1 What is a VMPS?
The VLAN Membership Policy Server (VMPS) makes it possible to manage dynamic VLAN assignment based on MAC addresses with a client/server architecture. When a host connects to a dynamic port, the client switch queries the VMPS server to learn whether this MAC address may be connected to this port, and in which VLAN.
1.1 How it works
The architecture consists of one primary VMPS server, zero to three secondary servers, and client switches. The server uses a database containing MAC address to VLAN mappings and rules that authorize or refuse a user's connection on a switch port. The VMPS server downloads this database from a TFTP server, which can be anywhere on the network.
If the server is stopped or restarted, it is reactivated and the database is downloaded again automatically.
If a host is plugged into a dynamic port, the switch blocks all traffic to and from that port until the port has been assigned a VLAN.
The VMPS server creates a UDP socket to listen for and answer client requests.
Client switches communicate with the VMPS server using the VLAN Query Protocol (VQP).
The client must specify its VTP domain, so VMPS requires a configured VTP domain.
When the server receives a VQP request, it looks up the VLAN corresponding to the MAC address.
The server's response depends on the following:
- If the MAC address is in the VMPS database, the server answers positively by sending the corresponding VLAN.
- If the MAC address is not in the VMPS database, VMPS answers negatively, according to its security mode:
- If VMPS is in "open" mode, it sends an "access-denied" answer to the client, which continues to block traffic from that MAC address on the port.
- If VMPS is in "secure" mode, it sends a "port-shutdown" command and the client shuts the port down.
There are some particular cases:
If a fallback VLAN is configured and the database contains no MAC-to-VLAN mapping for the address, the fallback VLAN is assigned to the client port. Note that with a fallback VLAN an unknown MAC address is no longer refused but placed in that VLAN, so the fallback VLAN should carry only the access you are willing to give unidentified hosts.
You can also specify a group of ports authorized for a VLAN. If the VLAN is restricted to this port group, the VMPS checks the client port and answers according to whether the VLAN is authorized on that port.
Several hosts can be connected to the same dynamic port (up to 20 to 50), but they must all belong to the same VLAN.
If the VMPS server has already assigned a VLAN to a port and a host belonging to a different VLAN connects to that same port, the server answers "access-denied" or "port-shutdown".
1.2 Hardware and software required
VMPS switches:
- VMPS servers: Catalyst 4000 series and Catalyst 4500 series with IOS 7.2, or Catalyst 5000 and higher.
- VMPS clients: many Cisco switches support this function.
To check whether your hardware is compatible, consult the switch documentation or run the command show port capabilities.
The VMPS server is generally a switch, but it can also be a Windows 2000 server running the User Registration Tool (URT), which makes it possible to use Active Directory accounts instead of MAC addresses. There is also OpenVMPS on Linux, and the Java daemon ICARUS VMPSd, which queries a SQL database in real time.
2 Creating the VMPS database
To configure VMPS, you must create a MAC database and place it on a TFTP server.
As in Cisco configuration files, a comment line starts with "!".
First part of the file:
- the file must always start with "!VMPS", so that the VMPS server does not read another type of configuration file.
- configure the VMPS domain (must be the same as the VTP domain):
vmps domain < domain-name >
- define the security level, open or secure (open by default):
vmps mode { open | secure }
- (optional) define a fallback VLAN, assigned when the user's MAC address is not in the database:
vmps fallback < vlan-name >
- determine whether requests without a VTP/VMPS domain are authorized (allow by default):
vmps no-domain-req { allow | deny }
For example, the first part of the configuration file will be:
!VMPS File Format, version 1.1
!
vmps domain TEST
vmps mode open
vmps fallback default
vmps no-domain-req deny
The second part of the file allows you:
- to specify the MAC address to VLAN mappings.
This part must start with:
vmps-mac-addrs
followed by the MAC address definitions:
address < mac-address > vlan-name < vlan-name >
You can ban an address with the keyword --NONE--:
address < mac-address > vlan-name --NONE--
- to create groups. You can create port groups and VLAN groups and then apply "vmps-port-policies" to them.
- Port group:
vmps-port-group < group-name >
device < device-id > { port < port-name > | all-ports }
all-ports designates all ports of the device.
- VLAN group:
vmps-vlan-group < group-name >
vlan-name < vlan-name >
- to create "vmps-port-policies", which specify ports that may be used only by one VLAN or by a VLAN group:
vmps-port-policies { vlan-name < vlan-name > | vlan-group < group-name > }
{ port-group < group-name > | device < device-id > port < port-name > }
Example:
Network diagram:
VMPS database:
!VMPS File Format, version 1.1
!
vmps domain TEST
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
vmps-mac-addrs
!
address aaaa.bbbb.1111 vlan-name vlan2
address aaaa.bbbb.2222 vlan-name --NONE--
address aaaa.bbbb.3333 vlan-name vlan3
address aaaa.bbbb.4444 vlan-name vlan4
address aaaa.bbbb.5555 vlan-name vlan5
address aaaa.bbbb.6666 vlan-name vlan4
!
!
vmps-port-group portgroup1
device 192.168.1.1 port Fa1/3
device 192.168.1.2 port Fa1/4
vmps-port-group portgroup2
device 192.168.10.1 port Fa0/1
device 192.168.10.2 all-ports
!
!
vmps-vlan-group vlangroup1
vlan-name vlan2
vlan-name vlan3
!
!
vmps-port-policies vlan-group vlangroup1
port-group portgroup1
!
vmps-port-policies vlan-name vlan4
device 192.168.10.1 port Fa0/2
!
vmps-port-policies vlan-name vlan5
device 192.168.10.1 port Fa0/3
port-group portgroup2
- The first "vmps-port-policies" authorizes only VLANs 2 and 3 on port Fa1/3 of switch 192.168.1.1 and on port Fa1/4 of switch 192.168.1.2.
- The second rule authorizes only VLAN 4 on port Fa0/2 of switch 192.168.10.1.
- The third rule authorizes only VLAN 5 on ports Fa0/3 and Fa0/1 of switch 192.168.10.1 and on all ports of switch 192.168.10.2.
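As an added example (not from this page or from Cisco), here is a small Python evaluator that loads a database in the format just described and answers a lookup with the rules of section 1.1: known MAC, --NONE--, fallback VLAN, open versus secure mode, and port policies read as the page describes them (a port named in a policy accepts only that policy's VLANs). The sample database is constructed, modelled on the example above.

```python
SAMPLE_DB = """!VMPS File Format, version 1.1
vmps mode secure
vmps fallback guest
vmps-mac-addrs
address aaaa.bbbb.1111 vlan-name vlan2
address aaaa.bbbb.2222 vlan-name --NONE--
vmps-port-group portgroup1
device 192.168.1.1 port Fa1/3
device 192.168.1.2 all-ports
vmps-vlan-group vlangroup1
vlan-name vlan2
vmps-port-policies vlan-group vlangroup1 port-group portgroup1
"""  # constructed sample database, modelled on the page's example

def parse(text):
    if not text.startswith("!VMPS"):
        raise ValueError("missing !VMPS header")
    db = {"macs": {}, "pol": [], "port-group": {}, "vlan-group": {}}
    for line in text.splitlines():
        w = line.split()
        if not w or w[0].startswith("!") or w[0] == "vmps-mac-addrs":
            continue                             # blank, comment or section marker
        if w[0] == "vmps":                       # header: domain, mode, fallback, ...
            db[w[1]] = w[2]
        elif w[0] == "address":                  # MAC -> VLAN (--NONE-- = banned)
            db["macs"][w[1].lower()] = w[3]
        elif w[0] in ("vmps-port-group", "vmps-vlan-group"):
            cur = dict.fromkeys(("vlans", "ports"), db[w[0][5:]].setdefault(w[1], set()))
        else:                                    # policy header, or group/policy body
            if w[0] == "vmps-port-policies":
                cur = {"vlans": set(), "ports": set()}
                db["pol"].append(cur)
                w = w[1:]
            it = iter(w)
            for key in it:                       # clause = key value [port name]
                val = next(it)
                if key == "vlan-name":
                    cur["vlans"].add(val)
                elif key == "device":            # device D port P | device D all-ports
                    cur["ports"].add((val, next(it) if next(it) == "port" else "*"))
                else:                            # vlan-group G / port-group G: expand
                    cur[key[:4] + "s"] |= db[key][val]
    return db

def lookup(db, mac, device, port):
    deny = "port-shutdown" if db.get("mode") == "secure" else "access-denied"
    vlan = db["macs"].get(mac.lower(), db.get("fallback"))   # unknown MAC -> fallback
    bad = [p for p in db["pol"] if {(device, port), (device, "*")} & p["ports"]
           and vlan not in p["vlans"]]                       # port reserved for others
    return deny if vlan in (None, "--NONE--") or bad else vlan
```

lookup() returns the VLAN name to assign, or the negative VQP answer that the configured mode would produce.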
3 Switch configuration
3.1 VMPS server
Now that the database is ready, the VMPS server switch must be configured. To do so:
- Specify the address of the TFTP server holding the MAC database:
set vmps tftpserver < ip-address > [ filename ]
The default filename is vmps-config-database.1.
- Activate VMPS:
set vmps state enable
This command downloads the MAC database from the TFTP server and, if everything is fine, starts the VMPS server. If the download fails, an error is returned and the VMPS server stays down.
3.2 VMPS client
a) Entering the IP address of the VMPS
The access switches must now be configured.
First specify the address of the VMPS server:
vmps server < ip-address > primary
You can add up to 3 secondary servers:
vmps server < ip-address >
b) Configuring dynamic access ports on VMPS clients
To configure an interface in dynamic access mode:
- in interface configuration mode:
interface < interface >
configure the port in access mode:
switchport mode access
activate dynamic VLAN assignment:
switchport access vlan dynamic
- in privileged mode:
set port membership < mod_num / port_num > dynamic
Options:
VMPS clients reconfirm their VLAN assignments with the VMPS server at a regular interval. To change this interval:
vmps reconfirm < minutes >
To trigger a reconfirmation immediately, run vmps reconfirm without the minutes argument.
You can also specify how many times the switch tries to contact a VMPS server before moving on to the next one. The value must be between 1 and 10 (default: 3).
vmps retry < count >
You can reload the MAC database manually with the command:
download vmps
3.3 Example
VMPS server configuration:
set vmps tftpserver 192.168.0.10 vmps.conf
set vmps state enable
Client switch configuration:
vmps server 192.168.0.5 primary
vmps server 192.168.0.6
!
interface fa0/1
switchport mode access
switchport access vlan dynamic
4 Administration & Monitoring
4.1 Monitoring
The main VMPS command is show vmps.
You can run this command on either VMPS servers or clients; it displays, in order: the VQP version used to communicate with clients, the reconfirm interval, the server retry count, the VMPS domain server and the result of the last reconfirmation.
Example:
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server:
Reconfirmation status
---------------------
VMPS Action:         other
With this command you can also find the VLAN of a MAC address:
show vmps mac < mac_address >
or the reverse:
show vmps vlan < vlan_name >
and display the ports corresponding to a restricted VLAN:
show vmps vlanports < vlan_name >
The command show dvlan statistics displays the result of the last reconfirmation.
To display VMPS statistics, use the command show vmps statistics. You can clear the statistics with clear vmps statistics.
Example:
Switch# show vmps statistics
VMPS Client Statistics
----------------------
VQP Queries: 0
VQP Responses: 0
VMPS Changes: 0
VQP Shutdowns: 0
VQP Denied: 0
VQP Wrong Domain: 0
VQP Wrong Version: 0
VQP Insufficient Resource: 0
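As an added example of what to watch in this output (not from the page or from Cisco): a small Python helper that parses two show vmps statistics snapshots and reports which of the negative counters grew between them. The two snapshots are constructed in the format shown above.

```python
import re

# Constructed "show vmps statistics" snapshots in the format shown above;
# the second one is the first with two counters increased.
BEFORE = """Switch# show vmps statistics
VMPS Client Statistics
----------------------
VQP Queries: 120
VQP Responses: 118
VMPS Changes: 4
VQP Shutdowns: 0
VQP Denied: 2
VQP Wrong Domain: 0
VQP Wrong Version: 0
VQP Insufficient Resource: 0
"""
AFTER = (BEFORE.replace("VQP Denied: 2", "VQP Denied: 9")
               .replace("VQP Shutdowns: 0", "VQP Shutdowns: 3"))

# Counters whose growth means unknown or banned MAC addresses (denied in open
# mode, shut down in secure mode) or clients in the wrong VTP domain or VQP
# version are hitting dynamic ports; see section 1.1.
WATCH = ("VQP Denied", "VQP Shutdowns", "VQP Wrong Domain", "VQP Wrong Version")

def parse_stats(text):
    """Map every 'Name: value' counter line of the output to an int."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(V[A-Za-z ]+): (\d+)$", text, re.M)}

def grown(before, after, watch=WATCH):
    """Return {counter: increase} for watched counters that rose between snapshots."""
    b, a = parse_stats(before), parse_stats(after)
    return {k: a.get(k, 0) - b.get(k, 0) for k in watch if a.get(k, 0) > b.get(k, 0)}
```

Run grown() on consecutive snapshots (for example from a periodic collection) and alert on any non-empty result; clear vmps statistics resets the baseline.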
4.2 Administration
There are many tools that make VMPS administration easier.
The User Tracking application makes managing dynamic VLANs with VMPS easier: you can update the MAC database through a graphical interface. User Tracking requires that the FTP service be enabled on the TFTP server so that it can access the VMPS configuration file.
CiscoWorks 2000 (CiscoWorks for Switched Internetworks) is also very effective and offers advanced dynamic VLAN management features.
Conclusion
VMPS is a good technology, fast to configure and effective, but its administration tools are average and its functionality limited. Moreover, the VMPS server is only available from the Catalyst 4500 upwards, and not everyone can invest in one.
The User Registration Tool (URT) application addresses these problems. Installed on a Windows 2000 Server, it acts as a VMPS server and offers administration functions and intelligent monitoring. For example, you can use Active Directory accounts instead of MAC addresses to authenticate users.