Ask the Expert: FlexVPN and Internet Key Exchange Version 2 (IKEv2)

Similar Messages

• Ask the Expert: Configuration and Troubleshooting the Cisco Application Control Engine (ACE) load balancer

  With Ajay Kumar and Telmo Pereira 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco expert Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module: Helps ensure business continuity by increasing application availability Improves business productivity by accelerating application and server performance Reduces data center power, space, and cooling needs through a virtualized architecture Helps lower operational costs associated with application provisioning and scaling
  Ajay Kumar  is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications. 
  Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP
  Remember to use the rating system to let Ajay know if you have received an adequate response.
  Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
  This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hello Krzysztof,
  Another set of good/interesting questions posted. Thanks! 
  I will try to clarify your doubts.
  In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
  ACE/Context# show resource usage
                                                       Allocation
          Resource         Current       Peak        Min        Max       Denied
  -- outputs omitted for brevity --
    proxy-connections             0      16358      16358      16358      17872
    ssl-connections rate          0        626        626        626      23204
  Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
  On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
  So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
  ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource. 
  For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
  If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
  This might sound a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, specially if you have business critical contexts.
  We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
  1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE  should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
  To give more context, seeing resets with SSL connections is not necessarily synonym of drops. As it is usual to see them during normal transactions.
  For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users. 
  2)  ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Exisiting connections will continue there.
  As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
  To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
  As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
  3)  If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
  The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
  I hope this makes things clearer! Uff...
  Regards,
  Telmo

• Ask the Expert: Deployment and Troubleshooting Cisco Unified Contact Center Express (UCCX) Deployments

