VMPS parameters
Posted August 10th, 2007 by sean
Vlans
The Vlan names and numbers must be configured on the switches exactly the same as in the Vlan table in FreeNAC. NAC does not configure this on the switches for you.
So for example, if NAC is going to attribute the Vlans 'Printer' and 'Workstation', these two must be defined with exactly the same name and number on the switches and in FreeNAC.
FreeNAC also allows 'location based vlans', i.e. the Vlan names do not have to be the same on all switches; refer to the FreeNAC Users Guide >> Windows GUI >> Configuration: Vlans.
syslog
It's recommended to configure the switches to send a copy of their logs to the NAC server; this helps with troubleshooting.
See also http://www.cisco.com/en/US/products/hw/switches/ps607/products_configura...
vmps server
CATOS:
set vmps server 192.168.245.40
clear vmps server 192.168.245.18
reconfirm vmps
sho vmps
IOS:
conf t
vmps server 192.168.245.40
no vmps server 192.168.245.18
end
vmps reconfirm
sho vmps
VMPS “retry” switch parameter
The following is an extract from "Troubleshooting Connectivity Between the VMPS Client and the VMPS server", http://www.cisco.com/warp/public/473/157.html#topic1-3
VMPS reconfirmation occurs when the VMPS client asks the VMPS if the dynamic port assignments are correct and if the correct MAC addresses have been assigned to the right ports. By default, this happens about every 60 minutes. Issue a show vmps command on the VMPS client to determine the VMPS reconfirmation time.
If the connectivity between the VMPS client and VMPS is intermittent (some data gets lost along the way) then you can try to increase the VMPS retry interval on the VMPS client, as a workaround. Issue the set vmps server retry command. By default, the VMPS client will try three times. In an environment with intermittent connectivity, when you increase the VMPS retry interval, you give the client more chances to connect to the VMPS before it gives up and VLAN membership fails.
Since Version 2.0, FreeNAC queries an SQL database in real time when authenticating end devices. There is also an optional "hub detection" feature which means it tries to detect and ping all devices already on a hub. Thus authentication can take seconds.
This can lead to the switch getting impatient, sending several requests and logging MACNOTRECONFIRMED messages to syslog, especially when reconfirming all ports each hour. One solution is to increase the vmps retry count from the standard 3, to say, 10.
When there is a loss of connectivity between a VMPS client and a VMPS, the VMPS reconfirmation might fail and produce the DVLAN-2-MACNOTRECONFIRMED error message. The port will lose its DVLAN assignment, as in this example:
%DVLAN-2-MACNOTRECONFIRMED:Mac [00-00-f4-11-11-0f] is not reconfirmed
%DVLAN-1-DENYHOST:Host 00-00-11-11-11-0f denied on port 3/10
“Cam” timeouts on “silent” servers
After the end-device transmits and the switch receives a valid response from the VMPS server, the switch enables the interface in the correct VLAN. If the client sits idle for a while causing the bridge aging timer to expire for the entry, the Catalyst returns the port to an unassigned state.
Therefore
- 'silent' servers (or printers, for example) would be disconnected from the network if they did not transmit packets at least every 5 minutes.
- If the VMPS daemon died during the night, users would not be able to log in in the morning. (Of course this can be mitigated with redundancy mechanisms.)
The aging timer (or CAM: content addressable memory) can be viewed on CatOS switches with:
sh cam agingtime (The default value is 300 seconds).
This timeout can be increased to several hours. We think this increases the risk of ARP flooding, but hopefully that is a low risk on an internal network. It is recommended to set a value like 12 hours for dynamic/VMPS ports. This is important for switches that have servers/printers that may not send out any packets for several minutes or hours.
It's also recommended to use logcheck or a similar tool to watch for unusual switch syslog entries, especially floods.
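As an added example (not part of the original page or of FreeNAC), the following script does the kind of syslog watching recommended here for the DVLAN messages quoted above: it parses MACNOTRECONFIRMED and DENYHOST lines, flags a switch that logs a burst of unconfirmed MACs (the "impatient switch" symptom that points at the retry count or VMPS reachability), and lists the ports that lost their dynamic VLAN. A generic "Mon DD HH:MM:SS host message" syslog prefix is assumed; the switch names and MAC addresses in the sample log are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# A generic "Mon DD HH:MM:SS host message" syslog prefix is assumed (see sample below).
PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
NOTRECONFIRMED = re.compile(PREFIX + r"%DVLAN-2-MACNOTRECONFIRMED:Mac \[(?P<mac>[0-9a-f-]{17})\]", re.I)
DENYHOST = re.compile(PREFIX + r"%DVLAN-1-DENYHOST:Host (?P<mac>[0-9a-f-]{17}) denied on port (?P<port>\S+)", re.I)

def parse_line(line):
    """Return {kind, ts, host, mac, port} for a DVLAN message, else None."""
    for kind, rx in (("notreconfirmed", NOTRECONFIRMED), ("denyhost", DENYHOST)):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            # No year in the prefix: strptime defaults to 1900, which is fine for deltas.
            d["ts"] = datetime.strptime(" ".join(d["ts"].split()), "%b %d %H:%M:%S")
            d["mac"], d["kind"] = d["mac"].lower(), kind
            d.setdefault("port", None)
            return d
    return None

def flood_hosts(lines, threshold=3, window_s=60):
    """Switches logging >= threshold MACNOTRECONFIRMED messages within any
    window_s seconds: the burst that suggests raising the vmps retry count."""
    stamps = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev and ev["kind"] == "notreconfirmed":
            stamps[ev["host"]].append(ev["ts"])
    flooding = []
    for host, ts in stamps.items():
        ts.sort()
        if any((ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - threshold + 1)):
            flooding.append(host)
    return sorted(flooding)

def denied_hosts(lines):
    """(switch, mac, port) for each DENYHOST, i.e. ports that lost their dynamic VLAN."""
    return [(ev["host"], ev["mac"], ev["port"])
            for ev in map(parse_line, lines) if ev and ev["kind"] == "denyhost"]

# Constructed sample syslog (switch names and MACs are made up for this example).
SAMPLE_LOG = """\
Aug 10 03:00:01 sw-floor2 %DVLAN-2-MACNOTRECONFIRMED:Mac [00-00-f4-11-11-0f] is not reconfirmed
Aug 10 03:00:02 sw-floor2 %DVLAN-2-MACNOTRECONFIRMED:Mac [00-00-f4-11-11-10] is not reconfirmed
Aug 10 03:00:03 sw-floor2 %DVLAN-2-MACNOTRECONFIRMED:Mac [00-00-f4-11-11-11] is not reconfirmed
Aug 10 03:00:05 sw-floor2 %DVLAN-1-DENYHOST:Host 00-00-11-11-11-0f denied on port 3/10
Aug 10 03:00:06 sw-floor2 %SYS-5-MOD_OK:Module 3 is online
Aug 10 03:07:40 sw-floor3 %DVLAN-2-MACNOTRECONFIRMED:Mac [00-00-f4-22-22-01] is not reconfirmed
"""
```

Feed it the lines of the syslog file the NAC server receives from the switches; a switch in `flood_hosts()` output is the one whose reconfirmations are timing out.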
CatOS:
The value can be set in seconds and per vlan. It needs to be set for each VLAN, for example on VLAN 4:
show cam agingtime VLAN_NR
set cam agingtime VLAN_NR XXX (secs, e.g. 24h=86400, 12h=43200)
IOS:
mac-address-table aging-time XXX (secs; add "vlan VLAN_NR" at the end to set it for a single VLAN)
Other notes
A graphical example
Example of migrating Switches to use a new VMPS server
Assuming we had two previous VMPS servers 192.168.245.18 and 192.168.245.19, and we now wish to change the switches to use a new server 192.168.245.40, log on to the switches and do the following.
Monitoring: watch the syslog entries on the vmps server, the updating of the “last seen” times and “Server log” in the Windows GUI.
CATOS:
set vmps server 192.168.245.40
clear vmps server 192.168.245.19
clear vmps server 192.168.245.18
reconfirm vmps
sho vmps
IOS:
conf t
vmps server 192.168.245.40
no vmps server 192.168.245.18
no vmps server 192.168.245.19
end
vmps reconfirm
sho vmps