New Adtran 12-Port Switch, putting devices in "Public Network"



Any way you could try an Adtran at the top layer and see if you could get that to work when directly connected to a DC on the same switch?

 

Something is going on with that, and it's not making any sense. Have you tried Adtran support? It certainly doesn't make sense. I do not have issues with Cisco switches (when connected business class to small business class).


1 minute ago, sc302 said:

Any way you could try an Adtran at the top layer and see if you could get that to work when directly connected to a DC on the same switch?

 

Something is going on with that, and it's not making any sense. Have you tried Adtran support? It certainly doesn't make sense. I do not have issues with Cisco switches (when connected business class to small business class).

Yeah, I'd have to do it after hours, or take the DC2 system and connect it to the Adtrans and leave DC1 up; however, I don't know if that would cause its own problems. I am thinking it's an issue with the Netgear vs. Adtran switches, because there are no problems on Adtran > TP-Link router > site-to-site VPN > SonicWall > Netgear > fiber > Netgear > domain controllers.


OK, let's take a step back and go over what we know and don't know.

 

Switches, no matter what brand, should play nice. Is this always the case? Maybe not. But let's go over what they might be having an issue with and see how that might cause the problem. You stated that stuff works, other than the machine saying it's in a public network vs. domain.

 

Understanding the full process of how the machine determines this could help us pinpoint the part of the process that is failing. To be honest, I am not 100% sure of the whole process, and off the top of my head I'm not clear on what could be causing this problem. But let's go over what we know. When you say things work, is the performance 100%? Or could it be possible that the uplink from the Adtran to the Netgear has a problem; could it be in a duplex mismatch for some reason? While stuff can work with a mismatch, the performance should be pretty bad. Have you done a file copy to see that you're getting full speed?

 

You mentioned you thought there might be a broadcast storm going on?  Have you looked into this more?

 

Why are you setting static vs. DHCP? Is DHCP not working either? Part of a machine being a member of a domain is that its DNS gets updated, both the forward record and the PTR; DHCP running on the AD server has a part it can play in this registration. Maybe this is a contributing factor? I would see what happens when using DHCP.

 

I would suggest you do a packet capture of a machine booting up and working correctly, and then one of this machine connected to the Adtran switch, and see what is going on. This for sure should tell us why it's not seeing the network as domain. You should be able to do this with a SPAN port, so you can catch the whole boot-up process and traffic on the network even before login, etc., and then the whole login process. Curious: when you log in, are you actually talking to the domain, or are you logging in from cache?

 

Is it possible the network is just coming up too slowly, and the machine cannot yet talk to the domain when it determines what network it's on?

 

Here is an article that talks about such a scenario with the NLA service:

https://newsignature.com/articles/network-location-awareness-service-can-ruin-day-fix

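The checks BudMan lists above (what NLA decided, whether NlaSvc is delayed-start, link speed/duplex on the uplink side, whether a DC is actually reachable, and whether the logon came from cache) can be collected in one go from the affected workstation. The script below is an added example for this thread, not something either poster provided; it assumes Windows PowerShell 5.1 or later on a domain-joined Windows 8 / Server 2012 or newer client, run from an elevated session, and reads the domain name from the machine itself. The cached-logon check is a heuristic (LOGONSERVER points at the local machine after a cached logon), labelled as such in the code.

```powershell
# Added example (not from the thread): gather the facts asked about in the
# post above from a client that shows "Public Network" instead of "Domain Network".
# Assumptions: elevated Windows PowerShell 5.1+, Windows 8/2012 or later,
# domain name taken from Win32_ComputerSystem.

function Get-NlaDiagnostics {
    [CmdletBinding()]
    param()

    $domain = (Get-CimInstance Win32_ComputerSystem).Domain

    # 1. What NLA decided per interface. "DomainAuthenticated" is the state
    #    that shows up as "Domain Network" in the UI.
    $profiles = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, Name, NetworkCategory

    # 2. NLA service start mode. Win32_Service exposes DelayedAutoStart on
    #    Windows 8 / Server 2012 and later.
    $nla = Get-CimInstance Win32_Service -Filter "Name='NlaSvc'" |
        Select-Object State, StartMode, DelayedAutoStart

    # 3. Negotiated speed/duplex on each physical adapter. A gigabit client
    #    that negotiated 100 Mb half duplex is the mismatch BudMan asks about.
    $links = Get-NetAdapter -Physical |
        Select-Object Name, Status, LinkSpeed, FullDuplex

    # 4. Can the client still locate a DC? The SRV lookup is what the domain
    #    locator uses; Test-ComputerSecureChannel proves a DC actually answered.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
    $secureChannel = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    # 5. Cached-logon heuristic (assumption, not from the thread): a logon
    #    validated by a DC sets LOGONSERVER to that DC; a cached logon sets it
    #    to the local computer name.
    $cachedLogon = (($env:LOGONSERVER -replace '^\\\\', '') -eq $env:COMPUTERNAME)

    [pscustomobject]@{
        Domain          = $domain
        Profiles        = $profiles
        NlaService      = $nla
        Adapters        = $links
        DcSrvRecords    = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port
        SecureChannelOk = [bool]$secureChannel
        CachedLogon     = $cachedLogon
    }
}

Get-NlaDiagnostics | Format-List
```

Run it once on a workstation that identifies correctly and once on one behind the Adtran port; the interesting differences are NetworkCategory, the SRV answer (present or empty) and SecureChannelOk. If DcSrvRecords is empty while the Netgear-connected machine returns records, DNS resolution during identification is the thing to chase in the packet capture; if the SRV answer is there but SecureChannelOk is false, look at the port's forwarding state instead.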

So, messing with this some more this morning: I have my domain-joined workstation plugged into an Adtran 1638P, which is then plugged into a Netgear 48-port fiber switch, and all of the servers are plugged into that.

 

I believe this is 100% due to some way the Adtran is initializing the link. I am now able to reproduce the problem, as well as the solution (not a 100% solution), all of the time.

 

In the Adtran settings, under Ports, there is an option you can apply to ports called "Edge Port Mode", with the description: "Edge-ports will transition directly to the forwarding state. This setting only requests that this port operate in edge-port mode, but the port will not operate in that mode if a spanning tree BPDU is received on this port. Edge-Port Status indicates whether or not this port is actually operating in that mode."

 

If I enable Edge Port Mode on the port that the workstation is configured for, then reboot the workstation or enable/disable the adapter in Windows, it literally spends 3 seconds "Identifying" and then goes to "Domain Network".

 

The problem comes into play when I reboot the switch: the system then sits at "Identifying" for 20 seconds, goes back to "Public Network", and never returns to "Domain Network" even after sitting for 30+ minutes. It's like the links are taking too long to come up fully, so Windows defaults to "Public Network". So that's why I say it's not a 100% solution.

 

Also, I'm not sure of the ramifications of setting "Edge Port Mode" to Enable for all of the workstation ports.


"ports of "Edge Port Mode" with a description of "Edge-ports will transition directly to the forwarding state."

 

This sounds the same as PortFast. This is the normal setting for all ports that actually connect to devices and not to switches or routers, etc., i.e. "edge" devices ;)

 

So if you look at my article about NLA being set to delayed start, this could also help with your issue. As I stated, I think it was just taking too long for the network to actually come up, and the NLA service was not seeing the domain, so it defaults to public.

 

Dumb switches normally don't have such a feature because they do not support any sort of spanning tree protocol, but yes, normally on smart/managed switches connected to actual "edge" type devices (workstations, servers, etc.), PortFast, or whatever they want to call it, should be enabled.

 

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10553-12.html

Using PortFast and Other Commands to Fix Workstation Startup Connectivity Delays

 

While the above is Cisco-centric, it goes over some of the technologies that make up your STP, and what can slow down a port from going into forwarding mode.

 

You will notice I mentioned this back earlier in the thread, and specifically brought up PortFast:

 

"Try changing that to delayed start, also are you ports to set to port fast on the switch which may or may not be part of default setup?  If not they can take a long time to come up and your NLA could be starting first and not seeing the domain sets public..."

 

A typical symptom of not having PortFast enabled is that DHCP doesn't work on the client, which is one of the reasons why I asked why you were using static and not DHCP.


5 hours ago, BudMan said:

A typical symptom of not having PortFast enabled is that DHCP doesn't work on the client, which is one of the reasons why I asked why you were using static and not DHCP.

Yeah, it is the equivalent of PortFast; Adtran just calls it "Edge Port Mode". I am testing with this option enabled on the workstation ports and it seems promising so far. By default this is disabled for all ports on all of these Adtran switches.

 

Should I only enable it for workstations/servers and keep it disabled for links to other switches? What about wireless APs as well, enable or disable?


APs would be fine for PortFast; other switches, normally not, since you would want to make sure there is no loop before you bring up the link. That's the whole point of STP.

 

As your network grows you're going to want to plan out your STP and decide what specific protocol you use. But it seems you're just now getting into smart switches; all your other switches were dumb?

 

Connecting a device that might create a loop is something you do not want to have PortFast enabled on. So switch-to-switch ports should not have it enabled, etc. If the computer/server has multiple NICs, you have to make sure those NICs are not bridged, as that could cause a loop.

 

Keep in mind that changing your NLA service to delayed start can be very helpful on a machine where the network is slow to come up as well.


4 minutes ago, BudMan said:

APs would be fine for PortFast; other switches, normally not, since you would want to make sure there is no loop before you bring up the link. That's the whole point of STP.

 

As your network grows you're going to want to plan out your STP and decide what specific protocol you use. But it seems you're just now getting into smart switches; all your other switches were dumb?

 

Connecting a device that might create a loop is something you do not want to have PortFast enabled on. So switch-to-switch ports should not have it enabled, etc. If the computer/server has multiple NICs, you have to make sure those NICs are not bridged, as that could cause a loop.

Got it. Actually, all of the switches at 7 buildings are being changed to Adtran switches; all buildings are already connected via aerial fiber. So I will make sure to enable the setting on all of the gigabit interface ports, except where a switch-to-switch link might be, and also leave it disabled on the fiber interface ports between switches. The switches default to RSTP, which is what we are currently using on the Netgears. The network as it stands will not grow any more over time, but we may add additional site-to-site networks.

 

My only issue is still: when I reboot one of these switches, the workstations lose their network identity, since the port is enabled but doesn't start forwarding traffic before Windows defaults to "Public Network". The solution for me now is, if I notice an outage (switches are monitored with e-mail/text notification), I will have to PuTTY into the switch's CLI and do a "select port 1-24", then a "shutdown" and "no shutdown" to reset them. It's kind of stupid that I have to do this, but they won't be rebooted unless something happens like a power failure beyond battery backup capacity. I've tested this workaround and it does work.


"all being changed to Adtran switches"

 

Who picked that brand? I have one customer we deal with that has some of them; not really impressed with what I've seen of them. Luckily they are all being phased out with Cisco.

 

As to your issue on the reboot of the machines, change the NLA to delayed start; that should fix that problem.


4 minutes ago, BudMan said:

"all being changed to Adtran switches"

 

Who picked that brand? I have one customer we deal with that has some of them; not really impressed with what I've seen of them. Luckily they are all being phased out with Cisco.

 

As to your issue on the reboot of the machines, change the NLA to delayed start; that should fix that problem.

Telco provider; apparently Adtran has some over-the-web service features that they can interface back to their management/monitoring service. Wasn't really my choice, but we'll see how things go.

 

So probably the best way to do that is to set NLA to delayed start via GPO on the workstations?

 

Actually, just thought of this: it's OK if I reboot a workstation after a switch restart; then it does detect the "Domain Network". It's only when the switch is restarted and the workstation tries to re-identify to the switch as it is coming up, before it starts forwarding. So NLA service delayed start won't help.

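Two things come out of the last few posts: "set NLA to delayed start via GPO" is, on each workstation, a single service-configuration change, and the "shutdown / no shutdown" on the switch after a reboot is a way to make the already-booted clients re-evaluate their network. The script below is an added example for this thread, not code from either poster or from Adtran. Set-NlaDelayedStart shows what the GPO setting amounts to on the client (run as a GPO computer startup script, or push it with Invoke-Command); it uses sc.exe, which writes the same DelayedAutostart registry value that Group Policy Preferences would. Repair-NlaProfile is a client-side alternative to bouncing the switch ports: restarting the NLA service is a general workaround for a profile stuck on "Public", not something the thread proposes, and it only intervenes when a DC is actually reachable, so a genuinely isolated machine stays Public. Assumptions: Windows PowerShell 5.1 or later, an elevated session, and WinRM enabled on the targets for the remote variant.

```powershell
# Added example (not from the thread).
# (a) Set-NlaDelayedStart: the per-workstation effect of "NLA to delayed start".
# (b) Repair-NlaProfile: client-side alternative to "shutdown / no shutdown"
#     on the switch after a switch reboot. Restarting NlaSvc is assumed here as
#     a general workaround; the thread itself does not suggest it.
# Assumptions: elevated Windows PowerShell 5.1+, WinRM enabled on targets.

function Set-NlaDelayedStart {
    # sc.exe needs the space after "start="; this sets
    # HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\DelayedAutostart = 1,
    # the same value GPP Services or the Services MMC writes.
    & sc.exe config NlaSvc start= delayed-auto | Out-Null
    $value = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc' -Name DelayedAutostart
    return ($value -eq 1)   # $true when the change took effect
}

function Repair-NlaProfile {
    # Re-evaluate the network profile on one or more clients after a switch
    # reboot left them on "Public". Runs locally when no name is given.
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $stuck = Get-NetConnectionProfile |
            Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }
        if (-not $stuck) {
            return "$env:COMPUTERNAME: already DomainAuthenticated, nothing to do"
        }

        # Only intervene if a DC answers; otherwise "Public" is the right answer
        # and restarting NLA would just re-confirm it.
        if (-not (Test-ComputerSecureChannel -ErrorAction SilentlyContinue)) {
            return "$env:COMPUTERNAME: no DC reachable, leaving profile alone"
        }

        # -Force also restarts services that depend on NlaSvc (e.g. the
        # Network List Service), which is what makes the profile re-evaluate.
        Restart-Service -Name NlaSvc -Force
        Start-Sleep -Seconds 10

        $after = Get-NetConnectionProfile |
            Select-Object -ExpandProperty NetworkCategory -First 1
        "$env:COMPUTERNAME: profile now $after"
    }
}

# Usage on the local machine:
Set-NlaDelayedStart
Repair-NlaProfile

# Usage against several workstations after a switch reboot (hypothetical names):
# Repair-NlaProfile -ComputerName 'WS-BLDG1-01','WS-BLDG1-02'
```

Repair-NlaProfile pairs with the switch monitoring the OP already has: the same alert that would trigger the "shutdown / no shutdown" can instead trigger this against the workstations on that switch. Whichever is used, Edge Port Mode on the access ports is still worth keeping, because it removes the 30-second listening/learning delay that lets NLA finish identification before the port forwards in the first place.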

Switch restart? Yeah, that should be really, really rare. We have some switches that have not been rebooted in years (which doesn't say much about whether they're keeping up with patches ;)). But if you have a UPS set up for your switches, they should just run and run and run, and should only require a reboot on an update of their firmware.

