<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Networking on Thoughts and Ramblings by Mike</title><link>https://mikedent.io/categories/networking/</link><description>Recent content in Networking on Thoughts and Ramblings by Mike</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>Mike Dent</copyright><lastBuildDate>Sun, 03 May 2026 09:00:00 -0400</lastBuildDate><atom:link href="https://mikedent.io/categories/networking/index.xml" rel="self" type="application/rss+xml"/><item><title>Updating SSL Certificates for CML</title><link>https://mikedent.io/post/2026/5/updating-ssl-certificates-for-cml/</link><pubDate>Sun, 03 May 2026 09:00:00 -0400</pubDate><guid>https://mikedent.io/post/2026/5/updating-ssl-certificates-for-cml/</guid><description>
&lt;p&gt;If you have a Cisco Modeling Labs appliance in your lab or running on a piece of dedicated hardware, you have probably noticed two browser warnings every time you log in. CML ships with self-signed certs on both the main web UI and the Cockpit management UI, and your browser will complain about both. Cisco publishes an &lt;a href="https://developer.cisco.com/docs/modeling-labs/installing-ssl-certificate/"&gt;official guide for installing an SSL certificate on CML&lt;/a&gt;, and it is a solid starting point, but in my own runs it did not get me 100% of the way to the outcome I wanted. The procedure focuses on the nginx side, leaves Cockpit's quirks largely unaddressed, and does not cover renewal, rollback, or any pre and post checks. The helper script in this post fills those gaps so a single command handles the install, the renewal six months from now, and a rollback if something goes sideways. This post walks through what the script does, how to use it, and how to keep things tidy when your wildcard cert renews.&lt;/p&gt;</description></item><item><title>Why CML Earned a Permanent Spot in My Workflow</title><link>https://mikedent.io/post/2026/4/cisco-modeling-labs-workflow/</link><pubDate>Wed, 22 Apr 2026 09:00:00 -0400</pubDate><guid>https://mikedent.io/post/2026/4/cisco-modeling-labs-workflow/</guid><description>
&lt;p&gt;If you are a network engineer who has ever stared down a change window and wished you could test the exact topology before touching production, this post is for you. I want to walk through why Cisco Modeling Labs (CML) has become one of the most used tools in my day to day, and how it has shaped the way I approach design, migrations, and team enablement. The short version: a sandbox that mirrors real gear means fewer surprises at 2 AM, faster validation on design work, and a safer way to bring the next engineer up to speed.&lt;/p&gt;</description></item><item><title>Issues with DCBX and LLDP on NX-OS 10.x</title><link>https://mikedent.io/post/2025/03/nexus-lldp-issues/</link><pubDate>Fri, 14 Mar 2025 08:00:00 -0400</pubDate><guid>https://mikedent.io/post/2025/03/nexus-lldp-issues/</guid><description>
&lt;p&gt;I recently deployed a new Nexus 93180YC-EX switch into my home lab, to replace the aging 9372PX. Sure, for a home lab this was fine, but I wanted to get up to some 25GbE speeds! I've got various equipment connected to that old Nexus, with 2 Nutanix clusters and a single VMware cluster, plus various other things, nothing too difficult to move at all.&lt;/p&gt;
&lt;p&gt;Migrating from the 9372PX to the 93180YC-EX was fairly simple, the most cumbersome part was migrating the FEX from the old switch to the new switch. Then I started the code upgrades, as the switch was on an older v7 of NX-OS, and the recommended release for this model was 10.3(6). So off I went, and the next morning, I woke up, got some coffee, headed to my office to get ready for a demo, and noticed that my primary Nutanix Cluster was offline, but everything else was fine. CIMC showed that the host was up, but it wasn't pingable. Ok, let's troubleshoot.&lt;/p&gt;</description></item><item><title>Weekly Tech Tip: Check your FEC!</title><link>https://mikedent.io/post/2024/07/check-your-fec/</link><pubDate>Fri, 26 Jul 2024 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2024/07/check-your-fec/</guid><description>
&lt;h1 id="connectivity-issues-between-cohesity-c5016-nodes-and-nexus-93180yc-fx3h-switches"&gt;Connectivity issues between Cohesity C5016 Nodes and Nexus 93180YC-FX3H Switches&lt;/h1&gt;
&lt;p&gt;Very recently, I was deploying a new Cohesity C5016 appliance with 25Gb NICs, connecting up to a pair of Nexus 93180YC-FX3H switches. When using the 9K's in a VPC pair, my personal preference is to configure the Cohesity nodes with LACP to get the most bandwidth possible (regardless if it's 10Gb or 25Gb connectivity). Nothing super creative there, and I've done this dozens of times in the past with no issue, on both the Cohesity appliances and Nexus 9k's. But this time, it was different...&lt;/p&gt;</description></item><item><title>Zero Day Threat - Cisco Remote Access on ASA/FTD</title><link>https://mikedent.io/post/2024/04/zero-day-threat-cisco-remote-access-on-asa-ftd/</link><pubDate>Thu, 25 Apr 2024 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2024/04/zero-day-threat-cisco-remote-access-on-asa-ftd/</guid><description>
