ProSoundWeb Community


Author Topic: Dedicated or converged network... an idea  (Read 6429 times)

Kieran Walsh

  • Jr. Member
  • Posts: 88
    • Audinate
Re: Dedicated or converged network... an idea
« Reply #10 on: March 25, 2014, 09:29:00 AM »

Bob, I think we are probably saying the same thing....

Let's put it another way then...

I didn't get into Audio for the glamorous job of pulling cable. The less I can do of that the better. If I were the owner of an "in-house" system that a touring team needed to integrate with, I would have security concerns just as network engineers do.

To elaborate further- my prime concern with network security is that I can fix anything that presents itself as an issue as easily and stress free as possible. Of course the nefarious use of the system is something to guard against, but the more serious things to be secured against operationally are people trying to either be "helpful" or do things "their way"- down those roads lies disaster. It doesn't matter whether this is an IT network with its own language and definitions of terms, or an Audio system that is similarly encumbered. I could be using wet string and semaphore to tell things what to do, it could still result in an out of control train wreck if common courtesies are not observed (sadly these often need to be enforced).

As a touring audio engineer I would not dream of telling a venue how they should set their crossovers for the system they maintain the other 364 days of the year... I have heard what I would consider the "best" engineers I know create wonderful audience experiences from ... how do I say it... very under-spec systems... if you see what I mean. OK so they might be able to make that even better on a top spec, highly tuned system... without a doubt... but they get on with it and play the hand they are dealt.

Where there is bandwidth to take audio over the network, and avoid pulling cables, and save some money, and maybe time into the bargain... great. Where there is discomfort with this approach, have a discussion on why that is... normally this boils down to bandwidth and/or security.

I don't think that it will be met with huge opposition if I suggest that where the IT department feel that there is lack of provision of bandwidth for a task, that it may be something to consider incorporating into the longer term infrastructure plan, if this service is set to be a permanent fixture.

At the crux of this I agree- security concerns are key. Providing ports that are directly switched in the same IP subnet, with some kind of connection to a public Internet gateway will suffice for 99.9999% of projects (using a wireless card at FOH in an 85,000 capacity show is just plain miserable... the cell phone doesn't work either... and having a VoIP phone at FOH is Awesome if you happen to have just dragged the fibre in anyway.) From that perspective- by your definition I would call that a "guest" network.

Whether you do this by provisioning separate subnets for the Audio system, the VoIP system etc etc... and whether this even needs to be attached to a router that can connect to internal subnets are all things that the IT department will be able to give very sensible guidance and facilitation on.

I know that this is a more fixed installation topic - but in the case of the vast number of conferencing products we are seeing released by our partners... this "corporate function" has become audio. There are delegate conferencing units that incorporate uncompressed Audio over IP with video, and corporate network access for email, agendas, and internet access. OK so getting a system like this working on a corporate network as a fixed task is the bread and butter of corporate IT people, and I think this is what brings us full circle to the point I was originally trying to make.

Security happens at all layers of course... from the locked door, and security guard at layer 1, to the training and vetting of personnel at layer 8 and all points in between. I am not going to suggest a security scheme... it will inevitably only be suitable for one application... and be wrong for many others. The one truth as Bob says is that it is always a consideration, for everyone.
Senior Technical Solutions Manager, Audinate EMEA.

Mark McFarlane

  • Hero Member
  • Posts: 1946
Re: Dedicated or converged network... an idea
« Reply #11 on: March 25, 2014, 10:23:38 AM »

Kieran, I wasn't trying to say that converged networks aren't a great idea in many cases, I was simply responding to your statement about "Audio on the same network as everything else...." and wanted to point out a case of where 'everything else' might not contain what many people expect on a network. Just one example of a corporate network.

In addition to the scientific network I mentioned, we also run a 'mostly isolated' network where users' desktop Windows machines are connected. Basically one world for Unix variants and another for Windows/OSX. There are some secure connections between these two networks. Our security is fairly strict, and getting more strict every month, e.g. to get two computers to communicate there is an approval process to open ports for specific protocols. Social sites, hotmail, forums, youtube and the like are all blocked, even ftp is blocked, which is a real PITA because I develop and support software and do systems design (I'm not a network guy, I'm a scientific domain expert, a software engineer, and an HPC consultant - i.e. I do high level parallel systems designs: I don't design the switches, I just spec things like latency and aggregate bandwidth requirements between cloud components and someone else designs the physical network).

More information than anyone probably cares to hear. Just came home from an exhausting day at work.
Mark McFarlane

Kieran Walsh

  • Jr. Member
  • Posts: 88
    • Audinate
Re: Dedicated or converged network... an idea
« Reply #12 on: March 25, 2014, 11:28:21 AM »

Just a point on corporate networks in general...

The building I am in has a shared corporate network.

I have a bunch of Jacks on the wall that access the structured cabling in the building.

When I moved in the IT manager gave me my subnet.

From thereon in - it is entirely up to me what I do with those precious public IP addresses... and one thing's for sure- I'm not posting what I am doing on the Internet!

Basically I persuaded him to drop a tie-line for me to the basement by doing a patch in his closet... fairly standard thing. This means I have copper to a space I sometimes use for demos, that comes up in the lab... and I'm not hurting anyone if I use it or not. The jacks that I have terminate at the router somewhere else in the building (I actually neither know nor care where... and have never been in there).

This building's network passes the requirements for government sensitive data... so not that I have tried it... but I can't just randomly walk around the building with a bit of cat5 causing chaos.

I have about 700 channels of Dante running around here, an Internet connection and only a few tens of terabytes of data, VoIP phones, servers etc on the single subnet in here... only about 80 devices... so admittedly not huge. The wider building probably has several hundred nodes, and the other site on the campus about the same... there is a fiber running over to the other site for DNS and connection redundancy.

I have a miniature converged network where I dictate the security... I then access the outside through the campus infrastructure. The IT guys can theoretically create routes between my subnets and others... I cannot do this unilaterally, so if I wanted to connect to another office here, it would have to be by mutual agreement and a change request to IT (and a very good reason)... Therefore materially... I'm only really going to hurt myself in this context... if at all...
Senior Technical Solutions Manager, Audinate EMEA.

Chris Johnson [UK]

  • Sr. Member
  • Posts: 446
Re: Dedicated or converged network... an idea
« Reply #13 on: March 26, 2014, 11:56:08 AM »

Interesting thread.

In short, I'm a big fan of converging physical networks. There aren't normally many good reasons that a bunch of devices and services can't share the same switches and pieces of copper/glass (bandwidth allowing).

Sometimes there is a good reason for devices not to be on the same 'functional network', but there are ways of achieving that without necessarily duplicating switches or cabling (using VLANs, isolating parts of switches, etc...).

I tend to use a hybrid approach, and in fact I'm currently working toward a system for use on live/broadcast events that will be based on a pair of parallel physical networks, each with 3 VLANs (each VLAN having a separate subnet). The parallel networks provide isolated primary and secondary VLANs for Dante, and provide MSTP redundancy for the other 2 VLANs.

The main reason for the VLANs in this case is that I need to be able to have DHCP servers operating on only certain parts of the network, and I need to be able to connect certain groups of devices to third party networks. Having VLANs enables me to do this and only expose certain pieces of the network to the third party. I am also forcing certain switch ports to negotiate a 100Mbit link (even though they are Gigabit switches) so that I can 'hard-limit' the bandwidth of certain devices so they don't inadvertently saturate the fibre links.
Riedel Communications

Bob Leonard

  • Hero Member
  • Posts: 6807
  • Boston, MA USA
Re: Dedicated or converged network... an idea
« Reply #14 on: March 26, 2014, 02:45:26 PM »

Vlans are your friend.
BOSTON STRONG........
Proud Vietnam Veteran

I did a gig for Otis Elevator once. Like every job, it had its ups and downs.

Kieran Walsh

  • Jr. Member
  • Posts: 88
    • Audinate
Re: Dedicated or converged network... an idea
« Reply #15 on: March 26, 2014, 04:43:37 PM »

> Vlans are your friend.

Yes - I agree... they can be when treated properly.

I say this - for general consumption rather than to inspire terror! Please be very careful when using IP multicast with VLANs- there is a "soft" default port mode that I have seen on Cisco and HP enterprise switches.

IP multicast can sometimes "escape" from a VLAN, as this is a "feature" used by services like IPTV.

This can really give you a bad day with some clocking schemes.

Solution:

On Cisco- say we want ports 1-4 to be VLAN 2 and ports 5-8 to be VLAN 3 (I am deliberately leaving out VLAN 1 for the moment- this will become clear)

My first task is to do
(please excuse inaccuracies... this is off the "top of my head")

>enable
#config t
#interface range gi 0/1 - 0/8
config-if#switchport mode access

<-- the last step above is very important, you don't want the switch doing its default thing of choosing whether a port is a trunk or an access port ad-hoc... this is cool for an edge switch in a branch office... very uncool for a serious data network !-->

next we want to put some ports in a VLAN

#interface range gi 0/1 - 0/4
config-if# switchport access VLAN 2

Normally - most people stop here... on an IP unicast network, this is all you have to do...

However services like Dante clock - when there is a primary and secondary network sharing a switch need to be kept separate... we do this as so

config-if# switchport forbid VLAN 3
config-if# switchport forbid VLAN 1

This is assuming that there are only VLANs 1, 2, and 3 in the switch.

I am also assuming that the whole VLAN-DA process has been done to create the VLANs in the first place.

next up, we do the same for the secondary

config-if# interface range gi 0/5 - 0/8
config-if# switchport access VLAN 3
config-if# switchport forbid VLAN 2
config-if# switchport forbid VLAN 1

I will cross check this against a Cisco IOS device... but the point above is to show a principle, not a method of execution.

NB - once we have the access ports all nicely separated... we can still do a dot1q trunk and put the primary and secondary VLANs on the same physical port, after all we are sure that the IP multicast has been put in frames that have the dot1q header filled in correctly.

I only know this because I had to do it a few hundred times... took a while to work out... hopefully will save some of you time and stress.

As they say on a popular show here- stay safe and don't have nightmares
Senior Technical Solutions Manager, Audinate EMEA.

Kieran Walsh

  • Jr. Member
  • Posts: 88
    • Audinate
Re: Dedicated or converged network... an idea
« Reply #16 on: March 26, 2014, 04:52:11 PM »

> On Cisco- say we want ports 1-4 to be VLAN 2 and ports 5-8 to be VLAN 3 (I am deliberately leaving out VLAN 1 for the moment- this will become clear)

I said I would explain... and forgot to... VLAN 1 is by default on most equipment called variously the "default VLAN" or the "untagged" VLAN.

The default VLAN is awesome if you need to sneak around and access admin functions on every port on the network... it can however act like a virtual "shorting wire" if you aren't careful... basically, any traffic put into an access port can be put in 2 VLANs at once... the VLAN of the port and the default VLAN...

In a pure unicast IPv4 world, this doesn't matter so much, as most of the time the IP addressing scheme has VLANs treated as IP subnets, and therefore data doesn't get up past layer 3 because the IP address should make it clear to which stack the data is going... not all traffic is IP... and specifically... not all traffic is IP unicast...
Senior Technical Solutions Manager, Audinate EMEA.
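As an added example that is not part of this thread, a small Python audit script that replays a switch CLI transcript written in the simplified command syntax of Reply #15 (that syntax is an assumption; real switch CLIs vary by vendor and platform) and flags the two gaps Replies #15 and #16 describe: ports left to negotiate their own mode, and access ports that still admit the default VLAN 1 or the other Dante VLAN.

```python
import re

# Constructed sample transcripts in the simplified command syntax of the post
# above; that syntax is an assumption, real switch CLIs vary by vendor/platform.
GOOD_CONFIG = """#interface range gi 0/1 - 0/8
config-if#switchport mode access
#interface range gi 0/1 - 0/4
config-if# switchport access VLAN 2
config-if# switchport forbid VLAN 3
config-if# switchport forbid VLAN 1
config-if# interface range gi 0/5 - 0/8
config-if# switchport access VLAN 3
config-if# switchport forbid VLAN 2
config-if# switchport forbid VLAN 1
"""
# The "most people stop here" variant: access VLAN set, mode and forbids left out.
WEAK_CONFIG = """#interface range gi 0/1 - 0/4
config-if# switchport access VLAN 2
"""
RANGE_RE = re.compile(r"interface range gi\s*0/(\d+)\s*-\s*(?:0/)?(\d+)", re.I)

def parse_ports(config):
    ports, current = {}, []
    for raw in config.splitlines():
        line = re.sub(r"^[^#>]*[#>]\s*", "", raw.strip())  # drop CLI prompts
        m = RANGE_RE.search(line)
        if m:  # "interface range" opens a block; later commands apply to it
            current = list(range(int(m.group(1)), int(m.group(2)) + 1))
            for p in current:  # a port re-entered later keeps its earlier state
                ports.setdefault(p, {"mode": None, "access": None, "forbid": set()})
            continue
        low = line.lower()
        for p in current:
            if low == "switchport mode access":
                ports[p]["mode"] = "access"
            elif low.startswith("switchport access vlan"):
                ports[p]["access"] = int(low.split()[-1])
            elif low.startswith("switchport forbid vlan"):
                ports[p]["forbid"].add(int(low.split()[-1]))
    return ports

def audit(config, all_vlans=frozenset({1, 2, 3})):
    findings = []  # one line per port per gap; empty list means the port set is clean
    for p, st in sorted(parse_ports(config).items()):
        if st["mode"] != "access":
            findings.append(f"gi0/{p}: mode not pinned; add 'switchport mode access'")
        leaks = set(all_vlans) - {st["access"]} - st["forbid"]  # VLAN 1 counts too
        if st["access"] is None or leaks:
            findings.append(f"gi0/{p}: access VLAN {st['access']} still permits {sorted(leaks)}")
    return findings
```

Running audit(WEAK_CONFIG) reports each of ports 1-4 twice, once for the unpinned mode and once for VLANs 1 and 3 still being admitted; audit(GOOD_CONFIG) returns an empty list.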
