Dynamic-Access Port Vlan Membership - Cisco Catalyst 2960 series Configuration Manual


Configuring VMPS
• If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host.
• If the host is not allowed on the port and the VMPS is in open mode, the VMPS sends an access-denied response.
• If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a port-shutdown response.
If the port already has a VLAN assignment, the VMPS provides one of these responses:
• If the VLAN in the database matches the current VLAN on the port, the VMPS sends a success response, allowing access to the host.
• If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.
If the switch receives an access-denied response from the VMPS, it continues to block traffic to and from the host MAC address. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually reenabled by using Network Assistant, the CLI, or SNMP.
Related Topics
Configuring Dynamic-Access Ports on VMPS Clients
Example: VMPS Configuration

Dynamic-Access Port VLAN Membership

A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.
If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not previously configured, it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS. If the client switch was previously configured, it includes its domain name in the query packet to the VMPS to obtain its VLAN number. The VMPS verifies that the domain name in the packet matches its own domain name before accepting the request and responds to the client with the assigned VLAN number for the client.
If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic-access port if they are all in the same VLAN; however, the VMPS shuts down a dynamic-access port if more than 20 hosts are active on the port.
If the link goes down on a dynamic-access port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.
Dynamic-access ports can be used for direct host connections, or they can connect to a network. A maximum of 20 MAC addresses are allowed per port on the switch. A dynamic-access port can belong to only one VLAN at a time, but the VLAN can change over time, depending on the MAC addresses seen.
OL-29065
Catalyst 2960-X Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX
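
The response rules and port states described above can be traced with a small model. This is an added example, not code from Cisco or from the guide. It assumes the VMPS database is a plain MAC-to-VLAN-name map (the sample entries are constructed), treats "allowed" as "has a database entry", uses `port-disabled` as a hypothetical label for a port awaiting manual re-enable, and assumes an idle port may be reassigned to a different VLAN.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_HOSTS = 20  # page: more than 20 active hosts shuts the port down
# Constructed sample database (MAC address -> VLAN name), not real data.
SAMPLE_DB = {"00:11:22:33:44:55": "ENG", "00:11:22:33:44:66": "ENG",
             "00:aa:bb:cc:dd:ee": "GUEST"}

@dataclass
class Port:
    vlan: Optional[str] = None  # None = isolated, no VLAN assignment yet
    hosts: set = field(default_factory=set)  # active MAC addresses
    shutdown: bool = False  # stays True until manually re-enabled

def vmps_response(db, secure, port, mac):
    """Return the (response, vlan) pair the VMPS sends for a query about mac."""
    refuse = "port-shutdown" if secure else "access-denied"
    vlan = db.get(mac)
    if vlan is None:  # no match in the VMPS database
        return refuse, None
    others = port.hosts - {mac}
    if len(others) + 1 > MAX_HOSTS:
        return "port-shutdown", None
    if port.vlan is None:  # port has no VLAN assignment yet
        return "vlan-assignment", vlan
    if vlan == port.vlan:
        return "success", vlan
    if others:  # VLAN mismatch while other hosts are active on the port
        return refuse, None
    return "vlan-assignment", vlan  # assumption: an idle port may change VLAN

def client_handle(db, secure, port, mac):
    """Apply the VMPS response on the client switch and return it."""
    mac = mac.lower()
    if port.shutdown:
        return "port-disabled"  # hypothetical label, not a VQP response
    resp, vlan = vmps_response(db, secure, port, mac)
    if resp == "port-shutdown":
        port.shutdown, port.vlan = True, None
        port.hosts.clear()
    elif resp in ("vlan-assignment", "success"):
        port.vlan = vlan
        port.hosts.add(mac)
    return resp  # access-denied: port stays up, this MAC stays blocked

def link_down(port):
    """Link loss returns the port to the isolated state (no VLAN)."""
    port.vlan = None
    port.hosts.clear()
```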
