Introduction (field case)

In a recent AV‑over‑IP project with an AV integrator, we saw a familiar pattern:

• A NETGEAR switch (M4250/M4300/M4350) provided Layer‑3 routing and DHCP.
• Devices in the various AV VLANs received IP addresses correctly.
• Local (intra‑VLAN) communication worked fine.
• But:
  • multicast was unstable (dropouts, choppy streams, flaky discovery), and
  • internet access from the AV VLANs did not work.

In most AVoIP deployments, those two symptoms come from:

1. an incorrect (or missing) IGMP Querier in the multicast VLAN, and
2. missing static routes on the internet router to send replies back into the AV VLANs.

This article addresses them in the right order:
get multicast control right first (IGMP Querier), then complete routing (static routes)—because without proper multicast control, AVoIP will never operate reliably.

1) Multicast first: IGMP Querier in AVoIP VLANs

1.1 Why an IGMP Querier is essential

AV‑over‑IP protocols such as Dante, AES67, Q‑SYS, NDI, and SDVoE rely heavily on multicast.
Multicast only stays predictable if each multicast VLAN has exactly one IGMP Querier.

What the Querier does:

• Sends periodic IGMP General Query messages in the VLAN,
• asks hosts whether they are still members of certain multicast groups,
• keeps IGMP Snooping tables fresh,
• prevents multicast flooding,
• and keeps AV streams stable.

In VLANs where multicast is used (Dante, AES67, NDI, SDVoE, discovery), exactly one device within that VLAN must fulfill the role of IGMP Querier.

1.2 How the Querier is chosen

The IGMP‑Querier election occurs between switches within the same VLAN.
The internet router almost never participates, because:

• most internet routers do not support IGMP‑Querier on their platform,
• therefore they do not take part in the election.

The rule is simple:

The switch with the lowest IP address in the VLAN becomes the IGMP Querier.

1.3 Which device should be the Querier?

Always the routing AV switch (the NETGEAR switch doing the L3 job):

• it sees all AV flows,
• it performs IGMP Snooping,
• it understands the multicast logic,
• and it sits at the right point in the topology.

A precise clarification:

You don’t want another switch in the same VLAN—one that does support IGMP‑Querier and has a lower IP address—to accidentally take over the Querier role.

Access points, Wi‑Fi routers, and many simple network appliances typically do not support an IGMP‑Querier on the LAN and therefore do not participate in the election.

1.4 Guaranteeing the correct switch becomes the Querier

Use IP planning:

• Assign the routing NETGEAR switch the lowest IP address in the transit/management VLAN
  • e.g., 192.168.1.1
• Assign the internet router a high IP address in that same VLAN
  • e.g., 192.168.1.254
• Ensure any access/edge switches have higher IPs than the routing switch.

This way, the routing switch always wins the Querier election.

1.5 Multicast checklist

• ✅IGMP Snooping: ON in all AV VLANs
• ✅Exactly one IGMP‑Querier per multicast VLAN
• ✅Routing NETGEAR switch = lowest IP (e.g., .1)
• ✅Internet router = high IP (e.g., .254)
• ✅ No other switch with an IP lower than the routing switch

2) Then complete routing: Inter‑VLAN & static routes

2.1 Why devices get an IP but have no internet

The routing NETGEAR switch:

• routes between AV VLANs using SVI interfaces*, and
• forwards outbound traffic to the internet router via its default route.

However, when the router receives a packet with a source like 192.168.20.50, it:

• does not know where the network 192.168.20.0/24 lives,
• so it cannot send the reply back to the source.

Consequences:

• no internet from the AV VLANs,
• no returning control traffic,
• unreliable discovery,
• management tools don’t see devices.

2.2 The fix: add static routes

Tell the internet router where to find the AV VLANs.

Example (routing switch = 192.168.1.1 in the transit/management VLAN):

 192.168.10.0/24  →  192.168.1.1
 192.168.20.0/24  →  192.168.1.1
 192.168.30.0/24  →  192.168.1.1

This makes traffic bi‑directional (out and back).

2.3 Best‑practice example

Transit/management VLAN (e.g., VLAN 1)

AV VLANs:

• VLAN 10 (Dante): 192.168.10.1
• VLAN 20 (Management): 192.168.20.1
• VLAN 30 (Video): 192.168.30.1

Static routes on the router:

 192.168.10.0/24  →  192.168.1.1
 192.168.20.0/24  →  192.168.1.1
 192.168.30.0/24  →  192.168.1.1

3) Is using VLAN 1 a security risk?

No—using VLAN 1 is not inherently risky.

Security is determined by:

• firewall policy,
• administrative discipline,
• physical access,
• and access control policies.

As I explained to the customer:

“The company firewall and the administrators around it should cover the security PART—that is where the main risk lies.”

4) Summary

Step 1 — Multicast

• Routing NETGEAR switch = lowest IP → becomes IGMP Querier
• Internet router = high IP
• Always one Querier per multicast VLAN
• IGMP Snooping ON in all AV VLANs

Step 2 — Routing

• Internet router needs one static route per VLAN back to the routing switch
• Otherwise, replies never return to the VLAN based subnets

Result

• Stable multicast behaviour
• No Dante/NDI dropouts
• Working internet from all AV VLANs
• Reliable device discovery
• A predictable, professional AVoIP network

                    Internet

                       |

         NETGEAR PR460X Router (192.168.1.254)

                       |

      Transit/Management VLAN (bijv. VLAN 1)

                       |

    NETGEAR GSM4328 / M4250 / M4350 (192.168.1.1)

             → IGMP Querier (laagste IP)

             → SVI VLAN10: 192.168.10.1

             → SVI VLAN20: 192.168.20.1

             → SVI VLAN30: 192.168.30.1

                       |

      --------- Trunks naar AV-switches ---------

          |                 |                |

      VLAN 10           VLAN 20          VLAN 30

      Dante             Mgmt             Video

192.168.10.0/24  →  192.168.1.1
192.168.20.0/24  →  192.168.1.1
192.168.30.0/24  →  192.168.1.1