Catalyst 2950 Desktop Switch Software Configuration Guide
Chapter 14 Configuring VLANs Configuring VMPS
Monitoring the VMPS section on page 14-31
Troubleshooting Dynamic Port VLAN Membership section on page 14-31
VMPS Configuration Example section on page 14-32

Understanding VMPS

When the VMPS receives a VQP request from a client switch, it searches its database for a
MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the
server is in secure mode. Secure mode determines whether the server shuts down the port when a VLAN
is not allowed on it or just denies the port access to the VLAN.
In response to a request, the VMPS takes one of these actions:
If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against
this group and responds as follows:
If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.
If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends
an access-denied response.
If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a
port-shutdown response.
If the VLAN in the database does not match the current VLAN on the port and active hosts exist on
the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure
mode of the VMPS.
If the switch receives an access-denied response from the VMPS, it continues to block traffic from the
MAC address to or from the port. The switch continues to monitor the packets directed to the port and
sends a query to the VMPS when it identifies a new address. If the switch receives a port-shutdown
response from the VMPS, it disables the port. The port must be manually re-enabled by using the CLI,
You can also use an explicit entry in the configuration table to deny access to specific MAC addresses
for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends an
access-denied or port-shutdown response, depending on the VMPS secure mode setting.

Dynamic Port VLAN Membership

A dynamic (nontrunking) port on the switch can belong to only one VLAN, with a VLAN ID from 1 to
1005. When the link comes up, the switch does not forward traffic to or from this port until the VMPS
provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a
new host connected to the dynamic port and attempts to match the MAC address to a VLAN in the VMPS
database.
If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not
previously configured, it uses the domain name from the first VTP packet it receives on its trunk port
from the VMPS. If the client switch was previously configured, it includes its domain name in the query
packet to the VMPS to obtain its VLAN number. The VMPS verifies that the domain name in the packet
matches its own domain name before accepting the request and responds to the client with the assigned
VLAN number for the client. If there is no match, the VMPS either denies the request or shuts down the
port (depending on the VMPS secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN;
however, the VMPS shuts down a dynamic port if more than 20 hosts are active on the port.
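
The response rules from "Understanding VMPS" and "Dynamic Port VLAN Membership" can be modeled as one decision function, useful for checking what a given database and secure-mode setting will do to a request. This is an added example, not Cisco code: the class names, the order of the checks, the "not-accepted" label for a domain mismatch, and the sample MAC addresses and VLAN names are assumptions.

```python
from dataclasses import dataclass, field

MAX_HOSTS = 20  # page: a dynamic port with more than 20 active hosts is shut down

@dataclass
class Port:
    name: str
    current_vlan: str = ""                      # VLAN now assigned to the port
    active_macs: set = field(default_factory=set)

@dataclass
class Vmps:
    domain: str
    secure: bool                                # secure mode on/off
    mac_to_vlan: dict                           # MAC -> VLAN name; "none" = explicit deny
    vlan_ports: dict = field(default_factory=dict)  # VLAN -> port group (absent = unrestricted)

    def _refuse(self):
        # Secure mode turns a denial into a port shutdown.
        return "port-shutdown" if self.secure else "access-denied"

    def respond(self, mac, port, domain):
        """Return the VLAN name or a refusal. Check order is an assumption."""
        if domain != self.domain:
            return "not-accepted"               # placeholder: the page names no reply here
        vlan = self.mac_to_vlan.get(mac)
        if vlan is None or vlan == "none":      # no mapping, or explicit deny entry
            return self._refuse()
        group = self.vlan_ports.get(vlan)
        if group is not None and port.name not in group:
            return self._refuse()               # VLAN not allowed on requesting port
        others = port.active_macs - {mac}
        if others and port.current_vlan != vlan:
            return self._refuse()               # other active hosts sit in a different VLAN
        if len(others) + 1 > MAX_HOSTS:
            return "port-shutdown"              # host limit, independent of secure mode
        port.current_vlan = vlan
        port.active_macs.add(mac)
        return vlan

if __name__ == "__main__":
    # Constructed sample database and requests.
    vmps = Vmps("LAB", False, {"0000.0000.0001": "Engineering", "0000.0000.0002": "Sales",
                               "0000.0000.0003": "none"}, {"Engineering": {"Fa0/1"}})
    fa1 = Port("Fa0/1")
    for mac in ("0000.0000.0001", "0000.0000.0002", "0000.0000.0003", "0000.0000.0009"):
        print(mac, "->", vmps.respond(mac, fa1, "LAB"))
```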