Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

Similar Messages

• Ask the Expert: Configuration, Design, and Troubleshooting of Cisco Nexus 1000

  With Louis Watta
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about design, configuration, and troubleshooting of Cisco Nexus 1000V Series Switches operating inside VMware ESXi and Hyper-V with Cisco expert Louis Watta. Cisco Nexus 1000V Series Switches deliver highly secure, multitenant services by adding virtualization intelligence to the data center network. With Cisco Nexus 1000V Series Switches, you can have a consistent networking feature set and provisioning process all the way from the virtual machine access layer to the core of the data center network infrastructure.
  This is a continuation of the live Webcast.
  Louis Watta is a technical leader in the services organization for Cisco. Watta's primary background is in data center technologies: servers (UNIX, Windows, Linux), switches (MDS, Brocade), storage arrays (EMC, NetApp, HP), network switches (Cisco Catalyst and Cisco Nexus), and enterprise service hypervisors (VMware ESX, Hyper-V, KVM, XEN). As a Technical Leader in Technical Services, Louis currently supports beta and early field trials (EFTs) on new Cisco software and hardware. He has more than 15 years of experience in a wide variety of data center applications and is interested in data center technologies oriented toward data center virtualization and orchestration. Prior to Cisco, Louis was a system administrator for GTE Government Systems. He has a bachelor of science degree in computer science from North Carolina State University. .
  Remember to use the rating system to let Louis know if you have received an adequate response.
  Louis might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Data Center community Unified Computing shortly after the event.
  This event lasts through Friday, JUne 14, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast related links:
  Slides
  FAQ
  Webcast Video Recording

  Right now there is only a few features that are not supported on N1Kv on Hyper-V
  They are VXLAN and QOS Fair Weighted Queuing. We are currently demoing VXLAN functionality at Microsoft TechEd Conference this week in New Orleans. So VXLAN support should be coming soon. I can't give you a specific timeline.
  For Fair Weighted Queuing I'm not sure. In the VMware world we take advantage of NETIOC infrastructure. In the MS world they do not have a NETIOC infrastructure that we can use to create a similar feature.
  Code base parity (as in VMware and Hyper-V VSMs running NXOS 5.x) will happen with the next major N1KV release for ESX.
  Let me know if that doesn't answer your question.
  thanks
  louis

• Ask the Expert: Configuration and Troubleshooting the Cisco Application Control Engine (ACE) load balancer

  With Ajay Kumar and Telmo Pereira 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco expert Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module: Helps ensure business continuity by increasing application availability Improves business productivity by accelerating application and server performance Reduces data center power, space, and cooling needs through a virtualized architecture Helps lower operational costs associated with application provisioning and scaling
  Ajay Kumar  is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications. 
  Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP
  Remember to use the rating system to let Ajay know if you have received an adequate response.
  Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
  This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hello Krzysztof,
  Another set of good/interesting questions posted. Thanks! 
  I will try to clarify your doubts.
  In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
  ACE/Context# show resource usage
                                                       Allocation
          Resource         Current       Peak        Min        Max       Denied
  -- outputs omitted for brevity --
    proxy-connections             0      16358      16358      16358      17872
    ssl-connections rate          0        626        626        626      23204
  Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
  On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
  So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
  ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource. 
  For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
  If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
  This might sound a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, specially if you have business critical contexts.
  We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
  1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE  should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
  To give more context, seeing resets with SSL connections is not necessarily synonym of drops. As it is usual to see them during normal transactions.
  For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users. 
  2)  ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Exisiting connections will continue there.
  As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
  To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
  As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
  3)  If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
  The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
  I hope this makes things clearer! Uff...
  Regards,
  Telmo

