15-23
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 15 Configuring VLANs, VTP, and VMPS
VLAN Membership Policy Server
Fallback VLAN
You can configure a fallback VLAN name on a VMPS server.
If no VLAN has been assigned to this port, VMPS compares the requesting MAC address to this port:
• If you connect a device with a MAC address that is not in the database, the VMPS sends the fallback
VLAN name to the client.
• If you do not configure a fallback VLAN name and the MAC address does not exist in the database,
the VMPS sends an “access-denied” response.
If a VLAN is already assigned to this port, VMPS compares the requesting MAC address to this port:
• If the VMPS is in secure mode, it sends a “port-shutdown” response, whether a fallback VLAN has
been configured on the server.
Illegal VMPS Client Requests
Two examples of illegal VMPS client requests are as follows:
• When a MAC-address mapping is not present in the VMPS database and “no fall back” VLAN is
configured on the VMPS.
• When a port is already assigned a VLAN (and the VMPS mode is not “multiple”) but a second
VMPS client request is received on the VMPS for a different MAC-address.
Overview of VMPS Clients
The following subsections describe how to configure a switch as a VMPS client and configure its ports
for dynamic VLAN membership.
The following topics are included:
• Understanding Dynamic VLAN Membership, page 15-23
• Default VMPS Client Configuration, page 15-24
• Configuring a Switch as a VMPS Client, page 15-24
• Administering and Monitoring the VMPS, page 15-28
• Troubleshooting Dynamic Port VLAN Membership, page 15-29
Understanding Dynamic VLAN Membership
When a port is configured as “dynamic,” it receives VLAN information based on the MAC-address that
is on the port. The VLAN is not statically assigned to the port; it is dynamically acquired from the VMPS
based on the MAC-address on the port.
A dynamic port can belong to one VLAN only. When the link becomes active, the switch does not
forward traffic to or from this port until the port is assigned to a VLAN. The source MAC address from
the first packet of a new host on the dynamic port is sent to the VMPS as part of the VQP request, which
attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, the VMPS
sends the VLAN number for that port. If there is no match, the VMPS either denies the request or shuts
down the port (depending on the VMPS security mode setting). See the “About VMPS” section on
page 15-21 for a complete description of possible VMPS responses.
To Next Page
Loading...
Need help?
General
