
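Dynamic VLAN

With a dynamic VLAN, the VLAN an end device belongs to is determined by its MAC address. The VMPS (VLAN Management Policy Server) holds a text file containing a VLAN-to-MAC-address mapping table. The switch downloads this file and then checks MAC addresses against it.

A static VLAN, by contrast, assigns VLANs by switch port.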

  • Chinese name: 动态VLAN
  • Category: computer applications
  • Hardware required: switch
  • Function: determines the VLAN from the user's MAC address

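How it works

  Once VMPS is enabled, the switch first downloads the MAC-address-to-VLAN mapping database from a pre-specified TFTP server. This database is a text file written in advance. The switch then starts a UDP process that listens for requests from clients and handles them. When VMPS receives a valid request from a client, it first checks whether the database contains a mapping record for that MAC address. If it does, VMPS sends the corresponding VLAN number to the client switch. If it does not, and VMPS is in non-secure mode, the client simply denies the host access. If there is likewise no mapping record for the MAC address but VMPS is in secure mode, the port on the client switch to which that MAC is connected is shut down, and it can only be re-enabled manually.

  A default VLAN can be configured; if the database has no record for a MAC address, the host is assigned to this VLAN. The NONE keyword can also be used to state explicitly that a MAC address may not belong to a VLAN. VMPS also provides policies that make its configuration more flexible. These policies include port groups (Port-group) and VLAN groups (VLAN-group).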

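Configuration

  To configure VMPS on a Catalyst 5000 series switch, first create a VMPS database. Note the following when creating it: (1) the file begins with "VMPS", which keeps the switch from reading in some other file by mistake; (2) define the VMPS domain so that it matches the VTP domain; (3) define the security mode, either Open or Secure; (4) (optional) define the default VLAN; (5) define the MAC-address-to-VLAN mappings; (6) define the VLAN assignment policies.

  The steps for configuring VMPS on a Catalyst 5000 series switch are as follows.

  Specify the method used to download the database, with the following command:

  set vmps downloadmethod rcp | tftp [username]

  Configure the TFTP or RCP server that holds the VMPS database, with the following command:

  set vmps downloadserver ip_addr [filename]

  Enable VMPS, with the following command:

  set vmps state enable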

  VMPS server configuration

  To use VMPS, you first must create a VMPS database and store it on a TFTP server. The VMPS parser is line based. Start each entry in the file on a new line. The example at the end of this section corresponds to the information described below.

  The VMPS database can have up to five sections:

  Section 1, Global settings, lists the settings for the VMPS domain name, security mode, fallback VLAN, and the policy for VMPS and VTP domain name mismatches.

  Begin the configuration file with the word "VMPS," to prevent other types of configuration files from incorrectly being read by the VMPS server.

  Define the VMPS domain. The VMPS domain should correspond to the VTP domain name configured on the switch.

  Define the security mode. VMPS can operate in open or secure mode. If you set it to open mode, VMPS returns an access denied response for an unauthorized MAC address and returns the fallback VLAN for a MAC address not listed in the VMPS database. In secure mode, VMPS shuts down the port for a MAC address that is unauthorized or that is not listed in the VMPS database.

  (Optional) Define a fallback VLAN. The fallback VLAN is assigned if the MAC address of the connected host is not defined in the database.

  In the example at the end of this section, the VMPS domain name is WBU, the VMPS mode is set to open, the fallback VLAN is set to the VLAN default, and if the VTP domain name does not match the VMPS domain name, then VMPS sends an access denied response message.

  Section 2, MAC addresses, lists MAC addresses and authorized VLAN names for each MAC address.

  Enter the MAC address of each host and the VLAN name to which each should belong.

  Use the --NONE-- keyword as the VLAN name to deny the specified host network connectivity.

  You can enter up to 21,051 MAC addresses in a VMPS database file for the Catalyst 2948G switch.

  In the example at the end of this section, MAC addresses are listed in the MAC table. Notice that the MAC address fedc.ba98.7654 is set to --NONE--. This setting explicitly denies this MAC address from accessing the network.

  Section 3, Port groups, lists groups of ports on various switches in your network that you want grouped together. You use these port groups when defining VLAN port policies.

  Define a port group name for each port group; then list all ports you want included in the port group.

  A port is identified by the IP address of the switch and the module/port number of the port in the form mod_num/port_num. Ranges are not allowed for the port numbers.

  Use the all-ports keyword to specify all the ports in the specified switch.

  The example at the end of this section has two port groups:

  WiringCloset1 consists of two ports: port 3/2 on the VMPS client 198.92.30.32 and port 2/8 on the VMPS client 172.20.26.141.

  Executive Row consists of three ports: port 1/2 and 1/3 on the VMPS client 198.4.254.222, and all ports on the VMPS client 198.4.254.223.

  Section 4, VLAN groups, lists groups of VLANs you want to associate together. You use these VLAN groups when defining VLAN port policies.

  Define the VLAN group name; then list each VLAN name you want to include in the VLAN group.

  You can enter a maximum of 256 VLANs in a VMPS database file for the Catalyst 2948G switch.

  The example at the end of this section has the VLAN group Engineering, which consists of the VLANs hardware and software.

  Section 5, VLAN port policies, lists the VLAN port policies, which use the port groups and VLAN groups to further restrict access to the network.

  You can configure a restricted access using MAC addresses and the port groups or VLAN groups.

  The example at the end of this section has three VLAN port policies specified.

  In the first VLAN port policy, the VLAN hardware or software is restricted to port 3/2 on the VMPS client 198.92.30.32 and port 2/8 on the VMPS client 172.20.23.141.

  In the second VLAN port policy, the devices specified in VLAN Green can connect only to port 4/8 on the VMPS client 198.92.30.32.

  In the third VLAN port policy, the devices specified in VLAN Purple can connect only to port 1/2 on the VMPS client 198.4.254.22 and the ports specified in the port group Executive Row.

  The following example shows a sample VMPS database configuration file.

    !Section 1: GLOBAL SETTINGS
    !VMPS File Format, version 1.1
    ! Always begin the configuration file with
    ! the word "VMPS"
    !
    !vmps domain
    ! The VMPS domain must be defined.
    !vmps mode {open | secure}
    ! The default mode is open.
    !vmps fallback
    !vmps no-domain-req { allow | deny }
    !
    ! The default value is allow.
    vmps domain WBU
    vmps mode open
    vmps fallback default
    vmps no-domain-req deny
    !
    !Section 2: MAC ADDRESSES
    !MAC Addresses
    vmps-mac-addrs
    !
    ! address vlan-name
    !
    address 0012.2233.4455 vlan-name hardware
    address 0000.6509.a080 vlan-name hardware
    address aabb.ccdd.eeff vlan-name Green
    address 1223.5678.9abc vlan-name ExecStaff
    address fedc.ba98.7654 vlan-name --NONE--
    address fedc.ba23.1245 vlan-name Purple
    !
    !Section 3: PORT GROUPS
    !Port Groups
    !vmps-port-group
    ! device { port | all-ports }
    !
    vmps-port-group WiringCloset1
    device 198.92.30.32 port 3/2
    device 172.20.26.141 port 2/8
    vmps-port-group "Executive Row"
    device 198.4.254.222 port 1/2
    device 198.4.254.222 port 1/3
    device 198.4.254.223 all-ports
    !
    !Section 4: VLAN GROUPS
    !VLAN groups
    !
    !vmps-vlan-group
    ! vlan-name
    !
    vmps-vlan-group Engineering
    vlan-name hardware
    vlan-name software
    !
    !Section 5: VLAN PORT POLICIES
    !VLAN port Policies
    !
    !vmps-port-policies {vlan-name | vlan-group }
    ! { port-group | device port }
    !
    vmps-port-policies vlan-group Engineering
    port-group WiringCloset1
    vmps-port-policies vlan-name Green
    device 198.92.30.32 port 4/8
    vmps-port-policies vlan-name Purple
    device 198.4.254.22 port 1/2
    port-group "Executive Row"
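
  The database format and the open/secure rules described above, as an added Python example (not Cisco's code and not part of the original page): it parses the line-based file and returns the answer VMPS would give for a MAC address seen on a given switch port. The function names are hypothetical, and two points are assumptions: a VLAN with no port policy is allowed on any port, and the fallback VLAN is handed out only in open mode, following the security-mode description above.

```python
import shlex

SAMPLE = """! constructed input: trimmed copy of the page's sample database
vmps mode open
vmps fallback default
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address fedc.ba98.7654 vlan-name --NONE--
vmps-port-group WiringCloset1
device 198.92.30.32 port 3/2
vmps-vlan-group Engineering
vlan-name hardware
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
"""

def parse_vmps(text):
    db = {"globals": {}, "macs": {}, "vmps-port-group": {}, "vmps-vlan-group": {}, "policies": {}}
    cur = None  # the set that the child lines after a group/policy header fill
    lines = (l.strip() for l in text.splitlines())
    for t in (shlex.split(l) for l in lines if l and not l.startswith("!")):
        if t[0] == "vmps":                       # global setting, e.g. "vmps mode open"
            db["globals"][t[1]] = t[2]
        elif t[0] == "address":                  # address <mac> vlan-name <vlan>
            db["macs"][t[1].lower()] = t[3]
        elif t[0] in ("vmps-port-group", "vmps-vlan-group"):
            cur = db[t[0]].setdefault(t[1], set())
        elif t[0] == "vmps-port-policies":       # keyed by (vlan-name|vlan-group, name)
            cur = db["policies"].setdefault((t[1], t[2]), set())
        elif t[0] == "device":                   # "*" stands for all-ports
            cur.add((t[1], t[3] if t[2] == "port" else "*"))
        elif t[0] == "vlan-name":
            cur.add(t[1])
        elif t[0] == "port-group":               # expand into its (switch, port) pairs
            cur.update(db["vmps-port-group"][t[1]])
    return db

def decide(db, mac, switch, port):
    g = db["globals"]
    secure = g.get("mode", "open") == "secure"
    reject = ("shutdown" if secure else "deny", None)
    vlan = db["macs"].get(mac.lower())
    if vlan is None:                             # MAC not listed in the database
        return ("assign", g["fallback"]) if "fallback" in g and not secure else reject
    ports = [p for (kind, name), p in db["policies"].items()
             if kind == "vlan-name" and name == vlan
             or kind == "vlan-group" and vlan in db["vmps-vlan-group"].get(name, ())]
    allowed = not ports or any((switch, port) in p or (switch, "*") in p for p in ports)
    return ("assign", vlan) if allowed and vlan != "--NONE--" else reject
```

  Running a proposed database through `decide` for listed and unlisted MAC addresses before it is placed on the TFTP server shows which hosts would land in the fallback VLAN and which ports a secure-mode server would shut down.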
