Ask the Expert: Hierarchical Network Design, Includes Core, Distribution, and Access

Similar Messages

• Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

  With Rahul Rammanohar 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
  In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
  •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
  •       ASR9k: network processor capture
  •       7200/ISRs: embedded packet capture
  •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
  •       Cisco Nexus 7K: ELAM
  •       CRS: show captured packets
  •       ASR1K: embedded packet capture
  More Information
  Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
  Watch the Video:  https://supportforums.cisco.com/videos/6226
  Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
  Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
  Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
  Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Erick
      Thanks for the topology. The trigger will be different for labelled  packet as you would need to mention the values of labels too in the  trigger.
       Below are two examples of one or two labels being  used, it depends on where you are capturing the packet in mplsvpn  scenario which will decide teh number of labels being imposed on the  packet.
  Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
  VPN label - 5678
  Source Address - 111.111.111.111
  Destination Address - 123.123.123.123
  show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F 7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
  Trigger for two labels. (for other core routers)
  IGP label - 1234
  VPN label - 5678
  Source Address - 111.111.111.111
  Destination Address - 123.123.123.123
  show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
      You can check the labels being used (by using show ip cef <> details) and covert their values to hex and change the trigger accordingly.
       I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
       Please let me know if this helps.
  Thanks & Regards
  Hitesh & Rahul

• Ask the Expert: Overview of Cisco Prime Service Catalog and Process Orchestrator Solutions

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Cisco Prime Service Catalog and Process Orchestrator solutions.
  Cisco expert Jason Davis will discuss Cisco’s network management products offered under the Cisco Prime framework. If you have questions about Cisco Prime infrastructure or data center automation with our Cisco Prime Service Catalog and Process Orchestrator solutions, join us on the Cisco Support Community.
  Jason Davis is a distinguished services engineer in the Intelligent Infrastructure Practice team of Cisco Advanced Services. His role is to provide strategic and tactical consulting for hundreds of Advanced Services customers, lead service innovation, and assess new services and technologies. Jason's primary expertise areas are in network management systems, intelligent automation, virtualization, data center operations, software-defined networking, and network programmability.
  Based out of the Research Triangle Park (RTP) campus, Jason is also responsible for administering the Research Triangle Park Network Management Lab, Cisco's largest network management lab.
  Since joining Cisco in 1998, Jason has been a frequent speaker at Cisco's Networkers and CiscoLive conferences in the United States and Europe. In the past five years he has also been involved in the conference network setup and monitoring. He is a much sought-after resource by the field sales teams to assist with presales solutions and executive briefings. He has provided strategic and tactical network management consulting for several hundred customers.
  Jason is a subject matter expert with the following products and features:
  Cisco Prime LAN management solution
  Cisco Prime infrastructure
  CiscoSecure ACS
  Cisco Prime Network Registrar
  Cisco Process Orchestrator
  Cisco Prime Service Catalog
  Cisco IP SLA
  Embedded Event Manager
  SNMPv3
  onePK and OpenFlow
  Cisco UCS
  Device instrumentation
  VMware ESX, ESXi, and vCenter
  ITIL
  Jason received his bachelor of science degree in electrical engineering from the University of Miami (FL). He has been married for 20 years and has 4 children. His interests include providing audiovisual technical support for churches and conference venues, camping and biking with his family, remote-control helicopter piloting, paintball, and recreational shooting.
  Remember to use the rating system to let Jason know if you have received an adequate response.
  Because of the volume expected during this event, Jason might not be able to answer every question. Remember that you can continue the conversation in Data Center > Intelligent Automation under the subcommunity Cisco Prime Service Catalog shortly after the event. This event lasts through September 12, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Jason,
  Thank you very much for welcoming me to your expert discussion :) I feel to be in the right place, at the right time. Thank you also for answering question beyond your scope here, much appreciated. The information received will help me to go further as such I have submitted a 5 start rating for your first reply.
  That sounds promising about the LMS part so yes, I stay tuned and wait patiently.
  Ok, now let’s revert to the actual topic discussed here. Cisco Prime Service Catalog and Process Orchestrator solutions I have briefly read up on this on CCO (where elseJ) and picked out the following quote
  ---- Quote from the Cisco Prime Service Catalog Data Sheet
   Today’s end users want self-service and easy access to IT tools and services.
  Simultaneously, organizations are seeking ways to extend their cloud management
  platforms beyond self-service delivery of virtual machines and infrastructure resources
  while increasing their use of cloud-based solutions to enhance business agility and effectiveness.
  Cisco Prime™ Service Catalog offers tremendous benefits to organizations that want to unify the ways in
  which all types of IT services are ordered and fulfilled, not just infrastructure requests
  ---- un quote ---
  I try to understand what (at high level of course) happens in the back ground when an order is raised and which vendor solution your product can interact with.
  As mentioned in the quoted text, this service catalogue goes beyond the standard infrastructure.
  Let’s say, a user wants to deploy a new email services, or in your example,  extends or create a new web-portal (i.e. for HR to view and manage holiday, staff absence and benefits).
  Your solution will need to interact somehow with the 3rd party vendor application that is capable building such portal I believe.
  Without disclosing to many information, I assume the portal is linked to backend VM,s that spin up requested resources (and more magic of course). Perhaps I am mixing this up with another cisco product where a user can go on the portal and spin up virtual Firewalls, virtual Routers can be provisioned in now time.
  Out if interest; Is this product also known as Mozart? (project code within Cisco?)
  I hope query is ok.
  Best wishes
  Markus

