VMPS Tests Conducted

1. Two hosts (MAC address/VLAN pairs) were configured as allowed in the VMPS database. When either of the allowed hosts was plugged into the switch, a VMPS request was generated and the server replied allowing the connection. No log messages are generated by the switch.

2. Unplugging a PC causes no VMPS activity.

3. If a PC is connected with a MAC address that is not allowed, the switch logs an error and refuses access to the network:
DVLAN-1-DENYHOST:Host 00-03-ba-27-54-9b denied on port 2/1
Optionally, the server can tell the switch to shut down the port, in which case it must be manually re-enabled (this “secure” mode is perhaps useful for switches in physically exposed places).

4. If the primary VMPS does not reply, the switch retries with the secondary.

5. The switch tries to contact a server 3 times by default before giving up. This value can be configured on the switch (to a maximum of 10): on CatOS with set vmps server retry XX, on IOS with vmps retry XX.

6. Reconfirmation:

The switch reconfirms whether the port is still authorised (by default every 60 minutes; CatOS: set vmps server reconfirminterval XX; IOS, in ‘conf t’ mode: vmps reconfirm XX).

If a host was previously enabled and the VMPS server was updated to disable this host, the switch notices this at the next reconfirmation interval. On reconfirmation it blocks the port and logs an appropriate message: "DVLAN-1-DENYHOST:Host 00-03-ba-27-54-9b denied on port 2/1"

If neither the primary nor the secondary server is available, the switch logs an error but does not disconnect the PC/port (this is important to prevent cascaded network failures): "DVLAN-2-MACNOTRECONFIRMED:Mac [00-03-ba-27-54-9b] is not reconfirmed"

If the switch cannot contact a VMPS server, show vmps (IOS: sho vmps stat) displays "No Host" but no message is logged. It also shows the time of the last reconfirmation and the IP address of the server last accessed:
VMPS Action: No Host
VMPS Last Accessed: 192.168.245.19
Last Reconfirmation: Fri Sep 10 2004, 08:30:02

Reconfirmation can be triggered manually on the switch (CatOS: reconfirm vmps; IOS: vmps reconfirm). During the reconfirmation, show vmps shows a status of “In Progress” and then “Success”, with the timestamp of the last reconfirmation updated.

To clear vmps statistics (IOS): clear vmps status

7. If two PCs set their MAC address to the same value, the switch authenticates on each packet, so some packets from each PC are allowed. This disrupts both PCs. The switch does not flag it as an error, but it can be detected by analysing the logs for frequent authentication of the same MAC address within a short period of time.

8. If two PCs are connected to a hub (or unmanaged switch), which is connected to one (vmps) Switch port, then:
• If both PCs are authorised on the same VLAN they can both communicate.
• If only one is authorised, the traffic from the second is blocked. The authorised PC continues to work fine.
• If both are authorised, but in different VLANs, the switch constantly moves the port between the two VLANs, causing havoc: some packets pass from each machine. No errors are logged by the switch or the VMPS server, since each authentication succeeds. To detect this scenario, monitoring would have to detect a VMPS “authentication storm” from one port and notify the network administrator.
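A detection pass over VMPS server logs for the two cases in tests 7 and 8 above (the same MAC re-authenticating repeatedly, and one port flipping between VLANs). This is an added example, not part of the original tests; the log line format it parses and the sample lines are constructed assumptions, since the page only shows the switch's own syslog messages, and the one-minute window and threshold of 3 are tunable starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real VMPS server's output):
# "<date> <time> port=<port> mac=<mac> vlan=<vlan>", one line per successful lookup.
LINE_RE = re.compile(r"^(\S+ \S+) port=(\S+) mac=([0-9a-fA-F-]{17}) vlan=(\S+)$")

def parse(lines):
    # (timestamp, port, mac, vlan) tuples sorted by time; malformed lines are skipped.
    found = (LINE_RE.match(line.strip()) for line in lines)
    return sorted((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2),
                   m.group(3).lower(), m.group(4)) for m in found if m)

def burst(times, window, threshold):
    # True if at least `threshold` of the sorted timestamps fall inside one `window`.
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

def duplicate_mac_alerts(events, window=timedelta(minutes=1), threshold=3):
    # Test 7: a MAC authenticated `threshold` times within `window` -> {mac: sorted ports}.
    by_mac = defaultdict(list)
    for ts, port, mac, _ in events:
        by_mac[mac].append((ts, port))
    return {mac: sorted({p for _, p in seen}) for mac, seen in by_mac.items()
            if burst([t for t, _ in seen], window, threshold)}

def vlan_flap_alerts(events, window=timedelta(minutes=1), threshold=3):
    # Test 8: a port whose VLAN changes `threshold` times within `window` -> {port: sorted VLANs}.
    by_port = defaultdict(list)
    for ts, port, _, vlan in events:
        by_port[port].append((ts, vlan))
    alerts = {}
    for port, seen in by_port.items():
        changes = [seen[i][0] for i in range(1, len(seen)) if seen[i][1] != seen[i - 1][1]]
        if burst(changes, window, threshold):
            alerts[port] = sorted({v for _, v in seen})
    return alerts

# Constructed sample: 00-aa-bb-cc-dd-01 is seen on two ports within seconds (test 7);
# port 2/3 is shared by two hosts in VLANs 10 and 20 (test 8); port 2/4 is normal.
SAMPLE = """2004-09-10 08:30:02 port=2/1 mac=00-aa-bb-cc-dd-01 vlan=10
2004-09-10 08:30:05 port=2/2 mac=00-aa-bb-cc-dd-01 vlan=10
2004-09-10 08:30:09 port=2/1 mac=00-aa-bb-cc-dd-01 vlan=10
2004-09-10 08:31:00 port=2/3 mac=00-aa-bb-cc-dd-02 vlan=10
2004-09-10 08:31:04 port=2/3 mac=00-aa-bb-cc-dd-03 vlan=20
2004-09-10 08:31:07 port=2/3 mac=00-aa-bb-cc-dd-02 vlan=10
2004-09-10 08:31:12 port=2/3 mac=00-aa-bb-cc-dd-03 vlan=20
2004-09-10 09:00:00 port=2/4 mac=00-aa-bb-cc-dd-04 vlan=10""".splitlines()
```

Running duplicate_mac_alerts(parse(SAMPLE)) flags 00-aa-bb-cc-dd-01 on ports 2/1 and 2/2, and vlan_flap_alerts(parse(SAMPLE)) flags port 2/3 alternating between VLANs 10 and 20, while the lone host on 2/4 raises nothing.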

9. If a PC is disabled in the VMPS database and VMPS is restarted, there is no immediate effect. The PC continues to have access until the cable is removed and re-added, or until the next VMPS reconfirmation (every 60 minutes).

10. If a PC’s MAC is added to the VMPS database and VMPS is restarted, there is no immediate effect. The PC continues to be forced onto the default VLAN until the cable is removed and re-added, or until the next VMPS reconfirmation (every 60 minutes).

Other findings

Several VMware virtual machines were running on the network, each looking like a real PC with its own address. This usage is not really a risk; it allows tests to be conducted on virtual machines, but it does confuse network management.

Some laptops have a docking station, which has a different MAC address from the laptop’s built-in MAC address.

Several users used wireless rather than the fixed LAN.

User acceptance was high (all problems were solved quickly).

A change/authorisation/expiry process needs to be developed, written down and adhered to. What happens when a user leaves and a new user comes, taking over an already authorised PC?

There is no noticeable delay when using the network.

If a user is refused access and is then added to the VMPS DB to allow access, he must either wait one hour or re-authenticate. To re-authenticate, there are several options:
• disable and re-enable the network connection in the connections control panel (this is the quickest method)
• unplug and plug in his network cable; it takes some time for Windows to realise it is on another network
• click on the network icon -> Support -> "Repair": it first tries to release its old address, but cannot, as the DHCP server is not there anymore; this may take 5 minutes
