VLAN Segmentation

We are a manufacturer, so we have PLCs that do a lot of multicasting. Sometimes a PLC message doesn't get to a computer or database in time. I believe we are having timeouts.
I have many VLANs for different hardware or usage types, but I don't think they are segmenting the traffic the way I thought they should. For instance, if I put Wireshark on a computer, I can see conversations on other VLANs. I think, in ignorance, I have just been making VLANs without making routing rules. We have a core stack of Cisco 3850 Layer 3 switches. Can I make the type of rules I need to separate VLAN traffic so that the network can send packets in a timely fashion?


[Attachment: Network Diagram - Jan 2020 - plain.jpg]

The Core (big 4 switches) is in VTP server mode. All other switches are in VTP client mode.
If I turn on IGMP during production, there may be a short period (a minute) of downtime, and I would get in trouble.
I have SolarWinds if you can tell me what to pull from it.
Below is the plan I gave my boss. Is there anything majorly wrong with it?

I have found two things that could improve the network.  They would both require downtime (minutes).  One would be VLAN Pruning (helping the overall network), and the other IGMP Snooping (helping with multicasts).
Both of those options have caveats, and we would not know the result until production started, which could result in downtime to undo.
 
A third fix would be to configure loop prevention on a few trunks that do not currently have this.  I have done this before.  There are quite a few phones out there without this fix.  XYZ said we have some VOIP loops.  The phones are fine to change on the fly.
There are just a couple switch trunks (connections to other switches) that don’t have this loop prevention fix.  I don’t know if the fix would cause downtime (minutes), but I don’t think there are any caveats.
 
We could also upgrade the firmware on the core and 10GB switches.
Finally, the OmniCube upgrades may fix the bug which causes the cubes to ask each other who is boss too often.
 
Together, these ideas could make a good dent in the problem, but the benefit would diminish as we grow.
 
The question is, do we want to try my ideas one by one and see what happens, risking downtime if they don’t work as expected, or wait for the experts to apply their fixes and add a firewall for routing VLANs?  The XYZ outsourced fixes would carry us further into the future.  There would still be downtime, perhaps even more downtime than with my fixes, and the experts would require tuning.
 
At some point everything listed may need to be applied. At some point, software and physical restructuring of the network will be required. Currently, our VLANs and DHCP scopes were set up for a small business. To properly redo the VLAN and DHCP structure will take significant downtime, perhaps as much as a day each. The VLAN and DHCP restructuring may be two of the ideas the experts would want to apply.

The core switch is the big stack of 4 near the middle; it is Layer 3 with routing turned on. No actual router.

I have started using LACP. The pic does not show the redundant line. Assume there is one for the switches. Sorry. Something for me to correct.

All VLANs are on all switches, using VTP. That is the problem: no VLAN segmentation.

What is a PDU? Power Distribution Unit?

Hyperconverged - Hyperconverged Infrastructure: A hyperconverged infrastructure is an infrastructure model that utilizes a software-centric architecture and has a tight integration with the storage, networking, computing and virtualization software and hardware resources. A hyper-converged infrastructure enables the management of all the integrated resources ... www.techopedia.com/definition/31679/hyperconverged-infrastructure


We ended up doing all the things Paul Driver suggested and there were some improvements.  We had to hire someone to help us.  Below are Paul's suggestions:

"A few things you can do before you think about applying any QoS design (if you don't already have it).

  • Manually apply pruning to all your trunk interconnects to allow only the VLANs that need to traverse the interconnect.
  • Enable DHCP snooping on all access switches, and if you have LAN multicast, enable IGMP snooping also.
  • On all access ports (edge ports) apply STP portfast, BPDU guard & storm-control for broadcast/multicast/unicast"
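As an added example (not configuration taken from the thread or from the OP's network), here is what Paul's three bullet points look like in IOS on one access switch uplinked to a 3850 core. Interface names, VLAN numbers (10 office, 20 PLC, 30 voice, 999 unused native) and the storm-control thresholds are assumed placeholders.

```cisco
! Added example, not the thread's own config. Interface names, VLAN ids and
! thresholds are assumed; adjust to the real topology before use.
!
! 1. Manual pruning: the uplink trunk carries only the VLANs this switch
!    actually hosts, so flooded frames from other VLANs never cross it
!    (VTP still distributes the VLAN database, but not the traffic).
interface TenGigabitEthernet1/1/1
 description Uplink to core stack
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 ip dhcp snooping trust
!
! 2. DHCP snooping: only the trusted uplink may answer DHCP on these VLANs;
!    rogue or misplugged DHCP servers on edge ports are dropped.
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
no ip dhcp snooping information option
!
! 3. IGMP snooping: PLC multicast is forwarded only to ports that joined the
!    group instead of being flooded to every port in the VLAN. A querier is
!    needed where no multicast router sends IGMP queries, otherwise group
!    membership times out and the switch falls back to flooding.
ip igmp snooping
ip igmp snooping querier
!
! 4. Edge ports: portfast, BPDU guard and storm control. Storm control
!    thresholds are a percentage of port bandwidth; "trap" only alerts, so a
!    mis-sized threshold does not shut down a PLC in production.
interface range GigabitEthernet1/0/1 - 24
 description PLC / workstation edge port
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control unicast level 10.00
 storm-control action trap
!
! 5. Global defaults so any new access port gets the same edge protection.
spanning-tree portfast default
spanning-tree portfast bpduguard default
```

Before committing the multicast threshold, measure the PLCs' normal multicast rate (e.g. from the interface counters SolarWinds already polls) so the level sits above it, and confirm snooping is working with `show ip igmp snooping groups`.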