• Ask the Expert: Architecting your Collaboration Solution with Social and Video

  With Gebran Chahrouri
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about ways that Enterprise Social and Video are woven into traditional Voice solutions and Architectures  with Cisco expert Gebran Chahrouri. Extend your Cisco collaboration architecture to reach into Cloud and/or on premise Cisco WebEx Social and TelePresence offerings. Gebran will be answering any questions about architecting a current solution or devising a roadmap to take your collaboration deployment to the next level.
  Gebran Chahrouri is a principal engineer and architect for the WebEx Social product with a focus on scalability. Since joining Cisco in 1998 he has held engineering leadership and software management positions on products including Customer Contact, Cisco IPICS, and the Cisco TelePresence Exchange service. Chahrouri has nearly 30 years of experience in architecting, managing, and developing software products at Cisco, ROLM, IBM, Siemens, and Aspect. He holds a master's degree in electrical and computer engineering from the University of Michigan and has over 20 patents filed by the U.S. Patent Office.
  Remember to use the rating system to let Gebran  know if you have received an adequate response. 
  Gebran might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice and Video sub-community discussion forum shortly after the event.This event lasts through February 22, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Jason,
  Thanks for your question.
  WebEx Social combines the power of social networking, content creation, and real-time communications. Employees can quickly connect with people, communities and information they need to get work done.
  The product tour video (http://www.cisco.com/en/US/prod/collateral/ps10680/vds_cQuad_prodTour.html) featured at http://www.cisco.com/web/products/quad/index.html gives a really good overview of the product.
  If you prefer a document to read I recommend http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps556/case_study_c36-706800_ps10668_Products_Case_Study.html
  I would be happy to answer any further questions.
  - Gebran

• ORA-06502 - Error when running "Ask The Expert 0.9"

  Hi ,
  I successfully installed "Ask the Expert" package with Apex 3.0 on Oracle 10g Database 10.2.0.1.0. No error ocurred during the import in my Apex environment.
  Besides that, i'm having problems when i tried to run the "Aks the Expert". It always shows the following message errors:
  ORA-06502: PL/SQL: numeric or value error: character string buffer too small
  Error Unable to write activity log.
  I think it was a problem with APEX instalation, but i could run the Sample Application of Apex without any problem.
  I opened an SR in Metalink, but to my surprise, the analist of support don't know what's wrong with the demo "Ask de Expert".
  The debug function of the application show the following commands before the error ocurrs:
  0.01:
  0.01: S H O W: application="103" page="1" workspace="" request="" session="6648566035252817"
  0.01: Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
  0.01: alter session set nls_language="AMERICAN"
  0.01: alter session set nls_territory="AMERICA"
  0.01: NLS: CSV charset=WE8MSWIN1252
  0.01: ...NLS: Set Decimal separator="."
  0.01: ...NLS: Set NLS Group separator=","
  0.02: ...NLS: Set date format="DD-MON-RR"
  0.02: ...Setting session time_zone to -03:00
  0.02: NLS: Language=en-us
  0.02: Application 103, Authentication: CUSTOM2, Page Template: 667896385843019243
  0.02: ...Determine if user "N3COUTINHO" workspace "951808960237899" can develop application "103" in workspace "951808960237899"
  0.02: ...ok to reuse builder session for user:nobody
  0.03: ...Application session: 6648566035252817, user=nobody
  0.03: ...Determine if user "N3COUTINHO" workspace "951808960237899" can develop application "103" in workspace "951808960237899"
  0.03: Session: Fetch session header information
  0.03: ...Metadata: Fetch page attributes for application 103, page 1
  0.03: Fetch session state from database
  0.03: Branch point: BEFORE_HEADER
  0.03: Fetch application meta data
  0.04: Computation point: BEFORE_HEADER
  0.04: ...Perform computation of item: P1_CLEAN_CRITERIA, type=FUNCTION_BODY
  0.04: ...Performing function body computation
  0.06: ...Session State: Save "P1_CLEAN_CRITERIA" - saving same value: ""
  0.06: Processing point: BEFORE_HEADER
  0.06: ...Process "Read and Write Activity Cookie": PLSQL (BEFORE_HEADER) declare l_cookie_id number; begin owa_util.mime_header('text/html', FALSE); -- ate_api.read_activity_cookie; l_cookie_id := ate_api.fetch_activity_cookie_val( 'COOKIE_ID' ); -- if l_cookie_id is null then l_cookie_id :=
  Content-type: text/html; charset=ISO-8859-1 Set-Cookie: activity_ask_expert=1|2400346189796; expires=Wed, 01-Jan-2020 08:00:00 GMT; path=/;
  0.06: Encountered unhandled exception in process type PLSQL
  0.06: Show ERROR page...
  0.06: Performing rollback...
  Please, could any one help me to solve this problem ? Metalink couldn't help me diagnosing what's wrong.
  Thanks,
  Sergio Coutinho