  With Anirudh Ramachandran  and Abhiram Kramadhati 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the latest advancements in Cisco UCCX (such as the integration of Cisco Social Miner to provide agent chat and better reporting using the Cisco Unified Intelligence Center), as well as the existing features of Historical Reporting, custom reporting using the historical database, Agent Email services, JTAPI integration with CUCM, and the HA over WAN cluster mechanism.
  Anirudh Ramachandran is a customer support engineer at the Cisco Backbone Technical Assistance Center in Bangalore, India. Working in the Asia-Pacific time zone for the last two years, he focuses on Cisco Unified Contact Center Express issues and specializes in Linux, JTAPI/CTI integration, and UCCX system and database issues. He holds the CCNP Voice and UCCX Specialist certifications, and is also a Red Hat Certified Engineer. Anirudh writes tools and automates bug workarounds for UCCX in addition to working on TAC service requests, and currently has authored and co-authored seven such tools. Anirudh graduated from the National Institute of Technology Karnataka with a Bachelor of Technology in Computer Engineering.
  Abhiram Kramadhati is an engineer with the Contact Center Backbone team in the Asia Pacific timezone. He has been working with UCCX since he started with Cisco 2 years ago. During his time at Cisco, he has built his expertise around UCCX Telephony applications, JTAPI integration, UCCX system behaviour, LDAP components and also UCCX as IPIVR in UCCE environments. He also works on other technologies including Unified Communications Manager and UCCE. He has been involved in many technical escalations in the region. Abhiram is a Telecommunications engineer from Bangalore, India.
  Remember to use the rating system to let Anirudh and Abhiram know if you have received an adequate response. 
  They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice and Video Contact Center subcommunity discussion forum shortly after the event. This event lasts through May 3, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Anthony,
  Thanks for the question.
  This is an interesting requirement, since the UCCX trigger's configuration is translated only to the Call Forward Busy External setting on the CUCM.
  Trigger creation:
  144768: Apr 22 21:54:23.789 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet.updateNewTrigger() - Creating a new Trigger :1234
  144876: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet routePoint = 1234
  144877: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet description = testt
  144878: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet deviceName = testt
  144879: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet devicePool = {1B1B9EB6-7803-11D3-BDF0-00108302EAD1}
  144880: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet devicePoolName = Default
  144881: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet callingSearchSpace =
  144882: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet callingSearchSpaceName = None
  144883: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet redirectCSS = default
  144884: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet location = {29C5C1C4-8871-4D1E-8394-0B9181E8C54D}
  144885: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet locationName = Hub_None
  144886: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet partition =
  144887: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet partitionName = None
  144888: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet voiceMailProfile =
  144889: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet voiceMailProfileName = None
  144890: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet forwardBusyVM =
  144891: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet forwardBusyDestination =
  144892: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet forwardBusyCSS =
  144893: Apr 22 21:54:23.884 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerServlet forwardBusyCSSName = None
  144953: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-569.CCMLineSOAPAdmin: try makeRequest() on AXL: 10.106.113.142, AXLUser: axl, AXLPassword: XXXXXX
  144954: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:CCMVersionSOAPAdmin.getAXLVersion():7.1
  144955: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-569.CCMLineSOAPAdmin: makeRequest() - Start REQUEST ====================
  144956: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:POST /axl/ HTTP/1.1
  Connection: keep-alive
  Host: 10.106.113.142:8443
  Authorization: Basic YXhsOmF4bA==
  SOAPAction: "CUCM:DB ver=7.1"
  Accept: text/*
  Content-type: text/xml; charset="utf-8"
  Cache-Control: no-cache
  Pragma: no-cache
  Content-length: 440
  http://schemas.xmlsoap.org/soap/envelope/">MADM_5691234CRS Line descriptionCallPark
  144957: Apr 22 21:54:23.913 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-569.CCMLineSOAPAdmin: makeRequest() - End REQUEST ==================
  144958: Apr 22 21:54:23.914 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-569.CCMLineSOAPAdmin: getSocket: MADM_LIB_AXL_AXL_SOCKET_POOL-0-79[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=10.106.113.142,port=8443,localport=44913]]
  144987: Apr 22 21:54:24.195 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-570.CCMCTIRoutePointSOAPAdmin: makeRequest() - Start REQUEST ====================
  144988: Apr 22 21:54:24.195 IST %MADM-LIB_AXL-7-UNK:POST /axl/ HTTP/1.1
  Connection: keep-alive
  Host: 10.106.113.142:8443
  Authorization: Basic YXhsOmF4bA==
  SOAPAction: "CUCM:DB ver=7.1"
  Accept: text/*
  Content-type: text/xml; charset="utf-8"
  Cache-Control: no-cache
  Pragma: no-cache
  Content-length: 839
  http://schemas.xmlsoap.org/soap/envelope/">MADM_570testttesttCTI Route PointCTI Route PointCTI Route PointSCCPUserRing1000010000
  144989: Apr 22 21:54:24.195 IST %MADM-LIB_AXL-7-UNK:AXL-ExecutionCmd-570.CCMCTIRoutePointSOAPAdmin: makeRequest() - End REQUEST ==================
  145014: Apr 22 21:54:24.647 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerUtil.createRPAndLineOnCCM() - CTI RP created.
  145015: Apr 22 21:54:24.647 IST %MADM-ADM_CFG-7-UNK:JTAPITriggerUtil.createRPAndLineOnCCM() - Created a Route Point = 1234
  As you would aready know, the UCCX will send an AXL request (within the SOAP envelope) to the CUCM to create this RP. Looking at the existing code, there does not seem to be a method where we are differentiating between CFB_internal and CFB_external while sending this request.
  We have taken this as an enhancement request and also spoken to the business unit about the same. It has been added to the roadmap, we will reach out to you offline to understand the business case so that the process can be expedited if needed.
  Keep the questions coming
  Cheers,
  Abhiram Kramadhati

