Monday, August 20, 2007

The Value of Rate Limiting


On August 11, 2007, nearly 20,000 passengers (by some estimates) were stranded for many hours at Los Angeles International Airport. The incident involved a U.S. Customs computer network containing information used to screen passengers seeking entry to the United States. It went down around 1 p.m. PDT and was not restored until 11:45 p.m. The last of the backlogged travelers from some 73 flights were not processed for another five hours.

Acting port director Peter Gordon reported, "This is probably one of the worst days we've had. I've been with the agency for 30 years, and I've never seen the system go down and stay down for as long as it did." U.S. Customs and Border Protection spokesman Mike Fleming added, "This was unprecedented in terms of impact."

Early reports blamed a "computer glitch," then suggested faulty hardware in general and insufficient backup, then perhaps the fiber optic cabling. It was determined three days later to be a sputtering network interface adapter.

Whether the interface adapter was generating a broadcast storm or some other torrent of Ethernet frames is unclear, but there is no doubt that the system was derailed by the card's incessant output.

While this incident involved no loss of life (although many passengers were hospitalized), the inconvenience to the travelling public was monumental. In some areas of Industrial Ethernet, such an outage could prove very costly in terms of economics and lives threatened.

Several analysts bemoaned the lack of system backup, but backup is never complete or perfect. With rate limiting (or rate control), which is available on some managed switches such as those from Contemporary Controls, the problem could have been minimized to the point that the network would likely have survived the card failure.

The exact nature of rate limiting varies by equipment, but typically both ingress and egress traffic on a port can be limited by rate and by type of traffic. Switches with this functionality allow you to control the rate of broadcast, multicast or unicast messages, and perhaps even destination look-up failures and MAC control frames. With these tools, bandwidth allocation can be fine-tuned.

By limiting all frame types, the full bandwidth of a port can be controlled. Selecting only broadcast frames will create broadcast storm control governed by an adjustable maximum bandwidth setting. Rate control can be useful for connecting a Windows® computer to the control network and for limiting communications from an unknown or uncontrolled network such as when interconnecting the office and control networks.
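The Python sketch below is an added example, not code from the original post or from any Contemporary Controls product. It models broadcast storm control as a token bucket on an ingress port, an assumed mechanism since the post does not say how a given switch enforces its limit; the class and function names, the 1 Mbit/s limit, the storm rate and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = b"\xff" * 6

def frame_class(dst_mac: bytes) -> str:
    """Classify a frame by destination MAC, as a layer-two switch sees it."""
    if dst_mac == BROADCAST:
        return "broadcast"
    if dst_mac[0] & 0x01:              # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"

@dataclass
class IngressLimiter:
    """Token bucket applied only to the frame classes named in `limited`."""
    rate_bps: int                      # sustained limit in bits per second
    burst_bits: int                    # bucket depth in bits
    limited: frozenset = frozenset({"broadcast"})
    tokens: float = field(init=False, default=0.0)
    last: float = 0.0                  # time of the last refill, seconds

    def __post_init__(self):
        self.tokens = float(self.burst_bits)   # start with a full bucket

    def admit(self, now: float, dst_mac: bytes, length: int) -> bool:
        if frame_class(dst_mac) not in self.limited:
            return True                # unlimited classes pass untouched
        elapsed = now - self.last
        self.tokens = min(self.burst_bits, self.tokens + elapsed * self.rate_bps)
        self.last = now
        bits = length * 8
        if self.tokens < bits:
            return False               # over the limit: drop at ingress
        self.tokens -= bits
        return True

def simulate_storm(limiter, seconds=1.0, storm_pps=100_000, frame_len=64):
    """Constructed scenario: a failing adapter emits 64-byte broadcasts at storm_pps."""
    total = int(seconds * storm_pps)
    admitted = sum(limiter.admit(i / storm_pps, BROADCAST, frame_len) for i in range(total))
    return admitted, total

if __name__ == "__main__":
    port = IngressLimiter(rate_bps=1_000_000, burst_bits=51_200)
    admitted, total = simulate_storm(port)
    print(f"broadcast admitted: {admitted}/{total}")   # storm clipped to about 1 Mbit/s
    # Unicast traffic (constructed MAC) on the same port is not charged to the bucket.
    print("unicast admitted:", port.admit(1.0, bytes.fromhex("020000000001"), 1500))
```

Passing all three classes in `limited` corresponds to the post's first case, where limiting all frame types caps the full bandwidth of the port.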

For more about the airport incident, follow the link below:

Monday, August 06, 2007

Does Your Switch Block Certain Ports?



Some time ago, a customer called to ask, "Are ports 1628 and 1629 open or blocked in your Industrial Ethernet switch?"

In general, the question was referring to TCP/UDP ports — the numbering scheme by which OSI layer-four messages are identified and controlled. Note that TCP/UDP ports are mere numerical abstractions that serve record-keeping and permissions purposes. Such ports are altogether different from the physical ports where CAT5 cables attach to Industrial Ethernet switches.

This specific inquiry was about the LonTalk protocol, which uses port 1628 for normal messaging and port 1629 for urgent messaging. TCP/UDP ports are identified by 16 bits and are therefore numbered from 0 to 65,535. The lowest-numbered ports (0–1023) are reserved for specific TCP/UDP functions. Ports 1024–49,151 are reserved by organizations. The remaining ports up to 65,535 are for private use.

Regarding the question posed by the customer, the simple answer was that neither these ports nor any others were blocked because our devices are layer-two switches. Layer-two switches are ignorant of TCP/UDP functionality. To selectively block such a port requires what is often called a layer-three switch (or a router).

In summary, if you are using a layer-two switch — whether plug-and-play, configurable or managed — you need not worry about it blocking any TCP/UDP port. A configurable or managed layer-two switch could impose blocking of a physical port, but it does not have the ability to block TCP/UDP ports.

©2001-2008 Contemporary Control Systems, Inc. All rights reserved.