  Hi,
  I don´t know if it help the analisis, but i collect some informations about my environment:
  1) HTML DB version
  3.0.1
  2) Database version
  Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
  With the Partitioning, OLAP and Data Mining options
  3) Database server operating system (as well, if 32-bit or 64-bit)
  Solaris 5.9 - 64 bits
  4) Database Parameters:
  PARAMETER VALUE
  NLS_CALENDAR GREGORIAN
  NLS_CHARACTERSET WE8ISO8859P1
  NLS_COMP BINARY
  NLS_CURRENCY $
  NLS_DATE_FORMAT DD-MON-RR
  NLS_DATE_LANGUAGE AMERICAN
  NLS_DUAL_CURRENCY $
  NLS_ISO_CURRENCY AMERICA
  NLS_LANGUAGE AMERICAN
  NLS_LENGTH_SEMANTICS BYTE
  NLS_NCHAR_CHARACTERSET AL16UTF16
  NLS_NCHAR_CONV_EXCP FALSE
  NLS_NUMERIC_CHARACTERS .,
  NLS_RDBMS_VERSION 10.2.0.1.0
  NLS_SORT BINARY
  NLS_TERRITORY AMERICA
  NLS_TIMESTAMP_FORMAT DD-MON-RR HH.MI.SSXFF AM
  NLS_TIMESTAMP_TZ_FORMAT DD-MON-RR HH.MI.SSXFF AM TZR
  NLS_TIME_FORMAT HH.MI.SSXFF AM
  NLS_TIME_TZ_FORMAT HH.MI.SSXFF AM TZR
  Could it explain why ASK THE EXPERT is running on hosted apex site and it´s
  generating error when running in my environment?
  Thanks for the help !
  Sergio

• Ask the Expert: Scaling Data Center Networks with Cisco FabricPath

  With Hatim Badr and Iqbal Syed
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Cisco FabricPath with Cisco technical support experts Hatim Badr and Iqbal Syed. Cisco FabricPath is a Cisco NX-OS Software innovation combining the plug-and-play simplicity of Ethernet with the reliability and scalability of Layer 3 routing. Cisco FabricPath uses many of the best characteristics of traditional Layer 2 and Layer 3 technologies, combining them into a new control-plane and data-plane implementation that combines the immediately operational "plug-and-play" deployment model of a bridged spanning-tree environment with the stability, re-convergence characteristics, and ability to use multiple parallel paths typical of a Layer 3 routed environment. The result is a scalable, flexible, and highly available Ethernet fabric suitable for even the most demanding data center environments. Using FabricPath, you can build highly scalable Layer 2 multipath networks without the Spanning Tree Protocol. Such networks are particularly suitable for large virtualization deployments, private clouds, and high-performance computing (HPC) environments.
  This event will focus on technical support questions related to the benefits of Cisco FabricPath over STP or VPC based architectures, design options with FabricPath, migration to FabricPath from STP/VPC based networks and FabricPath design and implementation best practices.
  Hatim Badr is a Solutions Architect for Cisco Advanced Services in Toronto, where he supports Cisco customers across Canada as a specialist in Data Center architecture, design, and optimization projects. He has more than 12 years of experience in the networking industry. He holds CCIE (#14847) in Routing & Switching, CCDP and Cisco Data Center certifications.
  Iqbal Syed is a Technical Marketing Engineer for the Cisco Nexus 7000 Series of switches. He is responsible for product road-mapping and marketing the Nexus 7000 line of products with a focus on L2 technologies such as VPC & Cisco FabricPath and also helps customers with DC design and training. He also focuses on SP customers worldwide and helps promote N7K business within different SP segments. Syed has been with Cisco for more than 10 years, which includes experience in Cisco Advanced Services and the Cisco Technical Assistance Center. His experience ranges from reactive technical support to proactive engineering, design, and optimization. He holds CCIE (#24192) in Routing & Switching, CCDP, Cisco Data Center, and TOGAF (v9) certifications.
  Remember to use the rating system to let Hatim and Iqbal know if you have received an adequate response.  
  They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community Unified Computing discussion forum shortly after the event. This event lasts through Dec 7, 2012.. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Sarah,
  Thank you for your question.
  Spanning Tree Protocol is used to build a loop-free topology. Although Spanning Tree Protocol serves a critical function in these Layer 2 networks, it is also frequently the cause of a variety of problems, both operational and architectural.
  One important aspect of Spanning Tree Protocol behavior is its inability to use parallel forwarding paths. Spanning Tree Protocol forms a forwarding tree, rooted at a single device, along which all data-plane traffic must flow. The addition of parallel paths serves as a redundancy mechanism, but adding more than one such path has little benefit because Spanning Tree Protocol blocks any additional paths
