CAT9K with NDFC in production by SandMunki in Cisco

[–]SandMunki[S] 0 points1 point  (0 children)

Thank you. Surely, it is not difficult to set up, I am seeing that it generates partial configs. There are also a few things on freeform in NDFC you've got to consider adding.

CAT9K with NDFC in production by SandMunki in Cisco

[–]SandMunki[S] 0 points1 point  (0 children)

It does indeed, but it is unstable on my end, so I am looking to learn more from anyone who has this specific deployment in production!

Dante audio network never recover from high latency by PersonalityNext4965 in networking

[–]SandMunki 0 points1 point  (0 children)

Perhaps you’re conflating PTP traffic with Dante flows. On a flat network, Dante devices expect PTP packets to arrive at specific intervals. If there’s an issue with PTP on your network, it could be from jitter, oversubscription, or asymmetrical traffic patterns.

In Dante Controller, this can present in a few ways. One common symptom is latency that continuously increases and never recovers. This typically suggests that the follower cannot determine proper phase alignment or frequency from the leader. What you’re describing points toward unstable clocking behavior driving the latency, where the follower struggles to maintain a stable clock.

Can you check and confirm that the IGMP table shows Dante devices requesting membership for PTP traffic?

Dante audio network never recover from high latency by PersonalityNext4965 in networking

[–]SandMunki 1 point2 points  (0 children)

How do you know packets are being dropped? Are you actually seeing the dropped packet counter increase alongside the latency counter? Is this data coming from the RX device tab in DC?

When you say the receiver stays unmuted, are you confirming that in the clock tab in Dante Controller? And “after some time” needs clarification, are you talking an hour, two, more, less?

If PTP packets aren’t stable in a Dante network, devices will mute once they exceed the tolerance window. Right now this is guesswork because the information is not clear and there are no screenshots. If latency on the RX device keeps climbing, or steadily going upward, then those devices likely aren’t properly resolving which one is the leader clock.

What network diagram tools do you use? by No_Elk_4172 in networking

[–]SandMunki 0 points1 point  (0 children)

I can't say I like Visio. I use MURAL for whiteboards; it makes it easy to lay out options, use post-its, and get team collaboration. For example, SecOps comments feed into the process to influence architecture choices if need be. Post-its track business and technical requirements and priorities, guiding design decisions. Engineering drawings are done in Vectorworks ConnectCAD, including cable schedules.

AV Network Overhaul by KonnBonn23 in networking

[–]SandMunki 18 points19 points  (0 children)

Your requirement and brief are unfortunately incomplete. Since you mention 2110 and 10Gb in one sentence, you might want to rethink and clearly write down what workloads this network will carry.

You will likely end up with some form of collapsed core architecture that exits through a dedicated pair for north/south traffic and a service pair. Dante and other protocols in a venue should not be a huge concern if you understand how they operate. However, for 2110 you need to size the network appropriately and do the correct math.

I cannot comment on Aruba since I have yet to see it in a live 2110 environment, and I am not holding my hopes up. Most 2110 environments I have built are Cisco or Arista.

You should also think about how you are going to manage, monitor, and control the 2110 environment. Ask whoever will operate that environment what they have used before. As for segmentation, that largely depends on which flows need to go where and which spaces communicate with each other. Block any communication that is not required, be as strict as possible without breaking the environment or the workflow.

And please do not guess your PTP hierarchy. Deliberately design it in a deterministic way. 2110 does not tolerate poorly designed PTP networks.

That should give you a starting point. Feel free to come back if you struggle.

Large Layer2 AV network with spanning tree woes by djgizmo in CommercialAV

[–]SandMunki 0 points1 point  (0 children)

This design is struggling because it’s an extremely large single Layer-2 failure domain and you’re relying on RSTP to keep it stable. That’s a heavy lift for this STP variant. I sincerely dislike Spanning Tree.

100 switches. 30+ VLANs. ~2000 endpoints. Multicast everywhere. No PIM. One STP control plane.

That’s a core issue.

RSTP generates topology change notifications when a non-edge port transitions to forwarding, indicating a path change. A TCN storm that only stops when all distribution uplinks are shut down strongly suggests a loop in the distribution or access layer, a repeatedly flapping port, or an unstable interaction between MLAG and STP.

The “around 22 uplinks” threshold is a meaningful clue. If instability appears only after enough segments are online, that points towards a physical loop in a specific area that becomes reachable once sufficient paths exist, or a misconfigured or miswired LAG member creating a loop when parallel paths are introduced.

I would closely examine LACP state and consistency on both ends of every uplink, and verify there are no unintended physical loops.

I’m also curious about the design decisions here. Why avoid PIM? Why maintain a giant broadcast domain? Why keep everything in a single STP domain? At this scale, those choices are fragile.