• Ask the Expert: Global Site Selector Configuration and Troubleshooting

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuring and troubleshooting the Global Site Selector (GSS) with expert Swati Chopra.
  GSS devices represent the next generation of application switches and global server load balancing (GSLB) appliances. Working together with the Cisco ACE Module and Cisco ACE 4710 appliance, these devices form an application-fluent networking solution that improves availability, acceleration, and security for data center applications.
  The primary role of Cisco GSS is to implement the business continuance and disaster recovery policies of a business by optimizing and securing the Domain Name System (DNS) infrastructure of the data center. It does this by integrating with the DNS infrastructure and responding to the client DNS requests, thereby directing the client to the site that is best able to serve its needs.
  Swati Chopra is a CCNA, CCNP, and VCP certified customer support engineer for content switching, covering technologies such as Cisco Application Control Engine, Cisco Wide Area Application Services, Global Site Selector, Cisco Content Services Switches, and Digital Media Suite. She has been with Cisco for more than three years and has worked with most of the high-end customers on content-related complex cases. She completed her master’s degree in finance, was heading an online education project in collaboration with e-Sylvan, and later moved to technical services because of her love for technology. She is actively involved with diverse Cisco initiatives such as Connected Women, WISE, and Cisco Career Connections and recently hosted a “Birds of Feather” table at Cisco’s Women of Impact conference.
  Remember to use the rating system to let Swati know if you have received an adequate response. 
  Because of the volume expected during this event, Swati might not be able to answer every question. Remember that you can continue the conversation in the Data Center community under subcommunity Application Networking shortly after the event. This event lasts through April 25, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Sarah,
  The load balancing mechanism for GSS requests is done via different methods. We can use these methods to define how the load is shared for different balance clauses within the same rule. The 6 methods we use are:
  –round-robin—The GSS cycles through the list of answers that are available as requests are received. Each resource within an answer group is tried in turn. The GSS cycles through the list of answers, selecting the next answer in line for each request. This is the default.
  eg: if we have 2 answers in answer group then GSS will provide them alternatively.
  –least-loaded—The GSS selects an answer based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.The least-loaded option is available only for VIP-type answer groups that use a KAL-AP or Scripted keepalive, as they provide the GSS with detailed information on the SLB load and availability.
  eg: if one answer has higher load than the other, than first answer will not be provided until its load goes down the other answers
  –ordered—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request.
  for eg: answer with ordered number 1 will be provided first till it becomes unavailable. Once it is unavailable then answer with ordered list number 2 will be provided
  –weighted-round-robin—The GSS cycles through the list of answers that are available as the requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.
  eg: if one answer has more weight(80%) than the other answer(20%), then it will be used 8 times out of 10.
  –hashed— When the GSS uses the hashed balance method, elements of the client's DNS proxy IP address and the requesting client's domain are extracted to create a unique value, referred to as a hash value. The unique hash value is attached to and used to identify a VIP that is chosen to serve the DNS query.
  The use of hash values makes it possible to "stick" traffic from a particular requesting client to a specific VIP, ensuring that future requests from that client are routed to the same VIP. This type of continuity can be used to facilitate features, such as online shopping baskets, in which client-specific data is expected to persist even when client connectivity to a site is terminated or interrupted.
  The GSS supports the following two hashed balance methods. You can apply one or both hashed balance methods to the specified answer group.
  • By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.
  • By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.
  for eg: a user using same source ip will get the same answer from GSS if we do source address hashing.
  -DNS Race (Boomerang) Method-The GSS supports the DNS race (boomerang) method of proximity routing, which is a type of DNS resolution initiated by the GSS to load balance 2 to 20 sites.
  The boomerang method is based on the concept that instantaneous proximity can be determined if a CRA within each data center sends an A-record (IP address) at the exact same time to the client's D-proxy. The DNS race method of DNS resolution gives all CRAs (Cisco content engines or content services switches) a chance at resolving a client request and allows for proximity to be determined without probing the client's D-proxy. The first A-record received by the D-proxy is, by default, considered to be the most proximate.
  Use case is mainly with CRA's.
  Hope this helps. Please feel free to revert if you have follow-up questions.
  Thanks,
  Swati

• Ask the Expert: Installing, Configuring, and Troubleshooting Cisco Unified MeetingPlace