  In addition, rooting the forwarding path at a single device results in suboptimal forwarding paths, as shown below, Although a direct connection may exist, it cannot be used because only one active forwarding path is allowed.
  Virtual PortChannel (vPC) technology partially mitigates the limitations of Spanning Tree Protocol. vPC allows a single Ethernet device to connect simultaneously to two discrete Cisco Nexus switches while treating these parallel connections as a single logical PortChannel interface. The result is active-active forwarding paths and the removal of Spanning Tree Protocol blocked links, delivering an effective way to use two parallel paths in the typical Layer 2 topologies used with Spanning Tree Protocol.
  vPC provides several benefits over a standard Spanning Tree Protocol such as elimination of blocker ports and both vPC switches can behave as active default gateway for first-hop redundancy protocols such as Hot Standby Router Protocol (HSRP): that is, traffic can be routed by either vPC peer switch.
  At the same time, however, many of the overall design constraints of a Spanning Tree Protocol network remain even when you deploy vPC such as
  1.     Although vPC provides active-active forwarding, only two active parallel paths are possible.
  2.     vPC offers no means by which VLANs can be extended, a critical limitation of traditional Spanning Tree Protocol designs.
  With Cisco FabricPath, you can create a flexible Ethernet fabric that eliminates many of the constraints of Spanning Tree Protocol. At the control plane, Cisco FabricPath uses a Shortest-Path First (SPF) routing protocol to determine reachability and selects the best path or paths to any given destination in the Cisco FabricPath domain. In addition, the Cisco FabricPath data plane introduces capabilities that help ensure that the network remains stable, and it provides scalable, hardware-based learning and forwarding capabilities not bound by software or CPU capacity.
  Benefits of deploying an Ethernet fabric based on Cisco FabricPath include:
  • Simplicity, reducing operating expenses
  – Cisco FabricPath is extremely simple to configure. In fact, the only necessary configuration consists of distinguishing the core ports, which link the switches, from the edge ports, where end devices are attached. There is no need to tune any parameter to get an optimal configuration, and switch addresses are assigned automatically.
  – A single control protocol is used for unicast forwarding, multicast forwarding, and VLAN pruning. The Cisco FabricPath solution requires less combined configuration than an equivalent Spanning Tree Protocol-based network, further reducing the overall management cost.
  – A device that does not support Cisco FabricPath can be attached redundantly to two separate Cisco FabricPath bridges with enhanced virtual PortChannel (vPC+) technology, providing an easy migration path. Just like vPC, vPC+ relies on PortChannel technology to provide multipathing and redundancy without resorting to Spanning Tree Protocol.
  Scalability based on proven technology
  – Cisco FabricPath uses a control protocol built on top of the powerful Intermediate System-to-Intermediate System (IS-IS) routing protocol, an industry standard that provides fast convergence and that has been proven to scale up to the largest service provider environments. Nevertheless, no specific knowledge of IS-IS is required in order to operate a Cisco FabricPath network.
  – Loop prevention and mitigation is available in the data plane, helping ensure safe forwarding that cannot be matched by any transparent bridging technology. The Cisco FabricPath frames include a time-to-live (TTL) field similar to the one used in IP, and a Reverse Path Forwarding (RPF) check is also applied.
  • Efficiency and high performance
  – Because equal-cost multipath (ECMP) can be used the data plane, the network can use all the links available between any two devices. The first-generation hardware supporting Cisco FabricPath can perform 16-way ECMP, which, when combined with 16-port 10-Gbps port channels, represents a potential bandwidth of 2.56 terabits per second (Tbps) between switches.
  – Frames are forwarded along the shortest path to their destination, reducing the latency of the exchanges between end stations compared to a spanning tree-based solution.
      – MAC addresses are learned selectively at the edge, allowing to scale the network beyond the limits of the MAC addr

• Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

  Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
  Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
  For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
  Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
  Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
  Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Marcelo,
     Yes, there are some requirements for certificates in Expressway.
  Expressway Core (Exp-C)
  - Can be signed by either External or Internal CA
  - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
  - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
  - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
  - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
  - For TLS b/w CUCM, IM-P & Exp-C
    + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
    + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
    + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
    + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
  Expressway Edge (Exp-E)
  - Signed by External CA
  - Configured Unified Communications domain as Subject Alternate Name
  - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
  - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
  For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
  http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
  - Aashish

• ASK THE EXPERTS - WI-FI NETWORKS

  Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on different aspects of wireless network design and installation with Fred Niehaus.  Fred is a Technical Marketing Engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco Aironet and Airespace wireless LAN products. In addition to his participation in major deployments, Niehaus has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Niehaus was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
  Remember to use the rating system to let Fred know if you have received an adequate response.
  Fred might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 16, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Expert,
                   Before all, thank you for your great advice and helps. I've decided to implement a few of them. However, during preliminary test , i run into some issues. Hopefully, you will be able to help one last time.
  During my test, I implemented a few SSID wich worked fine in my lab with WEP encryption. And i decided to change the encryption, some of the SSID did work with wpa2. However, two remains my attention, the guess SSID which uses wpa with tkip and one of the test SSID. The guess SSID worked fine untill I decided to reload the AP. When the AP came back it could not grabs an ip, but sho commands shows that it is associate with the AP. See below. I am 100% certain that the config is correct as it was working fine before the reload.
  a) Show commands
  #sh dot11 associations
  802.11 Client Stations on Dot11Radio0:
  SSID [SAVY_GUESS] :
  MAC Address    IP address      Device        Name            Parent         State
  000e.9b6e.XXXX 169.254.97.66   ccx-client    -               self           Assoc
  Address           : 000e.9b6e.XXX     Name             : NONE
  IP Address        : 169.254.97.66      Interface        : Dot11Radio 0
  Device            : ccx-client         Software Version : NONE
  CCX Version       : 2
  State             : Assoc              Parent           : self
  SSID              : SAVY_GUESS
  VLAN              : 9
  Hops to Infra     : 1                  Association Id   : 13
  Clients Associated: 0                  Repeaters associated: 0
  Tunnel Address    : 0.0.0.0
  Key Mgmt type     : WPA PSK            Encryption       : TKIP
  Current Rate      : 54.0               Capability       : ShortHdr ShortSlot
  Supported Rates   : 1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
  Voice Rates       : disabled
  Signal Strength   : -31  dBm           Connected for    : 11592 seconds
  Signal to Noise   : 61  dBm            Activity Timeout : 57 seconds
  Power-save        : Off                Last Activity    : 3 seconds ago
  Apsd DE AC(s)     : NONE
  Packets Input     : 8830               Packets Output   : 9
  Bytes Input       : 435094             Bytes Output     : 1154
  Duplicates Rcvd   : 15                 Data Retries     : 0
  Decrypt Failed    : 0                  RTS Retries      : 0
  MIC Failed        : 0                  MIC Missing      : 0
  Packets Redirected: 0                  Redirect Filtered: 0
  Session timeout   : 0 seconds
  Reauthenticate in : never
  b) SSID config
     dot11 ssid SAVY_GUESS
     vlan 9
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 1240321A241F5B367B29281F6200133524422D325C
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 9 mode ciphers tkip
  encryption vlan 16 mode ciphers aes-ccm
  ssid SAVY_GUESS
  ssid Wireless-Test
  interface Dot11Radio0.9
  encapsulation dot1Q 164
  no ip route-cache
  bridge-group 9
  bridge-group 9 subscriber-loop-control
  bridge-group 164 block-unknown-source
  no bridge-group 9 source-learning
  no bridge-group 9 unicast-flooding
  bridge-group 9 spanning-disabled
  interface FastEthernet0.9
  encapsulation dot1Q 9
  ip helper-address 10.XXX.ZZZ.254
  no ip route-cache
  bridge-group 255
  no bridge-group 255 source-learning
  bridge-group 255 spanning-disabled
  ps. Wired Device connected on the vlan did grab an IP.
  2. Wireless_Test
  This SSID was working fine until I change the vlan associate to it.
  SSID [Wireless-Test] :
  MAC Address    IP address      Device        Name            Parent         State
  001f.3b51.XXXX 169.254.90.253  ccx-client    00C00070        self           EAP-Assoc
  Address           : 001f.3b51.XXXX     Name             : I00000070
  IP Address        : 169.254.90.253     Interface        : Dot11Radio 0
  Device            : ccx-client         Software Version : NONE
  CCX Version       : 4
  State             : EAP-Assoc          Parent           : self
  SSID              : Wireless-Test
  VLAN              : 16
  Hops to Infra     : 1                  Association Id   : 12
  Clients Associated: 0                  Repeaters associated: 0
  Tunnel Address    : 0.0.0.0
  Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
  Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
  Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
  Voice Rates       : disabled
  Signal Strength   : -43  dBm           Connected for    : 14298 seconds
  Signal to Noise   : 52  dBm            Activity Timeout : 14 seconds
  Power-save        : On                 Last Activity    : 6 seconds ago
  Apsd DE AC(s)     : NONE
  Packets Input     : 15322              Packets Output   : 256
  Bytes Input       : 913707             Bytes Output     : 19866
  Duplicates Rcvd   : 249                Data Retries     : 14
  Decrypt Failed    : 0                  RTS Retries      : 0
  MIC Failed        : 0                  MIC Missing      : 0
  Packets Redirected: 0                  Redirect Filtered: 0
  Session timeout   : 0 seconds
  Reauthenticate in : never
  b) config
  dot11 ssid Wireless-Test
     vlan 16
     authentication open eap eap_methods2
     authentication network-eap eap_methods2
     authentication key-management wpa
     accounting acct_methods3
     mbssid guest-mode
  interface Dot11Radio0.16
  encapsulation dot1Q 16
  no ip route-cache
  bridge-group 16
  bridge-group 16 subscriber-loop-control
  bridge-group 16 block-unknown-source
  no bridge-group 16 source-learning
  no bridge-group 16 unicast-flooding
  bridge-group 16 spanning-disabled
  interface FastEthernet0.16
  encapsulation dot1Q 16
  ip helper-address 10.zzz.xxx.254
  no ip route-cache
  bridge-group 16
  no bridge-group 16 source-learning
  bridge-group 16 spanning-disabled
  Can the radio interface get mess by the reload? How can I verify theradio? Debug did not show Client asking for IP...
  3. My last question, my ACLs to limit guess access. Should i implement them in my firewall or in my distribution router? The distribution router has a sub_interface for each SSID. Would it be better  to block traffic right from the distribution router rather let unecessary traffic flow to the network?
  Thanks a lot for great advice and guidance,
  ---Jean Paul.

