Ask the Expert: Cisco Prime Infrastructure - Implementation and Deployment

Similar Messages

• Ask the Expert: Cisco's 802.11ac Solutions - Deployment, Design, and Interop

  Ask your Questions on Cisco’s 802.11ac Solutions - Deployment, Design, and Interop with Cisco Experts: Richard Hamby and Shankar Ramanathan.
  Monday, March 30th, 2015 to Friday, April 10th, 2015
   Richard Hamby is a senior technical support engineer and Team Lead of the Cisco Technical Assistance Center in Richardson, Texas.  He is an expert in Indoor and Outdoor wireless for the full line of Cisco Unified and Converged Access Wireless products, as well as TAC Engineering Engagement Engineer liaison to project engineering teams for new Cisco wireless products.  Prior to his current role, Richard was a customer support engineer with the AAA Security TAC team supporting Cisco identity management solutions and been with Cisco since 2009.
  Shankar Ramanathan is a Customer Support Engineer at the Cisco Technical Center. He is a Technical Content Engineer and Subject Matter Expert for Cisco Enterprise Unified and Converged Access wireless mobility solution including Wireless LAN Controller  2500/5500/WISM2/7500/8500, Converged access 5760/3650/3850 switches,  Access Points Lightweight and Autonomous, VoWLAN (792x/9971) , Cisco Prime Infrastructure SNMP management, Cisco Mobility Services Engine(MSE/ CMX). Prior to joining Cisco in  November 2011, he worked as a wireless network engineer at Elan Technologies, responsible for RF wireless network planning, simulation, propagation path analysis, and optimization of Wi-Fi 802.11 mesh and WiMax (802.16 d/e) networks for various system  integration and automation projects. Shankar holds a master of science degree in electrical engineering specializing in communications and signal process from the State University of New York, Buffalo. Shankar has a CCIE in Wireless(#40548) and CCNA  certified (number 410004168640IMZF) and has over six years of industry experience.
  Find other  https://supportforums.cisco.com/expert-corner/events.
  **Ratings Encourage Participation! **
  Please be sure to rate the Answers to Questions

  A common question we are asked is 'why is my device not achieving 11ac data rates?'
  One of the most common answers relates to client compatibility/capability. To get the highest possible data rates of 11ac (assuming proper distance and RF health), the AP and the client device must both be capable supporting the requirements - 5GHZ, 80MHz Channel, short guard interval, 3 spatial streams. Each spatial stream has a max of 433.3Mb/s (at 80MHz, short GI).
  The majority of 11ac-capable wireless cards on the market do not support 3 spatial streams. Most adapters in wireless-capable devices are 1SS or 2SS.  For example, the Intel 7260 11ac adapter used in many devices is a 2SS adapter - therefore it's max possible data rate is 866.7.  Another common adapter in use is the 11ac Broadcom 3SS that Apple uses in the newer Macbooks.  These devices can achieve the 1.3GBs PHY data rate.
  This guidance is the same for 11n adapters as well.  To achieve max rate, your 11n AP and adapter must both support 40MHz channels, 3SS, short GI.
  Note: The 11n and 11ac standards both define support for 4SS.  4SS-capable devices are rare, so 3SS is essentially our reality.
  One of the most useful references for questions related to this topic is the AP Data Sheet for each AP.  Here's the AP3700 for example:
  http://www.cisco.com/c/en/us/products/collateral/wireless/3700-series-access-point/data_sheet_c78-729421.html
  Table 1 lists the expected data rate per MCS Index value by #SS at each channel width and GI. Indexes 0-7 are the same for 11n and 11ac (11n limited to 40MHz channels of course).  And MCS 8 & 9 are 11ac-only 256-QAM modulations. 

• Ask the Expert:Cisco Prime Network Registrar

  With Pete Newcomb & Jim Brown 
  Welcome to the Cisco Support Community Ask the Expert conversation. Learn from experts Peter Newcomb and Jim Brown about  Cisco Prime Network Registrar, Cisco's industry leading solution for integrated DNS, DHCP and  IP address management (IPAM) services  for both IPv4 and IPv6. 
  Pete Newcomb is a technical marketing engineer in Cisco's Network Management and Technology Group and has over 30 years of experience in the voice and data communications industry, including sales support and product engineering support with several companies. His design and development background includes wireless services, switching, routing, TCP/IP, Frame Relay, X.25, telephony services, risk management, and network security. 
  Jim Brown is a customer support  engineer in Cisco's Network Management and Technology Group. He has over 35 years of experience in development engineering and customer service, real-time and fault tolerant operating systems, and network management for the telecommunications and software industries. For the last 14 years he has been with the Network Registrar Development Team, interfacing with Customer Service and directly with customers in problem solving.
  Remember to use the rating system to let Pete and Jim know if you have received an adequate response.  
  Pete and Jim might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community   forum shortly after the event. This event lasts through January 18, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Jorge,
     Absolutely, Prime CNR supports IPv6 since CNR 6.x versions...
     For IPv6 configuration instructions on latest versions of CPNR you should start here;
        http://www.cisco.com/en/US/partner/docs/net_mgmt/prime/network_registrar/8.1/user/guide/UG25_IP6.html
                                                      Best Regards
                                                      Jim Brown

• Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
  October 27, 2014 through November 7, 2014.
  The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
  Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
  Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
  Remember to use the rating system to let Craig know if you have received an adequate response.
  Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
  (Comments are now closed)

  1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
  2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
  a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
  b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
  For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
  Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
  If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy.  If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
  A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
  Regarding AD multi-domain support...
  Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
  Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
  When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
  In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
  Regards,
  Craig

