Usually, when we have to do network segmentation using VLANs, we create the necessary networks either manually or automatically using protocols like Cisco VTP (VLAN Trunking Protocol). After that, we assign each one of the network devices to the different VLANs defined. This means that if I move tomorrow and change my laptop of network connection point, I will have to change the new network connection point so it belongs to the original VLAN I had.
One solution to this problem is the use of the VTP protocol together with the Cisco VMPS (VLAN Management Policy Server) service, which provides a first approximation to a solution of network access control such as the ones offered by manufacturers today. Among other features, VMPS allows to dynamically associate devices to VLANs based on MAC address (with the security issues this involves). This way, I can connect my laptop to any network point of the office and it will always belong to the same correct VLAN.
Any midrange Cisco switch supports VMPS as client. However, only the upper range (higher than 4000) support the server mode. Despite this, it is not necessary to have one of these devices to implement this solution because there are many tools, both free (some outdated) and commercial, that provide the VMPS server functionality we need. Among all them, we have selected vmpsd (http://sourceforge.net/projects/vmps/), a little daemon for GNU/Linux that provides a VMPS server without installing too much software, as a management system database. To configure VMPS on our switch (the Cisco 2960 is the chosen device), we have to perform the following steps:
1) Configure VTP
Switch(config)#vtp mode server
Switch(config)#vtp domain s2
Switch#show vtp status
: running VTP2
Configuration Revision : 1
Maximum VLANs supported locally : 255
Number of existing VLANs : 14
VTP Operating Mode : Server
VTP Domain Name : s2
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xC4 0xE8 0xDB 0x1A 0xF2 0x6B 0xC2 0x79
2) Configure the switch device as a VMPS client
To perform this configuration, we use the IP address of the main VPMS server (we can have several).
Switch(config)# vmps retry 3 Switch(config)# vmps reconfirm 1 Switch(config)# vmps server 172.18.0.150 primary Switch#show vmps VQP Client Status: -------------------- VMPS VQP Version: 1 Reconfirm Interval: 1 min Server Retry Count: 3 VMPS domain server: 172.18.0.150 (primary, current) Reconfirmation status --------------------- VMPS Action: No Dynamic Port
3) Create the VLANs
Switch(config)#vlan 21 Switch(config-vlan)#name MANAGMT Switch(config)#vlan 22 Switch(config-vlan)#name USUARIOS Switch(config)#vlan 23 Switch(config-vlan)#name GUESTS Switch#show vlan VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 21 MANAGMT active 22 USUARIOS active 23 GUESTS active
4) Mark the interfaces that use VMPS
Switch(config)#interface range fastEthernet 0/10-20 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan dynamic Switch#show interface fastEthernet 0/10 switchport Name: Fa0/10 Switchport: Enabled Administrative Mode: dynamic access ****** Operational Mode: down Administrative Trunking Encapsulation: dot1q Negotiation of Trunking: Off Access Mode VLAN: unassigned ******* Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk associations: none Administrative private-vlan trunk mappings: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL
5) Configure the VMPS server (vlan.db)
vmps domain s2 vmps mode open vmps fallback GUESTS vmps no-domain-req deny vmps-mac-addrs address 0023.8bd7.c2b3 vlan-name MANAGMT
In the configuration must take into account the following:
- The domain must coincide with the one configured in VTP.
- The “GUESTS” VLAN is used to redirect the MACs that are not authorized by the policy because we have configured the open mode. If we use the secure mode, the interface would be disabled.
- We assign the MAC address of my laptop to the VLAN “MANAGMT”.
Once here, we start the daemon and launch a test query (we use the IP address, the VTP domain and MAC address)
perl vqpcli.pl -s 172.18.0.150 -v s2 -m 0023.8bd7.c2b3 Vlan: MANAGMT MAC Address: 00238bd7c2b3 Status: ALLOW
As we can see, the MAC address is authorized and it gets the VLAN “MANAGMT”. Reached this point, we just have to connect to the switch (we set the debug mode on with the command debug vqpc all) to do several tests:
Connect the laptop to one of the network connection points defined to use VMPS (fa0/13).
