Unsolved

September 6th, 2023 18:25

Dell PowerSwitch N2000/N3000 Broadcast Traffic Leaking Between VLANs

Hello,

I'm using 802.1X with VLAN assignment on both N2048 and N3048 switches. The relevant port configuration is below. When running a packet capture, I've noticed that I'm seeing broadcast traffic from VLAN 1 regardless of VLAN assigned via Dot1X.

interface <#>
  switchport mode general
  mab
  authentication order mab dot1x
  authentication priority dot1x mab
  exit

September 6th, 2023 18:43

It appears that you are experiencing broadcast traffic leakage between VLANs on your Dell PowerSwitch N2000/N3000 switches despite using 802.1X with VLAN assignment. This issue can be a result of various factors, and troubleshooting it may require a step-by-step approach. Here are some things to check and consider:

  1. Port Configuration: Ensure that the port configurations on both the N2048 and N3048 switches are correctly set up. Make sure that each port is configured to assign the correct VLAN based on the authentication result. Verify that the switchport settings for VLAN assignment are accurate.

  2. Authentication: Double-check your 802.1X authentication settings. Ensure that the authentication server (RADIUS) is correctly configured to send the appropriate VLAN assignment based on the user or device authentication.

  3. MAB (MAC Authentication Bypass): It seems you are using MAB as well. Make sure that the MAB configuration is correctly set up and not interfering with the VLAN assignment from 802.1X. Check if there are any conflicting configurations between MAB and 802.1X.

  4. VLAN Configuration: Review the VLAN configuration on the switches. Ensure that VLAN 1 is not specified as the native VLAN on the trunk ports or used for untagged traffic. Also, make sure that VLAN 1 is not configured as the default VLAN for unauthenticated devices.

  5. VLAN Isolation: Verify that VLAN isolation is correctly set up. VLANs should be isolated from each other by default, and broadcast traffic from one VLAN should not be leaking into another VLAN. Check for any specific configurations or access control lists (ACLs) that may be affecting VLAN isolation.

  6. Firmware/Software Updates: Ensure that your switches are running the latest firmware or software versions provided by Dell. Sometimes, firmware updates may include bug fixes related to VLAN and 802.1X functionality.

  7. RADIUS Server Configuration: Review the RADIUS server configuration to confirm that it is correctly assigning VLAN attributes based on user or device authentication. Ensure that the RADIUS server is not sending VLAN 1 as a default or fallback VLAN.

  8. Testing and Packet Capture: Continue to use packet captures to identify the source and destination of the broadcast traffic that is leaking between VLANs. This can help pinpoint the issue and whether it is occurring at the switch or elsewhere in the network.

  9. Consult Dell Support: If the issue persists after checking the above configurations and troubleshooting steps, it may be beneficial to contact Dell's technical support. They can provide specialized assistance and guidance for your specific switch models and configurations.

Remember to make configuration changes with caution, as misconfigurations can impact network stability. It's a good practice to test changes in a controlled environment before applying them to a production network.


September 11th, 2023 18:08

Hello,

Thanks for the information.

I have verified that the VLAN leakage is only on the 802.1X ports, and not occurring due to a misconfiguration elsewhere in the network.

VLAN 1 is being used when authentication fails (authentication event fail action authorize vlan 1).

On the N2048, I can remove vlan 1 (switchport general allowed vlan remove 1) and the broadcast traffic is no longer present. When a device fails authentication, it is correctly placed on VLAN 1.

On the N3048, I can remove vlan 1 and broadcast traffic is no longer present. However, when a device fails authentication, it is NOT placed onto any VLAN.

Assigning a different pvid has no impact. Even when I assign a "blackhole" VLAN (pvid 666 for example), and a device is authorized on vlan 10, I am still seeing the VLAN 1 broadcast traffic.

It seems the only reliable way to remove the traffic is to remove VLAN 1, but this breaks authorization onto VLAN 1 on the N3000s with the latest available firmware.

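As an added example (not from this thread or from Dell), here is a small Python check that turns a capture taken on or behind the authenticated port into a per-VLAN count of broadcast frames the port should not be seeing, which is the evidence the packet-capture step above and the VLAN 1 observation in the last post rely on. It reads lines in the shape of tshark field output (the field names are tshark's; the helper names and the sample frames are constructed, and the untagged VLAN defaults to the port PVID of 1).

```python
"""Flag broadcast frames seen on a dot1x-authorized port in a VLAN the port
was not authorized for (e.g. VLAN 1 broadcasts on a port authorized to VLAN 10).

Input lines have the shape of
  tshark -T fields -e frame.number -e vlan.id -e eth.src -e eth.dst -E separator=,
An empty vlan.id means the frame arrived untagged. Sample data is constructed;
parse_frames / find_leaked_broadcasts are hypothetical helper names.
"""
import csv
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: the host is authorized to VLAN 10, yet VLAN 1 / untagged
# ARP-style broadcasts from other hosts arrive alongside its own VLAN 10 traffic.
SAMPLE_CAPTURE = """\
1,10,00:11:22:33:44:55,ff:ff:ff:ff:ff:ff
2,10,00:11:22:33:44:55,aa:bb:cc:dd:ee:01
3,1,de:ad:be:ef:00:01,ff:ff:ff:ff:ff:ff
4,1,de:ad:be:ef:00:02,ff:ff:ff:ff:ff:ff
5,,de:ad:be:ef:00:03,ff:ff:ff:ff:ff:ff
6,10,aa:bb:cc:dd:ee:01,00:11:22:33:44:55
"""


def parse_frames(text):
    """Yield (frame_no, vlan_id_or_None, src, dst) per well-formed line."""
    for row in csv.reader(text.splitlines()):
        if len(row) != 4:
            continue  # skip headers or truncated lines
        no, vlan, src, dst = row
        yield int(no), (int(vlan) if vlan else None), src.lower(), dst.lower()


def find_leaked_broadcasts(text, authorized_vlan, untagged_vlan=1):
    """Return {vlan: Counter(src_mac)} for broadcast frames outside authorized_vlan.

    Untagged frames are attributed to untagged_vlan, i.e. the port PVID
    (1 on a default configuration); pass the PVID you set on the port."""
    leaks = {}
    for _, vlan, src, dst in parse_frames(text):
        if dst != BROADCAST:
            continue
        vlan = untagged_vlan if vlan is None else vlan
        if vlan == authorized_vlan:
            continue
        leaks.setdefault(vlan, Counter())[src] += 1
    return leaks


if __name__ == "__main__":
    for vlan, srcs in find_leaked_broadcasts(SAMPLE_CAPTURE, authorized_vlan=10).items():
        print(f"VLAN {vlan}: {sum(srcs.values())} leaked broadcast(s) from {len(srcs)} source(s)")
```

Run it against a capture from a port that should be clean after `switchport general allowed vlan remove 1`; an empty result confirms the removal stopped the leak, while a non-empty result lists which VLAN and which source MACs are still reaching the port.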