• Ask the Expert: Cisco UCS B-Series Latest Version New Features

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Cisco UCS Manager 2.2(1) release, which delivers several important features and major enhancements in the fabric, compute, and operational areas. Some of these features include fabric scaling, VLANs, VIFs, IGMP groups, network endpoints, unidirectional link detection (UDLD) support, support for virtual machine queue (VMQ), direct connect C-Series to FI without FEX, direct KVM access, and several other features.
  Teclus Dsouza is a customer support engineer from the Server Virtualization team at the Cisco Technical Assistance Center in Bangalore, India. He has over 15 years of total IT experience. He has worked across different technologies and a wide range of data center products. He is an expert in Cisco Nexus 1000V and Cisco UCS products. He has more than 6 years of experience on VMware virtualization products.  
  Chetan Parik is a customer support engineer from the Server Virtualization team at the Cisco Technical Assistance Center in Bangalore, India. He has seven years of total experience. He has worked on a wide range of Cisco data center products such as Cisco UCS and Cisco Nexus 1000V. He also has five years of experience on VMware virtualization products.
  Remember to use the rating system to let Teclus and Chetan know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation in the Data Center community, under subcommunity Unified Computing, shortly after the event. This event lasts through May 9, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Jackson,
  Yes its is possible.    Connect the storage array to the fabric interconnects using two 10GB links per storage processor.  Connect each SP to both fabric interconnects and configure the ports on the fabric interconnect as “Appliance” ports from UCSM
  For more information on how to connect Netapp storage using other protocols like iSCSI or FCOE  please check the url below.
  http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-6100-series-fabric-interconnects/whitepaper_c11-702584.html
  Regards
  Teclus Dsouza

• Thanks for the HP "ASK THE EXPERTS"

  I have to say it was wonderful to have the opportunity to ask the experts questions and to have them promptly addressed. My question, for example, received not one helpful response, not two, or even three, but absolutely NOT AT ALL. It was so wonderful to get such attention and help.

  Welcome to the HP Consumer Support Community. This is a peer-to-peer community for customers to connect and share solutions regarding their HP products. If you have additional or direct feedback for HP about their products or services, please use the link below.
  http://welcome.hp.com/country/us/en/wwcontact_us.html
  Or, you may have a better response at the forums for business support, if you'd like to give them a try:
  http://h30499.www3.hp.com/t5/Business-Support-Forums/ct-p/business-support
  If you have other questions and concerns, please feel free to send me a private message.
  Thank you.
  Clicking the "Kudos star" to the left is a great way to say thanks!
  When your problem has been solved, accept the solution by clicking the "Accept as Solution" button to help other members in the future!
  Rules of Participation

• Ask the Experts: Single Sign-On with Cisco WebEx Meetings Server, Internet Reverse Proxy, and Enterprise License Manager Solutions

  With Arun Kumar
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
  SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
  IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
  Example question topics include:
  SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
  Basic configuration of IdPs
  Interaction between IdPs and Cisco WMS
  Difference between the cloud client implementation and Cisco WMS
  Meeting access behavior in a split-horizon network topology with SSO
  How to enable public access to Cisco WMS
  Cisco WMS ELM operations
  Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/inoperability between them
  Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
  Remember to use the rating system to let Arun know if you have received an adequate response.
  Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Mobile Service,
  CWMS and Jabber integrations:
  http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
  In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
  then move to section: Add Cisco WebEx Meetings Server to a Profile
  Once done, move to section: Specify Conferencing Credentials in the Client side. You will see above server already listed there, just go ahead and enter your username and password (pleae make sure this user already exists on your CWMS) and accept any certificate/s if presented. Jabber Integration is done and you can start testing the same.
  Attached CWMS - AFDS integration doc.
  Please let me know if any furhter question.
  Thanks, Arun

• Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
  October 27, 2014 through November 7, 2014.
  The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
  Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
  Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
  Remember to use the rating system to let Craig know if you have received an adequate response.
  Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
  (Comments are now closed)

  1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
  2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
  a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
  b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
  For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
  Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
  If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy.  If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
  A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
  Regarding AD multi-domain support...
  Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
  Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
  When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
  In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
  Regards,
  Craig

