Hey all, I have a location that has some very serious network degradation issues being caused by multicast traffic from Ethernet/IP, so serious it constantly knocks devices offline. This location has 6 fiber connected industrial switches that are managed, but not Cisco. I just ordered a 3650V2 (IP Base) switch for the inside server rack and termination location for the fiber. I plan to replace the industrial switch in this location with the Cisco 3650V2. My plan is to implement IGMP snooping and some QoS management from this switch, but I know VLANS are my best option.
Here is the problem though, because this is all industrial equipment and from all sorts of vendors, I cannot reconfigure the IP’s of this equipment. They are all on the same 192.168.1.X /24 network. The 3650 will be directly connected to the servers that this equipment needs to communicate with.
First. Do I have any other options with this setup to limit the multicast traffic?
Second. Can I implement Vlan’s with only 1 subnet and no option to reconfigure the IP scheme?
Third. Assuming I can have multiple Vlan’s with only 1 Subnet, How do I route the traffic to the servers? I’m confused because I can’t use the standard IP’ing policy for a gateway if they are all on the same subnet??
Not entirely sure i follow all your setup but i will try to answer some of your questions.
1) IGMP snooping on the 3560 will only be local to the switch. If the source of the multicast streams are connected to the 3560 or the multicast traffic has to go via the 3560 then it could help. But if the multicast streams can between the other switches without going via the 3560 then IGMP snooping will be of limited use.
Is it the servers you are trying to protect with IGMP snooping ?
2) Not sure i uderstand about the routing. The equipment uses 192.168.1.x addressing. Presumably the servers do to. Are you saying you cannot readdress the servers at all ?
3) You can use two vlans with same IP subnet and then something has to bridge those two vlans together. This is usually a device like such as a transparent firewall or a load balancer in L2 mode ie. -
vlan 10 -> firewall -> vlan 11
where the same IP subnet is used for both vlans. The issue is that generally there is only connection on each side of the firewall but in your setup i don't this that is the case. So i doubt very much that you will be able to do this and you actually create L2 loops in your network and take the whole thing down.
However the issue is really the multicast. So which devices are generating the mulitcast and which devices are being knocked offline by it.
There must be a significant amount of multicast traffic to do this ?
Jon, thanks for the reply. The traffic is VERY significant; so much so that I cannot even access the management interface on any of the existing switches to verify their configurations. I used wire shark and had 27,000 connections in 15 seconds from just one PLC. I "might" be able to change the server IP's, but I was trying to avoid that because I am not sure if the industrial controllers are looking to a certain IP to send some data; this is a SCADA network. The traffic is knocking thin clients off the network, locking up server interfaces (NIC’s), and putting switches into fault modes.
From what I have read this is a very common scenario for ‘Ethernet/IP’ the industrial protocol being used on this network. It was a very poor implementation and should never have been setup this way to begin with. Now, I am trying to make it viable with a long-term goal of making it right. Unfortunately this is a 24/7 operation facility with very little scheduled downtime as well.
From the documentation I have read about the existing industrial switches, they also support IGMP, however I cannot get to the management interfaces to verify the configuration. I do plan to check this during a planned down situation this Friday. For the most part it is the Server>Thin client>Workstations I am trying to protect from this traffic, the industrial network PLC’s and controllers do not seem to have a problem with it.
What about storm control? Never used it, don’t fully understand it. Does it have a place in this setup?
Also, are you saying Vlans are not an option, given that I do not have a firewall? I do have a router and the switch is Layer 3 capable.
You say TCP connections but multicast is usually UDP ? I probably need to have a read up on Ethernet IP.
So the servers/clients etc., you do not want them to receive the multicast ie. do they need it ?
Vlans are not an option as far as i can see. Nothing to do with not having a firewall, that was just an example, it's just you won't be able to do it with some many different physical connections in the same vlan.
If you are trying to protect the servers etc. from the mutlicast do you have enough ports on the 3560 for all of them ?
The industrial switches need to support IGMP snooping functionality not just IGMP. If they do this would help because the 3560 supports the IGMP snooping querier function which is needed if there is no L3 multicat routing protocol in the network.
Only one switch needs to support the querier function as opposed to all switches needing to support IGMP snooping so you may be in luck.
The ProblemEnter EVCsHow It Works (Ingress)How It Works
(Egress)Step-by-Step ExampleFinal Thoughts The ProblemOn traditional
switches whenever we have a trunk interface we use the VLAN tag to
demultiplex the VLANs. The switch needs to determine which MAC ...
The ProblemEnter EVCsHow It Works (Ingress)How It Works
(Egress)Step-by-Step ExampleFinal Thoughts Introduction: Netdr is a tool
available on a RSP720, Sup720 or Sup32 that allows one to capture
packets on the RP or SP inband. The netdr command can be use...
IntroductionOSPF, being a link-state protocol, allows for every router
in the network to know of every link and OSPF speaker in the entire
network. From this picture each router independently runs the Shortest
Path First (SPF) algorithm to determine the b...