• Ask the Expert: Cisco Nexus 2000, 5000, and 6000 Series Switches

  with Cisco Expert Vinayak Sudame
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions how to configure and troubleshoot the Cisco Nexus 2000, 5000 and 6000 Series Switches with Cisco subject matter expert Vinayak Sudame. You can ask any question on configuration, troubleshooting, features, design and Fiber Channel over Ethernet (FCoE).
  Vinayak Sudame is a Technical Lead in Data Center Switching Support Team within Cisco's Technical Services in RTP, North Carolina. His current responsibilities include but are not limited to Troubleshooting Technical support problems and Escalations in the areas of Nexus 5000, Nexus 2000, FCoE. Vinayak is also involved in developing technical content for Cisco Internal as well as external. eg, Nexus 5000 Troubleshooting Guide (CCO), Nexus 5000 portal (partners), etc. This involves cross team collaboration and working with multiple different teams within Cisco. Vinayak has also contributed to training account teams and partners in CAE (Customer Assurance Engineering) bootcamp dealing with Nexus 5000 technologies. In the past, Vinayak's responsibilities included supporting MDS platform (Fiber Channel Technologies) and work with EMC support on Escalated MDS cases. Vinayak was the Subject Matter Expert for Santap Technologies before moving to Nexus 5000 support. Vinayak holds a Masters in Electrical Engineering with Specialization in Networking from Wichita State University, Kansas. He also holds Cisco Certification CCIE (#20672) in Routing and Switching.
  Remember to use the rating system to let Vinayak know if you have received an adequate response.
  Vinayak might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Data Center sub-community, Other Data Center Topics discussion forum shortly after the event.
  This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

  Hi Vinayak,
  Output of "show cfs internal ethernet-peer database"
  Switch 1
  ETH Fabric
  Switch WWN              logical-if_index
  20:00:54:7f:ee:b7:c2:80 [Local]
  20:00:54:7f:ee:b6:3f:80 16000005
  Total number of entries = 2
  Switch 2
  ETH Fabric
  Switch WWN              logical-if_index
  20:00:54:7f:ee:b6:3f:80 [Local]
  20:00:54:7f:ee:b7:c2:80 16000005
  Total number of entries = 2
  Output of "show system internal csm info trace"
  Switch 1 in which "show cfs peers" show proper output
  Mon Jul  1 05:46:19.145339  (CSM_T) csm_sp_buf_cmd_tbl_expand_range(8604): No range command in buf_cmd_tbl.
  Mon Jul  1 05:46:19.145280  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
  Mon Jul  1 05:46:19.145188  (CSM_T) csm_sp_handle_local_verify_commit(4291):
  Mon Jul  1 05:46:19.145131  csm_continue_verify_ac[597]: peer is not reachable over CFS so continuing with local verify/commit
  Mon Jul  1 05:46:19.145071  csm_tl_lock(766): Peer information not found for IP address: '172.16.1.54'
  Mon Jul  1 05:46:19.145011  csm_tl_lock(737):
  Mon Jul  1 05:46:19.144955  (CSM_EV) csm_sp_build_tl_lock_req_n_send(941): sending lock-request for CONF_SYNC_TL_SESSION_TYPE_VERIFY subtype 0 to Peer ip = (172.16.1.54)
  Mon Jul  1 05:46:19.143819  (CSM_T) csm_copy_image_and_internal_versions(788): sw_img_ver: 5.2(1)N1(2a), int_rev: 1
  Mon Jul  1 05:46:19.143761  (CSM_T) csm_sp_get_peer_sync_rev(329): found the peer with address=172.16.1.54 and sync_rev=78
  Mon Jul  1 05:46:19.143699  (CSM_T) csm_sp_get_peer_sync_rev(315):
  Mon Jul  1 05:46:19.143641  (CSM_EV) csm_sp_build_tl_lock_req_n_send(838): Entered fn
  Mon Jul  1 05:46:19.143582  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
  Switch 2 in which "show cfs peers" does not show proper output
  Mon Jul  1 06:13:11.885354  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 77 seq 482
  Mon Jul  1 06:13:11.884992  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 357 seq 369
  Mon Jul  1 06:13:11.884932  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 357 seq 368
  Mon Jul  1 06:13:11.884872  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 357 seq 367
  Mon Jul  1 06:13:11.884811  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 357 seq 366
  Mon Jul  1 06:13:11.884750  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 352 seq 365
  Mon Jul  1 06:13:11.884690  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 352 seq 364
  Mon Jul  1 06:13:11.884630  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 352 seq 363
  Mon Jul  1 06:13:11.884568  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 352 seq 362
  Mon Jul  1 06:13:11.884207  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733916569.txt
  Mon Jul  1 06:13:11.878695  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
  Mon Jul  1 06:13:11.878638  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
  Mon Jul  1 06:12:29.527840  (CSM_T) csm_pss_del_seq_tbl(1989): Freeing seq tbl data
  Mon Jul  1 06:12:29.513255  (CSM_T) csm_sp_acfg_gen_handler(3106): Done acfg file write
  Mon Jul  1 06:12:29.513179  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733911262.txt
  Mon Jul  1 06:12:29.508859  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
  Mon Jul  1 06:12:29.508803  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
  Mon Jul  1 05:53:17.651236  Collecting peer info
  Mon Jul  1 05:53:17.651181  Failed to get the argumentvalue for 'ip-address'
  Mon Jul  1 05:40:59.262736  DB Unlocked Successfully
  Mon Jul  1 05:40:59.262654  Unlocking DB, Lock Owner Details:Client:1 ID:1
  Mon Jul  1 05:40:59.262570  (CSM_T) csm_sp_del_buf_cmd(1713): Deleting comand with Id = 1
  Mon Jul  1 05:40:59.262513  DB Lock Successful by Client:1 ID:1
  Mon Jul  1 05:40:59.262435  Recieved lock request by Client:1 ID:1
  Mon Jul  1 05:40:41.741224  ssnmgr_ssn_handle_create_get: Session FSM already present, ID:1
  Mon Jul  1 05:40:41.741167  ssnmgr_handle_mgmt_request: Create/Get request received for session[process_n5kprof]
  show cfs lock gives no output.
  Just to further clarify, we have 4 5548UP switches in the same management vlan. 2 switches are in one location lets say location A and they are CFS peers and are working fine.
  These two switches which are having problem are in location B. All the switches are in the same vlan. Essentially the all CFS multicast messages will be seen by all 5548 switches as they are in the same vlan. I am assuming that this might not create any problems as we specify the peers in the respective configurations. Or do we have to change the CFSoIPv4 multicast addresses in location B or may be configure a different region.
  Regards.