• Ask the Experts: IOS-XR Fundamentals and Architecture

  Welcome to the Cisco Support Community Ask the Expert conversation. 
  Learn and ask questions about IOS-XR Fundamentals and Architecture.
  November 18, 2014 through November 28, 2014.
  Cisco IOS XR Software is a modular and fully distributed network operating system for service provider networks. Cisco IOS XR creates a highly available, highly secure routing platform.
  It distributes processes across the control, data, and management planes with their own access controls and delivers routing-system scalability, service isolation, and manageability.
  This is a Q&A extension of the Live expert Webcast.
  Cisco subject matter experts Sudeep, Raj, and Sudhir, will focus on IOS-XR fundamentals.
  Including:-
  High-Level Overview of Cisco IOS XR
  Cisco IOS XR Infrastructure
  Configuration Management
  Cisco IOS XR Monitoring and Operations
  Cisco IOS XR Security
  Introduction to different IOS-XR platforms
  Sudeep Valengattil is a customer support engineer in High-Touch Technical Services at Cisco specializing in service provider technologies and platforms. Sudeep has got experience on XR platform like ASR9000, CRS, NCS and GSR. Sudeep has more than 9 years of experience in the IT industry and holds CCIE certification (36098) in Service provider.
  Sudhir Kumar is a customer support engineer in High-Touch Technical Services at Cisco specializing in service provider technologies and platforms. His areas of expertise include Cisco CRS, ASR 9K and Cisco XR 12000 Series Routers. Sudhir has more than 10 years of experience in the IT industry and holds CCIE certification (35219) in Service provider and Routing and switching.
  Raj Pathak is a customer support engineer in High-Touch Technical Services at Cisco specializing in service provider technologies and platforms. He serves as a support engineer for technical issues supporting Cisco IOS XR Software customers on Cisco CRS and Cisco XR 12000 Series Routers. Raj has more than 8 years of experience in the IT industry and holds CCIE certification (38760) in routing and switching.
  For more information about this topic, visit the Expert Corner > Knowledge Sharing
  Remember to use the rating system to let the experts know if you have received an adequate response.

  Hi Charles,
  To answer your question,
  LPTS would be acting only on packet/traffic which is ingressing the router and destined for the router itself (for-us packets).  It provides an internal forwarding table to route control/management protocol packets destined to local router to the right application for further processing.  Once we have a packet entering the interface, the network processor would be performing a lookup to determine, if this packet is destined for us.  Based on which, it will forward to LPTS.  For eg, the ICMP packets coming in on an interface with destination IP of router itself, would be processed by LPTS.  It also provides policing function for this traffic transparently.
  Key facts about LPTS
  1. LPTS is an always on feature.  No user configuration needed to enable it.
  2. LPTS is only applicable for traffic entring to the router and destined to the local router. Applies for control-plane and management plane traffic.
  3. Packets originated by router and transit traffic is not processed by LPTS
  4. LPTS polices the incoming traffic based on the pre-defined policer rates.
  Here is an o/p snip to view the LPTS entries.
  RP/0/RP0/CPU0:CRS-C#sh lpts pifib hard police loc 0/0/cpu0
  Tue Nov 25 23:32:10.666 EDT
  Node 0/0/CPU0:
  Burst = 100ms for all flow types
  FlowType Policer Type Cur. Rate Def. Rate Accepted Dropped
  unconfigured-default 100 Static 500 500 0 0
  L2TPv2-fragment 185 Static 700 700 0 0
  Fragment 106 Static 1000 1000 0 0
  OSPF-mc-known 107 Static 20000 20000 44818 0
  OSPF-mc-default 111 Static 5000 5000 11366 0
  Do let us know if you have any further queries.
  Regards,
  Sudeep Valengattil

• Ask the Expert: Identity Services Engine - 802.1x, Identity Management and BYOD

