9-34
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 9 Creating and Maintaining VLANs
Understanding VMPS
If the switch receives an access-denied response from the VMPS, it continues to block traffic from the
MAC address to or from the port. The switch continues to monitor the packets directed to the port and
sends a query to the VMPS when it identifies a new address. If the switch receives a port-shutdown
response from the VMPS, it disables the port. The port must be manually re-enabled by using the CLI,
CMS, or SNMP.
You can also use an explicit entry in the configuration table to deny access to specific MAC addresses
for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends an
access-denied or port-shutdown response, depending on the VMPS secure mode setting.
Dynamic Port VLAN Membership
A dynamic (nontrunking) port on the switch can belong to only one VLAN. When the link comes up, the
switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The
VMPS receives the source MAC address from the first packet of a new host connected to the dynamic
port and attempts to match the MAC address to a VLAN in the VMPS database.
If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not
previously configured, it uses the domain name from the first VTP packet it receives on its trunk port
from the VMPS. If the client switch was previously configured, it includes its domain name in the query
packet to the VMPS to obtain its VLAN number. The VMPS verifies that the domain name in the packet
matches its own domain name before accepting the request and responds to the client with the assigned
VLAN number for the client. If there is no match, the VMPS either denies the request or shuts down the
port (depending on the VMPS secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN;
however, the VMPS shuts down a dynamic port if more than 20 hosts are active on the port.
If the link goes down on a dynamic port, the port returns to an isolated state and does not belong to a
VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS
before the port is assigned to a VLAN.
VMPS Database Configuration File
The VMPS contains a database configuration file that you create. This ASCII text file is stored on a
switch-accessible TFTP server that functions as a VMPS server. The file contains VMPS information,
such as the domain name, the fallback VLAN name, and the MAC-address-to-VLAN mapping. The
Catalyst 3550 switch cannot act as the VMPS, but you can use a Catalyst 5000 or Catalyst 6000 series
switch as the VMPS.
You can configure a fallback VLAN name. If you connect a device with a MAC address that is not in the
database, the VMPS sends the fallback VLAN name to the client. If you do not configure a fallback
VLAN and the MAC address does not exist in the database, the VMPS sends an access-denied response.
If the VMPS is in secure mode, it sends a port-shutdown response.
Whenever port names are used in the VMPS database configuration file, the server must use the switch
convention for naming ports. For example, Gi0/4 is fixed Gigabit Ethernet port number 4. If the switch
is a cluster member, the command switch adds the name of the switch before the type. For example,
es3%Gi0/4 refers to fixed Gigabit Ethernet port 4 on member switch 3. When port names are required,
these naming conventions must be followed in the VMPS database configuration file when it is
configured to support a cluster.
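The VMPS decision rules described in the sections above (MAC lookup, fallback VLAN, the none keyword, secure versus open mode, the domain-name check, the 20-host limit on a dynamic port, and the port-naming convention) can be checked against a database file before it is placed on the TFTP server. The following Python script is an added example and is not Cisco code or the VMPS implementation. It assumes a simplified line-oriented database format (vmps domain, vmps mode, vmps fallback, vmps-mac-addrs and address ... vlan-name ... statements, with ! starting a comment); the keyword names and the sample entries are constructed for illustration. Where the text leaves a case unstated (a domain mismatch, or a host whose VLAN differs from the VLAN already assigned to the port), the script treats the host as blocked and marks that choice as an assumption.

```python
"""Simulate the VMPS/VQP decision rules for a dynamic port (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_HOSTS_PER_DYNAMIC_PORT = 20          # the text: VMPS shuts the port down above 20 active hosts
DENY_VLAN_KEYWORD = "none"               # the text: 'none' as VLAN name means deny / shut down

# Gi0/4 is fixed Gigabit Ethernet port 4; es3%Gi0/4 is the same port on cluster member 3.
# 'Fa' for Fast Ethernet ports is an assumption; the text only shows a Gi example.
PORT_NAME_RE = re.compile(r"^(?:es\d+%)?(?:Gi|Fa)\d+/\d+$")


def valid_port_name(name: str) -> bool:
    """Check a port name against the switch naming convention required in the database file."""
    return bool(PORT_NAME_RE.match(name))


def normalize_mac(mac: str) -> str:
    """Accept 0012.2233.4455, 00:12:22:33:44:55 or 00-12-... and return xxxx.xxxx.xxxx."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass
class VmpsDatabase:
    domain: str
    secure: bool                      # secure mode: port-shutdown instead of access-denied
    fallback_vlan: Optional[str]      # VLAN sent when the MAC is not in the database
    mac_to_vlan: Dict[str, str]


def parse_vmps_database(text: str) -> VmpsDatabase:
    """Parse the simplified (assumed) database format; reject malformed or duplicate entries."""
    domain, fallback, secure = None, None, False
    mac_to_vlan: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):          # blank line or comment
            continue
        t = line.split()
        if t[:2] == ["vmps", "domain"] and len(t) == 3:
            domain = t[2]
        elif t[:2] == ["vmps", "mode"] and len(t) == 3 and t[2] in ("open", "secure"):
            secure = t[2] == "secure"
        elif t[:2] == ["vmps", "fallback"] and len(t) == 3:
            fallback = t[2]
        elif t == ["vmps-mac-addrs"]:
            continue
        elif t[0] == "address" and len(t) == 4 and t[2] == "vlan-name":
            mac = normalize_mac(t[1])
            if mac in mac_to_vlan:
                raise ValueError(f"line {lineno}: duplicate entry for {mac}")
            mac_to_vlan[mac] = t[3]
        else:
            raise ValueError(f"line {lineno}: unrecognized statement {line!r}")
    if domain is None:
        raise ValueError("vmps domain is required")
    return VmpsDatabase(domain, secure, fallback, mac_to_vlan)


def deny_response(db: VmpsDatabase) -> str:
    """The negative response depends only on the VMPS secure-mode setting."""
    return "port-shutdown" if db.secure else "access-denied"


def evaluate_query(db: VmpsDatabase, client_domain: str, mac: str) -> str:
    """Answer one VQP query: a VLAN name, 'access-denied', 'port-shutdown' or 'domain-mismatch'."""
    if client_domain != db.domain:       # VMPS checks the domain before accepting the request
        return "domain-mismatch"
    vlan = db.mac_to_vlan.get(normalize_mac(mac), db.fallback_vlan)
    if vlan is None or vlan.lower() == DENY_VLAN_KEYWORD:
        return deny_response(db)
    return vlan


@dataclass
class DynamicPort:
    """Client-switch view of a dynamic port: isolated until the VMPS assigns a VLAN."""
    name: str
    vlan: Optional[str] = None
    active_hosts: Set[str] = field(default_factory=set)
    shutdown: bool = False             # a shut-down port stays down until re-enabled manually

    def host_seen(self, db: VmpsDatabase, client_domain: str, mac: str) -> str:
        mac = normalize_mac(mac)
        if self.shutdown:
            return "port-shutdown"
        if mac in self.active_hosts:                  # already assigned, no new query
            return self.vlan
        response = evaluate_query(db, client_domain, mac)
        if response == "port-shutdown":
            self.link_down(); self.shutdown = True
            return "port-shutdown"
        # Denied, domain mismatch, or a VLAN other than the port's current one: host is
        # blocked (the last two outcomes are assumptions; the text does not spell them out).
        if response in ("access-denied", "domain-mismatch") or (self.vlan and response != self.vlan):
            return "blocked"
        self.vlan = response
        self.active_hosts.add(mac)
        if len(self.active_hosts) > MAX_HOSTS_PER_DYNAMIC_PORT:
            self.link_down(); self.shutdown = True
            return "port-shutdown"
        return self.vlan

    def link_down(self) -> None:
        """Link down: back to the isolated state; hosts are re-checked when they return."""
        self.vlan = None
        self.active_hosts.clear()


# Constructed sample database in the assumed simplified format.
SAMPLE_DB = """\
! constructed example, open mode with a fallback VLAN
vmps domain CORP
vmps mode open
vmps fallback guest
vmps-mac-addrs
address 0012.2233.4455 vlan-name engineering
address 00aa.bbcc.ddee vlan-name none
"""

if __name__ == "__main__":
    db = parse_vmps_database(SAMPLE_DB)
    port = DynamicPort("Gi0/4")
    for mac in ("0012.2233.4455", "0000.0000.0001", "00aa.bbcc.ddee"):
        print(mac, "->", port.host_seen(db, "CORP", mac))
```

Running the script with the sample database assigns the first host to engineering, blocks the unknown host because the fallback VLAN (guest) differs from the VLAN already on the port, and blocks the host whose entry names the none VLAN; switching the sample to vmps mode secure turns those denials into a port-shutdown that persists until the port is re-enabled.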