  With Dejan Petrovic
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about different MeetingPlace deployment types, what they include and require, and what they are capable of with Cisco expert Dejan Petrovic.  Cisco Unified MeetingPlace is a conferencing solution providing audio and video conferencing, and data sharing experience. It can be fully on premise solution or a hybrid solution integrated with WebEx for data sharing capability. Dejan  will be answering any questions about installation, upgrade, migration and troubleshooting processes.
  Dejan Petrovic is a Cisco customer support engineer and team lead in the Conferencing Technical Assistance Center team based in Boxborough. He has been providing support to customers and partners for Cisco Unified MeetingPlace solutions since 2009. He has more than eight years of experience working in the IT industry as system administrator, business manager, and networking consultant. Petrovic holds a bachelor’s degree in computer network and information systems as well as several Cisco certifications, including CCNA, Cisco IPCC Express Specialist,  and MeetingPlace Support Specialist.
  Remember to use the rating system to let Dejan know if you have received an adequate response. 
  Dejan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice and Video sub-community discussion forum shortly after the event.  This event lasts through February 8, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hello Nick,
  I appreciate your questions, and will try to answer them below.
  When you are installing a fresh new MeetingPlace 8.5 that you plan to integrate with WebEx, the only available option is WebEx Managed user profiles. With this option, you can either create profiles manually on WebEx side, and then sync them to MeetingPlace, or you can use Federated SSO for import of profiles from LDAP server in your network to WebEx, and then sync the profiles from WebEx to MeetingPlace (you choose one of these two options when provisioning WebEx site).
  These are the only two available options for a NEW install of MP8.5 for WebEx integration, and as you can see both options are WebEx Managed profiles, the only difference is if you are going to use Federated SSO, or create profiles on WebEx manually.
  During the install, you can select to install MeetingPlace managed users option, but you would choose this option only if you plan to do a migration from an earlier MP release (7.x/8.0) with WebEx integration and Directory Integration.
  For example, MeetingPlace managed profiles option is available if you had MeetingPlace 8.0 integrated with WebEx Type II (WebEx scheduling) with Directory Integration, where you had your MP8.0 integrated with CUCM via AXL for user profile management (CUCM integrated with LDAP), and your WebEx Site provisioned for Directory Integration, and then migrate from that system to MeetingPlace 8.5 that you installed selecting MeetingPlace managed user profiles.
  The same goes for MeetingPlace Scheduling (Type I) integration with WebEx. Possible only with migration, and not with a fresh new installation.
  Now, to focus on your questions.
  1. As you can see, you don't have many options. If you have MS Active Directory that you would like to use for SSO in MP8.5 WebEx Scheduling, you will have to go with Federated SSO. So far, I haven't heard of any issues with that as it seems to be pretty straight forward to configure, and also WebEx Support team provides direct support for that setup as it is a direct integration between WebEx Site and the LDAP server (nothing to do with MeetingPlace side of the equation).
  2. In general, if you have Federated SSO enabled, you would go to WebEx site home page, click on Host Log In button which will then ask you to enter your network/windows credentials and place you to WebEx scheduling interface.
  If you have Directory Integration (like on MP8.0 WebEx Type II with CUCM/AXL integration), when you go to WebEx site home page and click Host Log In button, you are being redirected to the MeetingPlace log-in page where you would enter your Windows credentials (assuming your CUCM is integrated with LDAP), and then if log in is successful, you get redirected back to WebEx scheduling interface. With this type of deployment, you can log in to WebEx scheduling interface ONLY if you are connecting from your company network or have a VPN connection to your company network. This is a major limitation that most customers complained about, but the reason for this was that we didn't want to make MP Application server hostname/IP publicly available and hence cause a security issue.
  I am sure I answered your questions, but opened some new questions. So, please, let me know if I need to clarify anything.
  Thank you.
  -Dejan

• Ask the Expert:Concepts, Configuration and Troubleshooting Layer 2 MPLS VPN – Any Transport over MPLS (AToM)

  With Vignesh R. P.
  Welcome to the Cisco Support Community Ask the Expert conversation.This is an opportunity to learn and ask questions about  concept, configuration and troubleshooting Layer 2 MPLS VPN - Any Transport over MPLS (AToM) with Vignesh R. P.
  Cisco Any Transport over MPLS (AToM) is a solution for transporting Layer 2 packets over an MPLS backbone. It enables Service Providers to supply connectivity between customer sites with existing data link layer (Layer 2) networks via a single, integrated, packet-based network infrastructure: a Cisco MPLS network. Instead of using separate networks with network management environments, service providers can deliver Layer 2 connections over an MPLS backbone. AToM provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core.
  Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
  Remember to use the rating system to let Vignesh know if you have received an adequate response. 
  Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Service Provider sub-community discussion forum shortly after the event. This event lasts through through September 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Tenaro,
  AToM stands for Any Transport over MPLS and it is Cisco's terminology used for Layer 2 MPLS VPN or Virtual Private Wire Service. It is basically a Layer 2 Point-to-Point Service. AToM basically supports various Layer 2 protocols like Ethernet, HDLC, PPP, ATM and Frame Relay.
  The customer routers interconnect with the service provider routers at Layer 2. AToM eliminates the need for the legacy network from the service provider carrying these kinds of traffic and integrates this service into the MPLS network that already transports the MPLS VPN traffic.
  AToM is an open standards-based architecture that uses the label switching architecture of MPLS and can be integrated into any network that is running MPLS. The advantage to the customer is that they do not need to change anything. Their routers that are connecting to the service provider routers can still use the same Layer 2 encapsulation type as before and do not need to run an IP routing protocol to the provider edge routers as in the MPLS VPN solution.
  The service provider does not need to change anything on the provider (P) routers in the core of the MPLS network. The intelligence to support AToM sits entirely on the PE routers. The core label switching routers (LSRs) only switch labeled packets, whereas the edge LSRs impose and dispose of labels on the Layer 2 frames.
  Whereas pseudowire is a connection between the PE routers and emulates a wire that is carrying Layer 2 frames. Pseudowires use tunneling. The Layer 2 frames are encapsulated into a labeled (MPLS) packet. The result is that the specific Layer 2 service—its operation and characteristics—is emulated across a Packet Switched Network.
  Another technology that more or less achieves the result of AToM is L2TPV3. In the case of L2TPV3 Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet.
  Hope the above explanation helps you. Kindly revert incase of further clarification required.
  Thanks & Regards,
  Vignesh R P

• Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
  October 27, 2014 through November 7, 2014.
  The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
  Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
  Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
  Remember to use the rating system to let Craig know if you have received an adequate response.
  Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
  (Comments are now closed)

  1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
  2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
  a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
  b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
  For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
  Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
  If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy.  If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
  A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
  Regarding AD multi-domain support...
  Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
  Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
  When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
  In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
  Regards,
  Craig

• Ask the Expert: Installation, Operation, and Troubleshooting of RF Gateway 1 (RFGW1)

  With Ron Hanson
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions from Cisco expert Ron Hanson about the RF Gateway 1 (RFGW1) including installation, operation, configuration, and troubleshooting.
  Ron Hanson is a customer support engineer in the Technical Assistance Center, where he supports major RF Gateway 1 customers as part of the Service Providers Video team. He started working with the RF Gateway before its general release in 2008, and worked in the field on large Gateway deployments before joining product support. Hanson has been in the cable TV industry for 38 years. He previously spent 22 years at Scientific-Atlanta, which was acquired by Cisco in 2007. He holds two joint patents and is certified as a Cisco Optical Specialist. 
  Remember to use the rating system to let Ron know if you have received an adequate response. 
  Ron might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider sub-community discussion forum shortly after the event. This event lasts through Sept 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi John,
  Thanks for your reply.  The process of moving a license to another gateway can be done by the customer on the web site named HESULE  https://online.sciatl.com/license-it/.  You will need the HOST ID which can be found on the SYSTEM/License management tab. The HOST ID is essentially the 7 digit serial number with all leading zeros removed.
  Be sure to use Firefox when logging in.  Entering your email is important because the new license will be sent back to this address.
  In the License management tab, on the gateway you wish to remove the license from, record the 32 digit validation key number to the right of the license you wish to transfer.
  Go to HESULE and start the transfer process.  Hesule is very secure - therfore you must "prove" to Hesule the license has been removed from the first chassis.  Hesule will issue you a new license with the license you wish to transfer removed.  When you load this new license and new validation key will come up on the screen.  Go back to Hesule and enter this key to prove the license has been removed.  Hesule will then email you another new license containing the license you are transfering. Load this license on the new RFGW1 and the process is complete.
  Yes I understand I said a lot.  However, the process is described step by step on the Hesule site.
  If you have any problems do not hesitate to contact me.
  Thank you   RON HANSON

