Cisco Systems WSC4500X16SFP Manual De Usuario
10-18
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 10 Understanding and Configuring VLANs, VTP, and VMPS
VLAN Membership Policy Server
VMPS uses a UDP port to listen to VQP requests from clients, so, it is not necessary for VMPS clients
to know if the VMPS resides on a local or remote device on the network. Upon receiving a valid request
from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN
mapping.
to know if the VMPS resides on a local or remote device on the network. Upon receiving a valid request
from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN
mapping.
In response to a request, the VMPS takes one of the following actions:
•
If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against
this group and responds as follows:
this group and responds as follows:
–
If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.
–
If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends
an “access-denied” response.
an “access-denied” response.
–
If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a
“port-shutdown” response.
“port-shutdown” response.
•
If the VLAN in the database does not match the current VLAN on the port and there are active hosts
on the port, the VMPS sends an “access-denied” (open), a “fallback VLAN name” (open with
fallback VLAN configured), a “port-shutdown” (secure), or a “new VLAN name” (multiple)
response, depending on the secure mode setting of the VMPS.
on the port, the VMPS sends an “access-denied” (open), a “fallback VLAN name” (open with
fallback VLAN configured), a “port-shutdown” (secure), or a “new VLAN name” (multiple)
response, depending on the secure mode setting of the VMPS.
If the switch receives an “access-denied” response from the VMPS, the switch continues to block
traffic from the MAC address to or from the port. The switch continues to monitor the packets
directed to the port and sends a query to the VMPS when it identifies a new address. If the switch
receives a “port-shutdown” response from the VMPS, the switch disables the port. The port must be
manually re-enabled by using the CLI, Cisco Visual Switch Manager (CVSM), or SNMP.
traffic from the MAC address to or from the port. The switch continues to monitor the packets
directed to the port and sends a query to the VMPS when it identifies a new address. If the switch
receives a “port-shutdown” response from the VMPS, the switch disables the port. The port must be
manually re-enabled by using the CLI, Cisco Visual Switch Manager (CVSM), or SNMP.
You can also use an explicit entry in the configuration table to deny access to specific MAC
addresses for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends
an “access-denied” or “port-shutdown” response.
addresses for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends
an “access-denied” or “port-shutdown” response.
For more information on a Catalyst 6500 series switch VMPS running Catalyst operating system
software, refer to the
“Configuring Dynamic Port VLAN Membership with VMPS” chapter at the URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/vmps.htm
software, refer to the
“Configuring Dynamic Port VLAN Membership with VMPS” chapter at the URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/vmps.htm
Security Modes for VMPS Server
VMPS operates in three different modes. The way a VMPS server responds to illegal requests depends
on the mode in which the VMPS is configured:
on the mode in which the VMPS is configured:
•
•
•
Open Mode
If no VLAN is assigned to this port, VMPS verifies the requesting MAC address against this port:
•
If the VLAN associated with this MAC address is allowed on the port, the VLAN name is returned
to the client.
to the client.
•
If the VLAN associated with this MAC address is not allowed on the port, the host receives an
“access denied” response.
“access denied” response.