Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1043
Views
0
Helpful
6
Replies

CBS350 Allowing Inter-VLAN Multicast

Go to solution
rschember1
Level 1
Level 1

‎11-14-2024 08:12 AM

I have multiple CBS350 switches on our site and after installing some new security software, I became aware that multicast traffic seems to be traversing between VLANs. I initially saw this on one of my sites that's using older SG200 switches so I thought maybe there was an issue with them, but I'm also seeing it on my CBS350s.

Setup is as follows:

VLAN 1 (10.10.5.0/24) is internal traffic, (native VLAN, untagged).

VLAN 25 (10.20.5.0/24) is Guest traffic, tagged.

Using Wireshark, I can see SSDP and MDNS multicast traffic from VLAN 25 devices being picked up by devices on VLAN 1. How is this being allowed? The switch is operating in layer 2 mode and there is no routing between these two networks on my router, so it's got to be the switch that's allowing it.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
KJK99
Level 3
Level 3

‎11-14-2024 03:21 PM

@rschember1 

I think that you are observing the expected behavior.

Re. #1. Here you have your PC connected to a port that is a member of VLAN 30 and VLAN 25 so the switch will send traffic for both VLANs. The switch cannot guess what VLAN your PC wants to be. You could've configured your PC to accept frames tagged with VID 25, instead of untagged.

Re. #2. Here your PC is connected to a port that is a member of just VLAN 1 so the switch sends only traffic from VLAN 1.

Re. #3. Here your PC is connected to a SSID that is associated with only one particular VLAN. That's like connecting a PC to an access port.

If you have a port that is a member of several VLANs, the switch will send traffic for all VLANs the port is member of. It is not a case of "crossing over." It would be a case of "crossing over" if you've seen traffic from VLANs that port is not a member of. Depending on its configuration, a PC connected to a multi-VLAN port will accept either untagged frames or frames with a specific VLAN tag.

Kris K

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Flavio Miranda
VIP
VIP

‎11-14-2024 08:31 AM

@rschember1 

 Two configs could cause this

 

FlavioMiranda_0-1731601734187.png

FlavioMiranda_1-1731601829993.png

 

0 Helpful

Go to solution
rschember1
Level 1
Level 1
In response to Flavio Miranda

‎11-14-2024 08:56 AM

Hi @Flavio Miranda --

I just checked the switches -- both of those settings are already disabled on all switches.

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to rschember1

‎11-14-2024 09:10 AM

 

Check this one also. Make sure is not Multicast TV VLAN

 

FlavioMiranda_0-1731604190992.png

 

0 Helpful

Go to solution
rschember1
Level 1
Level 1
In response to Flavio Miranda

‎11-14-2024 12:49 PM

@Flavio Miranda 

Ok, I did some extended testing on this. 

Test scenario 1: Connected my PC with ethernet to a port with VLAN 30 untagged, VLAN 25 tagged. With my PC on VLAN 30, I'm still seeing multicast packets from VLAN 25 crossing over. This means the problem isn't just with VLAN 1.

Test scenario 2: Connected my PC with ethernet to a port with VLAN 1 untagged, VLAN 25 excluded. This silenced the multicast packets. However, I'm still concerned that multicast traffic is allowed to cross the VLANs.

Test scenario 3: Connected my PC using WiFi to a port with VLAN 1 untagged, VLAN 25 tagged. Not receiving any multicast packets from outside the VLAN, so it could be that the WiFi AP is correctly blocking these packets.

I do have several ports that require both VLAN 1 and 35 due to having IP phones, so I can't set every port to "Access" -- some will still require "General" with access to 1 and 35, but I can exclude the misbehaving VLAN 25 on all ports that don't have a wireless AP on the other end.

0 Helpful

Go to solution
KJK99
Level 3
Level 3

‎11-14-2024 03:21 PM

@rschember1 

I think that you are observing the expected behavior.

Re. #1. Here you have your PC connected to a port that is a member of VLAN 30 and VLAN 25 so the switch will send traffic for both VLANs. The switch cannot guess what VLAN your PC wants to be. You could've configured your PC to accept frames tagged with VID 25, instead of untagged.

Re. #2. Here your PC is connected to a port that is a member of just VLAN 1 so the switch sends only traffic from VLAN 1.

Re. #3. Here your PC is connected to a SSID that is associated with only one particular VLAN. That's like connecting a PC to an access port.

If you have a port that is a member of several VLANs, the switch will send traffic for all VLANs the port is member of. It is not a case of "crossing over." It would be a case of "crossing over" if you've seen traffic from VLANs that port is not a member of. Depending on its configuration, a PC connected to a multi-VLAN port will accept either untagged frames or frames with a specific VLAN tag.

Kris K
0 Helpful

Go to solution
rschember1
Level 1
Level 1
In response to KJK99

‎11-15-2024 09:02 AM

@KJK99 

Thank you for the clarification. I sorted it out by removing VLAN 25 from all ports except those with APs and those being used as trunks.

0 Helpful
Customers Also Viewed These Support Documents