Dell Powerconnect 7048p Bind MAC to VLAN

33_viper_33

Member
Aug 3, 2013
Hello all,

I finally got around to upgrading to a PowerConnect 7048P from my Netgear GS748TP (for sale if anyone is interested), primarily because it couldn't power my PTZ PoE camera. It also adds two 10GbE SFP ports and two 10GbE RJ-45 ports for uplinks. The switch is in place and working well with one exception, Bind MAC to VLAN...

I have separate VLANs configured and working to segregate servers and general users, Kids Network (heavily filtered), IoT (things I don't completely trust), and security. This all works well as long as I configure each port to a specific VLAN or enable tagging as appropriate. Because the number of devices is growing, and because one of the kids figured out they can circumvent this security by switching ports, I am looking at switching certain devices to MAC Bind to VLAN.

I started off by playing with a security camera and was surprised that it didn't show up on the network in the proper (or any) VLAN. After trying a couple of VLANs to see if it showed up, it only worked when I plugged it into a port that was on VLAN1 and MAC Bind was set to VLAN1. I attempted to do the same thing with a Windows box and found that it wouldn't receive an IP on any MAC bind VLAN other than VLAN1. I attempted to set an IP manually and ping other devices on the configured MAC bind VLAN other than VLAN1, and it couldn't ping anything. It appears to be off in space if set to anything other than VLAN1.

Can anyone identify something I'm doing wrong? Do I need to change the port configuration in some way to automatically change VLANs based on the binding rules? All testing ports belong to VLAN1 inherently unless configured for another VLAN (something that will change soon...). I don't think it needs to be set for tagging, as the traffic isn't tagged as I understand it.

Thanks for the help,
-V
 

Haitch

Member
Apr 18, 2011
Albany, NY
I'm not familiar with the Dell PowerConnect configuration, but based on my experience with HPE FlexFabric switches, the port does need to be allowed to access all the possible bind VLANs.

In the FlexFabric config, the ports are configured as type Hybrid, with multiple *untagged* VLANs, e.g.:

# MAC-to-VLAN rules: a 24-bit mask (ffff-ff00-0000) matches on the OUI prefix only
mac-vlan mac-address 0040-8c00-0000 mask ffff-ff00-0000 vlan 90
mac-vlan mac-address 3c41-3800-0000 mask ffff-ff00-0000 vlan 100
# The target VLANs must exist before a port can carry them
vlan 90
 description some devices
 quit
vlan 100
 description other devices
 quit
# Hybrid port: every VLAN a binding rule may select must be untagged here,
# and the PVID is the fallback for MACs that match no rule
interface GigabitEthernet1/0/1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 10 90 100 untagged
 port hybrid pvid vlan 10
 mac-vlan enable

Would configure the 1/0/1 Gb port to put any devices with a MAC prefix of 0040-8c into VLAN 90, prefix 3c41-38 into VLAN 100, and any device not matching those rules into VLAN 10. I would expect the Dell needs something similar to indicate which VLANs are permissible on a port, along with the rules to put specific MAC addresses/prefixes into a specific VLAN.

H.
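The rule evaluation Haitch describes (mask-based prefix match, a port that must carry every bindable VLAN untagged, and the PVID as the fallback for anything that matches no rule) can be modelled in a few lines. The following is an added example written for this thread, not Dell PowerConnect or HPE Comware code: it reuses the prefixes, masks and VLAN numbers from the config above, the sample MACs are constructed, and the "bound VLAN not allowed on this port" failure is modelled as an exception rather than the silent loss of connectivity reported in the first post. It also makes the defender's point explicit: an unknown MAC does not land on a random VLAN, it lands on the PVID, so the PVID should be the least-trusted network, and since a MAC is an identifier rather than a credential, the bound VLANs should still be filtered as if untrusted devices could reach them.

```python
"""MAC-to-VLAN rule evaluation modelled on the Comware 'mac-vlan' rules above.
Added example; not Dell or HPE code. Sample MAC addresses are constructed."""

from dataclasses import dataclass


def parse_mac(text: str) -> int:
    """Accept 'aabb-ccdd-eeff', 'aa:bb:cc:dd:ee:ff' or 'aabbccddeeff' -> 48-bit int."""
    digits = text.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacVlanRule:
    mac: int
    mask: int
    vlan: int

    def matches(self, candidate: int) -> bool:
        # Same semantics as the switch: only the bits set in the mask are compared.
        return (candidate & self.mask) == (self.mac & self.mask)


@dataclass
class HybridPort:
    """A hybrid port: the VLANs it carries untagged, its PVID, and the rule set."""
    untagged_vlans: frozenset
    pvid: int
    rules: tuple

    def classify(self, mac_text: str) -> int:
        """Return the VLAN a frame from this MAC is placed into on this port."""
        mac = parse_mac(mac_text)
        hits = [r for r in self.rules if r.matches(mac)]
        if hits:
            # Most specific rule (longest mask) wins when prefixes overlap.
            best = max(hits, key=lambda r: bin(r.mask).count("1"))
            if best.vlan not in self.untagged_vlans:
                # The failure from the first post: the binding selects a VLAN the
                # port does not carry untagged, so the host goes nowhere.
                raise PermissionError(
                    f"VLAN {best.vlan} bound for {mac_text} is not allowed on this port")
            return best.vlan
        # No rule matched: fall back to the PVID, never to an arbitrary VLAN.
        return self.pvid


# Rules from the FlexFabric config in the post above.
RULES = (
    MacVlanRule(parse_mac("0040-8c00-0000"), parse_mac("ffff-ff00-0000"), 90),
    MacVlanRule(parse_mac("3c41-3800-0000"), parse_mac("ffff-ff00-0000"), 100),
)

# gi1/0/1 as configured in the post: VLANs 10, 90 and 100 untagged, PVID 10.
PORT = HybridPort(untagged_vlans=frozenset({10, 90, 100}), pvid=10, rules=RULES)

# Constructed sample MACs (not real devices) and the VLAN each should land in.
SAMPLES = {
    "00:40:8c:12:34:56": 90,    # matches the first prefix rule
    "3c:41:38:aa:bb:cc": 100,   # matches the second prefix rule
    "b8:27:eb:00:11:22": 10,    # matches no rule: PVID, the untrusted default
}


def audit(port: HybridPort, samples: dict) -> dict:
    """Map each sample MAC to the VLAN the port would assign it."""
    return {mac: port.classify(mac) for mac in samples}


if __name__ == "__main__":
    for mac, vlan in audit(PORT, SAMPLES).items():
        print(f"{mac} -> VLAN {vlan}")
```

Running `audit` against a port that only carries VLAN 1 untagged reproduces the symptom in the opening post: a bound camera MAC raises `PermissionError` while an unbound MAC quietly lands on VLAN 1.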
 

33_viper_33

Member
Aug 3, 2013
Thanks Haitch!

I think I solved it, thanks in part to Haitch's experience with his HP switch. I set a test port to untagged on all VLANs, something my previous switches would prevent, as only one VLAN should accept untagged traffic. I then plugged in my camera, which had a MAC address bound to one of my VLANs. The camera did receive an IP address from the appropriate VLAN and started pinging properly. My only concern at this point is security. For a device that has a MAC binding configured, it works as expected. My concern is what would happen if I plug in a random device with no MAC configuration. Will it access VLANs at random? I still think that I'm missing something.

-V
 

Haitch

Member
Apr 18, 2011
Albany, NY
Happy to be of assistance :)

There should be a way to specify the default VLAN if no binding rule applies. In the FF setup it's the "port hybrid pvid vlan 10" line: anything not matching a binding rule goes into VLAN 10 untagged.
 

33_viper_33

Member
Aug 3, 2013
Thanks Haitch!

There is a port setting that defaults to VLAN 1. In my old Netgear switch, this setting would default the port to untagged for VLAN1, and you wouldn't be able to change that port to tagged for VLAN 1, which isn't true in this switch. All other VLANs in the Netgear had the ability to be either tagged or false for that port. This switch has the additional ability to be untagged. Is this giving me the default VLAN for untagged traffic (a MAC that isn't specified is forced to VLAN1, and a MAC with a VLAN specified goes to the specified VLAN)?

The additional option I have in port settings is port VLAN mode, which allows me to select "access, trunk, general". When access is selected and VLAN1 is selected, by default the port has a U for VLAN1. I then can select U or F for all other VLANs for that port. I'm thinking this is what I want. In order to do tagged traffic, you have to change the VLAN mode to trunk.