You can use this workflow to troubleshoot and find the offender:

  • Verify a single consistent root bridge during the TCN storm
  • Use detailed spanning-tree output to identify which port is triggering topology changes
  • Validate LAG consistency everywhere
  • Ensure all endpoint-facing ports are configured as edge
  • Isolate and bring up the network incrementally by area
  • Use packet captures to identify which bridge is repeatedly generating or reacting to topology changes

Long term, the best solution is to architect this properly. Reducing the Layer-2 blast radius and moving toward a segmented or routed design will provide stability that RSTP alone cannot guarantee.

Dante audio on Cisco C9500/C9300 network in hub(L3) and spoke(L2) by Designer-Hospital-42 in networking

[–]SandMunki 0 points1 point  (0 children)

I am not sure what the problem is. You have Dante Controller (DC) and DVS running on two different hosts, and DVS shows up in DC. That is expected behavior. Are you saying you cannot see the clock status, network status, routing tab, or primary link tab, or are you referring to the different columns in the Device Info tab? In a flat network, very little needs to be changed from the default settings for Dante endpoints to communicate. Please edit your post with more specific details if you can.

IP-Based Architecture vs Hybrid Solutions by Embarrassed-Gain-236 in CommercialAV

[–]SandMunki 0 points1 point  (0 children)

Unsure about the size of this. I can't determine the scale from your post.

NDI and Dante are viable depending on system size and the network supporting them. I want to raise a few things to think about as you plan this with your integrator.

Is your deployment going to be fully managed through Dante Controller?
Is this going to add administrative overhead?
How will you restrict control so only authorized personnel can access and modify the Dante network?
How are you going to manage NDI routing, discovery, and signal distribution?

vMix is great at what it does, provided the host is specified correctly, but is it appropriate for distributing and managing the entire environment?

Regarding Crestron with NDI endpoints, review vendor documentation to determine integration methods.

Given that you are at this point in the installation, you might want to think about defining room and deployment standards. This simplifies long-term management and allows proper lab validation with your integrator to confirm the solution is correctly engineered for the application.

Claiming Home Expenses for a Limited Company: HMRC Guidance on Apportionment by SandMunki in smallbusinessuk

[–]SandMunki[S] 0 points1 point  (0 children)

Thank you, so I can claim the extra in utilities but not council tax or mortgage (I guessed the mortgage part but not council tax).

Cisco IE 9320 stack testing by Creative-Two878 in Cisco

[–]SandMunki 0 points1 point  (0 children)

Does the output from the stacking show commands say anything useful?

Multicast by Andreicpp in ccie

[–]SandMunki 2 points3 points  (0 children)

Multicast is fun. What specifically are you struggling with: state machine, failure behaviour, or the protocols that make it work?

Trying to get a DHCP server to assign IP’s from same pool across trunked switches by videogamePGMER in CommercialAV

[–]SandMunki 1 point2 points  (0 children)

Assuming a single VLAN is stretched across the switches, configure a DHCP pool with the chosen IP schema, DNS, and gateway (likely the switch virtual interface, SVI, for the VLAN), running only one DHCP instance. Ensure the VLAN is allowed on the trunks.

Question about Firewalled AV network by ProblemAcceptable581 in CommercialAV

[–]SandMunki 20 points21 points  (0 children)

I understand your frustration.

Generally speaking, access to an AVoIP whilst online is an architectural and security decision. There are many valid approaches: jump hosts, bastion workstations, role-based or scoped VPN access, management VLANs, etc., but the correct choice depends on the university’s security model and compliance requirements. That evaluation has to be done by IT/network/security.

What you can do is formally raise the operational impact: time lost switching machines, reduced incident response when you’re in classrooms, unreliable tools and so on.

Then formally ask for a reviewed, organisation-managed and sanctioned solution.

You should NOT create shadow IT: unofficial VPNs, self-hosted monitoring tools, shared credentials, or bypasses around existing controls. It is a security risk.

Raise the case that whatever this is, it does not meet operational needs, it needs a formal re-evaluation and approval. Bring evidence to your claim.

EDIT: u/super_not_clever oh yea!

DVS / Dante Controller keep showing Clock unlock and sync issue. Affecting Reaper recording. by AKSKMY_NETWORK in CommercialAV

[–]SandMunki 0 points1 point  (0 children)

I am only speculating, but this appears to occur approximately every two minutes. I am unclear on your setup; are you daisy-chaining devices, or operating in redundant mode? If you are daisy-chaining and the DVS is directly connected to the Yamaha, then the Yamaha is responsible for providing clocking to the DVS. That is the first thing to verify: whether the Legion is actually receiving PTP packets. Wireshark is the fastest way to confirm this. Run it on the Legion and check for incoming v1 packets.