Currently I have each closet switch set up with a "default" VLAN such as Vlan150 for one closet, Vlan151 for another closet, etc. All ports are assigned to these VLANs except when something like a printer is plugged in. I then change that port's VLAN to a printer-only VLAN. This is a pain sometimes with moves so I'm looking at VMPS.
I have it working using OpenVMPS but it appears that I can only have one fallback VLAN. Instead of entering 1000 MAC addresses, I would prefer to say if a device is not in the list and plugged into a certain switch, it goes into a fallback VLAN specific for that closet. If the device is a printer, it would be in the VMPS database file and be assigned to the printer VLAN. The way it's working now though is if a device is not in the database, it goes into one VLAN regardless of the switch it's plugged into.
Anyone know how this can work? I've been through the documentation several times and just can't figure it out.
Unfortunately it is not possible to configure multiple fallback VLANs on the same VMPS server, like a Catalyst 5500 or Catalyst 6500 switch.
If you are running the User Registration Tool (URT) in association with the VPS server application device, it is possible to manage multiple VPS (VMPS) domains using one URT server by configuring the URT server to manage multiple VTP domains.
One can configure a different logon (fallback) VLAN for each VTP domain defined on the URT server and thus have one server that is configured with multiple logon (fallback) VLANs. But then the problem is you have to create as many VTP domains and switches that are able to support VMPS server functionality, which is not there for most IOS-based switches. So in short, it can be done as long as all conditions are met. All switches are in separate VTP domains and are able to function as VTP servers.
I am not sure if that's something doable for you. But you bring up a very good point and I will see if I can take that up to the Cisco development team as a possible enhancement request.
For more information on URT please go to
Thanks for the URT info. I had not worked with it before so I will read up and see if it might work. I already have ACS so that is a good start.
Although I know VMPS is not ideal for a large network, an enhancement to add multiple fallbacks based on switch IP would make this work perfectly. Unfortunately our techs just can't grasp the concept of VLANs and they can't just move any device around and expect it to work.
I have also been reading up on the 802.1x auth setup but we still have about 500 windows 2000 PCs. It looks like a pretty good setup though if using XP.
Probably 802.1x would be the best solution for you if we were to assign VLANs dynamically to the users. There is a lot of work going on in the 802.1x area and going forward it will be a method of choice when it comes to assigning VLANs / policies dynamically. Windows 2000 SP4 does have the support for 802.1x and you do not have to have Windows XP essentially to make it work.
Please make sure to check 802.1x out in more detail and see if it could be a method of choice for you.
One more follow-up question on 802.1x if you don't mind. How do you assign VLANs for devices like printers? Being a hospital, we have many non-PC devices like x-ray and MRI modalities, drug dispensing carts, etc. that wouldn't support 802.1x.
There are 4 types of VLANs that you can assign.
1. To users who support dot1x.
2. Guest VLANs - users who do not support dot1x, legacy devices, printers etc.
3. Auth-Fail VLAN - the users who fail security can either be put in this VLAN or can be left unconnected.
4. Server-unreachable VLAN - when the ACS server / RADIUS server is unavailable.
Hope this helps.