*Mar 1 02:23:09.070: VQPC EVENT: -pm_port_vqp_start: port Fa0/13
*Mar 1 02:23:11.075: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar 1 02:23:12.081: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed
state to up
*Mar 1 02:23:13.986: VQPC LEARN:
*Mar 1 02:23:13.986: VQPC LEARN: -learning mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13
*Mar 1 02:23:13.986: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13, type = 0x0021
*Mar 1 02:23:13.986: VQPC: allocating transID 0x00000471
*Mar 1 02:23:13.986: VQPC PAK: xmt transaction ID = 0x00000471
*Mar 1 02:23:13.986: VQPC PAK: sending query to VMPS
*Mar 1 02:23:13.986: VQPC PAK:
*Mar 1 02:23:13.986: VQPC PAK: rcvd packet from VMPS
*Mar 1 02:23:13.994: VQPC PAK: transaction ID = 0x00000471
*Mar 1 02:23:13.994: VQPC: rcvd response, transID = 0x00000471
*Mar 1 02:23:13.994: VQPC PAK: VLAN name TLV, vlanName = MANAGMT
*Mar 1 02:23:13.994: VQPC PAK: Cookie TLV, cookie = 0023.8bd7.c2b3, length = 6
*Mar 1 02:23:13.994: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 21, mac: 0023.8bd7.c2b3
*Mar 1 02:23:13.994: VQPC EVENT: saving 0023.8bd7.c2b3 from old vlan 0
*Mar 1 02:23:13.994: VQPC EVENT: changing Fa0/13 to vlan 21
*Mar 1 02:23:13.994: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 21, port Fa0/13, type = 0x0001
*Mar 1 02:23:13.994: VQPC LEARN: deleting mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13
*Mar 1 02:23:13.994: VQPC LEARN: changing mac 0023.8bd7.c2b3 on vlan 21, port Fa0/13 to FORWARDING
As we can see, it assigns to the MAC address the VLAN 21 (“MANAGMT”):
Switch#show vlan VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 21 MANAGMT active Fa0/13 22 USUARIOS active 23 GUESTS active Switch#show interface fastEthernet 0/13 switchport Name: Fa0/13 Switchport: Enabled Administrative Mode: dynamic access Operational Mode: dynamic access Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: native Negotiation of Trunking: Off Access Mode VLAN: 21 (MANAGMT) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk associations: none Administrative private-vlan trunk mappings: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled
Now we disconnect it and connect it to other switch port (fa0/17):
*Mar 1 02:24:42.938: VQPC EVENT: -pm_port_vqp_start: port Fa0/17
*Mar 1 02:24:44.650: VQPC LEARN:
*Mar 1 02:24:44.650: VQPC LEARN: -learning mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17
*Mar 1 02:24:44.650: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17, type = 0x0021
*Mar 1 02:24:44.650: VQPC: allocating transID 0x00000491
*Mar 1 02:24:44.650: VQPC PAK: xmt transaction ID = 0x00000491
*Mar 1 02:24:44.650: VQPC PAK: sending query to VMPS
*Mar 1 02:24:44.650: VQPC PAK:
*Mar 1 02:24:44.650: VQPC PAK: rcvd packet from VMPS
*Mar 1 02:24:44.650: VQPC PAK: transaction ID = 0x00000491
*Mar 1 02:24:44.650: VQPC: rcvd response, transID = 0x00000491
*Mar 1 02:24:44.650: VQPC PAK: VLAN name TLV, vlanName = MANAGMT
*Mar 1 02:24:44.650: VQPC PAK: Cookie TLV, cookie = 0023.8bd7.c2b3, length = 6
*Mar 1 02:24:44.650: VQPC EVENT: -set_hwidb_vlanid: port Fa0/17 to vlan 21, mac: 0023.8bd7.c2b3
*Mar 1 02:24:44.650: VQPC EVENT: saving 0023.8bd7.c2b3 from old vlan 0
*Mar 1 02:24:44.650: VQPC EVENT: changing Fa0/17 to vlan 21
*Mar 1 02:24:44.658: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 21, port Fa0/17, type = 0x0001
*Mar 1 02:24:44.658: VQPC LEARN: deleting mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17
*Mar 1 02:24:44.658: VQPC LEARN: changing mac 0023.8bd7.c2b3 on vlan 21, port Fa0/17 to FORWARDING
*Mar 1 02:24:44.943: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
*Mar 1 02:24:45.950: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17,
changed state to up
Switch#sh mac-address-table | inc DYNAMIC
21 0023.8bd7.c2b3 DYNAMIC Fa0/17
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
21 MANAGMT active Fa0/13, Fa0/17
22 USUARIOS active
23 GUESTS active
We see that the Fa0/13 interface is still assigned to the VLAN “MANAGMT”, so we connect other computer to that port:
*Mar 1 00:03:35.016: VQPC EVENT: -pm_port_vqp_start: port Fa0/13
*Mar 1 00:03:36.887: VQPC LEARN:
*Mar 1 00:03:36.887: VQPC LEARN: -learning mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar 1 00:03:36.887: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 0, port Fa0/13, type = 0x0021
*Mar 1 00:03:36.887: VQPC: allocating transID 0x00000061
*Mar 1 00:03:36.887: VQPC PAK: xmt transaction ID = 0x00000061
*Mar 1 00:03:36.887: VQPC PAK: sending query to VMPS
*Mar 1 00:03:36.887: VQPC PAK:
*Mar 1 00:03:36.887: VQPC PAK: rcvd packet from VMPS
*Mar 1 00:03:36.887: VQPC PAK: transaction ID = 0x00000061
*Mar 1 00:03:36.887: VQPC: rcvd response, transID = 0x00000061
*Mar 1 00:03:36.887: VQPC PAK: VLAN name TLV, vlanName = GUESTS
*Mar 1 00:03:36.887: VQPC PAK: Cookie TLV, cookie = 0005.1b00.3f81, length = 6
*Mar 1 00:03:36.887: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 23, mac: 0005.1b00.3f81
*Mar 1 00:03:36.887: VQPC EVENT: saving 0005.1b00.3f81 from old vlan 0
*Mar 1 00:03:36.887: VQPC EVENT: changing Fa0/13 to vlan 23
*Mar 1 00:03:36.895: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 23, port Fa0/13, type = 0x0001
*Mar 1 00:03:36.895: VQPC LEARN: deleting mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar 1 00:03:36.895: VQPC LEARN: changing mac 0005.1b00.3f81 on vlan 23, port Fa0/13 to FORWARDING
*Mar 1 00:03:37.021: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar 1 00:03:38.028: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13,
changed state to up
As the MAC address is not authorized by the defined policy, it assigns dinamically the VLAN “GUESTS”.