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Identity Service Engine (ISE) with subject matter expert Nicolas Darchis.
  Cisco Identity Service Engine is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. It is primarily used to provide secure access and guest access, support BYOD initiatives, and enforce usage policies in conjunction with Cisco TrustSec. 
  Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, since 2007. He also focuses on filing technical and documentation bugs. Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification (no. 25344).
  Remember to use the rating system to let Nicolas know if you have received an adequate response.
  Because of the volume expected during this event, our expert might not be able to answer every question. Remember that you can continue the conversation in the Security community under subcommunity AAA, Identity, and NAC shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi.
  1) It is not "ISE loses the credentials and asks for web portal again". Once a user is authenticated, it is authenticated as long as it stays connected. Possibilities are :
  -You are returning a session timeout (attribute radius 27) in the authz profile of the user. Therefore user has to reauthenticate after X seconds. But you would see a pattern, then.
  -Over wireless, many clients are not capable of doing fast roaming (smartphones is the biggest example) and will therefore reauthenticate with dot1x everytime they roam. A small coverage hole would be enough for the cached credentials to disappear and web portal to show up again
  -Over wired, this cannot really occur but the idea is that it's probably the switch resetting the connection and contacting ISE again. The idea to troubleshoot this is to monitor the access device (WLC/switch) and check if the port goes up/down, if the MAB session gets reset or something and why.
  2) The captive bypass issue is that Apple devices will probe apple.com website to check if there is internet connectivity. If they can reach it, then fine, if they sense that they are redirected, they open a small window pop up with the login portal. The problem (and I still cannot understand why) is that this is not Safari, it's some nameless feature-less browser that doesn't work properly.
  By enabling the captive bypass feature, the WLC intercepts the requests to the Apple testpage and replies with HTTP OK. The apple device then thinks "ok I have internet connectivity" and it's up to the user to bring up a real browser to login to the portal page.
  It therefore does not affect non-Apple device to have the feature enabled.
  The problem is that in IOS 7.x, Apple decided to not just use Apple.com anymore but a whole list of testpages on different websites.
  3) "whether it would solve the issue if I added certificate authentication as a secondary option, with eap-tls as the primary"
  => This is disturbing because EAP-TLS is a certificate authentication method. But ISE message seems to imply that the user is hitting an authnetication rule that only provides PEAP or EAP-FAST with mschap or something similar ...
  If you have the windows default supplicant you have close to no control on what the client will submit. I can imagine that moving from wired to wireless, the laptop would sometimes try to send password instead of certificate and/or vice-versa. Anyconnect with fixed network profiles would solve the problem elegantly.
  I cannot comment on your auth policies as I do not know them :-)
  Regards,
  Nicolas

• Ask the Expert: Installation, Operation, and Troubleshooting of RF Gateway 1 (RFGW1)

  With Ron Hanson
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions from Cisco expert Ron Hanson about the RF Gateway 1 (RFGW1) including installation, operation, configuration, and troubleshooting.
  Ron Hanson is a customer support engineer in the Technical Assistance Center, where he supports major RF Gateway 1 customers as part of the Service Providers Video team. He started working with the RF Gateway before its general release in 2008, and worked in the field on large Gateway deployments before joining product support. Hanson has been in the cable TV industry for 38 years. He previously spent 22 years at Scientific-Atlanta, which was acquired by Cisco in 2007. He holds two joint patents and is certified as a Cisco Optical Specialist. 
  Remember to use the rating system to let Ron know if you have received an adequate response. 
  Ron might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider sub-community discussion forum shortly after the event. This event lasts through Sept 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi John,
  Thanks for your reply.  The process of moving a license to another gateway can be done by the customer on the web site named HESULE  https://online.sciatl.com/license-it/.  You will need the HOST ID which can be found on the SYSTEM/License management tab. The HOST ID is essentially the 7 digit serial number with all leading zeros removed.
  Be sure to use Firefox when logging in.  Entering your email is important because the new license will be sent back to this address.
  In the License management tab, on the gateway you wish to remove the license from, record the 32 digit validation key number to the right of the license you wish to transfer.
  Go to HESULE and start the transfer process.  Hesule is very secure - therfore you must "prove" to Hesule the license has been removed from the first chassis.  Hesule will issue you a new license with the license you wish to transfer removed.  When you load this new license and new validation key will come up on the screen.  Go back to Hesule and enter this key to prove the license has been removed.  Hesule will then email you another new license containing the license you are transfering. Load this license on the new RFGW1 and the process is complete.
  Yes I understand I said a lot.  However, the process is described step by step on the Hesule site.
  If you have any problems do not hesitate to contact me.
  Thank you   RON HANSON