• Ask the Expert: NGWC (3850/5760): Architecture and Deployment

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about NGWC (3850/5760): Architecture and Deployment.
  Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015
  This Ask the Expert Session will cover questions spanning NGWC products (3850/5760) on Implementation and Deployment from the Wired and Wireless perspective. This will be more specific to Customer’s and Partners questions covering 3850/5760 configuration, Implementation and deployment.
  Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS)  handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco Wireless CUWN and NGWC Product line. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS) and CCIE (DC-Written) and CCIE Wireless certification.
  Naveen Venkateshaiah is working as a Customer support engineer in High-Touch Technical Services (HTTS) handling  and supporting Lan-switching and Data center Products. His areas of expertise include Catalyst 3k,4k , 6500 , Nexus 7k Platform  He has over 7 years of industry experience working with large Enterprise and Service Provider networks. He also holds CCNA, CCNP (RS) and  CCDP-ARCH,CCIE-R&S Written, AWLANFE, LCSAWLAN Certification.
  Find other  https://supportforums.cisco.com/expert-corner/events.
  **Ratings Encourage Participation! **
  Please be sure to rate the Answers to Questions

  Hi Dhiyadav,
  thank you for your reply it cleared some doubts that were in my mind but i need your more support to guide me a converged access deployment which i am going to deploy within few days.
  i have 
  2x5508 in HA as MC
  30x3850 switches, and all will be used as MA(s) with multiple SPGs
  2X5508  1:1 as an anchor controller
  1xISE 1.3 for guest access
  1xCPI for wireless mgmt and monitoring purpose
  1xMSE3355 with wips and context aware licenses
  200x cisco 3702i WAP
  50x WSSI module for monitoring the channels
  can you please put a light on the design and guide me that which are the best possible solutions to get this job done very smoothly.
  i will also let you know about my proposed design scenario but for sure i need your recommendations as well :)
  so,
  i will use 2x5508 wlcs in HA as a MC which are AP-Count and HA licensed..
  3850 switches will be MA and i ll configure SPGs per floor switches stacks 
  WAPs will join on these 3850 MAs base on each floor
  i would have 2 ssid like employee and guest
  i will configure them on each 3850 stack MA along with their SVIs for users access like (empolyee and guest ssid)
  here my question is for guest ssid and its vlan... do i configure it here or on anchor controller???
  i want ISE to be integrated with wireless for employee 802.1x and for guest web Auth. so, how i will integrate ISE with wireless. i mean weather i will integrate it anchor controller or with each 3850 MA???
  between foreign and anchor controller i will use new mobility instead of old EOIP!!!
  where shall place ISE in my network, in DMZ or with Core switch?
  my target for guest users to do not have access to any corporate network sources ?
  MSE:
  can i use both wips and context aware on the single MSE box?
  if yes, than what is the best practice for configuring them?
  are each 3850 MA will be added in MSE?
  WSSI module . will be used for monitoring purpose for wips and context aware profiles.
  all access point will be worked in local mode for serving users access.
  thank you

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• Ask the Expert: Cisco Unified Contact Center Express (UCCX) Version 10.0 - Upgrade, Migration, and New Features Overview

              With Abhiram Kramadhati 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the upgrade, migration methods, and new features of the latest released Version 10.0 of Cisco Unified Contact Center Express (UCCX) with Cisco expert Abhiram Kramadhati.
  Abhiram will address the following on the latest release of Cisco UCCX Version 10.0:
  Installation
  Upgrade from previous versions - both Linux and Windows   
  Migration from MCS to Cisco UCS environment - Different methods and best practices
  New features - Overview and limitations
  This discussion will center on install and upgrade best practices, changes in hardware support, and migration methods from MCS to Cisco UCS. He can also briefly discuss the new features introduced in 10.0. The discussion focuses the latest versions, but queries about general Cisco UCCX topics can be addressed too if time allows.
  Abhiram Kramadhati is an engineer with the Contact Center Backbone group. He has been working with Cisco UCCX since he joined Cisco. During two years at Cisco, he has built his expertise around Cisco UCCX telephony applications, Java Telephony API (JTAPI) integration, Cisco UCCX system behavior, LDAP components, and Cisco UCCX as IP interactive voice response in Unified Contact Center Enterprise (UCCE) environments. He also works on other technologies, including Unified Communications Manager and UCCE. He has been involved in many technical escalations in the Asia Pacific region. Abhiram also holds a CCIE in voice (40065).
  For more details about this topic, refer to the recently published Tech-Talk Video and Blog.
  Remember to use the rating system to let Abhiram know if you have received an adequate response. 
  Abhiram might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Voice, Video, and Collaboration  community,  sub-community, Contact Center discussion forum shortly after the event. This event lasts through January 31, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Anurag,
  Thanks for your questions.
  1:Is there change in DB architecture as CUIC is the only option as compared to previous linux version UCCX ?
  I assume this is from the tables regarding historical data. The database schema essentially remains the same since UCCX 9.0 had CUIC too and we had a seperate DB Space for CUIC and we still continue with that. The traditional historical tables remain and the replication process remains the same too.
  2:Is there any version change for Linux OS used as VOS,
  The Linux version is Red Hat Linux 5. To be precise:
  [root@uccx10pub /]# cat etc/redhat-release
  Red Hat Enterprise Linux Server release 5.7 (Tikanga)
  3:Is there any API architecture change in UCCX 10 from previous releases ?
  I can answer this more of an overview. The only enhancement in the API side is the introduction of REST API step in the script editor. You can now make REST calls from the script and this ofcourse opens up a whole new world of possiblities.
  4:Since from UCCX 10 , we can only use either CAD or Finnesse at one  time, whats the impact of changing this after some time in production,  let say , i used CAD for 2 months and then i decided to move to Finesse,  whats the impact ? or is it a smooth change as switching CUIC and HRC  in previoius release ?
  For the scenario you mentioned, there is absolutely no problem. The point to note is that the Finesse services are activated/deactivated but the CAD desktop services are ALWAYS running. The only condition to keep in mind is that you can use ONLY ONE type of agent desktop at any time.  Also if Finesse is not used and CAD operations are used extensively, it is advisable to shutdown the Finesse service.
  5:Is 3rd Party UCS hardware supported by UCCX 10 instead of using Cisco manufactured UCS , can i use HP hardware for Virtualisation ?
  Yes, it can be used. This is something called as "Third party specs based specification". The most important things seen for compatibility are:
  Inter CPU Model
  It it is on thVMWare Hardware Compatibilty List
  You can get more information about this on the "Can I use this server?" section of UC Virtualized Hardware page:
  http://docwiki.cisco.com/wiki/UC_Virtualization_Supported_Hardware#.22Can_I_use_this_server.3F.22
  6:Is Host name change supported?
  Yes, the hostname change is supported. The prcocedure is documented in the UCCX 10.0 Administration Guide:
  http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_10_0/configuration/guide/UCCX_BK_W1AF9DDD_00_uccx-admin-guide-10.0.pdf (Pg 168)
  Cheers,
  Abhiram Kramadhati

