Ethan Banks On productivity.

NMC DOiT Vol.2 Scenario 1 Day 7 – VMPS + Private VLANs


I have completed scenario 1…finally. It took me the 2 hours I predicted last night to complete my review of VLAN Management Policy Server and private VLANs, and then write the IOS code.

VMPS allows you to force a specific MAC address into a specific VLAN.

  1. The switch has been configured as a VMPS client with “vmps server xx.xx.xx.xx” command.
  2. The VMPS server the client points to is a Catalyst switch that can act as a VMPS server, like a Cat4000 or 6000 series. 35xx switches are not capable of being VMPS servers, but rather clients only.
  3. A new host MAC hits a switch port that has been configured for “switchport access vlan dynamic”.
  4. The switch, acting as a VMPS client, sends a query to the VMPS server via VQP (VLAN Query Protocol, I think).
  5. The VMPS server (a Cat4000/6000 switch) receives the VQP message from the VMPS client, and responds in a variety of ways, depending on whether the prospective new MAC address is in the VMPS database or not.
  6. The VMPS server could deny access to the host by telling the VMPS client to shutdown the port. Or if the host MAC is known to the VMPS server, the VMPS server would most likely instruct the VMPS client what VLAN to put the dynamic port in.

Private VLANs are a whole other topic that would take more time than I want to take to completely explain. But here’s a brief overview.

  • Private VLAN is a technology allowing complete or partial layer 2 isolation, on an interface basis. In other words, using private VLANs, we can keep 2 hosts in the same layer 2 VLAN from talking to one another.
  • Think of a private VLAN as a parent container that can hold one or more child VLANs. Within a private VLAN, you’ve got 2 types of child VLANs:
    • Isolated VLANs – ports in an isolated VLAN can only talk to a “promiscuous” port in that same VLAN.
    • Community VLANs – ports in an a community VLAN can talk to other ports in the same community VLAN, and to promiscuous ports. But not to other community VLANs or other isolated VLANs.
  • Within a child VLAN, you have normal ports, and promiscuous ports. A promiscuous port can talk to anyone else in that child VLAN. This feature is typically used for a layer 3 gateway.

There’s a lot more to VMPS and private VLANs both. There is no hardware in the CCIE lab that can act as a VMPS server, so I am not going to study how to turn a Catalyst into a VMPS server. Private VLANs we need to know, so hitting the link above will get you into the IOS syntax to configure them.

So, I’m off to NMC scenario 2 now…here we go!

By Ethan Banks
Ethan Banks On productivity.

You probably know Ethan Banks because he writes & podcasts about IT. For example, he co-authored "Computer Networks Problems & Solutions" with Russ White.

This site is Ethan on productivity--not tech so much.

Find out more on his about page.