動態VLAN

then then then

動態VLAN

動態VLAN根據終端用戶的MAC地址,決定屬於哪一個VLAN;VMPS(VLAN 管理策略伺服器) 中包含一個文本檔案,檔案中存有VLAN與MAC地址對應表。交換機對這個檔案進行下載,然後對檔案中的MAC地址進行校驗。
靜態VLAN是根據交換機的連線埠劃分VLAN。

原理

當啟動了VMPS以後,交換機首先會從一個預先指定好的TFTP伺服器上下載MAC地址-VLAN的映射資料庫,這個資料庫是一個預先寫好的文本檔案,然後它會打開一個UDP進程來監聽從客戶端發來的請求,並進行處理。當VMPS接到從客戶端發來的一個合法請求後,首先是查看資料庫中是否有該MAC地址 -VLAN的映射記錄。如果有,則把對應的VLAN號發給客戶端交換機;如果沒有,且VMPS處於非安全模式下,則客戶端只是簡單地拒絕該主機的訪問;同樣是沒有該MAC地址的映射記錄,但VMPS處於安全模式下,則客戶端交換機上連線該MAC的斷口被關閉,想要重新開啟此連線埠,只有進行手工操作。
用戶可以配置一個預設的VLAN,如果資料庫中沒有該MAC的記錄,則它會被分配到這個VLAN上。用戶也可以使用NONE關鍵字來明確地指定一個MAC 不能屬於某個VLAN。VMPS還提供了一些策略,以使VMPS配置起來更加靈活。這些策略包括連線埠組(Port-group)和VLAN組(VLAN- group)