• Ask the Expert: Cisco UCS Troubleshooting Boot from SAN with FC and iSCSI

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco UCS Troubleshooting Boot from SAN with FC and iSCSI with Vishal Mehta and Manuel Velasco.
  The current industry trend is to use SAN (FC/FCoE/iSCSI) for booting operating systems instead of using local storage.
  Boot from SAN offers many benefits, including:
  Server without local storage can run cooler and use the extra space for other components.
  Redeployment of servers caused by hardware failures becomes easier with boot from SAN servers.
  SAN storage allows the administrator to use storage more efficiently.
  Boot from SAN offers reliability because the user can access the boot disk through multiple paths, which protects the disk from being a single point of failure.
  Cisco UCS takes away much of the complexity with its service profiles and associated boot policies to make boot from SAN deployment an easy task.
  Vishal Mehta is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California. He has been working in the TAC for the past three years with a primary focus on data center technologies such as Cisco Nexus 5000, Cisco UCS, Cisco Nexus 1000v, and virtualization. He has presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE certification (number 37139) in routing and switching and service provider.
  Manuel Velasco is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California. He has been working in the TAC for the past three years with a primary focus on data center technologies such as Cisco UCS, Cisco Nexus 1000v, and virtualization. Manuel holds a master’s degree in electrical engineering from California Polytechnic State University (Cal Poly) and VMware VCP and CCNA certifications.
  Remember to use the rating system to let Vishal and Manuel know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation in the Data Center community, under subcommunity Unified Computing, shortly after the event. This event lasts through April 25, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Evan
  Thank you for asking this question. Most common TAC cases that we have seen on Boot-from-SAN failures are due to misconfiguration.
  So our methodology is to verify configuration and troubleshoot from server to storage switches to storage array.
  Before diving into troubleshooting, make sure there is clear understanding of this topology. This is very vital with any troubleshooting scenario. Know what devices you have and how they are connected, how many paths are connected, Switch/NPV mode and so on.
  Always try to troubleshoot one path at a time and verify that the setup is in complaint with the SW/HW interop matrix tested by Cisco.
  Step 1: Check at server
  a. make sure to have uniform firmware version across all components of UCS
  b. Verify if VSAN is created and FC uplinks are configured correctly. VSANs/FCoE-vlan should be unique per fabric
  c. Verify at service profile level for configuration of vHBAs - vHBA per Fabric should have unique VSAN number
  Note down the WWPN of your vhba. This will be needed in step 2 for zoning on the SAN switch and step 3 for LUN masking on the storage array.
  d. verify if Boot Policy of the service profile is configured to Boot From SAN - the Boot Order and its parameters such as Lun ID and WWN are extremely important
  e. finally at UCS CLI - verify the flogi of vHBAs (for NPV mode, command is (from nxos) – show npv flogi-table)
  Step 2: Check at Storage Switch
  a. Verify the mode (by default UCS is in FC end-host mode, so storage switch has to be in NPIV mode; unless UCS is in FC Switch mode)
  b. Verify the switch port connecting to UCS is UP as an F-Port and is configured for correct VSAN
  c. Check if both the initiator (Server) and the target (Storage) are logged into the fabric switch (command for MDS/N5k - show flogi database vsan X)
  d. Once confirmed that initiator and target devices are logged into the fabric, query the name server to see if they have registered themselves correctly. (command - show fcns database vsan X)
  e. Most important configuration to check on Storage Switch is the zoning
  Zoning is basically access control for our initiator to  targets. Most common design is to configure one zone per initiator and target.
  Zoning will require you to configure a zone, put that zone into your current zonset, then ACTIVATE it. (command - show zoneset active vsan X)
  Step 3: Check at Storage Array
  When the Storage array logs into the SAN fabric, it queries the name server to see which devices it can communicate.
  LUN masking is crucial step on Storage Array which gives particular host (server) access to specific LUN
  Assuming that both the storage and initiator have FLOGI’d into the fabric and the zoning is correct (as per Step 1 & 2)
  Following needs to be verified at Storage Array level
  a. Are the wwpn of the initiators (vhba of the hosts) visible on the storage array?
  b. If above is yes then Is LUN Masking applied?
  c. What LUN number is presented to the host - this is the number that we see in Lun ID on the 'Boot Order' of Step 1
  Below document has details and troubleshooting outputs:
  http://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-b-series-blade-servers/115764-ucs-san-tshoot-00.html
  Hope this answers your question.
  Thanks,
  Vishal 

