Security Modes For Vmps Server - Cisco Catalyst 4500 Series Software Configuration Manual
Cisco ios xe release 3.9.xe and cisco ios release 15.2(5)ex
Hide thumbs
Also See for Catalyst 4500 Series:
- Administration manual (1814 pages) ,
- Configuration manual (1610 pages) ,
- Command reference manual (1230 pages)
Table of Contents
Advertisement
Chapter 17
Configuring VLANs, VTP, and VMPS
•
Security Modes for VMPS Server
VMPS operates in three different modes. The way a VMPS server responds to illegal requests depends
on the mode in which the VMPS is configured:
•
•
•
Open Mode
If no VLAN is assigned to this port, VMPS verifies the requesting MAC address against this port:
•
•
If a VLAN is already assigned to this port, VMPS verifies the requesting MAC address against this port:
•
•
Secure Mode
If no VLAN is assigned to this port, VMPS verifies the requesting MAC address against this port:
•
If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.
–
If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends
–
an "access-denied" response.
If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a
–
"port-shutdown" response.
If the VLAN in the database does not match the current VLAN on the port and active hosts exist on
the port, the VMPS sends an "access-denied" (open), a "fallback VLAN name" (open with fallback
VLAN configured), a "port-shutdown" (secure), or a "new VLAN name" (multiple) response,
depending on the secure mode setting of the VMPS.
If the switch receives an "access-denied" response from the VMPS, the switch continues to block
traffic from the MAC address to or from the port. The switch continues to monitor the packets
directed to the port and sends a query to the VMPS when it identifies a new address. If the switch
receives a "port-shutdown" response from the VMPS, the switch disables the port. The port must be
manually reenabled by using the CLI, Cisco Visual Switch Manager (CVSM), or SNMP.
You can also use an explicit entry in the configuration table to deny access to specific MAC
addresses for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends
an "access-denied" or "port-shutdown" response.
Open Mode, page 17-21
Secure Mode, page 17-21
Multiple Mode, page 17-22
If the VLAN associated with this MAC address is allowed on the port, the VLAN name is returned
to the client.
If the VLAN associated with this MAC address is not allowed on the port, the host receives an
"access denied" response.
If the VLAN associated with this MAC address in the database does not match the current VLAN
assigned on the port, and a fallback VLAN name is configured, VMPS sends the fallback VLAN
name to the client.
If a VLAN associated with this MAC address in the database does not match the current VLAN
assigned on the port, and a fallback VLAN name is not configured, the host receives an "access
denied" response.
If the VLAN associated with this MAC address is allowed on the port, the VLAN name is returned
to the client.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
VLAN Membership Policy Server
17-21
Advertisement
Chapters
Table of Contents
Troubleshooting
