Siemens HMI devices use a single common MAC address.

wim76
Level 1

Hi,

We're using Cisco C9200L's in some of our OT environments, to which some very old Siemens hardware is connected. For some reason Siemens decided in the past to use a single MAC address, specifically for LLDP, for all their devices (note: this LLDP MAC address is different from their base MAC address used for unicast IP communication). See also the screenshot below. Needless to say, when several of these devices are connected to the same switch (stack), this causes a lot of MAC flapping and accompanying log entries.

(Note: we've checked, LLDP cannot be disabled on these HMIs.)

My question: next to a log discriminator, which simply hides the problem and its log entries, is there a way to tell the Cisco switch to ignore a MAC address switch-wide or on a specific port, or some other switch configuration which fixes the problem rather than hiding it?

Another solution we're considering is installing a small (managed) switch between our Cisco switch and the HMI which can terminate the LLDP packets before they reach our Cisco switch.

[Screenshot: wim76_0-1707215645846.png]

Kind regards,

Wim.

7 Replies

pieterh
VIP

If the number of devices is not too large, you can create a separate VLAN for those devices and disable MAC address learning on that VLAN.

This results in more flooding when packets need to be sent to that MAC address (egress port not learned!), so if this VLAN also carries "normal" network traffic, then this may not be the best solution. Also, if there is a large number of Siemens devices, this may not be the best solution.

There are quite a lot of devices on this stack, making it a rather large VLAN. Also, the HMIs need to communicate with a central server on the same subnet, and this server also serves many of the other devices on the VLAN.

So while interesting, and certainly something I will keep in mind should I encounter this in a smaller setup, for this production line it will indeed not be the best solution.

From a quick search, I've also not found a configuration to disable MAC learning on a single port rather than on the VLAN.

How come this question pops up now?
Has something changed, or are you migrating from other network devices to the 9200's?
Or has this situation existed for a long time and now you have time to search for another solution than just hiding the logging?

We used to have Siemens Scalance switches in that environment. The Scalance developers probably knew of this strange quirk in their devices and simply ignored this double MAC address, so it previously never appeared in our logging ... until we updated the network to Cisco

I found this document:
https://cache.industry.siemens.com/dl/files/352/109757352/att_987467/v1/PH_SCALANCE-X-200_76.pdf
Note: The LLDP protocol can be disabled in STEP 7 using the "End of topology discovery" function.

Is this a different device from the one in this document?
Or is this discovery function essential for your environment?

The documentation you've found is also for an X200 series Scalance switch, not an HMI (https://www.siemens.com/global/en/products/automation/simatic-hmi/panels.html). So yes, it's a different device. It is, however, exactly the same documentation I found (by searching for the MAC address) and how I figured out why it works like this and what was going on.

While LLDP is absolutely not essential for the environment, these devices are too old and it wasn't yet possible to disable LLDP for the hardware versions of the HMIs used in that production line (information I've received from the PLC programmers, not personally verified). A newer version of this HMI would also fix the issue, but that's a cost the production maintenance did not want to cover ... certainly not for something which doesn't really bother them; it only bothers me.

wim76
Level 1

Posting the involved MAC address in clear text so it can potentially be found by internet searches:

0800.069d.3840

08:00:06:9d:38:40

08-00-06-9d-38-40
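The thread's fallback is a log discriminator, and the risk with a blanket filter on the MACFLAP message type is that it also hides MAC moves that are not caused by these HMIs (a loop, a mis-cabled port, or another host turning up with a MAC it should not have). The following is an added example, not code from the thread or from Cisco or Siemens: a small Python script that parses Catalyst `%SW_MATM-4-MACFLAP_NOTIF` syslog lines, treats moves of the shared Siemens LLDP MAC posted above as expected (and uses them to inventory the HMI ports), and still reports every other MAC move. The syslog excerpt is constructed, and the second MAC in it (`0011.2233.4455`) is hypothetical. The same idea, matching the discriminator on the specific MAC in the message body rather than on the mnemonic, keeps the switch's own log useful.

```python
import re
from collections import defaultdict

# The shared LLDP source MAC of the old Siemens HMIs, in the three notations
# posted in the thread. Any of them normalizes to the Cisco dotted form.
KNOWN_SHARED_LLDP_MACS = {"0800.069d.3840", "08:00:06:9d:38:40", "08-00-06-9d-38-40"}

# Catalyst MAC-move notification, e.g.
# %SW_MATM-4-MACFLAP_NOTIF: Host 0800.069d.3840 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)",
    re.IGNORECASE,
)

# Constructed sample syslog excerpt: two moves of the shared HMI MAC and one move of an
# unrelated, hypothetical MAC (0011.2233.4455) that a blanket MACFLAP filter would hide.
SAMPLE_SYSLOG = """\
Feb  6 10:12:01.123: %SW_MATM-4-MACFLAP_NOTIF: Host 0800.069d.3840 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
Feb  6 10:12:03.456: %SW_MATM-4-MACFLAP_NOTIF: Host 0800.069d.3840 in vlan 10 is flapping between port Gi1/0/2 and port Gi2/0/5
Feb  6 10:12:07.789: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/3 and port Gi1/0/24
Feb  6 10:12:09.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
""".splitlines()


def normalize_mac(mac: str) -> str:
    """Return a MAC in Cisco dotted form (xxxx.xxxx.xxxx), whatever separator it came with."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def classify_macflaps(lines, known_macs=KNOWN_SHARED_LLDP_MACS):
    """Split MACFLAP notifications into expected (known shared MAC) and unexpected ones.

    Returns (expected, unexpected); each maps mac -> vlan -> set of ports involved.
    Non-MACFLAP syslog lines are ignored.
    """
    known = {normalize_mac(m) for m in known_macs}
    expected = defaultdict(lambda: defaultdict(set))
    unexpected = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = MACFLAP_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m["mac"])
        bucket = expected if mac in known else unexpected
        bucket[mac][int(m["vlan"])].update((m["p1"], m["p2"]))
    return expected, unexpected


def hmi_port_inventory(expected):
    """Ports on which the shared LLDP MAC was seen: a quick way to locate the HMIs."""
    ports = set()
    for vlans in expected.values():
        for port_set in vlans.values():
            ports |= port_set
    return sorted(ports)


if __name__ == "__main__":
    expected, unexpected = classify_macflaps(SAMPLE_SYSLOG)
    print("HMI ports (expected flapping):", hmi_port_inventory(expected))
    for mac, vlans in unexpected.items():
        for vlan, ports in vlans.items():
            print(f"ALERT unexpected MAC move: {mac} vlan {vlan} ports {sorted(ports)}")
```

Run it against an exported syslog instead of `SAMPLE_SYSLOG` and the "ALERT" lines are the MAC moves a blanket discriminator would have dropped; the inventory of HMI ports is also the list of ports to move into a separate VLAN if the learning-disable approach from the first reply is chosen.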