• Ask the Expert: Configuration, Design, and Troubleshooting of Cisco Nexus 1000

  With Louis Watta
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about design, configuration, and troubleshooting of Cisco Nexus 1000V Series Switches operating inside VMware ESXi and Hyper-V with Cisco expert Louis Watta. Cisco Nexus 1000V Series Switches deliver highly secure, multitenant services by adding virtualization intelligence to the data center network. With Cisco Nexus 1000V Series Switches, you can have a consistent networking feature set and provisioning process all the way from the virtual machine access layer to the core of the data center network infrastructure.
  This is a continuation of the live Webcast.
  Louis Watta is a technical leader in the services organization for Cisco. Watta's primary background is in data center technologies: servers (UNIX, Windows, Linux), switches (MDS, Brocade), storage arrays (EMC, NetApp, HP), network switches (Cisco Catalyst and Cisco Nexus), and enterprise service hypervisors (VMware ESX, Hyper-V, KVM, XEN). As a Technical Leader in Technical Services, Louis currently supports beta and early field trials (EFTs) on new Cisco software and hardware. He has more than 15 years of experience in a wide variety of data center applications and is interested in data center technologies oriented toward data center virtualization and orchestration. Prior to Cisco, Louis was a system administrator for GTE Government Systems. He has a bachelor of science degree in computer science from North Carolina State University. .
  Remember to use the rating system to let Louis know if you have received an adequate response.
  Louis might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Data Center community Unified Computing shortly after the event.
  This event lasts through Friday, JUne 14, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast related links:
  Slides
  FAQ
  Webcast Video Recording

  Right now there is only a few features that are not supported on N1Kv on Hyper-V
  They are VXLAN and QOS Fair Weighted Queuing. We are currently demoing VXLAN functionality at Microsoft TechEd Conference this week in New Orleans. So VXLAN support should be coming soon. I can't give you a specific timeline.
  For Fair Weighted Queuing I'm not sure. In the VMware world we take advantage of NETIOC infrastructure. In the MS world they do not have a NETIOC infrastructure that we can use to create a similar feature.
  Code base parity (as in VMware and Hyper-V VSMs running NXOS 5.x) will happen with the next major N1KV release for ESX.
  Let me know if that doesn't answer your question.
  thanks
  louis

• Ask the Expert:Cisco Prime Network Registrar

  With Pete Newcomb & Jim Brown 
  Welcome to the Cisco Support Community Ask the Expert conversation. Learn from experts Peter Newcomb and Jim Brown about  Cisco Prime Network Registrar, Cisco's industry leading solution for integrated DNS, DHCP and  IP address management (IPAM) services  for both IPv4 and IPv6. 
  Pete Newcomb is a technical marketing engineer in Cisco's Network Management and Technology Group and has over 30 years of experience in the voice and data communications industry, including sales support and product engineering support with several companies. His design and development background includes wireless services, switching, routing, TCP/IP, Frame Relay, X.25, telephony services, risk management, and network security. 
  Jim Brown is a customer support  engineer in Cisco's Network Management and Technology Group. He has over 35 years of experience in development engineering and customer service, real-time and fault tolerant operating systems, and network management for the telecommunications and software industries. For the last 14 years he has been with the Network Registrar Development Team, interfacing with Customer Service and directly with customers in problem solving.
  Remember to use the rating system to let Pete and Jim know if you have received an adequate response.  
  Pete and Jim might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community   forum shortly after the event. This event lasts through January 18, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Jorge,
     Absolutely, Prime CNR supports IPv6 since CNR 6.x versions...
     For IPv6 configuration instructions on latest versions of CPNR you should start here;
        http://www.cisco.com/en/US/partner/docs/net_mgmt/prime/network_registrar/8.1/user/guide/UG25_IP6.html
                                                      Best Regards
                                                      Jim Brown

• Ask the Expert: Enterprise Design and Deployment of Multicast

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco enterprise design and deployment of multicast solutions.
  The enterprise world is evolving to be overcome with large throughput capacity and record numbers of users connecting to the network. Mechanisms such as multicast, which allows for a minimization of throughput for multiple users subscribing to the same stream, are a welcome addition. Applications such as enterprise all-hands video streaming, trading applications, mass operating system deployment, and custom implementations can put a strain on the network if done via unicast. Multicast can minimize this strain by replicating a single stream for subscription by multiple parties who would like to receive the same information. For this Ask the Expert event, Patrick Lloyd, CCIE R&S no. 39750 and a network consulting engineer with Cisco’s Enterprise Advanced Services Delivery Team, will answer questions about multicast design and implementation based on best practices and prior experience with large enterprise deployments.
  Patrick Lloyd is a network consulting engineer for Cisco’s Enterprise East Advanced Services team, working to support and lend his expertise to a number of financial, insurance, healthcare, and consulting customers. In his four years of experience, he has lent design expertise to multicast networks ranging from 500 Cisco devices and 20K users to upward of 4500 Cisco devices and 50K users. Patrick is certified with his Cisco Certified Internetworking Expert no. 39750 in the Routing and Switching track and also has achieved certification in CCNA Security and Securing Cisco Routers and Switches as part of the CCNP Security track. Patrick received his MS degree in networking and systems administration from Rochester Institute of Technology in Rochester, NY, and his BS degree in computer science from Eastern Connecticut State University. He frequently gives customer-based knowledge transfers.
  Remember to use the rating system to let Patrick know if you have received an adequate response.
  Because of the volume expected during this event, Patrick might not be able to answer every question. Remember that you can continue the conversation in Network Infrastructure under the subcommunity WAN, Routing & Switching shortly after the event. This event lasts through September 12, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Thanks for the question!  This is actually a good one that I've encountered with a couple customers in the past, the tradeoff between a flood and prune type design, as opposed to the shared tree -> shortest path tree sequence.  As per Cisco best practice, we are actively trying to get customers to implement sparse mode, going so far as to not support PIM dense mode in our data center products.  And for good reason!  The last thing you want is a chatty protocol within the data center which is flooding traffic out to receivers who may or may not be interested in it every 3 minutes.  Instead, you're much better off having interested receivers join a stream, have your RP connect the interested senders and receivers, and then transition to the shortest path between source and destination.
  That being said, if you're studying for CCIE or looking to get experience in how multicast works, dense mode should at least be a lab exercise!
  Links for reference as to the difference in PIM modes:
  Dense Mode Operation:
  http://www.cisco.com/en/US/docs/ios/ipmulti/configuration/guide/imc_pim_dense_rfrsh.pdf
  Pim Modes and explanation of each:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swmcast.html#wp1077051
  A great slide deck to learn the operation of multicast:
  https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=6633&backBtn=true
  Troubleshooting Multicast:
  https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78578&backBtn=true
  Let me know if this is the answer you're looking for!