配置

---- 在catalyst 5000系列交換機上配置VMPS首先要創建一個VMPS資料庫。在創建VMPS資料庫時需要注意以下幾個問題:(1)檔案以“VMPS”開始,這樣可以避免交換機錯誤地讀入其他檔案;(2)定義VMPS域,使其和VTP的域一致;(3)定義安全模式,可以是Open或者Secure; (4)(可選)定義預設VLAN;(5)定義MAC地址-VLAN映射關係;(6)定義VLAN分配的策略。
---- 在Catalyst 5000系列交換機中,配置VMPS的步驟如下。
指定通過何種方式下載資料庫信息,命令如下:
set vmps downloadmethod rcp | tftp [username]
配置VMPS資料庫所在的TFTP或RCP伺服器,命令如下:
set vmps downloadserver ip_addr [filename]
啟動VMPS,命令如下:
set vmps state enable
vmps server配置
To use VMPS, you first must create a VMPS database and store it on1 a TFTP server. The VMPS parser is line based. Start each entry in the file on1 a new line. The example at the end of this section corresponds to the information described below.
The VMPS database can have up to five sections:
Section 1, Global settings, lists the settings for the VMPS domain name, security mode, fallback VLAN, and the policy for VMPS and VTP domain name mismatches.
Begin the configuration file with the word "VMPS," to prevent other types of configuration files from incorrectly being read by the VMPS server.
Define the VMPS domain. The VMPS domain should correspond to the VTP domain name configured on1 the switch.
Define the security mode. VMPS can operate in open or secure mode. If you set it to open mode, VMPS returns an access denied response for an unauthorized MAC address and returns the fallback VLAN for a MAC address not listed in the VMPS database. In secure mode, VMPS shuts down the port for a MAC address that is unauthorized or that is not listed in the VMPS database.
(Optional) Define a fallback VLAN. Assign the fallback VLAN is assigned if the MAC addresses of the connected host is not defined in the database.
In the example at the end of this section, the VMPS domain name is WBU, the VMPS mode is set to open, the fallback VLAN is set to the VLAN default, and if the VTP domain name does match the VMPS domain name, then VMPS sends an access denied response message.
Section 2, MAC addresses, lists MAC addresses and authorized VLAN names for each MAC address.
Enter the MAC address of each host and the VLAN name to which each should belong.
Use the --NONE-- keyword as the VLAN name to deny the specified host network connectivity.
You can enter up to 21,051 MAC addresses in a VMPS database file for the Catalyst 2948G switch.
In the example at the end of this section, MAC addresses are listed in the MAC table. Notice that the MAC address fedc. ba98.7654 is set to --NONE--. This setting explicitly denies this MAC address from accessing the network.
Section 3, Port groups, lists groups of ports on1 various switches in your network that you want grouped together. You use these port groups when defining VLAN port policies.
Define a port group name for each port group; then list all ports you want included in the port group.
A port is identified by the IP address of the switch and the module/port number of the port in the form mod_num/port_num. Ranges are not allowed for the port numbers.
Use the all-ports keyword to specify all the ports in the specified switch.
The example at the end of this section has two port groups:
WiringCloset1 consists of the two ports: port 3/2 on1 the VMPS client 198.92.30.32 and port 2/8 on1 the VMPS client 172.20.26.141
Executive Row consists of three ports: port 1/2 and 1/3 on1 the VMPS client 198.4.254.222, and all ports on1 the VMPS client 198.4.254.223
Section 4, VLAN groups, lists groups of VLANs you want to associate together. You use these VLAN groups when defining VLAN port policies.
Define the VLAN group name; then list each VLAN name you want to include in the VLAN group.
You can enter a maximum of 256 VLANS in a VMPS database file for the Catalyst 2948G switch.
The example at the end of this section has the VLAN group Engineering, which consists of the VLANs hardware and software.
Section 5, VLAN port policies, lists the VLAN port policies, which use the port groups and VLAN groups to further restrict access to the network.
You can configure a restricted access using MAC addresses and the port groups or VLAN groups.
The example at the end of this section has three VLAN port policies specified.
In the first VLAN port policy, the VLAN hardware or software is restricted to port 3/2 on1 the VMPS client 198.92.30.32 and port 2/8 on1 the VMPS client 172.20.23.141.
In the second VLAN port policy, the devices specified in VLAN Green can connect on1ly to port 4/8 on1 the VMPS client 198.92.30.32.
In the third VLAN port policy, the devices specified in VLAN Purple can connect to on1ly port 1/2 on1 the VMPS client 198.4.254.22 and the ports specified in the port group Executive Row.
The following example shows a sample VMPS database configuration file.
!Section 1: GLOBAL SETTINGS
!VMPS File Format, version 1.1
! Always begin the configuration file with
! the word "VMPS"
!
!vmps domain
! The VMPS domain must be defined.
!vmps mode {open | secure}
! The default mode is open.
!vmps fallback
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!Section 2: MAC ADDRESSES
!MAC Addresses
vmps-mac-addrs
!
! address vlan-name
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc. ba98.7654 vlan-name --NONE--
address fedc. ba23.1245 vlan-name Purple
!
!Section 3: PORT GROUPS
!Port Groups
!vmps-port-group
! device { port | all-ports }
!
vmps-port-group WiringCloset1
device 198.92.30.32 port 3/2
device 172.20.26.141 port 2/8
vmps-port-group "Executive Row"
device 198.4.254.222 port 1/2
device 198.4.254.222 port 1/3
device 198.4.254.223 all-ports
!
!Section 4: VLAN GROUPS
!VLAN groups
!
!vmps-vlan-group
! vlan-name
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!Section 5: VLAN PORT POLICIES
!VLAN port Policies
!
!vmps-port-policies {vlan-name | vlan-group }
! { port-group | device port }
!
vmps-port-policies vlan-group Engineering
ort-group WiringCloset1
vmps-port-policies vlan-name Green
device 198.92.30.32 port 4/8
vmps-port-policies vlan-name Purple
device 198.4.254.22 port 1/2
ort-group "Executive Row"

相關搜尋

熱門詞條

聯絡我們