• Ask the Expert: Cisco UCS Troubleshooting Boot from SAN with FC and iSCSI

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco UCS Troubleshooting Boot from SAN with FC and iSCSI with Vishal Mehta and Manuel Velasco.
  The current industry trend is to use SAN (FC/FCoE/iSCSI) for booting operating systems instead of using local storage.
  Boot from SAN offers many benefits, including:
  Server without local storage can run cooler and use the extra space for other components.
  Redeployment of servers caused by hardware failures becomes easier with boot from SAN servers.
  SAN storage allows the administrator to use storage more efficiently.
  Boot from SAN offers reliability because the user can access the boot disk through multiple paths, which protects the disk from being a single point of failure.
  Cisco UCS takes away much of the complexity with its service profiles and associated boot policies to make boot from SAN deployment an easy task.
  Vishal Mehta is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California. He has been working in the TAC for the past three years with a primary focus on data center technologies such as Cisco Nexus 5000, Cisco UCS, Cisco Nexus 1000v, and virtualization. He has presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE certification (number 37139) in routing and switching and service provider.
  Manuel Velasco is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California. He has been working in the TAC for the past three years with a primary focus on data center technologies such as Cisco UCS, Cisco Nexus 1000v, and virtualization. Manuel holds a master’s degree in electrical engineering from California Polytechnic State University (Cal Poly) and VMware VCP and CCNA certifications.
  Remember to use the rating system to let Vishal and Manuel know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation in the Data Center community, under subcommunity Unified Computing, shortly after the event. This event lasts through April 25, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Evan
  Thank you for asking this question. Most common TAC cases that we have seen on Boot-from-SAN failures are due to misconfiguration.
  So our methodology is to verify configuration and troubleshoot from server to storage switches to storage array.
  Before diving into troubleshooting, make sure there is clear understanding of this topology. This is very vital with any troubleshooting scenario. Know what devices you have and how they are connected, how many paths are connected, Switch/NPV mode and so on.
  Always try to troubleshoot one path at a time and verify that the setup is in complaint with the SW/HW interop matrix tested by Cisco.
  Step 1: Check at server
  a. make sure to have uniform firmware version across all components of UCS
  b. Verify if VSAN is created and FC uplinks are configured correctly. VSANs/FCoE-vlan should be unique per fabric
  c. Verify at service profile level for configuration of vHBAs - vHBA per Fabric should have unique VSAN number
  Note down the WWPN of your vhba. This will be needed in step 2 for zoning on the SAN switch and step 3 for LUN masking on the storage array.
  d. verify if Boot Policy of the service profile is configured to Boot From SAN - the Boot Order and its parameters such as Lun ID and WWN are extremely important
  e. finally at UCS CLI - verify the flogi of vHBAs (for NPV mode, command is (from nxos) – show npv flogi-table)
  Step 2: Check at Storage Switch
  a. Verify the mode (by default UCS is in FC end-host mode, so storage switch has to be in NPIV mode; unless UCS is in FC Switch mode)
  b. Verify the switch port connecting to UCS is UP as an F-Port and is configured for correct VSAN
  c. Check if both the initiator (Server) and the target (Storage) are logged into the fabric switch (command for MDS/N5k - show flogi database vsan X)
  d. Once confirmed that initiator and target devices are logged into the fabric, query the name server to see if they have registered themselves correctly. (command - show fcns database vsan X)
  e. Most important configuration to check on Storage Switch is the zoning
  Zoning is basically access control for our initiator to  targets. Most common design is to configure one zone per initiator and target.
  Zoning will require you to configure a zone, put that zone into your current zonset, then ACTIVATE it. (command - show zoneset active vsan X)
  Step 3: Check at Storage Array
  When the Storage array logs into the SAN fabric, it queries the name server to see which devices it can communicate.
  LUN masking is crucial step on Storage Array which gives particular host (server) access to specific LUN
  Assuming that both the storage and initiator have FLOGI’d into the fabric and the zoning is correct (as per Step 1 & 2)
  Following needs to be verified at Storage Array level
  a. Are the wwpn of the initiators (vhba of the hosts) visible on the storage array?
  b. If above is yes then Is LUN Masking applied?
  c. What LUN number is presented to the host - this is the number that we see in Lun ID on the 'Boot Order' of Step 1
  Below document has details and troubleshooting outputs:
  http://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-b-series-blade-servers/115764-ucs-san-tshoot-00.html
  Hope this answers your question.
  Thanks,
  Vishal 

• Ask the Expert: Basic Introduction and Troubleshooting on Cisco Nexus 7000 NX-OS Virtual Device Context

  With Vignesh R. P.
  Welcome to the Cisco Support Community Ask the Expert conversation.This is an opportunity to learn and ask questions of Cisco expert Vignesh R. P. about the Cisco® Nexus 7000 Series Switches and support for the Cisco NX-OS Software platform .
  The Cisco® Nexus 7000 Series Switches introduce support for the Cisco NX-OS Software platform, a new class of operating system designed for data centers. Based on the Cisco MDS 9000 SAN-OS platform, Cisco NX-OS introduces support for virtual device contexts (VDCs), which allows the switches to be virtualized at the device level. Each configured VDC presents itself as a unique device to connected users within the framework of that physical switch. The VDC runs as a separate logical entity within the switch, maintaining its own unique set of running software processes, having its own configuration, and being managed by a separate administrator.
  Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
  Remember to use the rating system to let Vignesh know if you have received an adequate response. 
  Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Data Center sub-community discussion forum shortly after the event. This event lasts through through January 18, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Vignesh
  Is there is any limitation to connect a N2K directly to the N7K?
  if i have a an F2 card 10G and another F2 card 1G and i want to creat 3 VDC'S
  VDC1=DC-Core
  VDC2=Aggregation
  VDC3=Campus core
  do we need to add a link between the different VDC's
  thanks