• Ask the Expert: Cisco TelePresence for the Enterprise

  Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about Cisco Telepresence® for the enterprise. 
  Cisco experts Jaret, Fernando, and Fred will be covering all Cisco TelePresence products.  Topics include Cisco TelePresence endpoints and TelePresence infrastructure such as the Cisco TelePresence Video Communication Server (VCS), Cisco Expressway Series, Cisco Unified Communication Manager (CallManager), Cisco TelePresence Servers (MSE 8710, on Virtual Machine, etc.), MCU (MSE 8510, etc.), Cisco TelePresence Management Suite (TMS), and all other Cisco TelePresence related devices.
  Jaret Osborne is an 8-year Cisco Advanced Services veteran.  In his Advanced Services tour, Jaret has covered all aspects of Cisco Unified Communications and TelePresence products, including both enterprise and service provider verticals. Most recently Jaret has been working with global service providers supporting their Cisco TelePresence as a Service offerings while also incubating new cloud services at Cisco.
  Fernando Rivas is a Cisco Advanced Services NCE, starting in the Cisco Technical Assistance Center (TAC), 2007, on the Collaboration Technology Team mastering the Cisco Unified Communication  technologies and specialized in call control CUCM,VCS) and  conferencing (MeetingPlace, Telepresence). In 2011, he joined Cisco Advanced Services as a member of the Cisco Collaboration team and participated in several Cisco TelePresence and video-related technologies deployments. Currently he is a member of the Video Cloud Technology Team, supporting video exchanges in several and architecting new private video cloud solutions for large enterprises. Fernando holds a routing and switching CCIE® certification (22975).
  Fred Mollenkopf  is a Cisco Advanced Services Network consulting engineer working at Cisco for the last 7 years. Fred has led some of the largest Cisco Unified Communication and Collaboration deployments done for Cisco customers and partners. Over 15 years’ experience in data networking with a specialization in Cisco Unified Communications in 2004. Currently he is a member of the SP Video Advanced Services Team, supporting SP video exchanges and the Cisco Telepresence solutions.  Fred maintains an active CCIE® in Voice (17521).
  Remember to use the rating system to let Jaret, Fernando, and Fred know if you have received an adequate response. 
  Because of the volume expected during this event, Jaret, Fred, and Fernando might not be able to answer every question. Remember that you can continue the conversation in the Collaboration, Voice and Video Community, under the sub-community TelePresence, shortly after the event. This event lasts through August 15, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Tenaro,
  Additionally here are the most common login issues.  Unfortunately this includes items related to Presence implementation but I commented where we did not use these in our lab setup for CUCM Phone Capabilities only.  
  Login Issues
  Problem:
  Jabber Unable to Sign-in Through MRA
  Solution
  This can be caused by a number of things, a few of which are outlined below.
   1.  Collaboration Edge SRV record not created and/or port 8443 unreachable
  For a jabber client to be able to login successfully using MRA, a specific collaboration edge SRV record must be created and accessible externally. When a jabber client is initially started it will make server DNS SRV queries:
  _cisco-uds : this SRV record is used to determine if a CUCM server is available.
  _cuplogin : this SRV record is used to determine if an IM&P server is available.
  _collab-edge : this SRV record is used to determine if MRA is available.
  If the jabber client is started and does not receive an SRV answer for _cisco-uds and _cuplogin, and does receive an answer for _collab-edge then it will use this answer to try to contact the Expressway-E listed in the SRV answer.
  The _collab-edge SRV record should point to the FQDN of the Expressway-E using port 8443. If the _collab-edge SRV is not created, or is not externally available,  or if it is available, but port 8443 is not reachable, then the jabber client will fail to login.
   2.  Unacceptable or No Available Certificate on VCS Expressway
  After the jabber client has received an answer for _collab-edge, it will then contact the expressway using TLS over port 8443 to try to retrieve the certificate from the expressway to setup TLS for communication between the jabber client and the expressway.
  If the Expressway does not have a valid signed certificate that contains either the FQDN or domain of the Expressway, then this will fail and the jabber client will fail to login.
  If this is occurring, the you should use the CSR tool on the Expressway, which will automatically include the FQDN of the expressway as a Subject Alternative Name.
  MRA requires secure communication between the Expressway-C and Expressway-E, and between the Expressway-E and external endpoints.
  Expressway-C Server Certificate Requirements:
  The Chat Node Aliases configured on the IM&P servers. This is required if you are doing XMPP federation.  The Expressway-C should automatically include these in the CSR provided that an IM&P server has already been discovered on the Expressway-C.
  The names in FQDN format of all Phone Security Profiles in CUCM configured for TLS and used on devices configured for MRA. This allows for secure communication between the CUCM and Expressway-C  for the devices using those Phone Security Profiles.
  Expressway-E Server Certificate Requirements:
  All domains configured for Unified Communications. This includes the domain of the Expressway-E and C, e-mail address domain configured for Jabber, and any presence domains.
  The Chat Node Aliases configured on the IM&P servers. This is required if you are doing XMPP federation. 
  The MRA Deployment guide describes this in greater detail on pages 17-18. (http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Mobile-Remote-Ac...
  Note: In our lab for testing Phone Capabilities only, we did not include the Chat Node Aliases in the certificate as we were not using IM&P.
   3.  No UDS Servers Found in Edge Config
  After the Jabber client successfully establishes a secure connection with the Expressway-E, it will ask for its edge config. This edge config will contain the SRV records for _cuplogin and _cisco-uds. If these SRV records are not returned in the edge config, then the jabber client will not be able to proceed with trying to login.
  To fix this, make sure that _cisco-uds and _cuplogin SRV records are created internally and resolvable by the Expressway-C
  More information on the DNS SRV records can be found on page 10 of the MRA deployment guide for X8.1.1 (http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-1-1.pdf)
  Note: In our lab for testing Phone Capabilities only, we did not include the DNS SRV for _cuplogin.
   4.  The Expressway-C logs will indicate the following error: XCP_JABBERD  Detail="Unable to connect to host '%IP%', port 7400:(111) Connection  refused"
  If Expressway-E NIC is incorrectly configured, this can cause the XCP server to not be updated. If the Expressway-E meets the following criteria, then you will likely have this issue:
  Using a single NIC
  Advanced Networking Option Key is installed
  Use Dual Network Interfaces option is set to “Yes”
  To correct this problem, change the “Use Dual Network Interfaces” option to “No”
  The reason this is a problem is because the Expressway-E will be listening for the XCP session on the wrong network interface, which will cause the connection to fail/timeout. The Expressway-E listens on TCP port 7400 for the XCP session. You can verify this by using the netstat command from the VCS as root.
  Note: We used a Dual Network Interface Expressway for testing but were not using XCP, so this was not applicable to us.
   5.  VCE-E Server hostname/domain name does not match what is configured in the _collab-edge SRV.
  If the Expressway-E Server hostname/domain name does not match what was received in the _collab-edge SRV answer, the jabber client will not be able to communicate to the Expressway-E. The Jabber client uses the xmppEdgeServer/Address element in the get_edge_config response to establish the XMPP connection to the Expressway-E.
  This is an example of what the xmppEdgeServer/Address would look like in the get_edge_config response from the Expressway-E to the Jabber client:
  <xmppEdgeServer>
  <server>
  <address>ott-vcse1.vcx.cisco.com</address>
  <tlsPort>5222</tlsPort>
  </server>
  </xmppEdgeServer>
  To avoid this, make sure that the _collab-edge SRV record matches the Expressway-E hostname/domain name. Enhancement CSCuo83458 has been filed for this. 
  Note: This was one of our issues when we first setup.  We adjusted our Expressway-E to insure the below:
  System > Administration > System Name this was the FQDN
  System > DNS > System Host Name was the host portion of the FQDN
  System > DNS > Domain Name was the domain portion of the FQDN
  System > Clustering > Cluster Name (FQDN for Provisioning) was the FQDN
   6. Unable to log into certain IM&P servers. VCS logs say "No realm found for host cups-example.domain.com, check connect auth configuration"
  From the Expressway-E, go to Configuration -> Unified Communications -> IM&P Servers. Open each server and click "Save" again. Not sure exactly why this happens.
  Note:  This was N/A to our test and can be ignored with Phone Capabilities only.
  Thanks
  Fred

