to block
traffic from the MAC address to or from the port. The switch continues to monitor the packets
directed to the port and sends a query to the VMPS when it identifies a new address. If the switch
receives a "port-shutdown" response from the VMPS, the switch disables the port. The port must be
manually reenabled by using the CLI, Cisco Visual Switch Manager (CVSM), or SNMP.
You can also use an explicit entry in the configuration table to deny access to specific MAC
addresses for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends
an "access-denied" or "port-shutdown" response.
Open Mode, page 16-22
Secure Mode, page 16-22
Multiple Mode, page 16-22
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
VLAN Membership Policy Server
16-21