• Ask the Expert: Architecting your Collaboration Solution with Social and Video

  With Gebran Chahrouri
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about ways that Enterprise Social and Video are woven into traditional Voice solutions and Architectures  with Cisco expert Gebran Chahrouri. Extend your Cisco collaboration architecture to reach into Cloud and/or on premise Cisco WebEx Social and TelePresence offerings. Gebran will be answering any questions about architecting a current solution or devising a roadmap to take your collaboration deployment to the next level.
  Gebran Chahrouri is a principal engineer and architect for the WebEx Social product with a focus on scalability. Since joining Cisco in 1998 he has held engineering leadership and software management positions on products including Customer Contact, Cisco IPICS, and the Cisco TelePresence Exchange service. Chahrouri has nearly 30 years of experience in architecting, managing, and developing software products at Cisco, ROLM, IBM, Siemens, and Aspect. He holds a master's degree in electrical and computer engineering from the University of Michigan and has over 20 patents filed by the U.S. Patent Office.
  Remember to use the rating system to let Gebran  know if you have received an adequate response. 
  Gebran might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice and Video sub-community discussion forum shortly after the event.This event lasts through February 22, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Jason,
  Thanks for your question.
  WebEx Social combines the power of social networking, content creation, and real-time communications. Employees can quickly connect with people, communities and information they need to get work done.
  The product tour video (http://www.cisco.com/en/US/prod/collateral/ps10680/vds_cQuad_prodTour.html) featured at http://www.cisco.com/web/products/quad/index.html gives a really good overview of the product.
  If you prefer a document to read I recommend http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps556/case_study_c36-706800_ps10668_Products_Case_Study.html
  I would be happy to answer any further questions.
  - Gebran

• Ask the Expert: Different Flavors and Design with vPC on Cisco Nexus 5000 Series Switches

  Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about Cisco® NX-OS.
  The biggest limitation to a classic port channel communication is that the port channel operates only between two devices. To overcome this limitation, Cisco NX-OS has a technology called virtual port channel (vPC). A pair of switches acting as a vPC peer endpoint looks like a single logical entity to port channel attached devices. The two devices that act as the logical port channel endpoint are actually two separate devices. This setup has the benefits of hardware redundancy combined with the benefits offered by a port channel, for example, loop management.
  vPC technology is the main factor for success of Cisco Nexus® data center switches such as the Cisco Nexus 5000 Series, Nexus 7000 Series, and Nexus 2000 Series Switches.
  This event is focused on discussing all possible types of vPC along-with best practices, failure scenarios, Cisco Technical Assistance Center (TAC) recommendations and troubleshooting
  Vishal Mehta is a customer support engineer for the Cisco Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in TAC for the past 3 years with a primary focus on data center technologies, such as the Cisco Nexus 5000 Series Switches, Cisco Unified Computing System™ (Cisco UCS®), Cisco Nexus 1000V Switch, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching, and service provider.
  Nimit Pathak is a customer support engineer for the Cisco Data Center Server Virtualization TAC team based in San Jose, California, with primary focus on data center technologies, such as Cisco UCS, the Cisco Nexus 1000v Switch, and virtualization. Nimit holds a master's degree in electrical engineering from Bridgeport University, has CCNA® and CCNP® Nimit is also working on a Cisco data center CCIE® certification While also pursuing an MBA degree from Santa Clara University.
  Remember to use the rating system to let Vishal and Nimit know if you have received an adequate response. 
  Because of the volume expected during this event, Vishal and Nimit might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure Community, under the subcommunity LAN, Switching & Routing, shortly after the event. This event lasts through August 29, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Gustavo
  Please see my responses to your questions:
  Yes almost all routing protocols use Multicast to establish adjacencies. We are dealing with two different type of traffic –Control Plane and Data Plane.
  Control Plane: To establish Routing adjacency, the first packet (hello) is punted to CPU. So in the case of triangle routed VPC topology as specified on the Operations Guide Link, multicast for routing adjacencies will work. The hellos packets will be exchanged across all 3 routers and adjacency will be formed over VPC links
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_L3_w_vpc_5500platform.html#wp999181
  Now for Data Plane we have two types of traffic – Unicast and Multicast.
  The Unicast traffic will not have any forwarding issues, but because the Layer 3 ECMP and port channel run independent hash calculations there is a possibility that when the Layer 3 ECMP chooses N5k-1 as the Layer 3 next hop for a destination address while the port channel hashing chooses the physical link toward N5k-2. In this scenario,N5k-2 receives packets from R with the N5k-1 MAC as the destination MAC.
  Sending traffic over the peer-link to the correct gateway is acceptable for data forwarding, but it is suboptimal because it makes traffic cross the peer link when the traffic could be routed directly.
  For that topology, Multicast Traffic might have complete traffic loss due to the fact that when a PIM router is connected to Cisco Nexus 5500 Platform switches in a vPC topology, the PIM join messages are received only by one switch. The multicast data might be received by the other switch.
  The Loop avoidance works little different across Nexus 5000 and Nexus 7000.
  Similarity: For both products, loop avoidance is possible due to VSL bit
  The VSL bit is set in the DBUS header internal to the Nexus.
  It is not something that is set in the ethernet packet that can be identified. The VSL bit is set on the port asic for the port used for the vPC peer link, so if you have Nexus A and Nexus B configured for vPC and a packet leaves Nexus A towards Nexus B, Nexus B will set the VSL bit on the ingress port ASIC. This is not something that would traverse the peer link.
  This mechanism is used for loop prevention within the chassis.
  The idea being that if the port came in the peer link from the vPC peer, the system makes the assumption that the vPC peer would have forwarded this packet out the vPC-enabled port-channels towards the end device, so the egress vpc interface's port-asic will filter the packet on egress.
  Differences:  In Nexus 5000 when it has to do L3-to-L2 lookup for forwarding traffic, the VSL bit is cleared and so the traffic is not dropped as compared to Nexus 7000 and Nexus 3000.
  It still does loop prevention but the L3-to-L2 lookup is different in Nexus 5000 and Nexus 7000.
  For more details please see below presentation:
  https://supportforums.cisco.com/sites/default/files/session_14-_nexus.pdf
  DCI Scenario:  If 2 pairs are of Nexus 5000 then separation of L3/L2 links is not needed.
  But in most scenarios I have seen pair of Nexus 5000 with pair of Nexus 7000 over DCI or 2 pairs of Nexus 7000 over DCI. If Nexus 7000 are used then L3 and L2 links are required for sure as mentioned on above presentation link.
  Let us know if you have further questions.
  Thanks,
  Vishal

• Ask-The-Expert (ATE) Questions and Demos

  You can quickly access many of the answers and demos held during our Support Model for the Channel and Their Customers Ask the Expert (ATE) session for the Business ByDesign version of FP2.6
  You can access the demo recording here; https://sap.na.pgiconnect.com/p10867840/
  Below is a time stamp (MM:SS) of the start of a question or key topic during the session.
  05:15 u2013 what are the different ways to request support and creating incidents in the system during an implementation project ?
  8:45 u2013 How to create a support incident when the Business ByDesign system is down?
  11:20 - What is the role of a key user in ByD and to get to get access as a Key User in Business ByDesign?
  13:50 u2013 Demonstration u2013 How to log a new incident in ByD?
  15:43 u2013 who dies the user gets notified if there is any issue in the system with automatic job runs ex: if the Invoice run fails?
  21:40 u2013 How to take over an incident and forward it to support in ByD?
  33:50 u2013 what is the system provisioning process for partners and how partners can request a test, prod or data migration system?
  Edited by: Imtiyaz Mohammed on Sep 19, 2011 4:09 PM