• Ask the Expert: Data Center Integrated Systems and Solutions

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about utilizing Cisco data center technology and solutions with subject matter expert Ramses Smeyers. Additionally, Ramses will answer questions about FlexPOD, vBlock, Unified Computing Systems, Nexus 2000/5000, SAP HANA, and VDI.
  Ramses Smeyers is a technical leader in Cisco Technical Services, where he works in the Datacenter Solutions support team. His main job consists of supporting customers to implement and manage Cisco UCS, FlexPod, vBlock, VDI, and VXI infrastructures. He has a very strong background in computing, networking, and storage and has 10+ years of experience deploying enterprise and service provider data center solutions. Relevant certifications include VMware VCDX, Cisco CCIE Voice, CCIE Data Center, and RHCE.
  Remember to use the rating system to let Ramses know if you have received an adequate response.
  Because of the volume expected during this event, Ramses might not be able to answer every question. Remember that you can continue the conversation in the Data Center Community, under the subcommunity Unified Computing, shortly after the event. This event lasts through August 1, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Ramses,
  I have dozen questions but will try to restrain myself and start with the most important ones :)
  1. Can cables between IOM and FI be configured in a port-channel? Let me clarify what I"m trying to achieve: if I have only one chassis with only one B200M3 blade inside, will the 2208 IOM and FI6296 allow me to achieve more than 10Gbps throughput between the blade and the Nexus 5k? Of course, we are talking here about clean ethernet environment.
       B200M3 --- IOM2208 --- 4 links --- FI6296 --- port-channel (4 links) --- Nexus5548
  2. Is it possible to view/measure throughput for Fibre Channel interfaces?
  3. Here is one about FlexPod: I know that in case of vBlock there is the company that delivers fully preconfigured system and offers one universal support point so customer don't have to call Cisco or VMware or storage supports separately. What I don't know is how it works for FlexPod. Before you answer that you are not sales guy, let me ask you more technical questions: Is FlexPod Cisco product or is NetApp product or this is just a concept developed by two companies that should be embraced by various Cisco/NetApp partners? As you obviously support Datacenter solutions, if customer/partner calls you with are FlexPod related problem, does it matter for you, from support side, if you are troubleshooting fully compliant FlexPod system or you'll provide same level of support even is the system is customized (not 100% FlexPod environment)?
  4. When talking about vCenter, can you share your opinion about following: what is the most important reason to create the cluster and what will be the most important limitation?
  5. I know that NetApp has feature called Rapid Clones that allows faster cloning than what vCenter offers. Any chance you can compare the two? I remember that NetApp option should be much faster but didn't understand what is actually happening during the cloning process and I'm hoping you can clarify this? Maybe a quick hint here: seems to me it will be helpful if I could understand the traffic path that is used in each case. Also, it will be nice to know if Vblock (i.e. EMC) offers similar feature and how it is called.
  6. Can I connect Nexus 2000 to the FI6xxx?
  7. Is vBlock utilizing Fabric Failover? Seems to me not and would like to hear your opinion why.
  Thanks for providing us this opportunity to talk about this great topic.
  Regards,
  Tenaro