• Ask the Expert: Different Flavors and Design with vPC on Cisco Nexus 5000 Series Switches

  Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about Cisco® NX-OS.
  The biggest limitation to a classic port channel communication is that the port channel operates only between two devices. To overcome this limitation, Cisco NX-OS has a technology called virtual port channel (vPC). A pair of switches acting as a vPC peer endpoint looks like a single logical entity to port channel attached devices. The two devices that act as the logical port channel endpoint are actually two separate devices. This setup has the benefits of hardware redundancy combined with the benefits offered by a port channel, for example, loop management.
  vPC technology is the main factor for success of Cisco Nexus® data center switches such as the Cisco Nexus 5000 Series, Nexus 7000 Series, and Nexus 2000 Series Switches.
  This event is focused on discussing all possible types of vPC along-with best practices, failure scenarios, Cisco Technical Assistance Center (TAC) recommendations and troubleshooting
  Vishal Mehta is a customer support engineer for the Cisco Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in TAC for the past 3 years with a primary focus on data center technologies, such as the Cisco Nexus 5000 Series Switches, Cisco Unified Computing System™ (Cisco UCS®), Cisco Nexus 1000V Switch, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching, and service provider.
  Nimit Pathak is a customer support engineer for the Cisco Data Center Server Virtualization TAC team based in San Jose, California, with primary focus on data center technologies, such as Cisco UCS, the Cisco Nexus 1000v Switch, and virtualization. Nimit holds a master's degree in electrical engineering from Bridgeport University, has CCNA® and CCNP® Nimit is also working on a Cisco data center CCIE® certification While also pursuing an MBA degree from Santa Clara University.
  Remember to use the rating system to let Vishal and Nimit know if you have received an adequate response. 
  Because of the volume expected during this event, Vishal and Nimit might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure Community, under the subcommunity LAN, Switching & Routing, shortly after the event. This event lasts through August 29, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Gustavo
  Please see my responses to your questions:
  Yes almost all routing protocols use Multicast to establish adjacencies. We are dealing with two different type of traffic –Control Plane and Data Plane.
  Control Plane: To establish Routing adjacency, the first packet (hello) is punted to CPU. So in the case of triangle routed VPC topology as specified on the Operations Guide Link, multicast for routing adjacencies will work. The hellos packets will be exchanged across all 3 routers and adjacency will be formed over VPC links
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_L3_w_vpc_5500platform.html#wp999181
  Now for Data Plane we have two types of traffic – Unicast and Multicast.
  The Unicast traffic will not have any forwarding issues, but because the Layer 3 ECMP and port channel run independent hash calculations there is a possibility that when the Layer 3 ECMP chooses N5k-1 as the Layer 3 next hop for a destination address while the port channel hashing chooses the physical link toward N5k-2. In this scenario,N5k-2 receives packets from R with the N5k-1 MAC as the destination MAC.
  Sending traffic over the peer-link to the correct gateway is acceptable for data forwarding, but it is suboptimal because it makes traffic cross the peer link when the traffic could be routed directly.
  For that topology, Multicast Traffic might have complete traffic loss due to the fact that when a PIM router is connected to Cisco Nexus 5500 Platform switches in a vPC topology, the PIM join messages are received only by one switch. The multicast data might be received by the other switch.
  The Loop avoidance works little different across Nexus 5000 and Nexus 7000.
  Similarity: For both products, loop avoidance is possible due to VSL bit
  The VSL bit is set in the DBUS header internal to the Nexus.
  It is not something that is set in the ethernet packet that can be identified. The VSL bit is set on the port asic for the port used for the vPC peer link, so if you have Nexus A and Nexus B configured for vPC and a packet leaves Nexus A towards Nexus B, Nexus B will set the VSL bit on the ingress port ASIC. This is not something that would traverse the peer link.
  This mechanism is used for loop prevention within the chassis.
  The idea being that if the port came in the peer link from the vPC peer, the system makes the assumption that the vPC peer would have forwarded this packet out the vPC-enabled port-channels towards the end device, so the egress vpc interface's port-asic will filter the packet on egress.
  Differences:  In Nexus 5000 when it has to do L3-to-L2 lookup for forwarding traffic, the VSL bit is cleared and so the traffic is not dropped as compared to Nexus 7000 and Nexus 3000.
  It still does loop prevention but the L3-to-L2 lookup is different in Nexus 5000 and Nexus 7000.
  For more details please see below presentation:
  https://supportforums.cisco.com/sites/default/files/session_14-_nexus.pdf
  DCI Scenario:  If 2 pairs are of Nexus 5000 then separation of L3/L2 links is not needed.
  But in most scenarios I have seen pair of Nexus 5000 with pair of Nexus 7000 over DCI or 2 pairs of Nexus 7000 over DCI. If Nexus 7000 are used then L3 and L2 links are required for sure as mentioned on above presentation link.
  Let us know if you have further questions.
  Thanks,
  Vishal