  I want to Identify the Creator of RFQ in MM Module, Please Suggest.
  Thanks

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• Ask the Expert: Single-Site and Multisite FlexPod Infrastructure

  With Haseeb Niazi and Chris O'Brien 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single-Site and Multisite FlexPod Infrastructure with experts Haseeb Niazi and Chris O'Brien.
  This is a continuation of the live webcast.
  FlexPod is a predesigned and prevalidated base data center configuration built on Cisco Unified Computing System, Cisco Nexus data center switches, NetApp FAS storage components, and a number of software infrastructure options supporting a range of IT initiatives. FlexPod is the result of deep technology collaboration between Cisco and NetApp, leading to the creation of an integrated, tested, and validated data center platform that has been thoroughly documented in a best practices design guide. In many cases, the availability of Cisco Validated Design guides has reduced the time to deployment of mission-critical applications by 30 percent.
  The FlexPod portfolio includes a number of validated design options that can be deployed in a single site to support both physical and virtual workloads or across metro sites for supporting high availability and disaster avoidance. This session covers various design options available to customers and partners, including the latest MetroCluster FlexPod design to support a VMware Metro Storage Cluster (vMSC) configuration.
  Haseeb Niazi is a technical marketing engineer in the Data Center Group specializing in security and data center technologies. His areas of expertise also include VPN and security, the Cisco Nexus product line, and FlexPod. Prior to joining the Data Center Group, he worked as a technical leader in the Solution Development Unit and as a solutions architect in Advanced Services. Haseeb holds a master of science degree in computer engineering from the University of Southern California. He’s CCIE certified (number 7848) and has 14 years of industry experience.   
  Chris O'Brien is a technical marketing manager with Cisco’s Computing Systems Product Group.  He is currently focused on developing infrastructure best practices and solutions that are designed, tested, and documented to facilitate and improve customer deployments. Previously, O'Brien was an application developer and has worked in the IT industry for more than 20 years.
  Remember to use the rating system to let Haseeb and Chris know if you have received an adequate response. 
  Because of the volume expected during this event, Haseeb and Chris might not be able to answer every question. Remember that you can continue the conversation in the Data Center community, subcommunity Unified Computing shortly after the event. This event lasts through September 27, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast related links:
  Single-Site and Multisite FlexPod Infrastructure - Slides from live webcast
  Single-Site and Multisite FlexPod Infrastructure: FAQ from live webcast
  Single-Site and Multisite FlexPod Infrastructure - Video from live webcast

  I would suggest you read this white paper which details the pros and cons of direct connect storage. 
  http://www.cisco.com/en/US/partner/prod/collateral/ps10265/ps10276/whitepaper_c11-702584.html   This paper captures all the major design points for Ethernet and FC  protocols.
  I would only add that in FlexPod we are trying to create a highly  available solution and "flexible" solution; Nexus switching helps us  deliver on both with vPC and unified ports.
  NPV equats  to end-host mode which allows the system to present all of the servers  as N ports to the external fabric.  In this mode, the vHBAs are pinned  to the egress interfaces of the fabric interconnects.  This pinning  removes the potential of loops in the SAN fabric.  Host based multipathing of the  vHBAs account for potential uplink failures.  The NPV mode (end-host  mode) simplifies the attachment of UCS into the SAN fabric and that is  why it is in NPV mode by default.
  So for your last question, I will have to put my  Product Manager hat on so bear with me.   First off there is no drawback  to enabling the NPIV feature (none that I am aware of) the Nexus 5000  platform simply offers you a choice to design and support multiple FC  initiators (N-Ports) per F-Port via NPIV.  This allows for the  integration of the FI end-host mode described above.  I  imagine being a  unfied access layer switch, the Nexus team enabled standard Fibre  Channel switching capability and features first.  The implementatin of  NPIV is a customer choice based on their specific access layer  requirements.
  /Chris