We just switch over to two SGE2010 switches from old Cajun routers. Many things worked out just fine... but as always, there were some issues.
We run 4 VLAN's on this network as follows:
The .1 is exclusively for switches and a firewall.
The .20 is general business workstations.
The .30 is an automation network (for computer-controlled machinery in our plant)
The .100 is for servers and some high-level devices.
OK... here's the problem. We have several Intermec WAP's our automation department uses to troubleshoot and repair equipment on the plant floor. These WAP's also are used by handheld portable scanners the dock folks and materials handlers use to track parts movement throughout the facility.
The WAP's are on the .100 VLAN, as are the scanners. This all works well.
However, the automation people need wireless access from their laptops to equipment on the .30 VLAN, and I've been unsuccessful (so far) making that happen. I've tried static addresses on a laptop to the WAP's on the .20, .30, and .100 VLANS. As of now, the only connectivity I get is the result of assigning a static on the .100 VLAN. However, when I do that, I can reach the Internet and other servers on .100 but nothing on .20 or .30.
Can anyone make any suggestions? All help is appreciated!
Just wanted to know if you noticed that the SGE2010 can run in Layer three mode? In other words, it's also Layer 3 switching/router to put it in simple terms.
If you have already set the SGE2010 into Layer 3 mode my apologies.
But it you haven't put the SGE2010 into layer three mode as yet, you can do this via a telnet or console connection.
One in layer 3 mode the switch will probably reset to factory defaults. Go back into the GUI.
Add IP addresses to the VLANs as per the diagram below. Those IP addresses then become the gateway addresses for the IP hosts.
The SGE2010 will then route accordingly. If you wish to restrict access, then use the Access List ( ACL) to provide that level of access restrictions that you deem necessary.
Hope this helps..
Thank you very much for the reply.
The switch is in L3 mode and the laptops discussed above can ping devices on a different vlan, it seems.
However, the software our automaton team uses cannot browse the remote subnet using their software (RSLinx).
Rockwell Automation (Allen Bradley), the maker of the software, claims the issue is on the network side and not within their software. Likely story (-;.
Anyhow, these products use multicast extensively. Is it possible that traffic is not being passed by the switch?
Absolutely there is a possibility that multicasts are not being propogated to other VLANs.
So your problem is that multicast from one VLAN is not being igmp snooped to a different vlan ?
Do you have a IGMP layer 3 querier on the network ?
Thanks again, David.
Pardon me for sounding like a noob but I don't know what an 'IGMP Layer 3 Querier' is.... much less if we have one.
All help and advice is welcome.
No problem. You are most likely great at what you do, I am ok at what I do. So don't feel bad about not knowing how multicast work.
The bottom line is that multicast packets do not normally route or jump between vlans. Multicast packets usually a limited to the vlan they are in.
You have to enable a process within a switch or router to enable the multicast IP packets to, excuse the terms, jump over from one vlan to another vlan.
If you are having trouble with getting these multicasts to jump over from one VLAN to another VLAN, you have some options.
Re-engineer the network so that the multicasting process control devices are in the same network or VLAN as the Human Management Interfaces.
(These Human Management Interfaces (PC's) i guess are monitoring the process control equipment and controlling accordingly.)
I must admit, that's a big ask . So the other option would be to get those multicast packets to jump over to other vlans.
I just checked your machine and it is covered by the following warranty;
Why not give the Small Business Support Center a call and ask them for some advice on enabling multicast forwarding that may help you forward multicasts over VLAN boundries.
One thing to consider from an RSLinx perspective: There are two types of browser which this software uses. One, called the AB-ETH browser makes a TCP connection to the automation device. Provided routing is in place, this should provide connectivity. However, it is painful to use as every IP address needs to be added to the software manually. The other type of browser is called the AB-ETHIP browser. This driver, which is more user-friendly makes use of a directed broadcast. If RSLinx is attempting to connect to a remote subnet then directed broadcasts need to be enabled in the router.
The other factor to consider is that RSLinx uses TCP port 44818 and UDP port 2222 - so you should check that they have not been blocked.
Hope that helps.
Thank you for the detailed reply. Our automation team is currently using the straight IP driver for RSLinx... and it works... but as you said, it's painful to use (as they're always adding/changing/deleting equipment on the plant floor).
I did discuss this with Cisco, and they suggested using VLAN tagging (all of of vlans are currently untagged). Frankly, I'd like to leave them untagged. Anyone who has networks involved with automation will be familiar with the broadcast storms that will arise from protocols like Allen Bradley's.
We have only a handful of devices (laptops) that would need their broadcast traffic to traverse one vlan to another (in this case, from the 10.20.100.x to 10.20.30.x). Is there a way to forward broadcast traffic specifically by IP (or MAC)?
..or...as you suggest.. how do we " If RSLinx is attempting to connect to a remote subnet then directed broadcasts need to be enabled in the router."?
Before anyone asks, the laptops need to be on the 10.20.100 vlan, as they are communicating through a WAP that is not capable of multiple vlan connections (an older Intermec).
Thanks again for the great assistance!
In our demonstration and lab setups, I enable directed broadcasts on the appropriate vlan interfaces of the L3 switch - which does the job. However, it should be recognised that directed broadcasts can present a security risk so it is your call as to whether you would like to enable them.
You mention that have concerns about "broadcast storms" with Allen-Bradley protocols. Do you mean high frequency multicast traffic? This is the way in which input-output devices communicate on ethernet. The frequency of the traffic owes to the need for the automation controller to obtain fast and frequent updates from the end devices that it is controlling. There are several ways to control this traffic. The newest controller firmware has an option to use unicast instead of multicast meaning the automation traffic is point to point. Alternatively IGMP snooping and snooping queriers can help restrict the multicast traffic to the parts of the network where it is needed. Finally, segmenting the automation space into VLAN's corresponding to individual cells or areas may also help. The Converged Plantwide Ethernet Design and Implementation Guide will give you a bit more information on this.
Hope that helps.
I'm just a newbie with cisco and I'm trying to learn the VLAN like what you did. Can you give me points or a tutorials from the web config? Even screenshots that will help, I was trying to make multiple VLAN's and while I'm searching over the net, I saw your post and thats what I want to implement to my study case. Im not much knowledge in cisco but im willing to learn with your help.