• Ask the Expert: FSPF Concepts and Troubleshooting in Cisco SAN Environments

              With Upinder Sujlana
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about FSPF, VSAN interaction, load balancing, and troubleshooting with Upinder Sujlana.
  According to the FC-SW-2 standard, Fabric Shortest Path First (FSPF) is a link state path selection protocol. FSPF keeps track of the links on all switches in the fabric and associates a cost with each link. FSPF tracks the state of links on all switches in the fabric, associates a cost with each link in its database, and then chooses the path with a minimal cost. The cost associated with an interface can be administratively changed to implement the FSPF route selection. Upinder will discuss Cisco's implementation of FSPF.
  Upinder Sujlana is a customer support engineer for Cisco's SAN TAC team based in San Jose, CA. He has worked in the TAC for the past five years with a focus on WAN technologies (L2TP, T1, T3, SCE 2K, 8K) and data center technologies such as MDS; Cisco Nexus 7000, 5000, and 2000; FCoE; and FC. Prior to joining the TAC, Upinder was a Java client-side programmer for an NMS startup company and then transitioned to network testing for a cloud company. He holds a master's degree in electrical engineering from Santa Clara University and has CCIE certification (no. 37318) in routing and switching. These days he is enthusiastic about Python programming. 
  Remember to use the rating system to let Upinder know if you have received an adequate response. 
  Upinder might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in Data Center community,  sub-community, Storage Networking   discussion forum shortly after the event. This event lasts through March 14, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Evan,
  You can use my favorite command as below to find out the cost and check what path traffic will take. Here is a example :
  switch1# show fspf internal route vsan 2
  FSPF Unicast Routes
  VSAN     Number          Dest Domain          Route Cost          Next hops
  1                   0x01(1)                    1000                  fc1/2
  1                   0xEF(239)                  1000                  fc1/1
  1                   0xED(238)                  2000                  fc1/1
                                                                       fc1/2
  This shows the total cost of all links.
  The next hop (238) has two interfaces. This indicates that both paths will be used during load sharing. Up to sixteen paths can be used by FSPF with a Cisco MDS 9000 Family switch.
  http://www.cisco.com/en/US/products/ps5989/prod_troubleshooting_guide_chapter09186a008067a306.html#wp126591
  HTH,
  ~upinder

• Ask the Expert: Deployment and Troubleshooting Cisco Unified Contact Center Express (UCCX) Deployments