&lt;p&gt;Cisco recently patched two critical vulnerabilities in their firewall products, discovered after probable nation-state actors targeted them in a campaign dubbed &amp;quot;Arcane Door&amp;quot;. These zero-day vulnerabilities, found in devices running ASA and FTD software, were exploited to implant malware and possibly steal data. Cisco released three patches and tracks the hacking group as UAT4356; Microsoft tracks it as STORM-1849. These flaws, involving HTTP header parsing and a legacy VPN client preloading capability, allowed attackers root-level access, emphasizing the need for immediate patching and security upgrades.&lt;/p&gt;</description></item><item><title>FMCv 7.2 Upgrade Gotchas on AHV</title><link>https://mikedent.io/post/2022/07/fmcv-7-2-upgrade-gotchas/</link><pubDate>Fri, 01 Jul 2022 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2022/07/fmcv-7-2-upgrade-gotchas/</guid><description>
&lt;p&gt;Posting this more as a note to myself as a reminder and to also read the release notes a bit more carefully!  After recently going thru an upgrade of the Firepower Management Center from 7.0.x to 7.2 FMCv, specifically on the Nutanix AHV platform I ran into a bug where the VM would not boot after the upgrade.  &lt;/p&gt;
&lt;p&gt;While the upgrade completed, the VM stalled at boot, and then finally booted. However, there was no network access and I couldn't log in via console, which was odd. I thought to myself, well, here's a scenario where I'm glad I know I've got a backup!&lt;/p&gt;</description></item><item><title>Cisco ASA Dropped Traffic Notice: Critical Bug Alert</title><link>https://mikedent.io/post/2017/03/cisco-asa-dropped-traffic-notice/</link><pubDate>Fri, 31 Mar 2017 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2017/03/cisco-asa-dropped-traffic-notice/</guid><description>
&lt;p&gt;Cisco seems to be having a rough go of it lately with bugs that have a time bomb for certain hardware and software. This follows the Signal Component &lt;a href="http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64253.html"&gt;issues&lt;/a&gt; that plagued a large number of product lines (and, in Cisco’s defense, affected more than just Cisco; other vendors are affected too). I’m still waiting to find out when my Meraki MX84 will be replaced on that one 🙂&lt;/p&gt;
&lt;p&gt;Yesterday, Cisco released another &lt;a href="http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64291.html"&gt;Field Notice&lt;/a&gt; as well as a &lt;a href="http://blogs.cisco.com/security/urgent-proactive-customer-notification-asa"&gt;blog post&lt;/a&gt;, this time affecting a good number of ASA code versions dating back to 9.1.x, and certain FirePower versions.  The Field Notice states that all appliances are affected, so this is not a hardware issue like the Signal Component, but a software bug.    After around ~ +213 days, the appliance will just start to stop passing network traffic.&lt;/p&gt;</description></item><item><title>Cisco Nexus 7K Design with Active/Active FEX</title><link>https://mikedent.io/post/2017/02/cisco-nexus-7k-design-with-activeactive-fex/</link><pubDate>Mon, 06 Feb 2017 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2017/02/cisco-nexus-7k-design-with-activeactive-fex/</guid><description>
&lt;p&gt;Back in November 2015 I wrote a &lt;a href="https://mikedent.io/post/2015/11/fex-topologies-for-nexus/"&gt;post&lt;/a&gt; about FEX Topologies with the Cisco Nexus platforms, and at the time the Nexus 5K/6K line was the only model that would support the active/active FEX topology (FEX-AA), which was unfortunate in designing redundant connectivity for downstream devices.&lt;/p&gt;
&lt;p&gt;But with the release of NX-OS code 7.2 and above, we now get FEX-AA support on the 7000 and 7700 series switches!&lt;/p&gt;
&lt;h3 id="recap"&gt;Recap&lt;/h3&gt;
&lt;p&gt;To recap, if you were running the 7k or the 9k switches with FEXs, you’d need to single-home (Straight Through) the FEX to the parent Nexus, much like the image below. The FEX was tied to the parent switch, and we’d rely on NIC teaming or multiple NICs on the servers/devices connected to the FEX to provide dual homing or redundancy for connectivity.&lt;/p&gt;</description></item><item><title>Deploying NSX in a Home Lab - Part 2</title><link>https://mikedent.io/post/2016/04/deploying-nsx-in-a-home-lab-part-2/</link><pubDate>Fri, 01 Apr 2016 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2016/04/deploying-nsx-in-a-home-lab-part-2/</guid><description>
&lt;p&gt;It’s been over 6 months since I last had NSX working in my home lab, and with a rebuild I decided it was time to wrap up Part 2 of my NSX in a home lab blog post.&lt;/p&gt;
