VLAN Management Policy Server

A VLAN Management Policy Server (VMPS) is a network switch (or a dedicated server) that holds a mapping of device information, chiefly MAC addresses, to VLANs, and uses that mapping to tell client switches which VLAN to assign to a port when a device appears on it.

A network switch is networking hardware that connects devices on a computer network by using packet switching to receive, and forward data to the destination device.

The primary goal of VMPS is dynamic VLAN assignment for general network management, but it can also be used for security: clients with an unknown MAC address can be segregated into a fallback VLAN or refused access, and the protocol was further extended to provide login for Cisco ACLs. Cisco has since deprecated this last functionality in favour of IEEE 802.1X. Because VMPS is a Cisco-proprietary technology, the same VLAN assignment is now normally carried out within the standards-based 802.1X framework, where a RADIUS server returns the VLAN to the switch after authentication.

A media access control address of a device is a unique identifier assigned to a network interface controller (NIC). For communications within a network segment, it is used as a network address for most IEEE 802 network technologies, including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems Interconnection (OSI) model, MAC addresses are used in the medium access control protocol sublayer of the data link layer. As typically represented, MAC addresses are recognizable as six groups of two hexadecimal digits, separated by hyphens, colons, or no separator.

Client switches query the VMPS server using the VLAN Query Protocol (VQP), which runs over UDP port 1589 and carries no authentication or integrity protection of its own, so a VMPS should only be reachable from the switch management network. Only Cisco produces hardware with VMPS client functionality, which remains supported across its IOS switching lines. Cisco officially supports only the Catalyst 4000, 5000 and 6500 switch platforms (with appropriate firmware) as VMPS servers, but these have limited functionality: they only read a static text database file transferred to them over TFTP.

The VLAN Query Protocol (VQP) was developed by Cisco and allows end devices on a LAN to be identified by their MAC address and an appropriate VLAN to be assigned to the switch port, using a VLAN Management Policy Server (VMPS). Note that VQP identifies a device by a MAC address the device itself reports, which is trivially spoofable, so it is not an authentication mechanism in the sense that 802.1X is. VQP is a Cisco-only protocol; the server side is supported only by older Catalyst switches running CatOS, while the client side lives on in IOS. Many vendors have instead turned to dynamic VLAN assignment using the 802.1X authentication protocol with a RADIUS server that returns additional attributes designating the VLAN (the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes of RFC 3580).

In this way VMPS provides dynamic allocation of VLANs across the network without per-port static configuration.
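The following is an added example, not code from Cisco, OpenVMPS or any project named on this page. It models the decision a VMPS server makes for one request against the MAC-to-VLAN mapping described above (known MAC, explicit deny, unknown MAC with or without a fallback VLAN, open versus secure mode, wrong or missing domain), and then expresses the same decision as the RFC 3580 RADIUS attributes an 802.1X deployment returns instead. The embedded database is a constructed sample; the assumption is that it follows the layout of Cisco's VMPS text database file (`vmps domain`, `vmps mode`, `vmps fallback`, `vmps no-domain-req`, and `address <mac> vlan-name <name>` lines, with `--NONE--` as an explicit deny). The outcome labels and function names are this example's own, and port-policy sections of the file are not modelled.

```python
"""
Resolve a MAC address to a VLAN the way a VMPS server answers a VQP
request, from a Cisco-style VMPS database text file, and express the
same decision as the RFC 3580 RADIUS tunnel attributes that an 802.1X
deployment returns instead.
"""
import re
from typing import Optional, Tuple

# Constructed sample database. Assumption: it follows the Cisco VMPS
# file layout (vmps domain / mode / fallback / no-domain-req, then a
# vmps-mac-addrs section of "address <mac> vlan-name <name>" lines;
# "--NONE--" is an explicit deny). Port-policy sections are omitted.
SAMPLE_DB = """\
!VMPS File Format, version 1.1
vmps domain CORP
vmps mode open
vmps fallback guests
vmps no-domain-req deny
!
vmps-mac-addrs
!
address 0012.2233.4455 vlan-name engineering
address aabb.ccdd.eeff vlan-name finance
address fedc.ba98.7654 vlan-name --NONE--
"""

# Outcome labels used by this example (not protocol constants).
ALLOW, DENY, SHUTDOWN, WRONG_DOMAIN = "allow", "deny", "shutdown", "wrong-domain"


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC spelling to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def parse_vmps_db(text: str) -> dict:
    """Parse the global settings and the MAC table of a VMPS database file."""
    db = {"domain": None, "mode": "open", "fallback": None,
          "no_domain_req": "allow", "macs": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # '!' introduces a comment
            continue
        words = line.split()
        if words[0] == "vmps" and len(words) == 3:
            key = words[1].replace("-", "_")  # domain, mode, fallback, no_domain_req
            if key in db:
                db[key] = words[2]
        elif words[0] == "address" and len(words) == 4 and words[2] == "vlan-name":
            db["macs"][normalize_mac(words[1])] = words[3]
    return db


def lookup(db: dict, mac: str, domain: Optional[str]) -> Tuple[str, Optional[str]]:
    """Decide (outcome, vlan) for one request, modelled on VMPS semantics.

    A known MAC gets its VLAN; "--NONE--" is an explicit refusal; an
    unknown MAC gets the fallback VLAN if one is defined. A refusal is an
    access-denied response in open mode and a port-shutdown response in
    secure mode. Requests from a foreign domain are rejected; requests
    carrying no domain are handled according to no-domain-req.
    """
    refuse = SHUTDOWN if db["mode"] == "secure" else DENY
    if not domain:
        if db["no_domain_req"] == "deny":
            return (DENY, None)
    elif domain != db["domain"]:
        return (WRONG_DOMAIN, None)
    vlan = db["macs"].get(normalize_mac(mac))
    if vlan == "--NONE--":
        return (refuse, None)
    if vlan is not None:
        return (ALLOW, vlan)
    if db["fallback"]:
        return (ALLOW, db["fallback"])
    return (refuse, None)


def radius_vlan_attrs(vlan: str) -> dict:
    """The RFC 3580 attributes a RADIUS server puts in Access-Accept to
    assign the same VLAN under 802.1X: Tunnel-Type=VLAN (13),
    Tunnel-Medium-Type=IEEE-802 (6), Tunnel-Private-Group-ID=<vlan>."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": vlan}


if __name__ == "__main__":
    db = parse_vmps_db(SAMPLE_DB)
    for mac in ("00:12:22:33:44:55", "fe-dc-ba-98-76-54", "0000.0000.0001"):
        outcome, vlan = lookup(db, mac, "CORP")
        print(mac, outcome, vlan, radius_vlan_attrs(vlan) if vlan else "")
```

The security-relevant branch is the unknown-MAC case: with a fallback VLAN configured, every unrecognised device (including one spoofing a random address) lands in that VLAN, so the fallback should be a quarantined guest network rather than a production one; without a fallback, secure mode shuts the port, which turns a MAC-spoofing attempt into a visible outage the operator has to clear by hand.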

Third party servers

Third-party VMPS server implementations exist to enhance functionality; they can consult an SQL database or call external programs to decide on network access for a given request. The first publicly available one was OpenVMPS, by Dori Seliskar and others. FreeRADIUS and Icarus VMPSd also offer VMPS support and include additional management tools to help manage hundreds or thousands of clients and their MAC addresses.

FreeRADIUS is a modular, high performance free RADIUS suite developed and distributed under the GNU General Public License, version 2, and is free for download and use. The FreeRADIUS Suite includes a RADIUS server, a BSD-licensed RADIUS client library, a PAM library, an Apache module, and numerous additional RADIUS related utilities and development libraries.

Related Research Articles

The Spanning Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include backup links to provide fault tolerance if an active link fails.

A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer. LAN is the abbreviation for local area network and in this context virtual refers to a physical object recreated and altered by additional logic. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

Virtual private network

A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running on a computing device, e.g., a laptop, desktop, smartphone, across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, though not an inherent, part of a VPN connection.

A multilayer switch (MLS) is a computer networking device that switches on OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI layers.

IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems in 1994 by Keith McCloghrie and Dino Farinacci. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.

IEEE 802.1Q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration Protocol.

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLAN) on the whole local area network. To do this, VTP carries VLAN information to all the switches in a VTP domain. VTP advertisements can be sent over 802.1Q, and ISL trunks. VTP is available on most of the Cisco Catalyst Family products. Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:

EtherChannel

EtherChannel is a port link aggregation technology or port-channel architecture used primarily on Cisco switches. It allows grouping of several physical Ethernet links to create one logical Ethernet link for the purpose of providing fault-tolerance and high-speed links between switches, routers and servers. An EtherChannel can be created from between two and eight active Fast, Gigabit or 10-Gigabit Ethernet ports, with an additional one to eight inactive (failover) ports which become active as the other active ports fail. EtherChannel is primarily used in the backbone network, but can also be used to connect end user machines.

The Multiple Spanning Tree Protocol (MSTP) and its algorithm provide both simple and full connectivity for any given Virtual LAN (VLAN) throughout a bridged local area network. MSTP uses BPDUs to exchange information between spanning-tree-compatible devices and prevents loops in each MSTI and in the CIST by selecting active and blocked paths. As with STP, this removes the danger of bridge loops without backup links having to be enabled manually.

Wireless security

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is a notoriously weak security standard: the key it uses can often be recovered in a few minutes with a basic laptop computer and widely available software tools. WEP is an old IEEE 802.11 standard from 1997, which was superseded in 2003 by WPA, or Wi-Fi Protected Access. WPA was a quick interim measure to improve security over WEP. It was in turn replaced by WPA2, which some hardware cannot support without a firmware upgrade or replacement. WPA2 uses AES-based CCMP encryption with keys derived from a 256-bit pairwise master key, a considerable improvement over WEP's short RC4 keys. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the 802.1X standard.

Multiple Registration Protocol (MRP), which replaced Generic Attribute Registration Protocol (GARP), is a generic registration framework defined by the IEEE 802.1ak amendment to the IEEE 802.1Q standard. MRP allows bridges, switches or other similar devices to register and de-register attribute values, such as virtual LAN identifiers and multicast group membership across a large local area network. MRP operates at the data link layer.

Supplicant (computer)

In computer networking, a supplicant is an entity at one end of a point-to-point LAN segment that seeks to be authenticated by an authenticator attached to the other end of that link. The IEEE 802.1X standard uses the term "supplicant" to refer either to hardware or to software. In practice, a supplicant is a software application installed on an end-user's computer. The user invokes the supplicant and submits credentials to connect the computer to a secure network. If the authentication succeeds, the authenticator typically allows the computer to connect to the network.

The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol used by network devices for advertising their identity, capabilities, and neighbors on a local area network based on IEEE 802 technology, principally wired Ethernet. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery specified in IEEE 802.1AB and IEEE 802.3 section 6 clause 79.

Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given "uplink". The restricted ports are called "private ports". Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port connected to a router, firewall, server, provider network, or similar central resource.

IEEE 802.1ad is an Ethernet networking standard, informally known as QinQ, that was published as an amendment to IEEE 802.1Q-1998 and was incorporated into the base 802.1Q standard in 2011. The technique is also known as provider bridging or stacked VLANs. On devices that support it, "Q-in-Q" can also refer to stacking a customer tag (C-tag) on another C-tag.

FTOS, or Force10 Operating System, is the firmware family used on Force10 Ethernet switches. It has similar functionality to Cisco's NX-OS or Juniper's Junos and runs on NetBSD.
As part of a Dell re-branding strategy, FTOS is being renamed Dell Networking Operating System (DNOS) 9.x and above, while the legacy PowerConnect switches use DNOS 6.x; see the separate article on DNOS.