• Ask the Expert: Basic Introduction and Troubleshooting on Cisco Nexus 7000 NX-OS Virtual Device Context

  With Vignesh R. P.
  Welcome to the Cisco Support Community Ask the Expert conversation.This is an opportunity to learn and ask questions of Cisco expert Vignesh R. P. about the Cisco® Nexus 7000 Series Switches and support for the Cisco NX-OS Software platform .
  The Cisco® Nexus 7000 Series Switches introduce support for the Cisco NX-OS Software platform, a new class of operating system designed for data centers. Based on the Cisco MDS 9000 SAN-OS platform, Cisco NX-OS introduces support for virtual device contexts (VDCs), which allows the switches to be virtualized at the device level. Each configured VDC presents itself as a unique device to connected users within the framework of that physical switch. The VDC runs as a separate logical entity within the switch, maintaining its own unique set of running software processes, having its own configuration, and being managed by a separate administrator.
  Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
  Remember to use the rating system to let Vignesh know if you have received an adequate response. 
  Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Data Center sub-community discussion forum shortly after the event. This event lasts through through January 18, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Vignesh
  Is there is any limitation to connect a N2K directly to the N7K?
  if i have a an F2 card 10G and another F2 card 1G and i want to creat 3 VDC'S
  VDC1=DC-Core
  VDC2=Aggregation
  VDC3=Campus core
  do we need to add a link between the different VDC's
  thanks

• Ask the Expert: NGWC (3850/5760): Architecture and Deployment

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about NGWC (3850/5760): Architecture and Deployment.
  Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015
  This Ask the Expert Session will cover questions spanning NGWC products (3850/5760) on Implementation and Deployment from the Wired and Wireless perspective. This will be more specific to Customer’s and Partners questions covering 3850/5760 configuration, Implementation and deployment.
  Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS)  handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco Wireless CUWN and NGWC Product line. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS) and CCIE (DC-Written) and CCIE Wireless certification.
  Naveen Venkateshaiah is working as a Customer support engineer in High-Touch Technical Services (HTTS) handling  and supporting Lan-switching and Data center Products. His areas of expertise include Catalyst 3k,4k , 6500 , Nexus 7k Platform  He has over 7 years of industry experience working with large Enterprise and Service Provider networks. He also holds CCNA, CCNP (RS) and  CCDP-ARCH,CCIE-R&S Written, AWLANFE, LCSAWLAN Certification.
  Find other  https://supportforums.cisco.com/expert-corner/events.
  **Ratings Encourage Participation! **
  Please be sure to rate the Answers to Questions

  Hi Dhiyadav,
  thank you for your reply it cleared some doubts that were in my mind but i need your more support to guide me a converged access deployment which i am going to deploy within few days.
  i have 
  2x5508 in HA as MC
  30x3850 switches, and all will be used as MA(s) with multiple SPGs
  2X5508  1:1 as an anchor controller
  1xISE 1.3 for guest access
  1xCPI for wireless mgmt and monitoring purpose
  1xMSE3355 with wips and context aware licenses
  200x cisco 3702i WAP
  50x WSSI module for monitoring the channels
  can you please put a light on the design and guide me that which are the best possible solutions to get this job done very smoothly.
  i will also let you know about my proposed design scenario but for sure i need your recommendations as well :)
  so,
  i will use 2x5508 wlcs in HA as a MC which are AP-Count and HA licensed..
  3850 switches will be MA and i ll configure SPGs per floor switches stacks 
  WAPs will join on these 3850 MAs base on each floor
  i would have 2 ssid like employee and guest
  i will configure them on each 3850 stack MA along with their SVIs for users access like (empolyee and guest ssid)
  here my question is for guest ssid and its vlan... do i configure it here or on anchor controller???
  i want ISE to be integrated with wireless for employee 802.1x and for guest web Auth. so, how i will integrate ISE with wireless. i mean weather i will integrate it anchor controller or with each 3850 MA???
  between foreign and anchor controller i will use new mobility instead of old EOIP!!!
  where shall place ISE in my network, in DMZ or with Core switch?
  my target for guest users to do not have access to any corporate network sources ?
  MSE:
  can i use both wips and context aware on the single MSE box?
  if yes, than what is the best practice for configuring them?
  are each 3850 MA will be added in MSE?
  WSSI module . will be used for monitoring purpose for wips and context aware profiles.
  all access point will be worked in local mode for serving users access.
  thank you

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html