&lt;p&gt;In &lt;a href="http://34.207.103.27/2015/10/22/deploying-nsx-in-a-home-lab-part-1/"&gt;Part 1&lt;/a&gt; of my Deploying NSX series, we covered the prep of NSX in the environment, including deploying the NSX Manager appliance, deploying NSX Controllers and vSphere host preparation. In this part of the series, we’ll cover the creation of Logical Switches and our NSX Edge, which consists of our Edge Services Gateway (providing DHCP, Firewall, VPN, NAT, Routing and Load Balancing capabilities). Part 3 will cover the deployment of the Logical Router, which provides our routing and bridging for the existing networks, as well as configuring routing to get traffic into and out of our new NSX environment.&lt;/p&gt;</description></item><item><title>Deploying NSX in a Home Lab - Part 3</title><link>https://mikedent.io/post/2016/04/deploying-nsx-in-a-home-lab-part-3/</link><pubDate>Fri, 01 Apr 2016 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2016/04/deploying-nsx-in-a-home-lab-part-3/</guid><description>
&lt;p&gt;Onto the Logical Router….&lt;/p&gt;
&lt;p&gt;In &lt;a href="http://34.207.103.27/2015/10/22/deploying-nsx-in-a-home-lab-part-1/"&gt;Part 1&lt;/a&gt; of my Deploying NSX series, we covered the prep of NSX in the environment, including deploying the NSX Manager appliance, deploying NSX Controllers and vSphere host preparation. In &lt;a href="http://34.207.103.27/2016/04/01/deploying-nsx-in-a-home-lab-part-2"&gt;Part 2&lt;/a&gt; of the series, we covered the creation of Logical Switches and our NSX Edge, which consists of our Edge Services Gateway (providing DHCP, Firewall, VPN, NAT, Routing and Load Balancing capabilities). In our 3rd part in the series, we’ll cover the deployment of the Logical Router, which provides our routing and bridging for the existing networks, as well as configuring routing to get traffic into and out of our new NSX environment.&lt;/p&gt;</description></item><item><title>FEX Topologies for Nexus: Complete Configuration Guide</title><link>https://mikedent.io/post/2015/11/fex-topologies-for-nexus/</link><pubDate>Thu, 19 Nov 2015 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2015/11/fex-topologies-for-nexus/</guid><description>
&lt;p&gt;I’m a big fan of the Cisco Fabric Extenders when it comes to getting more ports in a data center topology. I like the ease of management and simple layout for getting connections onto the FEX. However, after speaking with a few coworkers and friends, I came to the conclusion that the supported FEX topologies are still somewhat confusing between the Nexus line, and what is actually supported from a connectivity standpoint on the FEX’s.&lt;/p&gt;</description></item><item><title>Installing ManageEngine OpUtils on CentOS 7</title><link>https://mikedent.io/post/2015/11/installing-manageengine-oputils-on-centos-7/</link><pubDate>Fri, 13 Nov 2015 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2015/11/installing-manageengine-oputils-on-centos-7/</guid><description>
&lt;p&gt;&lt;strong&gt;Background&lt;/strong&gt;&lt;br&gt;
I’ve been using ManageEngine’s &lt;a href="https://www.manageengine.com/products/oputils/"&gt;OpUtils&lt;/a&gt; product for a few years now for IP Address Management (IPAM). While it has a lot of other great features, I’ve really liked the way they do IPAM. Yes, Microsoft has IPAM now built into Windows, but I’ve never liked the setup of the Windows IPAM configuration, and the lack of a good Web UI for IPAM made me like it even less.&lt;/p&gt;
&lt;p&gt;OpUtils provides a subset of the OpManager Suite from ManageEngine, and subsequently integrates into OpManager. OpUtils 8 runs on both Windows and Linux platforms, and I’ve always run it on Windows, a) because it’s easier to set up and get going, and b) it offers the ability to pull OS level information once you set up domain credentials thru WMI.&lt;/p&gt;</description></item><item><title>Deploying NSX in a Home Lab - Part 1</title><link>https://mikedent.io/post/2015/10/deploying-nsx-in-a-home-lab-part-1/</link><pubDate>Thu, 22 Oct 2015 00:00:00 +0000</pubDate><guid>https://mikedent.io/post/2015/10/deploying-nsx-in-a-home-lab-part-1/</guid><description>
&lt;h3 id="im-a-fan-of-nsx"&gt;&lt;strong&gt;I’m a fan of NSX.&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Ever since I deployed it for the first time, and got it working, I realize the power, AND ease of what it would provide.&lt;/p&gt;
&lt;p&gt;I’ve had &lt;a href="https://www.vmware.com/products/nsx"&gt;VMware NSX&lt;/a&gt; deployed in my lab for a while now, but I wanted to migrate my vSphere environment over to utilizing NSX fully for all VM’s, minus vCenter, the PSC, etc.&lt;/p&gt;
&lt;p&gt;At the time, I never put much thought into how I deployed NSX, just got it installed, working and done. I decided since I’m starting the process of rebuilding my lab (again…), to document the process of getting it installed.&lt;/p&gt;</description></item></channel></rss>