  With Anirudh Ramachandran  and Abhiram Kramadhati 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the latest advancements in Cisco UCCX (such as the integration of Cisco Social Miner to provide agent chat and better reporting using the Cisco Unified Intelligence Center), as well as the existing features of Historical Reporting, custom reporting using the historical database, Agent Email services, JTAPI integration with CUCM, and the HA over WAN cluster mechanism.
  Anirudh Ramachandran is a customer support engineer at the Cisco Backbone Technical Assistance Center in Bangalore, India. Working in the Asia-Pacific time zone for the last two years, he focuses on Cisco Unified Contact Center Express issues and specializes in Linux, JTAPI/CTI integration, and UCCX system and database issues. He holds the CCNP Voice and UCCX Specialist certifications, and is also a Red Hat Certified Engineer. Anirudh writes tools and automates bug workarounds for UCCX in addition to working on TAC service requests, and currently has authored and co-authored seven such tools. Anirudh graduated from the National Institute of Technology Karnataka with a Bachelor of Technology in Computer Engineering.
  Abhiram Kramadhati is an engineer with the Contact Center Backbone team in the Asia Pacific timezone. He has been working with UCCX since he started with Cisco 2 years ago. During his time at Cisco, he has built his expertise around UCCX Telephony applications, JTAPI integration, UCCX system behaviour, LDAP components and also UCCX as IPIVR in UCCE environments. He also works on other technologies including Unified Communications Manager and UCCE. He has been involved in many technical escalations in the region. Abhiram is a Telecommunications engineer from Bangalore, India.
  Remember to use the rating system to let Anirudh and Abhiram know if you have received an adequate response. 
  They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice and Video Contact Center subcommunity discussion forum shortly after the event. This event lasts through May 3, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Anthony,
  Thanks for the question.
  This is an interesting requirement, since the UCCX trigger's configuration is translated only to the Call Forward Busy External setting on the CUCM.
  Trigger creation:
  144768: Apr 22 21:54:23.789 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet.updateNewTrigger() - Creating a new Trigger :1234
  144876: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet routePoint = 1234
  144877: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet description = testt
  144878: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet deviceName = testt
  144879: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet devicePool = {1B1B9EB6-7803-11D3-BDF0-00108302EAD1}
  144880: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet devicePoolName = Default
  144881: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet callingSearchSpace =
  144882: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet callingSearchSpaceName = None
  144883: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet redirectCSS = default
  144884: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet location = {29C5C1C4-8871-4D1E-8394-0B9181E8C54D}
  144885: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet locationName = Hub_None
  144886: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet partition =
  144887: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet partitionName = None
  144888: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet voiceMailProfile =
  144889: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet voiceMailProfileName = None
  144890: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet forwardBusyVM =
  144891: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet forwardBusyDestination =
  144892: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet forwardBusyCSS =
  144893: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet forwardBusyCSSName = None
  144953: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-569.CCMLineSOAPAdmin: try makeRequest() on AXL: 10.106.113.142, AXLUser: axl, AXLPassword: XXXXXX
  144954: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:CCMVersionSOAPAdmin.getAXLVersion():7.1
  144955: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-569.CCMLineSOAPAdmin: makeRequest() - Start REQUEST ====================
  144956: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:POST /axl/ HTTP/1.1
  Connection: keep-alive
  Host: 10.106.113.142:8443
  Authorization: Basic YXhsOmF4bA==
  SOAPAction: "CUCM:DB ver=7.1"
  Accept: text/*
  Content-type: text/xml; charset="utf-8"
  Cache-Control: no-cache
  Pragma: no-cache
  Content-length: 440
  http://schemas.xmlsoap.org/soap/envelope/">MADM_5691234CRS Line descriptionCallPark
  144957: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-569.CCMLineSOAPAdmin: makeRequest() - End REQUEST ==================
  144958: Apr 22 21:54:23.914 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-569.CCMLineSOAPAdmin: getSocket: MADM_LIB_AXL_AXL_SOCKET_POOL-0-79[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=10.106.113.142,port=8443,localport=44913]]
  144987: Apr 22 21:54:24.195 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-570.CCMCTIRoutePointSOAPAdmin: makeRequest() - Start REQUEST ====================
  144988: Apr 22 21:54:24.195 IST %MADM-LIB_AXL-7-UNK:POST /axl/ HTTP/1.1
  Connection: keep-alive
  Host: 10.106.113.142:8443
  Authorization: Basic YXhsOmF4bA==
  SOAPAction: "CUCM:DB ver=7.1"
  Accept: text/*
  Content-type: text/xml; charset="utf-8"
  Cache-Control: no-cache
  Pragma: no-cache
  Content-length: 839
  http://schemas.xmlsoap.org/soap/envelope/">MADM_570testttesttCTI Route PointCTI Route PointCTI Route PointSCCPUserRing1000010000
  144989: Apr 22 21:54:24.195 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-570.CCMCTIRoutePointSOAPAdmin: makeRequest() - End REQUEST ==================
  145014: Apr 22 21:54:24.647 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerUtil.createRPAndLineOnCCM() - CTI RP created.
  145015: Apr 22 21:54:24.647 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerUtil.createRPAndLineOnCCM() - Created a Route Point = 1234
  As you would aready know, the UCCX will send an AXL request (within the SOAP envelope) to the CUCM to create this RP. Looking at the existing code, there does not seem to be a method where we are differentiating between CFB_internal and CFB_external while sending this request.
  We have taken this as an enhancement request and also spoken to the business unit about the same. It has been added to the roadmap, we will reach out to you offline to understand the business case so that the process can be expedited if needed.
  Keep the questions coming
  Cheers,
  Abhiram Kramadhati

• Ask the Experts: Understanding Cisco ASR 9000 Series Aggregation Services Routers Platform Architecture and Packet Forwarding Troubleshooting

  With Xander Thuijs
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to Cisco ASR 9000 Series Aggregation Services Routers with Cisco expert Xander Thuijs. The Cisco ASR 9000 Series Aggregation Services Routers product family offers a significant added value compared to the prior generations of carrier Ethernet routing offerings. The Cisco ASR 9000 Series is an operationally simple, future-optimized platform using next-generation hardware and software. The ASR 9000 platform family is composed of the Cisco ASR 9010 Router, the Cisco ASR 9006 Router, the Cisco ASR 9922 Router, Cisco ASR 9001 Router and the Cisco ASR 9000v Router.
  This is a continuation of the live Webcast.
  Xander Thuijs is a principal engineer for the Cisco ASR 9000 Series and Cisco IOS-XR product family at Cisco. He is an expert and advisor in many technology areas, including IP routing, WAN, WAN switching, MPLS, multicast, BNG, ISDN, VoIP, Carrier Ethernet, System Architecture, network design and many others. He has more than 20 years of industry experience in carrier Ethernet, carrier routing, and network access technologies. Xander  holds a dual CCIE certification (number 6775) in service provider and voice technologies. He has a master of science degree in electrical engineering from Hogeschool van University in Amsterdam.
  Remember to use the rating system to let Xander know if you have received an adequate response.
  Xander might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Service Providers community XR OS And Platforms  shortly after the event. This event lasts through Friday, May 24, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast  related links:
  Slides
  Webcast  Video Recording
  FAQ

