If the host is not allowed on the port and the VMPS is in open mode, the VMPS sends an access-denied
response.
If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a port-shutdown
response.
If the port already has a VLAN assignment, the VMPS provides one of these responses:
If the VLAN in the database matches the current VLAN on the port, the VMPS sends a success response,
allowing access to the host.
If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the
port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of
the VMPS.
If the switch receives an access-denied response from the VMPS, it continues to block traffic to and from the
host MAC address. The switch continues to monitor the packets directed to the port and sends a query to the
VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS,
it disables the port. The port must be manually reenabled by using Network Assistant, the CLI, or SNMP.
Related Topics
Configuring Dynamic-Access Ports on VMPS Clients, on page 111
Example: VMPS Configuration, on page 117
Dynamic-Access Port VLAN Membership
A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up,
the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The
VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access
port and attempts to match the MAC address to a VLAN in the VMPS database.
If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not previously
configured, it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS.
If the client switch was previously configured, it includes its domain name in the query packet to the VMPS
to obtain its VLAN number. The VMPS verifies that the domain name in the packet matches its own domain
name before accepting the request and responds to the client with the assigned VLAN number for the client.
If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS
secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic-access port if they are all in the same VLAN;
however, the VMPS shuts down a dynamic-access port if more than 20 hosts are active on the port.
If the link goes down on a dynamic-access port, the port returns to an isolated state and does not belong to a
VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS
before the port is assigned to a VLAN.
Dynamic-access ports can be used for direct host connections, or they can connect to a network. A maximum
of 20 MAC addresses are allowed per port on the switch. A dynamic-access port can belong to only one VLAN
at a time, but the VLAN can change over time, depending on the MAC addresses seen.
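The response rules and port-membership behavior described above can be modelled as a small state machine, which is useful for reasoning about what an unknown or mismatched MAC address does to a port in open versus secure mode. This is an added example, not Cisco code or part of the original guide; the class and method names are hypothetical, and the two behaviors marked as assumptions in the comments are not stated on this page.

```python
# Added example: toy model of the VMPS rules described above (not Cisco code).
from dataclasses import dataclass, field
from typing import Optional

MAX_ACTIVE_HOSTS = 20  # per-port limit stated in the text

@dataclass
class Port:
    vlan: Optional[int] = None            # None = isolated, no VLAN membership
    hosts: set = field(default_factory=set)
    shutdown: bool = False                # stays set until manually reenabled

    def link_down(self):
        # Link loss returns the port to the isolated state; hosts are re-checked.
        self.vlan = None
        self.hosts.clear()

class Vmps:
    def __init__(self, db, domain, secure):
        self.db, self.domain, self.secure = db, domain, secure

    def _refuse(self, port):
        # Secure mode shuts the port down; open mode only denies the host.
        if self.secure:
            port.shutdown = True
            return "port-shutdown"
        return "access-denied"

    def query(self, port, mac, domain):
        if port.shutdown:
            return "port-shutdown"
        if domain != self.domain:
            # Assumption: the page says the request is not accepted, but not
            # which response is sent; modelled here as a denial.
            return "access-denied"
        vlan = self.db.get(mac)
        if vlan is None:
            return self._refuse(port)      # no match in the database
        if port.vlan not in (None, vlan) and port.hosts:
            return self._refuse(port)      # VLAN mismatch with active hosts
        if len(port.hosts | {mac}) > MAX_ACTIVE_HOSTS:
            port.shutdown = True           # more than 20 active hosts
            return "port-shutdown"
        # Assumption: a mismatch with no active hosts reassigns the port.
        port.vlan = vlan
        port.hosts.add(mac)
        return "success"
```

In secure mode a single unknown MAC address takes the port out of service until it is manually reenabled, so port-shutdown events are worth alerting on.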
Related Topics
Configuring Dynamic-Access Ports on VMPS Clients, on page 111
Example: VMPS Configuration, on page 117
Catalyst 2960-XR Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29440-01 109