Dynamic VLANs (DVLANs)

• Definition: Dynamic VLANs (DVLANs) automatically assign switch ports to VLANs based on specific
criteria, unlike static VLANs where ports are manually assigned. This provides greater flexibility, security,
and scalability, especially in larger networks where users and devices move frequently.

• How They Work: Dynamic VLANs rely on a VLAN Management Policy Server (VMPS) to determine the
VLAN assignment for a port. When a device connects to a switch port, the switch queries the VMPS to
determine the appropriate VLAN for that device.

• Benefits:

• Mobility: Users can move to different locations and automatically be assigned to the correct VLAN.

• Scalability: Easier to manage large networks with frequent user movements.

• Security: VLAN assignments can be based on user authentication, providing enhanced security.

• Centralized Management: Simplifies VLAN management through the VMPS.

II. Switches Configured in Dynamic VLANs

Two types of switches are involved in dynamic VLAN configurations:

1. VMPS (VLAN Management Policy Server) Server:

• The central server that stores the MAC address-to-VLAN mappings.

• Responds to VLAN membership queries from VMPS client switches.

• Typically a Cisco switch configured to act as a VMPS server.

2. VMPS Client Switches:

• Switches that query the VMPS server to determine the VLAN assignment for a port.

• Send VLAN membership queries to the VMPS when a device connects to a port.

• Dynamically assign ports to VLANs based on the VMPS response.

III. VLAN Trunking Protocol (VTP)

• Modes of Operation:

• Server Mode: Can create, modify, and delete VLANs. Advertises VLAN information to other VTP-
enabled switches. There should be only one or two servers in large scale implementation and best if one
server is used for managing large infrastructure

• Client Mode: Cannot create, modify, or delete VLANs. Receives VLAN information from VTP servers
and updates its VLAN database. Client switches forward VTP advertisements.

• Transparent Mode: Does not participate in VTP domain (doesn't learn or advertise VLAN
information). Can create, modify, and delete VLANs locally, but these changes are not propagated. It just
forwards VTP advertisements.

• Off Mode: VTP is disabled.

• VTP Pruning: Reduces unnecessary broadcast traffic by limiting VLAN information to only those
switches that need it. When pruning is enabled, the VTP server only advertises VLAN information to
switches that have ports assigned to that VLAN.

• VTP Configuration Revision Number: A number used to track changes to the VLAN database. Each
time a VLAN is added, modified, or deleted on a VTP server, the revision number is incremented. Client
switches use the revision number to determine if they need to update their VLAN database.

• Security Considerations Use VTP passwords to prevent unauthorized access to the VTP domain.
Otherwise attackers can propagate malicious traffic.

IV. Practical Scenario: Configuring Dynamic VLANs

Scenario:

You have a network with two switches (Switch1 and Switch2) and several PCs. You want to implement
dynamic VLAN assignment based on the MAC address of the PCs. Switch1 will act as the VMPS server,
and Switch2 will be the VMPS client.

Steps:

1. Configure Switch1 (VMPS Server):

Switch1#configure terminal

Switch1(config)#vlan 10

Switch1(config-vlan)#name Marketing

Switch1(config-vlan)#exit

Switch1(config)#vlan 20

Switch1(config-vlan)#name Sales

Switch1(config-vlan)#exit

Switch1(config)#vmps server

Switch1(config)#vtp domain EXAMPLE !Set the VTP Domain

Switch1(config)#vtp mode transparent //Set the VTP Mode

!Define MAC Address to VLAN Mappings (vmps vlan mapping <mac_address> <vlan_id>)

Switch1(config)#vmps vlan mapping 000A.1111.2222 10 !PC1 MAC, VLAN 10

Switch1(config)#vmps vlan mapping 000B.3333.4444 20 !PC2 MAC, VLAN 20

Switch1(config)#end

Switch1#copy running-config startup-config

Note: Newer IOS versions may deprecate the vmps server command. Use mac address-table notification
mac-address mac <mac_address> vlan <vlan_id> as an alternative method for assigning MAC addresses
to VLANs, especially if you're not using the full VMPS setup.

2. Configure Switch2 (VMPS Client):

Switch2>enable

Switch2#configure terminal

Switch2(config)#vtp domain EXAMPLE !Set the VTP Domain (must match server)
 Switch2(config)#vtp mode client !Set VTP Mode to client

Switch2(config)#vmps client

Switch2(config)#interface FastEthernet0/1 !Assuming PC1 is connected to Fa0/1

Switch2(config-if)#switchport mode access

Switch2(config-if)#switchport access vlan dynamic

Switch2(config-if)#end

Switch2#copy running-config startup-config

! Configure trunking for VLAN communication

Switch2(config)#interface FastEthernet0/24 !Assuming Fa0/24 connects to the server switch

Switch2(config-if)#switchport mode trunk

Switch2(config-if)#switchport trunk encapsulation dot1q !Might be automatically determined

Switch2(config-if)#switchport trunk allowed vlan 10,20

Switch2(config-if)#end

3. VTP Password (Optional, but recommended):

For both switches

Switch(config)# vtp password mysecretpassword

4. Configure Trunking (Between the Switches):

5. Verify Dynamic VLAN Assignment:

• Connect a PC (with MAC address 000A.1111.2222) to Fa0/1 on Switch2.

• Use the show mac address-table interface FastEthernet0/1 command on Switch2. You should see
that the MAC address is dynamically assigned to VLAN 10.

• Repeat with a PC having MAC address 000B.3333.4444. The result will assign port FA0/1 to VLAN 20.

* Test connectivity to those segments once assigned dynamically.

Additional Notes:

• VMPS Configuration File: On some Cisco switches, you can use a VMPS configuration file to store the
MAC address-to-VLAN mappings. This file is uploaded to the VMPS server.

• Security: Secure the VMPS server to prevent unauthorized access and modifications to the VLAN
mappings. Use strong passwords and access control lists (ACLs).

• Testing: Thoroughly test the dynamic VLAN configuration to ensure that devices are assigned to the
correct VLANs.

• VTP version and Domain Name. Ensure that all switches are operating in the same VTP domain name
and VTP versions.

This scenario provides a foundation for understanding and configuring dynamic VLANs in a Cisco
network. Remember that VMPS is an older technology, and modern networks often use other methods
for dynamic VLAN assignment, such as 802.1X authentication with RADIUS servers.