  Is there a Cisco lab available for ASR 9000
  we have "XR4U" stations coming available soon when XR 511 comes alive. The plan is for a downloadable play image like that. In the interim we have 2 demo systems available, and they can be booked via your account manager representative.
  How will MOD160 perform with multiple 9000NVS?
  very well. the mod 160 has 4 NPU's, 2 per bay. So if you have a 4x10 MPA to serve a satellite, you effectively have a single NPU per 20 1Gigs from the satellite. The pps performance will be stellar. However it might be price technically more ideal to connect satellite with a 36x10. Since the MOD-x has native MPA's with 1G also.
       2. Is there a shortcut for a Bundle-EthernetX interface, such as port-channel interface (poX), in Cisco IOS® ?.
  usability enhancement is there, we are trying to push this into a new reasonable release. follow CSCuh04526
       3. What  is the revolutions per minute (RPM) on these hard disk drives (HDDs)  compared to the solid state drives (SDDs)? Will the spinning drives be  slow?
  depends on the type we had avaialble at time of production, you will see different sizes and disks on the RSP2. the rpm of the HD is not so much an issue as much as the buffered writing we used to do in XR. This is fixed up with XR43 where the disk writing performance is much better. the HD/SDD is used for logging storage only (and maybe your pictures) but other then that we're not that concerned with write perf of the HD.
  regards
  xander

• Ask the Expert: One Management with Prime Infrastructure 1.2

  With Tejas Shah
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions from Cisco expert Tejas Shah on One Management with Prime Infrastructure 1.2 Combining the wireless functionality of Cisco Prime Network Control System (NCS) with the wired functionality of Cisco Prime LAN Management Solution (LMS),  Cisco Prime Infrastructure simplifies and automates many of the day-to-day tasks associated with maintaining and managing the end-to-end network infrastructure from a single pane of glass. The new converged solution delivers all of the existing wireless capabilities for RF management, user access visibility, reporting, and troubleshooting along with wired lifecycle functions such as discovery, inventory, configuration and image management, automated deployment, compliance reporting, integrated best practices, and reporting.
  Tejas Shah is a senior technical marketing engineer for Cisco Prime Infrastructure and Collaboration products. He has deployed Cisco Prime Collaboration Manager at various customer sites to help customers monitor and troubleshoot their video infrastructure. In addition, he is part of the Network Operations Center team at Cisco Live events for six years. Shah joined Cisco in 1995 and was in the Technical Assistance Center team supporting various network management system products for more than six years.
  Remember to use the rating system to let Tejas know if you have received an adequate response. 
  Tejas might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless Mobility sub-community discussion forum shortly after the event. This event lasts through Sept 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  Raun, please see my responses inline:
  Can you go over the licensing method with Prime Infrastructure 1.2 please? 
  Raun, you can check out the following link for ordering guide at
  http://www.cisco.com/en/US/products/ps12239/products_data_sheets_list.html
  I currently have NCS and do NOT currently have LMS.  I know I can move to Prime Infrastructure through Cisco Product Upgrade Tool.  However, what I am confused about is do I still have to buy LMS to have LMS functionality in Prime Infrastructure 1.2? 
  ==> Not at all.  The converged product will give you basic management capability for routers and switches that LMS provided in this release.   Feature/Functionality will keep on growing with upcoming releases.
  If not, do the licenses I transfer into Prime Infrastructure 1.2 from NCS also work for devices to work under LMS? 
  ==> Licensing is different than NCS or LMS.  You don't have to transfer the license.  Each install of Prime Infrastructure will have a unique UID string on which the licenses are based.  A new license will be applied to the product.
  Mean, can my currently 350 licenses be used for AP's as in NCS and routers in the LMS portion of Prime Infrastructure 1.2?
  ==> I would recommend getting a total count of your wired and wireless devices and match the right SKU based on that.
  Hope this helps.. Let me know if you have any further questions,
  Tejas

• Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

  Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
  Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
  For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
  Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
  Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
  Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Marcelo,
     Yes, there are some requirements for certificates in Expressway.
  Expressway Core (Exp-C)
  - Can be signed by either External or Internal CA
  - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
  - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
  - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
  - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
  - For TLS b/w CUCM, IM-P & Exp-C
    + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
    + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
    + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
    + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
  Expressway Edge (Exp-E)
  - Signed by External CA
  - Configured Unified Communications domain as Subject Alternate Name
  - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
  - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
  For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
  http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
  - Aashish