Switch#show vlan VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 21 MANAGMT active Fa0/17 22 USUARIOS active Fa0/24 23 GUESTS active Fa0/13
If we now change the policy to the secure mode and without a fallback VLAN we connect the same PC:
*Mar 1 00:12:57.019: VQPC LEARN:
*Mar 1 00:12:57.019: VQPC LEARN: -learning mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar 1 00:12:57.019: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 0, port Fa0/13, type = 0x0021
*Mar 1 00:12:57.019: VQPC: allocating transID 0x00000151
*Mar 1 00:12:57.019: VQPC PAK: xmt transaction ID = 0x00000151
*Mar 1 00:12:57.019: VQPC PAK: sending query to VMPS
*Mar 1 00:12:57.019: VQPC PAK:
*Mar 1 00:12:57.019: VQPC PAK: rcvd packet from VMPS
*Mar 1 00:12:57.019: VQPC PAK: transaction ID = 0x00000151
*Mar 1 00:12:57.019: VQPC: rcvd response, transID = 0x00000151
*Mar 1 00:12:57.019: %VQPCLIENT-2-SHUTDOWN: Interface Fa0/13 shutdown by VMPS
*Mar 1 00:12:57.019: %PM-4-ERR_DISABLE: vmps error detected on Fa0/13, putting Fa0/13 in
err-disable state
*Mar 1 00:12:57.019: VQPC EVENT: -pm_port_vqp_stop: port Fa0/13
*Mar 1 00:12:57.019: VQPC EVENT: port Fa0/13, REMOVE dynamic access config
*Mar 1 00:12:57.019: VQPC EVENT: deleting all addresses on vlan 0,t Fa0/13
*Mar 1 00:12:57.019: VQPC EVENT: Deleted TCAM catch-all for port Fa0/13
*Mar 1 00:12:57.019: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 0, mac: NULL
*Mar 1 00:12:57.019: VQPC EVENT: changing Fa0/13 to vlan 0
*Mar 1 00:12:58.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13,
changed state to down
*Mar 1 00:12:59.024: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Switch#show interfaces fas 0/13 status
Port Name Status Vlan Duplex Speed Type
Fa0/13 err-disabled unassigned auto auto 10/100BaseTX
We can see as it has disconnected the interface from the switch and so it shows in the VPMS protocol stats:
Switch#show vmps statistics VMPS Client Statistics ---------------------- VQP Queries: 53 VQP Responses: 20 VMPS Changes: 0 VQP Shutdowns: 5 VQP Denied: 0 VQP Wrong Domain: 0 VQP Wrong Version: 0 VQP Insufficient Resource: 0
As shown, this solution provides more security than the usual solution, improving the mobility in our network. However, it has other security problems we will see in future posts.
Hola Fabrizzio, sobre lo que comentas:
– el servidor openvmps cuando se conecta a un puerto estático, este puerto debe tener algun tipo de configuración adicional o dejarlo como esta predeterminado en la vlan 1? lo pongo en modo trunk o access? o simplemente no hago nada ?
Para la prueba se dejo en la vlan por defecto (1), no obstante, supongo que puede estar configurado en cualquier vlan en modo acceso; si esta en modo trunk, tu servidor tiene que estar tambien en modo trunk, no creo que haya mayor problema, pero no he probado esa configuracion.
– se debe habilitar algún puerto en el mismo linux para que escuche?¿y si es asi que puerto es y que lineas de código necesito?
Cuando arrancas el demonio, escucha automaticamente en el puerto UDP/1589, no obstante puede escuchar en el puerto que indiques con el parametro -p durante el arranque.
un saludo!
hola , quisiera saber como reinicio el servidor, cuando modifico una mac a una vlan (cambiar una mac de vlan a otra en el vlan.db) es necesario reiniciar el servidor, cual seria en nombre del demonio, he intentado con vmps y vmpsd y no me funciona, gracias
Wow, fantastic weblog format! How long have you ever been blogging for?
you made blogging look easy. The full look
of your web site is great, as smartly as the content
material!