Restrictions for VMPS•IEEE802.1x ports cannot be configured as dynamic-access ports. If you try to enable IEEE 802.1x on
adynamic-access (VQP) port, an error message appears, and IEEE 802.1x is not enabled. If you try to
changean IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the
VLANconfiguration is notchanged.
•Trunkports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic
interfaceconfiguration command for a trunk port. In this case, the switch retains the setting and applies
itif the port is later configured as an access port.
Youmust turn off trunking on the port before the dynamic-access setting takes effect.
•Dynamic-accessports cannot bemonitor ports.
•Secureports cannot be dynamic-access ports. You must disable port security on a port before it becomes
dynamic.
•PrivateVLAN portscannot bedynamic-access ports.
•Dynamic-accessports cannot bemembers ofan EtherChannelgroup.
•Portchannels cannotbe configuredas dynamic-accessports.
•Adynamic-access port canparticipate in fallbackbridging.
•TheVTP management domain of the VMPS client and the VMPS server must be the same.
•TheVLAN configured on the VMPS server should not be a voice VLAN.
Information About VMPSDynamic VLAN Assignments
TheVLAN Query Protocol (VQP) is used to support dynamic-access ports, which are not permanently assigned
toa VLAN, but give VLAN assignments based on the MAC source addresses seen on the port. Each time an
unknownMAC address is seen, the switch sends a VQP query to a remote VLAN Membership Policy Server
(VMPS);the query includes the newly seen MAC address and the port on whichit was seen. The VMPS
respondswith a VLAN assignment for the port. The switch cannot be a VMPS server but can act as a client
tothe VMPSand communicatewith it throughVQP.
Eachtime the client switch receives the MAC address of a new host, it sends a VQP query to the VMPS.
Whenthe VMPS receives this query, it searches its database for a MAC-address-to-VLAN mapping. The
serverresponse is based on this mapping and whether or not the server is in open or secure mode. In secure
mode,the server shuts down theport when an illegalhost is detected. In open mode, the server denies the
hostaccess to theport.
Ifthe port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one
ofthese responses:
•Ifthe host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the
assignedVLAN name andallowing access to thehost.
Catalyst 2960-XR Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX1
108 OL-29440-01
Configuring VMPS
Restrictions for VMPS