The VLAN Query Protocol (VQP) was developed by Cisco and allows end devices on LANs to be authenticated by their MAC address and an appropriate VLAN to be assigned to the port, using a VLAN Management Policy Server (VMPS). VQP is a Cisco-only protocol that is supported only by older switches running CatOS. Many vendors (including Cisco) have moved to dynamic VLAN assignment using the 802.1X authentication protocol with a RADIUS server that returns additional attributes designating the VLAN.
Upon physically connecting a device to a port of a switch configured as a VLAN Management Policy Server (VMPS) client, the switch begins listening for packets, encapsulates the first packet received in a VQP packet, and sends it to one of up to two configured VMPS servers on port udp/1589. The VMPS server gives one of four responses (Allow, Deny, Shutdown, Wrong_Domain), and the switch will accordingly either assign the port to the appropriate VLAN, put the port back into the pre-confirmation state, shut down the port until the device or another one is physically reconnected, or log an error indicating that it is incorrectly configured. The last result is often due to Cisco documentation failing to mention that the domain name in the VMPS configuration file must match the VLAN Trunking Protocol (VTP) domain name.
If reconfirmation of VLAN assignment is required, it is done in the same manner as initial confirmation, with the exception of including the currently assigned VLAN for the port in the VQP packet. Reconfirmation is done periodically based on configuration directives of the client switches, or can be forced with a switch command line directive.
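The join and reconfirmation exchange described in the two paragraphs above, written out as an added Python model (not code from the article, Cisco, or any VMPS implementation). It models the messages at the level of their fields only: the real VQP wire format, the udp/1589 transport and the VTP mechanics are not reproduced, and the MAC-to-VLAN policy, the domain name "corp" and the MAC addresses are constructed sample values. The server side returns the four responses the article names, and the client side applies each one to the port state the article describes, including the Wrong_Domain case caused by a VTP domain mismatch.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Response(Enum):
    """The four VMPS responses named in the article."""
    ALLOW = "Allow"
    DENY = "Deny"
    SHUTDOWN = "Shutdown"
    WRONG_DOMAIN = "Wrong_Domain"

@dataclass
class Request:
    """Simplified VQP request: field-level model, not the real wire format."""
    domain: str                         # VTP domain name of the client switch
    mac: str                            # source MAC of the first frame seen on the port
    current_vlan: Optional[str] = None  # present only on reconfirmation

@dataclass
class Vmps:
    """Hypothetical VMPS policy: a domain name plus a MAC-to-VLAN table."""
    domain: str
    mac_to_vlan: dict
    shutdown_macs: set = field(default_factory=set)  # MACs the policy refuses outright

    def handle(self, req: Request):
        """Return (response, vlan); vlan is set only for Allow."""
        if req.domain != self.domain:
            return Response.WRONG_DOMAIN, None    # configuration error, not a policy decision
        mac = req.mac.lower()
        if mac in self.shutdown_macs:
            return Response.SHUTDOWN, None
        vlan = self.mac_to_vlan.get(mac)
        if vlan is None:
            return Response.DENY, None            # unknown MAC: deny by default
        return Response.ALLOW, vlan

@dataclass
class Port:
    """Client-switch port state as the article describes it."""
    state: str = "unconfirmed"          # unconfirmed | assigned | shutdown
    vlan: Optional[str] = None
    log: list = field(default_factory=list)

    def apply(self, response: Response, vlan: Optional[str]) -> str:
        if response is Response.ALLOW:
            self.state, self.vlan = "assigned", vlan
        elif response is Response.DENY:
            self.state, self.vlan = "unconfirmed", None   # back to pre-confirmation
        elif response is Response.SHUTDOWN:
            self.state, self.vlan = "shutdown", None      # stays down until re-plugged
        else:  # WRONG_DOMAIN: port state is unchanged, an error is logged
            self.log.append("VMPS domain mismatch: check that the VTP domain name matches")
        return self.state

def join(server: Vmps, port: Port, domain: str, mac: str) -> Response:
    """Initial confirmation: triggered by the first frame seen on the port."""
    resp, vlan = server.handle(Request(domain, mac))
    port.apply(resp, vlan)
    return resp

def reconfirm(server: Vmps, port: Port, domain: str, mac: str) -> Response:
    """Periodic or forced reconfirmation: same exchange, plus the current VLAN."""
    resp, vlan = server.handle(Request(domain, mac, current_vlan=port.vlan))
    port.apply(resp, vlan)
    return resp

# Constructed sample policy (hypothetical values).
SERVER = Vmps(
    domain="corp",
    mac_to_vlan={"00:11:22:33:44:55": "10", "66:77:88:99:aa:bb": "20"},
    shutdown_macs={"de:ad:be:ef:00:01"},
)

def demo() -> dict:
    """Walk one port through each of the four responses and a reconfirmation."""
    out = {}
    p = Port()
    out["allow"] = (join(SERVER, p, "corp", "00:11:22:33:44:55"), p.state, p.vlan)
    out["deny"] = (join(SERVER, Port(), "corp", "00:00:00:00:00:00"), )
    q = Port()
    out["shutdown"] = (join(SERVER, q, "corp", "DE:AD:BE:EF:00:01"), q.state)
    r = Port()
    out["wrong_domain"] = (join(SERVER, r, "lab", "00:11:22:33:44:55"), r.state, len(r.log))
    # The policy is later changed; reconfirmation returns the port to pre-confirmation state.
    SERVER.mac_to_vlan.pop("00:11:22:33:44:55")
    out["reconfirm"] = (reconfirm(SERVER, p, "corp", "00:11:22:33:44:55"), p.state, p.vlan)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model defaults to Deny for any MAC not in the table, so an unknown device is left in the pre-confirmation state rather than silently admitted; Wrong_Domain deliberately leaves the port state untouched and only logs, which is why a mismatched VTP domain name shows up as an error rather than as a denied device.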
VQP has no checksums, encryption or authentication of either the client or the server messages. The protocol also provides no message by which the switch can inform the server that a device has been disconnected.