• Ask the Expert: Global Site Selector Configuration and Troubleshooting

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuring and troubleshooting the Global Site Selector (GSS) with expert Swati Chopra.
  GSS devices represent the next generation of application switches and global server load balancing (GSLB) appliances. Working together with the Cisco ACE Module and Cisco ACE 4710 appliance, these devices form an application-fluent networking solution that improves availability, acceleration, and security for data center applications.
  The primary role of Cisco GSS is to implement the business continuance and disaster recovery policies of a business by optimizing and securing the Domain Name System (DNS) infrastructure of the data center. It does this by integrating with the DNS infrastructure and responding to the client DNS requests, thereby directing the client to the site that is best able to serve its needs.
  Swati Chopra is a CCNA, CCNP, and VCP certified customer support engineer for content switching, covering technologies such as Cisco Application Control Engine, Cisco Wide Area Application Services, Global Site Selector, Cisco Content Services Switches, and Digital Media Suite. She has been with Cisco for more than three years and has worked with most of the high-end customers on content-related complex cases. She completed her master’s degree in finance, was heading an online education project in collaboration with e-Sylvan, and later moved to technical services because of her love for technology. She is actively involved with diverse Cisco initiatives such as Connected Women, WISE, and Cisco Career Connections and recently hosted a “Birds of Feather” table at Cisco’s Women of Impact conference.
  Remember to use the rating system to let Swati know if you have received an adequate response. 
  Because of the volume expected during this event, Swati might not be able to answer every question. Remember that you can continue the conversation in the Data Center community under subcommunity Application Networking shortly after the event. This event lasts through April 25, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Sarah,
  The load balancing mechanism for GSS requests is done via different methods. We can use these methods to define how the load is shared for different balance clauses within the same rule. The 6 methods we use are:
  –round-robin—The GSS cycles through the list of answers that are available as requests are received. Each resource within an answer group is tried in turn. The GSS cycles through the list of answers, selecting the next answer in line for each request. This is the default.
  eg: if we have 2 answers in answer group then GSS will provide them alternatively.
  –least-loaded—The GSS selects an answer based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.The least-loaded option is available only for VIP-type answer groups that use a KAL-AP or Scripted keepalive, as they provide the GSS with detailed information on the SLB load and availability.
  eg: if one answer has higher load than the other, than first answer will not be provided until its load goes down the other answers
  –ordered—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request.
  for eg: answer with ordered number 1 will be provided first till it becomes unavailable. Once it is unavailable then answer with ordered list number 2 will be provided
  –weighted-round-robin—The GSS cycles through the list of answers that are available as the requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.
  eg: if one answer has more weight(80%) than the other answer(20%), then it will be used 8 times out of 10.
  –hashed— When the GSS uses the hashed balance method, elements of the client's DNS proxy IP address and the requesting client's domain are extracted to create a unique value, referred to as a hash value. The unique hash value is attached to and used to identify a VIP that is chosen to serve the DNS query.
  The use of hash values makes it possible to "stick" traffic from a particular requesting client to a specific VIP, ensuring that future requests from that client are routed to the same VIP. This type of continuity can be used to facilitate features, such as online shopping baskets, in which client-specific data is expected to persist even when client connectivity to a site is terminated or interrupted.
  The GSS supports the following two hashed balance methods. You can apply one or both hashed balance methods to the specified answer group.
  • By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.
  • By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.
  for eg: a user using same source ip will get the same answer from GSS if we do source address hashing.
  -DNS Race (Boomerang) Method-The GSS supports the DNS race (boomerang) method of proximity routing, which is a type of DNS resolution initiated by the GSS to load balance 2 to 20 sites.
  The boomerang method is based on the concept that instantaneous proximity can be determined if a CRA within each data center sends an A-record (IP address) at the exact same time to the client's D-proxy. The DNS race method of DNS resolution gives all CRAs (Cisco content engines or content services switches) a chance at resolving a client request and allows for proximity to be determined without probing the client's D-proxy. The first A-record received by the D-proxy is, by default, considered to be the most proximate.
  Use case is mainly with CRA's.
  Hope this helps. Please feel free to revert if you have follow-up questions.
  Thanks,
  Swati

• ASK THE EXPERTS : High Density Wireless Deployments and CleanAir Technology

  with
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on High Density Wireless Deployments and CleanAir technology with Cisco expert Fred Niehaus. Fred is a technical marketing engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco wireless LAN products. In addition to his participation in major deployments, Fred has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Fred was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
  Remember to use the rating system to let Fred know if you have received an adequate response.
  Fred might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through June 3, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

  You are correct, between the higher numbers of users with multiple devices the bandwidth requirements keep increasing.
  The limitation of three non-overlapping channels in the 2.4 GHz space is driving more customers to 5 GHz, it is important to have both bands when high density deployments are needed.  While many older devices only support 2.4 GHz, we are now seeing far more devices with 5 GHz as well.
  The recomendation of 20-25 clients and 8 voice calls on a given 2.4 GHz channel is still a good "rule of thumb" with actual customer data requirements driving those numbers higher or lower. You are right when you say "throwing Access Points" at the problem can degrade the wireless quality as co-channel interference and overall noise floor can rise with multiple Access Points that can all hear each other.
  A better approach to the problem is to throw more spectrum at this issue (using 5 GHz channels) and elements of 802.11n (20 MHz) bandwidth on 2.4 GHz.
  What we have been doing in high density deployments is to try to minimize the propagation of a cell and focus it in a given direction.  This can be done by
  1. Managing the RF power of the radios (Access Points) and in some cases the client's power (using elements of CCX).
  2. Using the right antennas to shape both Tx and Rx cell size to help isolate, we have recently introduced a new high gain antenna for stadiums that does this well.
  3. Limit supported rates, obviously the higher the data rate the less sensitive the receiver is and the smaller the cell size becomes.
  4. Enable 5 GHz (that adds far more channels for data throughput)
  5. Limit the number of SSIDs in use as each requires a separate beacon (adding to RF utilization)
  6. Co-locating access points with non-overlapping channels
  There are some challenges, for example; many dual -band clients prefer to connect to 2.4 GHz, and 2.4 GHz is more likely to be busier and subject to interference, so we also enable Cisco "Band-Select" which basically "nudges" those clients off 2.4 GHz and pushes them to 5 GHz so as to free up the 2.4 GHz band when we can determine the client has 5 GHz capability.
  So how is this done? well, we do this by listening to the clients and if we detect that the client is sending out probe requests on both bands we know the client can use 5 GHz so we essentially make the 5 GHz band "appear more attractive" to that client.
  Note: Client load balancing and Band select are features in the Cisco Unified controller menu.
  Also enabling client link (intelligent beam forming) helps direct the signal directly at the client and reduces same channel interference.

• Ask the Expert: Cisco Unified Computing System Director

              With Andrew Nam
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Unified Computing System (UCS) Director with Cisco expert Andrew Nam.
  Cisco UCS Director was designed to operationally integrate bare-metal and virtual data center infrastructure resources to address complex, time-consuming, manual, and compartmentalized management processes. These processes burden IT organizations, preventing them from achieving business agility and efficiency.  Cisco expert Andrew Nam will provide an update on installation, configuration, and troubleshooting VM provisioning process using Cisco UCS Director.
  Andrew Nam is a data center solution engineer in the DC Solution team in Sydney, Australia, responsible for orchestrating the end-to-end solution support of Cisco Data Centre solutions, including Cisco UCS, Cisco Nexus architecture, VBlock/FlexPod, VDI/VXI, and cloud solutions. His areas of expertise include routing and switching, load balancer, WAN optimization, VPN, and firewalls. Andrew has worked for Cisco for more than 13 years and has 15 years of experience in the networking industry. He graduated from New South Wales University in Australia with a mechanical/manufacturing engineering degree and holds R&S CCIE 9586, VMware VPC5, and Citrix CCA - Xendesktop5 certifications. 
  Remember to use the rating system to let Andrew know if you have received an adequate response. 
  Andrew might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in Data Center community,  sub-community, Unified Computing discussion forum shortly after the event. This event lasts through January 17, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi James
  This Ask the Expert session may not be the right place to show you all the essential steps for how the workflow can be related to task library to achieve your initial setup flow chart, and onboarding a new client.
  However, I can briefly walktthrough "Client blade Provisioning" task so it might give some idea and how you can go about.
  Assumption :  the infrastructure used in the following examples consists of:
  -  Vmware VCenter
  -  Cisco UCS
  -  NetApp ONTAP controlled storage
  To be able to provision Cisco UCS blade server in automated fashion, you need to create and define the below UCS entities beforehand.
  - Create UCS Organisation
  - Create UUID Pool
  - Create MAC Address Pool
  - Create WWNN Pool
  - Create WWPN Pool
  - Create vHBA Templates
  - Create vNIC Templates
  - Create UCS Policy vHBAs
  - Create UCS Policy vNICs
  - Create Storage Policy
  - Create Network Policy
  - Create SAN Boot Policy
  - Create LAN Boot Policy
  Once you create all the policy above, you are good to set up a workflow container for the client blade provisoining.
  1. Create UCS Service Profile
  - Add a ‘Create UCS Service Profile’ workflow task and select ‘Map to User Input’ for ‘Service Profile Name’. Select the ‘Service Profile Name’ dropdown as created when the workflow container was created.
  - ‘Create UCS Service Profile’ inputs. Ensure that Storage_Policy, Network_Policy, Boot_Policy_LAN and Boot_Policy_SAN entries are correct.
  - Once this is done , you can move to SAN zoning.
  2. Configure SAN Zoning
  - In this step, a new workflow task will be created in order to configure SAN zoning. Rather than use a specific user input for this task, output variables from the previous ‘Create UCS Service Profile’ workflow task will be used as input items for this task.
  - Open the workflow and search for the workflow task ‘configure san zoning’. Drag the storage workflow task into the work area and map the following user inputs.
  Create Flexible Volume
  - Create a ‘Create Flexible Volume’ workflow task in order to build a NetApp flexible volume and provision it for the required size.
  - Once again, reconfigure the workflow such that the success criteria from the ‘Configure SAN Zoning’ workflow task proceeds to ‘Create Flexible Volume’.
  Create LUN
  - Using the NetApp ONTAP ‘Create LUN’ workflow task, create a LUN located within the volume created during the previous step. In order to do this, map the Volume Name user input to the output from the previous ‘Create Flexible Volume’ workflow task.
  - Next, enter the LUN details, ensuring that the configured size is less than that of the volume created in the previous step.
  - As before, re-map the workflow designer flow so that the successful output of the Create Flexible Volume workflow task flows into this task.
  3. Create Initiator Group
  - Create a ‘Create Initiator Group’ workflow task in order to build a NetApp ONTAP Initiator Group. Map the ‘Filer Identity Name’ attribute to the OUTPUT_FILER_IDENTITY output variable as supplied by the ‘Create NetApp Flexible Volume’ workflow task as created earlier in this workflow.
  - Once again, modify the the workflow designer flow so that the successful output from ‘Create LUN’ flows into ‘Create Initiator Group’
  4. Add Initiator to Initiator Group
  - Create an ‘Add Initiator to Initiator Group’ workflow task and map the ‘Initiator Group Name’ entry to the OUTPUT_IGROUP_IDENTITY output variable from the ‘Create NetApp Initiator Group’ workflow task and map the ‘Initiator Name’ entry to the SP_VHBA1 output variable from the ‘Create UCS Service Profile’ workflow task created earlier in this flow.
  - Repeat this task for in order to add initiator name entry for SP_VHBA2. Once done, re-map the successful output from the two Create Initiator Group workflow tasks so that they flow into each other as follows:
  - Move onto the next step in order to map the created LUN to the initiator group.
  And the rest of steps are fairly similar to above. Create a Workflow and map the User Input Mappings".
  5. Map LUN to Initiator Group
  6. Modify UCS Boot Policy LUN ID
  7. Select UCS Server
  8. Associate UCS Service Profile
  9. Power On UCS Server
  10. Modify UCS Service Profile Boot Policy
  11. Add VLAN to Service Policy
  12. Disassociate UCS Service Profile
  13. Wait for Specified Duration
  14. Associate UCS Service Profile
  15. Power On UCS Server
  16. Register Host with VCenter
  regards
  Andrew

• Ask the Expert:Cisco Web Security

  With Ryan Wager
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about design, configuration and troubleshooting of the Cisco Web Security Solutions including Cisco Ironport WSA and Cisco ScanSafe with Cisco experts Kiran Sirupa and Ryan Wager. Kiran Sirupa is a technical marketing engineer in the product marketing team for the Cisco IronPort Web Security Appliance product line. He also works on documentation, partner ,and system engineering training. Kiran has been working in the Cisco Security Technologies group for more than six years. Ryan Wager is a technical marketing engineer at Cisco in the product management team for the ScanSafe Web Security platform. He is heavily involved with the product's integration with the Cisco Integrated Services Router Generation 2 platform, along with documentation, training, and testing of all new products and features. Before joining the product management team, Wagner spent two years as an implementation engineer helping ScanSafe's largest customers implement the platform into their networks.
  Remember to use the rating system to let Kiran and Ryan know if you have received an adequate response.  
  They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, discussion forum shortly after the event. This event lasts through October 7, 2011.. Visit this forum often to view responses to your questions and the questions of other community members.

  Yes, the IronPort WSA will support all the security functions including Anti-Virus, Anti-Malware, Anti-Spyware, Web Reputation when working in conjunction with an existing proxy.
  There are two conditions:
  1. WSA acts as an upstream proxy - In this case, the authentication will be handled by your existing proxy, but the WSA is the first layer of defense. The WSA will perform a lookup in its web reputation database based on the destination. Also, The WSA can scan the http response with Anti-Virus, Anti-SpyWare and Anti-Malware software. However, since the WSA doesn't have user authentication information, you can only apply global controls for Acceptable Use.
  2. WSA has to go through an existing upstream proxy - In this case, the WSA has all the security functionality. In addition, it also handles the authentication. Hence, you can apply role based controls.
  You may refer to the following links for more information:
  WSA Product Literature: http://www.cisco.com/en/US/products/ps10164/prod_literature.html
  Cisco Security Reports: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
  Cisco Security Intelligence Operations: http://tools.cisco.com/security/center/home.x