Ask the Expert: NGWC (3850/5760): Architecture and Deployment

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about NGWC (3850/5760): Architecture and Deployment.
Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015
This Ask the Expert session will cover questions spanning NGWC products (3850/5760) on implementation and deployment from the wired and wireless perspective. It will focus on customers' and partners' questions covering 3850/5760 configuration, implementation and deployment.
Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS), handling and supporting wireless and network management based Cisco products, and is based in Bangalore. His areas of expertise include the Cisco Wireless CUWN and NGWC product lines. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS), CCIE (DC-Written) and CCIE Wireless certifications.
Naveen Venkateshaiah is a customer support engineer in High-Touch Technical Services (HTTS), handling and supporting LAN switching and data center products. His areas of expertise include the Catalyst 3k, 4k, 6500 and Nexus 7k platforms. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNA, CCNP (RS), CCDP-ARCH, CCIE-R&S Written, AWLANFE and LCSAWLAN certifications.
Find other events at https://supportforums.cisco.com/expert-corner/events.
**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions.

Hi Dhiyadav,
Thank you for your reply. It cleared some doubts that were in my mind, but I need more of your support to guide me on a converged access deployment which I am going to deploy within a few days.
I have:
2x5508 in HA as MC
30x3850 switches, and all will be used as MA(s) with multiple SPGs
2x5508 1:1 as an anchor controller
1xISE 1.3 for guest access
1xCPI for wireless mgmt and monitoring purpose
1xMSE3355 with wips and context aware licenses
200x Cisco 3702i WAP
50x WSSI module for monitoring the channels
Can you please shed some light on the design and guide me on which are the best possible solutions to get this job done very smoothly?
I will also let you know about my proposed design scenario, but for sure I need your recommendations as well :)
So:
I will use 2x5508 WLCs in HA as an MC, which are AP-count and HA licensed.
The 3850 switches will be MAs and I will configure SPGs per floor switch stack.
WAPs will join these 3850 MAs based on each floor.
I would have 2 SSIDs, like employee and guest.
I will configure them on each 3850 stack MA along with their SVIs for user access (like the employee and guest SSIDs).
Here my question is about the guest SSID and its VLAN: do I configure it here or on the anchor controller?
I want ISE to be integrated with wireless for employee 802.1x and for guest web auth. So, how will I integrate ISE with wireless? I mean, will I integrate it with the anchor controller or with each 3850 MA?
Between the foreign and anchor controllers I will use new mobility instead of old EOIP!
Where shall I place ISE in my network, in the DMZ or with the core switch?
My target is for guest users not to have access to any corporate network sources.
MSE:
Can I use both wips and context aware on the single MSE box?
If yes, then what is the best practice for configuring them?
Will each 3850 MA be added in MSE?
The WSSI module will be used for monitoring purposes for wips and context aware profiles.
All access points will work in local mode for serving user access.
Thank you

Similar Messages

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
    (Comments are now closed)

    1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy.  If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • Ask the Expert: Cisco Prime Infrastructure - Implementation and Deployment

    Welcome to the Cisco Support Community Ask the Expert conversation.
    This Ask the Expert session will cover questions spanning Cisco Prime Infrastructure on implementation and deployment on wired and wireless. It will focus on customers' and partners' questions covering PI configuration, features and menus, network monitoring, maps, implementation, high availability, maintenance and t/s.
    Monday, February 2nd, 2015 to Friday, February 13th, 2015
    Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS), handling and supporting wireless and network management based Cisco products, and is based in Bangalore. His areas of expertise include Cisco Prime Infrastructure and Cisco Wireless products. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS) and CCIE (DC) certifications.
    Afroz Ahmad is a customer support engineer in High-Touch Technical Services (HTTS), handling and supporting wireless and network management based Cisco products, and is based in Bangalore. His areas of expertise include Cisco NMS products like Prime Infrastructure, LMS, IP SLA and SNMP. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS), CCIE (DC) and SCJP (Sun Certified Java Professional).
    Vinod Kumar Arya is a customer support engineer in High-Touch Technical Services (HTTS), handling and supporting wireless and network management based Cisco products, and is based in Bangalore. His areas of expertise include Cisco NMS products like Prime Infrastructure, LMS, IP SLA and SNMP. He has over 8 years of industry experience working with large enterprise and service provider networks. He also holds VCP 5 and RHCE certifications.
    **Remember to use the rating system to let the experts know you have received an adequate response.**
    Because of the volume expected during this event, the experts might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, > Network Management, shortly after the event. This event lasts through February 13th 2015. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

    Hello Wilson,
    Thanks for joining us.
    The 1841 should work just fine for NetFlow. Hope you have a valid "PI Assurance license" installed on the server.
    The "PI Assurance license" is required for the NetFlow feature.
    Devices supporting NetFlow in PI:
    1400, 1600, 1700 & 1800
    2500, 2600 & 2800
    3600, 3700, 3750 & 3800
    4500 & 4700
    AS5300 & 5800
    7200, 7300, 7400 & 7500
    Catalyst 4500 ASCI
    Catalyst 5000, 6500, & 7600 ASCI
    ESR 10000 ASCI
    GSR 12000 ASCI
    | Cisco IOS Software Release Version | Supported Cisco Hardware Platforms |
    |---|---|
    | 11.1CA, 11.1CC | Cisco 7200 and 7500 series, RSP 7200 series |
    | 12.0 | Cisco 1720, 2600, 3600, 4500, 4700, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series |
    | 12.0T, 12.0S | Cisco 1720, 2600, 3600, 4500, 4700, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series, MGX8800RPM series, and BPx8600 series |
    | 12.0(3)T, 12.0(3)S | Cisco 1720, 2600, 3600, 4500, 4700, AS5300, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series, MGX8800RPM series, and BPx8650 series |
    | 12.0(4)T | Cisco 1400, 1600, 1720, 2500, 2600, 3600, 4500, 4700, AS5300, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series, MGX8800RPM series, and BPx8650 series |
    | 12.0(4)XE | Cisco 7100 series |
    | 12.0(6)S | Cisco 12000 series |
    NetFlow is also supported by these devices Cisco 800, 1700, 1800, 2800, 3800, 6500, 7300, 7600, 10000, CRS-1 and these Catalyst series switches: 45xx, 55xx, 6xxx.
    NetFlow export is also supported on other Cisco switches when using a NetFlow Feature Card (NFFC) or NFFC II and the Route Switch Module (RSM), or Route Switch Feature Card (RSFC). However, check whether version 5 is supported, as most switches export version 7 by default.
    You can check the steps below to diagnose the issue:
    To verify that NetFlow is exported from a device to PI, follow the steps below:
    1) Browse to the Administration > Data Sources page. Check the value in the column 'Last Active Time' for the 'Device Data Sources' table. If the table is empty or the value does not represent a recent time, then it is possible that the device is not exporting NetFlow or the PI Assurance license is not applied / expired.
    2) Log in to the PI console (via SSH) as the root user and run the command:
           netstat -an | grep 9991
       The output of this should be like:
           udp        0      0 :::9991         :::*
       Check the firewall settings on the PI server using the command: firewall -L
    3) Check the configuration on an IOS / IOS-XE device. Run the commands:
       a) sh running-config | inc destination
          This should list the IP address of the PI server (along with other outputs, if any).
       b) sh running-config | inc 9991
          This should list at least one entry.
       c) If the above are fine, then verify that the flow monitor, flow exporter and the flow records are correctly configured on the device.
    Refer to the URL below to configure NetFlow export.
    http://preview.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/2.0/user/guide/setup_monitor.html#wp1056427
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****
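The device-side checks (a) to (c) in the answer above, run against a saved running-config, as an added example that is not part of the original post or of Cisco's tooling. The configuration text, the names PI-EXPORTER, PI-MONITOR and PI-RECORD, and the address 192.0.2.10 are constructed; the parser assumes Flexible NetFlow syntax with one exporter per monitor and user-defined flow records.

```python
import re

# Constructed sample of a Flexible NetFlow configuration (not from the page).
SAMPLE_CONFIG = """\
flow record PI-RECORD
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes
!
flow exporter PI-EXPORTER
 destination 192.0.2.10
 transport udp 9991
!
flow monitor PI-MONITOR
 exporter PI-EXPORTER
 record PI-RECORD
!
interface GigabitEthernet0/1
 ip flow monitor PI-MONITOR input
!
"""


def parse_sections(config):
    """Group indented sub-commands under their top-level parent line."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None                      # separator ends the section
        elif not line.startswith(" "):
            current = line.strip()              # new top-level command
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def _arg(body, prefix):
    """Return the first token following `prefix` in a section body, or None."""
    for cmd in body:
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix):].split()[0]
    return None


def check_netflow_export(config, pi_server, port=9991):
    """Return a list of findings; an empty list means the export chain is complete."""
    exporters, monitors, records, applied = {}, {}, set(), set()
    for head, body in parse_sections(config).items():
        kind, _, name = head.rpartition(" ")
        if kind == "flow exporter":
            exporters[name] = (_arg(body, "destination"), _arg(body, "transport udp"))
        elif kind == "flow record":
            records.add(name)
        elif kind == "flow monitor":
            # Assumption: only the first exporter of a monitor is considered.
            monitors[name] = (_arg(body, "exporter"), _arg(body, "record"))
        elif kind == "interface":
            for cmd in body:
                m = re.match(r"ip flow monitor (\S+) (input|output)$", cmd)
                if m:
                    applied.add(m.group(1))

    findings = []
    # Check (a): some exporter must list the PI server as its destination.
    to_pi = {n for n, (dest, _) in exporters.items() if dest == pi_server}
    if not to_pi:
        findings.append(f"no flow exporter has destination {pi_server}")
    # Check (b): that exporter must send to the port PI listens on.
    good = set()
    for name in sorted(to_pi):
        udp = exporters[name][1]
        if udp == str(port):
            good.add(name)
        else:
            findings.append(f"exporter {name} uses UDP port {udp}, expected {port}")
    # Check (c): monitor -> exporter, monitor -> record, monitor -> interface.
    feeding = {m for m, (exp, _) in monitors.items() if exp in good}
    if good and not feeding:
        findings.append("no flow monitor references an exporter that reaches PI")
    for name in sorted(feeding):
        rec = monitors[name][1]
        if rec not in records:
            findings.append(f"monitor {name} references undefined record {rec}")
        if name not in applied:
            findings.append(f"monitor {name} is not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in check_netflow_export(SAMPLE_CONFIG, "192.0.2.10") or ["export chain complete"]:
        print(finding)
```

An empty result only shows that the device is configured to export; the 'Last Active Time' column and the listener check on the PI server still confirm that flows arrive.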

  • ASK THE EXPERTS : High Density Wireless Deployments and CleanAir Technology

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on High Density Wireless Deployments and CleanAir technology with Cisco expert Fred Niehaus. Fred is a technical marketing engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco wireless LAN products. In addition to his participation in major deployments, Fred has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Fred was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
    Remember to use the rating system to let Fred know if you have received an adequate response.
    Fred might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through June 3, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

    You are correct, between the higher numbers of users with multiple devices the bandwidth requirements keep increasing.
    The limitation of three non-overlapping channels in the 2.4 GHz space is driving more customers to 5 GHz, it is important to have both bands when high density deployments are needed.  While many older devices only support 2.4 GHz, we are now seeing far more devices with 5 GHz as well.
    The recommendation of 20-25 clients and 8 voice calls on a given 2.4 GHz channel is still a good "rule of thumb" with actual customer data requirements driving those numbers higher or lower. You are right when you say "throwing Access Points" at the problem can degrade the wireless quality as co-channel interference and overall noise floor can rise with multiple Access Points that can all hear each other.
    A better approach to the problem is to throw more spectrum at this issue (using 5 GHz channels) and elements of 802.11n (20 MHz) bandwidth on 2.4 GHz.
    What we have been doing in high density deployments is to try to minimize the propagation of a cell and focus it in a given direction.  This can be done by
    1. Managing the RF power of the radios (Access Points) and in some cases the client's power (using elements of CCX).
    2. Using the right antennas to shape both Tx and Rx cell size to help isolate, we have recently introduced a new high gain antenna for stadiums that does this well.
    3. Limit supported rates, obviously the higher the data rate the less sensitive the receiver is and the smaller the cell size becomes.
    4. Enable 5 GHz (that adds far more channels for data throughput)
    5. Limit the number of SSIDs in use as each requires a separate beacon (adding to RF utilization)
    6. Co-locating access points with non-overlapping channels
    There are some challenges, for example: many dual-band clients prefer to connect to 2.4 GHz, and 2.4 GHz is more likely to be busier and subject to interference, so we also enable Cisco "Band-Select" which basically "nudges" those clients off 2.4 GHz and pushes them to 5 GHz so as to free up the 2.4 GHz band when we can determine the client has 5 GHz capability.
    So how is this done? Well, we do this by listening to the clients and if we detect that the client is sending out probe requests on both bands we know the client can use 5 GHz so we essentially make the 5 GHz band "appear more attractive" to that client.
    Note: Client load balancing and Band select are features in the Cisco Unified controller menu.
    Also enabling client link (intelligent beam forming) helps direct the signal directly at the client and reduces same channel interference.

  • Ask the Expert: Cisco Nexus 2000, 5000, and 6000 Series Switches

    with Cisco Expert Vinayak Sudame
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions how to configure and troubleshoot the Cisco Nexus 2000, 5000 and 6000 Series Switches with Cisco subject matter expert Vinayak Sudame. You can ask any question on configuration, troubleshooting, features, design and Fiber Channel over Ethernet (FCoE).
    Vinayak Sudame is a Technical Lead in Data Center Switching Support Team within Cisco's Technical Services in RTP, North Carolina. His current responsibilities include but are not limited to Troubleshooting Technical support problems and Escalations in the areas of Nexus 5000, Nexus 2000, FCoE. Vinayak is also involved in developing technical content for Cisco Internal as well as external. eg, Nexus 5000 Troubleshooting Guide (CCO), Nexus 5000 portal (partners), etc. This involves cross team collaboration and working with multiple different teams within Cisco. Vinayak has also contributed to training account teams and partners in CAE (Customer Assurance Engineering) bootcamp dealing with Nexus 5000 technologies. In the past, Vinayak's responsibilities included supporting MDS platform (Fiber Channel Technologies) and work with EMC support on Escalated MDS cases. Vinayak was the Subject Matter Expert for Santap Technologies before moving to Nexus 5000 support. Vinayak holds a Masters in Electrical Engineering with Specialization in Networking from Wichita State University, Kansas. He also holds Cisco Certification CCIE (#20672) in Routing and Switching.
    Remember to use the rating system to let Vinayak know if you have received an adequate response.
    Vinayak might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Data Center sub-community, Other Data Center Topics discussion forum shortly after the event.
    This event lasts through Friday, July 12, 2013. Visit the community often to view responses to your questions and the questions of other community members.

    Hi Vinayak,
    Output of "show cfs internal ethernet-peer database"
    Switch 1
    ETH Fabric
    Switch WWN              logical-if_index
    20:00:54:7f:ee:b7:c2:80 [Local]
    20:00:54:7f:ee:b6:3f:80 16000005
    Total number of entries = 2
    Switch 2
    ETH Fabric
    Switch WWN              logical-if_index
    20:00:54:7f:ee:b6:3f:80 [Local]
    20:00:54:7f:ee:b7:c2:80 16000005
    Total number of entries = 2
    Output of "show system internal csm info trace"
    Switch 1 in which "show cfs peers" show proper output
    Mon Jul  1 05:46:19.145339  (CSM_T) csm_sp_buf_cmd_tbl_expand_range(8604): No range command in buf_cmd_tbl.
    Mon Jul  1 05:46:19.145280  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
    Mon Jul  1 05:46:19.145188  (CSM_T) csm_sp_handle_local_verify_commit(4291):
    Mon Jul  1 05:46:19.145131  csm_continue_verify_ac[597]: peer is not reachable over CFS so continuing with local verify/commit
    Mon Jul  1 05:46:19.145071  csm_tl_lock(766): Peer information not found for IP address: '172.16.1.54'
    Mon Jul  1 05:46:19.145011  csm_tl_lock(737):
    Mon Jul  1 05:46:19.144955  (CSM_EV) csm_sp_build_tl_lock_req_n_send(941): sending lock-request for CONF_SYNC_TL_SESSION_TYPE_VERIFY subtype 0 to Peer ip = (172.16.1.54)
    Mon Jul  1 05:46:19.143819  (CSM_T) csm_copy_image_and_internal_versions(788): sw_img_ver: 5.2(1)N1(2a), int_rev: 1
    Mon Jul  1 05:46:19.143761  (CSM_T) csm_sp_get_peer_sync_rev(329): found the peer with address=172.16.1.54 and sync_rev=78
    Mon Jul  1 05:46:19.143699  (CSM_T) csm_sp_get_peer_sync_rev(315):
    Mon Jul  1 05:46:19.143641  (CSM_EV) csm_sp_build_tl_lock_req_n_send(838): Entered fn
    Mon Jul  1 05:46:19.143582  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
    Switch 2 in which "show cfs peers" does not show proper output
    Mon Jul  1 06:13:11.885354  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 77 seq 482
    Mon Jul  1 06:13:11.884992  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 357 seq 369
    Mon Jul  1 06:13:11.884932  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 357 seq 368
    Mon Jul  1 06:13:11.884872  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 357 seq 367
    Mon Jul  1 06:13:11.884811  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 357 seq 366
    Mon Jul  1 06:13:11.884750  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 352 seq 365
    Mon Jul  1 06:13:11.884690  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 352 seq 364
    Mon Jul  1 06:13:11.884630  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 352 seq 363
    Mon Jul  1 06:13:11.884568  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 352 seq 362
    Mon Jul  1 06:13:11.884207  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733916569.txt
    Mon Jul  1 06:13:11.878695  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
    Mon Jul  1 06:13:11.878638  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
    Mon Jul  1 06:12:29.527840  (CSM_T) csm_pss_del_seq_tbl(1989): Freeing seq tbl data
    Mon Jul  1 06:12:29.513255  (CSM_T) csm_sp_acfg_gen_handler(3106): Done acfg file write
    Mon Jul  1 06:12:29.513179  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733911262.txt
    Mon Jul  1 06:12:29.508859  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
    Mon Jul  1 06:12:29.508803  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
    Mon Jul  1 05:53:17.651236  Collecting peer info
    Mon Jul  1 05:53:17.651181  Failed to get the argumentvalue for 'ip-address'
    Mon Jul  1 05:40:59.262736  DB Unlocked Successfully
    Mon Jul  1 05:40:59.262654  Unlocking DB, Lock Owner Details:Client:1 ID:1
    Mon Jul  1 05:40:59.262570  (CSM_T) csm_sp_del_buf_cmd(1713): Deleting comand with Id = 1
    Mon Jul  1 05:40:59.262513  DB Lock Successful by Client:1 ID:1
    Mon Jul  1 05:40:59.262435  Recieved lock request by Client:1 ID:1
    Mon Jul  1 05:40:41.741224  ssnmgr_ssn_handle_create_get: Session FSM already present, ID:1
    Mon Jul  1 05:40:41.741167  ssnmgr_handle_mgmt_request: Create/Get request received for session[process_n5kprof]
    show cfs lock gives no output.
    Just to further clarify, we have 4 5548UP switches in the same management VLAN. 2 switches are in one location, let's say location A, and they are CFS peers and are working fine.
    These two switches which are having the problem are in location B. All the switches are in the same VLAN. Essentially, all the CFS multicast messages will be seen by all 5548 switches as they are in the same VLAN. I am assuming that this might not create any problems as we specify the peers in the respective configurations. Or do we have to change the CFSoIPv4 multicast addresses in location B, or maybe configure a different region?
    Regards.

  • Ask the Expert: Data Center Integrated Systems and Solutions

    Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about utilizing Cisco data center technology and solutions with subject matter expert Ramses Smeyers. Additionally, Ramses will answer questions about FlexPOD, vBlock, Unified Computing Systems, Nexus 2000/5000, SAP HANA, and VDI.
    Ramses Smeyers is a technical leader in Cisco Technical Services, where he works in the Datacenter Solutions support team. His main job consists of supporting customers to implement and manage Cisco UCS, FlexPod, vBlock, VDI, and VXI infrastructures. He has a very strong background in computing, networking, and storage and has 10+ years of experience deploying enterprise and service provider data center solutions. Relevant certifications include VMware VCDX, Cisco CCIE Voice, CCIE Data Center, and RHCE.
    Remember to use the rating system to let Ramses know if you have received an adequate response.
    Because of the volume expected during this event, Ramses might not be able to answer every question. Remember that you can continue the conversation in the Data Center Community, under the subcommunity Unified Computing, shortly after the event. This event lasts through August 1, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Ramses,
    I have dozen questions but will try to restrain myself and start with the most important ones :)
    1. Can cables between IOM and FI be configured in a port-channel? Let me clarify what I'm trying to achieve: if I have only one chassis with only one B200M3 blade inside, will the 2208 IOM and FI6296 allow me to achieve more than 10Gbps throughput between the blade and the Nexus 5k? Of course, we are talking here about a clean Ethernet environment.
         B200M3 --- IOM2208 --- 4 links --- FI6296 --- port-channel (4 links) --- Nexus5548
    2. Is it possible to view/measure throughput for Fibre Channel interfaces?
    3. Here is one about FlexPod: I know that in the case of vBlock there is a company that delivers a fully preconfigured system and offers one universal support point, so the customer doesn't have to call Cisco or VMware or storage support separately. What I don't know is how it works for FlexPod. Before you answer that you are not a sales guy, let me ask you more technical questions: Is FlexPod a Cisco product, or is it a NetApp product, or is this just a concept developed by two companies that should be embraced by various Cisco/NetApp partners? As you obviously support Datacenter solutions, if a customer/partner calls you with a FlexPod related problem, does it matter for you, from the support side, if you are troubleshooting a fully compliant FlexPod system, or will you provide the same level of support even if the system is customized (not a 100% FlexPod environment)?
    4. When talking about vCenter, can you share your opinion about following: what is the most important reason to create the cluster and what will be the most important limitation?
    5. I know that NetApp has feature called Rapid Clones that allows faster cloning than what vCenter offers. Any chance you can compare the two? I remember that NetApp option should be much faster but didn't understand what is actually happening during the cloning process and I'm hoping you can clarify this? Maybe a quick hint here: seems to me it will be helpful if I could understand the traffic path that is used in each case. Also, it will be nice to know if Vblock (i.e. EMC) offers similar feature and how it is called.
    6. Can I connect Nexus 2000 to the FI6xxx?
    7. Is vBlock utilizing Fabric Failover? Seems to me not and would like to hear your opinion why.
    Thanks for providing us this opportunity to talk about this great topic.
    Regards,
    Tenaro

  • ASK THE EXPERT - DIAL ON DEMAND ROUTING AND POINT TO POINT PROTOCOL

    Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn more about DDR and PPP on leased and dial lines with Cisco expert Tejal Patel. Tejal is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems, Inc. He joined Cisco in July 1999. His current responsibilities include troubleshooting complex issues, training, and authoring documentation. His areas of expertise are Telco Signaling, Configuration and Troubleshooting of Access Servers, AAA etc. Tejal is CCIE # 6619 for ISP Dial. He continually shares his expertise by speaking at the Access Design Clinic at Networkers to discuss and resolve design-related technical issues. Tejal holds a Bachelor's Degree in Electronics and Telecommunication Engineering from Poona University, India. Prior to joining Cisco, Tejal was a Test Engineer at Leemah Datacom Inc., where he was responsible for functional testing of Network Access Server and RADIUS server.
    Remember to use the rating system to let Tejal know if you have received an adequate response.
    Tejal might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 24, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

    the problem is that when I pass the test of GSM 3g to Edge on my card HWIC-3G-GSM, the card does not register any service and I lose the signal, which is to reboot the router, when in 2g edge, my question if a nurse is how they make the change manually from 3g to 2g and vice versa without rebooting the router, and if there indicam I should do, because the output of command takes place when the transition from GSM to edge show cell 0/1/0 is (this the output when entry to edge):
    routerA#show cell 0/1/0 net
    Current Service Status = No service, Service Error = None
    Current Service = Combined
    Packet Service = None
    Packet Session Status = Active
    Current Roaming Status = Home
    Network Selection Mode = Automatic
    Country = HND, Network = CELTEL
    Mobile Country Code (MCC) = 708
    Mobile Network Code (MNC) = 2
    Location Area Code (LAC) = 1001
    Routing Area Code (RAC) = 255
    Cell ID = 0
    Primary Scrambling Code = 0
    PLMN Selection = Automatic
    and this is in gsm:
    routerA#show cell 0/1/0 net
    Current Service Status = Normal, Service Error = None
    Current Service = Combined
    Packet Service = HSDPA (Attached)
    Packet Session Status = Active
    Current Roaming Status = Home
    Network Selection Mode = Automatic
    Country = HND, Network = CELTEL
    Mobile Country Code (MCC) = 708
    Mobile Network Code (MNC) = 2
    Location Area Code (LAC) = 1001
    Routing Area Code (RAC) = 1
    Cell ID = 11041
    Primary Scrambling Code = 484
    PLMN Selection = Automatic
    Registered PLMN = CELTEL , Abbreviated = CELTEL
    Service Provider = TIGO
    that I do need your help, please

  • Ask the Expert: Global Site Selector Configuration and Troubleshooting

    Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuring and troubleshooting the Global Site Selector (GSS) with expert Swati Chopra.
    GSS devices represent the next generation of application switches and global server load balancing (GSLB) appliances. Working together with the Cisco ACE Module and Cisco ACE 4710 appliance, these devices form an application-fluent networking solution that improves availability, acceleration, and security for data center applications.
    The primary role of Cisco GSS is to implement the business continuance and disaster recovery policies of a business by optimizing and securing the Domain Name System (DNS) infrastructure of the data center. It does this by integrating with the DNS infrastructure and responding to the client DNS requests, thereby directing the client to the site that is best able to serve its needs.
    Swati Chopra is a CCNA, CCNP, and VCP certified customer support engineer for content switching, covering technologies such as Cisco Application Control Engine, Cisco Wide Area Application Services, Global Site Selector, Cisco Content Services Switches, and Digital Media Suite. She has been with Cisco for more than three years and has worked with most of the high-end customers on content-related complex cases. She completed her master’s degree in finance, was heading an online education project in collaboration with e-Sylvan, and later moved to technical services because of her love for technology. She is actively involved with diverse Cisco initiatives such as Connected Women, WISE, and Cisco Career Connections and recently hosted a “Birds of Feather” table at Cisco’s Women of Impact conference.
    Remember to use the rating system to let Swati know if you have received an adequate response. 
    Because of the volume expected during this event, Swati might not be able to answer every question. Remember that you can continue the conversation in the Data Center community under subcommunity Application Networking shortly after the event. This event lasts through April 25, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Sarah,
    The load balancing mechanism for GSS requests is done via different methods. We can use these methods to define how the load is shared for different balance clauses within the same rule. The 6 methods we use are:
    –round-robin—The GSS cycles through the list of answers that are available as requests are received. Each resource within an answer group is tried in turn. The GSS cycles through the list of answers, selecting the next answer in line for each request. This is the default.
    e.g.: if we have 2 answers in the answer group, then GSS will provide them alternately.
    –least-loaded—The GSS selects an answer based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request. The least-loaded option is available only for VIP-type answer groups that use a KAL-AP or Scripted keepalive, as they provide the GSS with detailed information on the SLB load and availability.
    e.g.: if one answer has a higher load than the other, then the first answer will not be provided until its load goes down below the other answers.
    –ordered—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request.
    e.g.: the answer with ordered number 1 will be provided first till it becomes unavailable. Once it is unavailable, then the answer with ordered list number 2 will be provided.
    –weighted-round-robin—The GSS cycles through the list of answers that are available as the requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.
    e.g.: if one answer has more weight (80%) than the other answer (20%), then it will be used 8 times out of 10.
    –hashed— When the GSS uses the hashed balance method, elements of the client's DNS proxy IP address and the requesting client's domain are extracted to create a unique value, referred to as a hash value. The unique hash value is attached to and used to identify a VIP that is chosen to serve the DNS query.
    The use of hash values makes it possible to "stick" traffic from a particular requesting client to a specific VIP, ensuring that future requests from that client are routed to the same VIP. This type of continuity can be used to facilitate features, such as online shopping baskets, in which client-specific data is expected to persist even when client connectivity to a site is terminated or interrupted.
    The GSS supports the following two hashed balance methods. You can apply one or both hashed balance methods to the specified answer group.
    • By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.
    • By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.
    e.g.: a user using the same source IP will get the same answer from GSS if we do source address hashing.
    -DNS Race (Boomerang) Method-The GSS supports the DNS race (boomerang) method of proximity routing, which is a type of DNS resolution initiated by the GSS to load balance 2 to 20 sites.
    The boomerang method is based on the concept that instantaneous proximity can be determined if a CRA within each data center sends an A-record (IP address) at the exact same time to the client's D-proxy. The DNS race method of DNS resolution gives all CRAs (Cisco content engines or content services switches) a chance at resolving a client request and allows for proximity to be determined without probing the client's D-proxy. The first A-record received by the D-proxy is, by default, considered to be the most proximate.
    Use case is mainly with CRAs.
    Hope this helps. Please feel free to revert if you have follow-up questions.
    Thanks,
    Swati
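The balance methods described in the answer above, modelled as a small Python simulation. This is an added example, not Cisco GSS code and not part of the original post. The `Answer` and `Balancer` names, the VIP addresses and the use of SHA-256 for the hashed method are assumptions (the page does not give the GSS hash function), and the DNS race method is left out because it depends on CRA timing.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Answer:
    """One answer in an answer group (hypothetical model, not a GSS object)."""
    vip: str
    order: int = 1      # used by "ordered": lower number is tried first
    weight: int = 1     # used by "weighted-round-robin"
    load: int = 0       # used by "least-loaded": load reported by keepalive
    online: bool = True


def live(answers):
    """Only answers whose keepalive reports them available are candidates."""
    return [a for a in answers if a.online]


class Balancer:
    METHODS = {"round-robin", "weighted-round-robin", "ordered",
               "least-loaded", "hashed"}

    def __init__(self, answers, method="round-robin", hash_on=("source",)):
        if method not in self.METHODS:
            raise ValueError(f"unknown balance method: {method}")
        self.answers = answers
        self.method = method
        self.hash_on = hash_on   # ("source",), ("domain",) or both
        self.counter = 0         # position in the round-robin cycle

    def pick(self, source_ip="", domain=""):
        up = live(self.answers)
        if not up:
            return None          # nothing available to answer with
        if self.method == "ordered":
            return min(up, key=lambda a: a.order).vip
        if self.method == "least-loaded":
            return min(up, key=lambda a: a.load).vip
        if self.method == "hashed":
            # Assumption: SHA-256 stands in for the GSS hash. The same
            # D-proxy address (and/or domain) always maps to the same
            # answer while the set of online answers is unchanged.
            parts = {"source": source_ip, "domain": domain}
            key = "|".join(parts[p] for p in self.hash_on)
            digest = hashlib.sha256(key.encode()).digest()
            return up[int.from_bytes(digest[:8], "big") % len(up)].vip
        if self.method == "weighted-round-robin":
            # An answer with weight 8 appears 8 times in the cycle.
            schedule = [a for a in up for _ in range(a.weight)]
        else:
            schedule = up
        choice = schedule[self.counter % len(schedule)]
        self.counter += 1
        return choice.vip


if __name__ == "__main__":
    # Constructed answer group: documentation addresses, made-up loads.
    a = Answer("192.0.2.10", order=1, weight=8, load=70)
    b = Answer("198.51.100.10", order=2, weight=2, load=20)
    for method in sorted(Balancer.METHODS):
        bal = Balancer([a, b], method)
        picks = [bal.pick(source_ip="203.0.113.7", domain="www.example.com")
                 for _ in range(10)]
        print(f"{method:22s} {picks.count(a.vip)}x {a.vip}, "
              f"{picks.count(b.vip)}x {b.vip}")
    a.online = False             # keepalive failure on the first answer
    print("ordered after failure:", Balancer([a, b], "ordered").pick())
```

In this model the hashed mapping can change when an answer goes offline, because the hash is taken modulo the number of online answers.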

  • Ask the Expert: Cisco's 802.11ac Solutions - Deployment, Design, and Interop

    Ask your Questions on Cisco’s 802.11ac Solutions - Deployment, Design, and Interop with Cisco Experts: Richard Hamby and Shankar Ramanathan.
    Monday, March 30th, 2015 to Friday, April 10th, 2015
    Richard Hamby is a senior technical support engineer and Team Lead of the Cisco Technical Assistance Center in Richardson, Texas. He is an expert in Indoor and Outdoor wireless for the full line of Cisco Unified and Converged Access Wireless products, as well as TAC Engineering Engagement Engineer liaison to project engineering teams for new Cisco wireless products. Prior to his current role, Richard was a customer support engineer with the AAA Security TAC team supporting Cisco identity management solutions and has been with Cisco since 2009.
    Shankar Ramanathan is a Customer Support Engineer at the Cisco Technical Center. He is a Technical Content Engineer and Subject Matter Expert for Cisco Enterprise Unified and Converged Access wireless mobility solution including Wireless LAN Controller 2500/5500/WISM2/7500/8500, Converged access 5760/3650/3850 switches, Access Points Lightweight and Autonomous, VoWLAN (792x/9971), Cisco Prime Infrastructure SNMP management, Cisco Mobility Services Engine (MSE/CMX). Prior to joining Cisco in November 2011, he worked as a wireless network engineer at Elan Technologies, responsible for RF wireless network planning, simulation, propagation path analysis, and optimization of Wi-Fi 802.11 mesh and WiMax (802.16 d/e) networks for various system integration and automation projects. Shankar holds a master of science degree in electrical engineering specializing in communications and signal process from the State University of New York, Buffalo. Shankar has a CCIE in Wireless (#40548) and CCNA certified (number 410004168640IMZF) and has over six years of industry experience.

    A common question we are asked is 'why is my device not achieving 11ac data rates?'
    One of the most common answers relates to client compatibility/capability. To get the highest possible data rates of 11ac (assuming proper distance and RF health), the AP and the client device must both be capable of supporting the requirements - 5GHz, 80MHz Channel, short guard interval, 3 spatial streams. Each spatial stream has a max of 433.3Mb/s (at 80MHz, short GI).
    The majority of 11ac-capable wireless cards on the market do not support 3 spatial streams. Most adapters in wireless-capable devices are 1SS or 2SS. For example, the Intel 7260 11ac adapter used in many devices is a 2SS adapter - therefore its max possible data rate is 866.7. Another common adapter in use is the 11ac Broadcom 3SS that Apple uses in the newer Macbooks. These devices can achieve the 1.3GBs PHY data rate.
    This guidance is the same for 11n adapters as well.  To achieve max rate, your 11n AP and adapter must both support 40MHz channels, 3SS, short GI.
    Note: The 11n and 11ac standards both define support for 4SS.  4SS-capable devices are rare, so 3SS is essentially our reality.
    One of the most useful references for questions related to this topic is the AP Data Sheet for each AP.  Here's the AP3700 for example:
    http://www.cisco.com/c/en/us/products/collateral/wireless/3700-series-access-point/data_sheet_c78-729421.html
    Table 1 lists the expected data rate per MCS Index value by #SS at each channel width and GI. Indexes 0-7 are the same for 11n and 11ac (11n limited to 40MHz channels of course).  And MCS 8 & 9 are 11ac-only 256-QAM modulations. 

  • Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

    Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
    Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
    For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
    Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
    Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
    Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
    Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Marcelo,
    Yes, there are some requirements for certificates in Expressway.
    Expressway Core (Exp-C)
    - Can be signed by either External or Internal CA
    - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
    - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
    - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
    - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
    - For TLS b/w CUCM, IM-P & Exp-C
      + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
      + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
      + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
      + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
    Expressway Edge (Exp-E)
    - Signed by External CA
    - Configured Unified Communications domain as Subject Alternate Name
    - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
    - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
    For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
    http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
    - Aashish

  • Ask the Experts: Understanding Cisco ASR 9000 Series Aggregation Services Routers Platform Architecture and Packet Forwarding Troubleshooting

    With Xander Thuijs
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to Cisco ASR 9000 Series Aggregation Services Routers with Cisco expert Xander Thuijs. The Cisco ASR 9000 Series Aggregation Services Routers product family offers a significant added value compared to the prior generations of carrier Ethernet routing offerings. The Cisco ASR 9000 Series is an operationally simple, future-optimized platform using next-generation hardware and software. The ASR 9000 platform family is composed of the Cisco ASR 9010 Router, the Cisco ASR 9006 Router, the Cisco ASR 9922 Router, Cisco ASR 9001 Router and the Cisco ASR 9000v Router.
    This is a continuation of the live Webcast.
    Xander Thuijs is a principal engineer for the Cisco ASR 9000 Series and Cisco IOS-XR product family at Cisco. He is an expert and advisor in many technology areas, including IP routing, WAN, WAN switching, MPLS, multicast, BNG, ISDN, VoIP, Carrier Ethernet, System Architecture, network design and many others. He has more than 20 years of industry experience in carrier Ethernet, carrier routing, and network access technologies. Xander  holds a dual CCIE certification (number 6775) in service provider and voice technologies. He has a master of science degree in electrical engineering from Hogeschool van University in Amsterdam.
    Remember to use the rating system to let Xander know if you have received an adequate response.
    Xander might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Service Providers community XR OS And Platforms  shortly after the event. This event lasts through Friday, May 24, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Is there a Cisco lab available for ASR 9000
    we have "XR4U" stations coming available soon when XR 511 comes alive. The plan is for a downloadable play image like that. In the interim we have 2 demo systems available, and they can be booked via your account manager representative.
    How will MOD160 perform with multiple 9000NVS?
    very well. the mod 160 has 4 NPU's, 2 per bay. So if you have a 4x10 MPA to serve a satellite, you effectively have a single NPU per 20 1Gigs from the satellite. The pps performance will be stellar. However it might be price technically more ideal to connect satellite with a 36x10. Since the MOD-x has native MPA's with 1G also.
    2. Is there a shortcut for a Bundle-EthernetX interface, such as port-channel interface (poX), in Cisco IOS®?
    usability enhancement is there, we are trying to push this into a new reasonable release. follow CSCuh04526
    3. What is the revolutions per minute (RPM) on these hard disk drives (HDDs) compared to the solid state drives (SSDs)? Will the spinning drives be slow?
    depends on the type we had available at time of production, you will see different sizes and disks on the RSP2. the rpm of the HD is not so much an issue as much as the buffered writing we used to do in XR. This is fixed up with XR43 where the disk writing performance is much better. the HD/SSD is used for logging storage only (and maybe your pictures) but other than that we're not that concerned with write perf of the HD.
    regards
    xander

  • Ask the Experts: IOS-XR Fundamentals and Architecture

    Welcome to the Cisco Support Community Ask the Expert conversation. 
    Learn and ask questions about IOS-XR Fundamentals and Architecture.
    November 18, 2014 through November 28, 2014.
    Cisco IOS XR Software is a modular and fully distributed network operating system for service provider networks. Cisco IOS XR creates a highly available, highly secure routing platform.
    It distributes processes across the control, data, and management planes with their own access controls and delivers routing-system scalability, service isolation, and manageability.
    This is a Q&A extension of the Live expert Webcast.
    Cisco subject matter experts Sudeep, Raj, and Sudhir, will focus on IOS-XR fundamentals.
    Including:-
    High-Level Overview of Cisco IOS XR
    Cisco IOS XR Infrastructure
    Configuration Management
    Cisco IOS XR Monitoring and Operations
    Cisco IOS XR Security
    Introduction to different IOS-XR platforms
    Sudeep Valengattil is a customer support engineer in High-Touch Technical Services at Cisco specializing in service provider technologies and platforms. Sudeep has got experience on XR platform like ASR9000, CRS, NCS and GSR. Sudeep has more than 9 years of experience in the IT industry and holds CCIE certification (36098) in Service provider.
    Sudhir Kumar is a customer support engineer in High-Touch Technical Services at Cisco specializing in service provider technologies and platforms. His areas of expertise include Cisco CRS, ASR 9K and Cisco XR 12000 Series Routers. Sudhir has more than 10 years of experience in the IT industry and holds CCIE certification (35219) in Service provider and Routing and switching.
    Raj Pathak is a customer support engineer in High-Touch Technical Services at Cisco specializing in service provider technologies and platforms. He serves as a support engineer for technical issues supporting Cisco IOS XR Software customers on Cisco CRS and Cisco XR 12000 Series Routers. Raj has more than 8 years of experience in the IT industry and holds CCIE certification (38760) in routing and switching.
    For more information about this topic, visit the Expert Corner > Knowledge Sharing
    Remember to use the rating system to let the experts know if you have received an adequate response.

    Hi Charles,
    To answer your question,
    LPTS would be acting only on packet/traffic which is ingressing the router and destined for the router itself (for-us packets). It provides an internal forwarding table to route control/management protocol packets destined to the local router to the right application for further processing. Once we have a packet entering the interface, the network processor would be performing a lookup to determine if this packet is destined for us. Based on which, it will forward to LPTS. For example, the ICMP packets coming in on an interface with the destination IP of the router itself would be processed by LPTS. It also provides a policing function for this traffic transparently.
    Key facts about LPTS
    1. LPTS is an always on feature.  No user configuration needed to enable it.
    2. LPTS is only applicable for traffic entering the router and destined to the local router. Applies for control-plane and management-plane traffic.
    3. Packets originated by the router and transit traffic are not processed by LPTS.
    4. LPTS polices the incoming traffic based on the pre-defined policer rates.
    Here is an o/p snip to view the LPTS entries.
    RP/0/RP0/CPU0:CRS-C#sh lpts pifib hard police loc 0/0/cpu0
    Tue Nov 25 23:32:10.666 EDT
    Node 0/0/CPU0:
    Burst = 100ms for all flow types
    FlowType               Policer  Type    Cur. Rate  Def. Rate  Accepted  Dropped
    unconfigured-default   100      Static  500        500        0         0
    L2TPv2-fragment        185      Static  700        700        0         0
    Fragment               106      Static  1000       1000       0         0
    OSPF-mc-known          107      Static  20000      20000      44818     0
    OSPF-mc-default        111      Static  5000       5000       11366     0
    Do let us know if you have any further queries.
    Regards,
    Sudeep Valengattil
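One way to turn the policer output quoted above into a control-plane health check, as an added example that is not part of the original post and not Cisco tooling. The function names and the 1% drop threshold are assumptions; the first five sample rows are the ones from the post, and the last row is constructed so that both checks have something to report.

```python
import re
from dataclasses import dataclass

# Rows 1-5 are copied from the post; the "ICMP-local" row is CONSTRUCTED
# (hypothetical values) to show a policer that is dropping and overridden.
SAMPLE = """\
Node 0/0/CPU0:
Burst = 100ms for all flow types
FlowType Policer Type Cur. Rate Def. Rate Accepted Dropped
unconfigured-default 100 Static 500 500 0 0
L2TPv2-fragment 185 Static 700 700 0 0
Fragment 106 Static 1000 1000 0 0
OSPF-mc-known 107 Static 20000 20000 44818 0
OSPF-mc-default 111 Static 5000 5000 11366 0
ICMP-local 132 Local 300 1500 9000 412
"""

# A data row is: name, policer id, type, then four integer counters.
# Header, node and burst lines do not match and are skipped.
ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<policer>\d+)\s+(?P<ptype>[A-Za-z]+)\s+"
    r"(?P<cur>\d+)\s+(?P<default>\d+)\s+(?P<accepted>\d+)\s+(?P<dropped>\d+)\s*$"
)


@dataclass
class Flow:
    name: str
    policer: int
    ptype: str
    cur_rate: int
    def_rate: int
    accepted: int
    dropped: int

    @property
    def drop_ratio(self):
        total = self.accepted + self.dropped
        return self.dropped / total if total else 0.0


def parse_lpts(text):
    """Parse policer rows; tolerates aligned or single-space columns."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            flows.append(Flow(m["name"], int(m["policer"]), m["ptype"],
                              int(m["cur"]), int(m["default"]),
                              int(m["accepted"]), int(m["dropped"])))
    return flows


def findings(flows, drop_threshold=0.01):
    """Return (flow, kind, detail) tuples worth an operator's attention."""
    out = []
    for f in flows:
        if f.dropped and f.drop_ratio >= drop_threshold:
            out.append((f.name, "dropping",
                        f"{f.dropped} of {f.accepted + f.dropped} packets "
                        f"dropped ({f.drop_ratio:.1%})"))
        if f.cur_rate != f.def_rate:
            out.append((f.name, "rate-override",
                        f"current rate {f.cur_rate}, default {f.def_rate}"))
    return out


if __name__ == "__main__":
    for name, kind, detail in findings(parse_lpts(SAMPLE)):
        print(f"{name}: {kind}: {detail}")
```

Sustained drops on a flow type mean for-us traffic of that class is arriving faster than its policer allows, which is worth correlating with the source before any rate is raised.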

  • Ask the Expert: Hierarchical Network Design, Includes Core, Distribution, and Access

    Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about hierarchical network design. 
    Recommending a network topology is required for meeting a customer's corporate network design  needs in their business and technical goals and often consists of many interrelated components. The hierarchical design made this easier like "divide and conquer" the job and develop the design in layers.
    Network design experts have developed the hierarchical network design model to help to develop a topology in discrete layers. Each layer can be focused on specific functions, to select the right systems and features for the layer.
    A typical hierarchical topology is
    A core layer of high-end routers and switches that are optimized for availability and performance.
    A distribution layer of routers and switches that implement policies.
    An access layer that connects users via lower-end switches and wireless access points.
    Ahmad Manzoor is a Senior Pre-Sales Engineer at AGCN, Pakistan. He has more than 10 years of experience in first-rate management, commercial and technical skills in the field of data communication and services lifecycle—from solution design through sales pitch, designing RFPs, architecture, and solution—all with the goal toward winning projects (creating win/win situations) of obsolete solutions.  Ahmad also has vast experience in designing end-to-end data centers, from building infrastructure design to data communication and network Infrastructure design. He has worked for several large companies in Pakistan and United Arab Emirates markets; for example, National Engineer, WATEEN Telecom, Emircom, Infotech, Global Solutions, NETS International, Al-Aberah, and AGCN, also known as Getronics, Pakistan.
    Remember to use the rating system to let Ahmad know if he has given you an adequate response. 
    Because of the volume expected during this event, Ahmad might not be able to answer every question. Remember that you can continue the conversation in the  Solutions and Architectures under the sub-community Data Center & Virtualization, shortly after the event. This event lasts through August 15, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Dear Leo,
    We are discussing the following without any product line, discussing the concept of hierarchical design, which will help you decide which model is better for you: the two-layer or the three-layer hierarchical model.
    Two-Layer Hierarchy
    In many networks, you need only two layers to fulfill all of the layer functions—core and aggregation.
    Only one zone exists within the core, and many zones are in the aggregation layer. Examine each of the layer functions to see where it occurs in a two-layer design:
    Traffic forwarding—Ideally, all interzone traffic forwarding occurs in the core. Traffic flows from each zone within the aggregation layer up the hierarchy into the network core and then back down the hierarchy into other aggregation zones.
    Aggregation—Aggregation occurs along the core/aggregation layer border, allowing only interzone traffic to pass between the aggregation and core layers. This also provides an edge for traffic engineering services to be deployed along.
    Routing policy—Routing policy is deployed along the edge of the core and the aggregation layers, generally as routes are advertised from the aggregation layer into the core.
    User attachment—User devices and servers are attached to zones within the aggregation layer. This separation of end devices into the aggregation permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, it is best not to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the aggregation layer. You can also place traffic admittance controls at the aggregation points exiting from the aggregation layer into the core of the network, but this is not common.
    You can see, then, how dividing the network into layers enables you to make each layer specialized and to hide information between the layers. For instance, the traffic admittance policy implemented along the edge of the aggregation layer is entirely hidden from the network core.
    You also use the core/aggregation layer edge to hide information about the topology of routing zones from each other, through summarization. Each zone within the aggregation layer should have minimal routing information, possibly just how to make it to the network core through a default route, and no information about the topology of the network core. At the same time, the zones within the aggregation layer should summarize their reachability information into as few routing advertisements as possible at their edge with the core and hide their topology information from the network core.
    Three-Layer Hierarchy
    A three-layer hierarchy divides these same responsibilities through zones in three vertical network layers.
    Traffic Forwarding—As with a two-layer hierarchy, all interzone traffic within a three-layer hierarchy should flow up the hierarchy, through the layers, and back down the hierarchy.
    Aggregation—A three-layer hierarchy has two aggregation points:
    At the edge of the access layer going into the distribution layer
    At the edge of the distribution layer going into the core
    At the edge of the access layer, you aggregate traffic in two places: within each access zone and flowing into the distribution layer. In the same way, you aggregate interzone traffic at the distribution layer and traffic leaving the distribution layer toward the network core. The distribution layer and core are ideal places to deploy traffic engineering within a network.
    Routing policy—The routing policy is deployed within the distribution layer in a three-layer design and along the distribution/core edge. You can also deploy routing policies along the access/distribution edge, particularly route and topology summarization, to hide information from other zones that are attached to the same distribution layer zone.
    User attachment—User devices and servers are attached to zones within the access layer. This separation of end devices into the access layer permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, you do not want to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the access layer. You can also place traffic admittance controls at the aggregation points along the aggregation/core edge.
    As you can see, the concepts that are applied to two- and three-layer designs are similar, but you have more application points in a three-layer design.
    Now the confusion arises in our minds: where do we use the two-layer and where the three-layer hierarchical model?
    Now we are discussing how many layers to use in network design.
    Which network design is better: two layers or three layers? As with almost all things in network design, it all depends. Examine some of the following factors involved in deciding whether to build a two- or three-layer network:
    Network geography—Networks that cover a smaller geographic space, such as a single campus or a small number of interconnected campuses, tend to work well as two-layer designs. Networks spanning large geographic areas, such as a country, continent, or even the entire globe, often work better as three-layer designs.
    Network topology depth—Networks with a compressed, or flattened, topology tend to work better as two-layer hierarchies. For instance, service provider networks cover large geographic areas, but reducing the number of hops through the network is critical in providing the services they sell; therefore, they are often built on a two-layer design. Networks with substantial depth in their topologies, however, tend to work better as three-layer designs.
    Network topology design—Highly meshed networks, with many requirements for interzone traffic flows, tend to work better as two-layer designs. Simplifying the hierarchy to two levels tends to focus the design elements into meshier zones. Networks that focus traffic flows on well-placed distributed resources, or centralized resources, such as a network with a large number of remote sites connecting to a number of centralized Data Centers, tend to work better as three-layer designs.
    Policy implementation—If policies of a network tend to focus on traffic engineering, two-layer designs tend to work better. Networks that attempt to limit access to resources attached to the network and other types of policies tend to work better as three-layer designs.
    Again, however, these are simple rules of thumb. No definitive way exists to decide whether a network should have two or three layers. Likewise, you cannot point to a single factor and say, “Because of this, the network we are working on should have three layers instead of two.”
    I hope that this helps you to understand the purposes of Two Layer & Three layer Hierarchical Model.
    Best regards,
    Ahmad Manzoor

  • Ask the Expert: Cisco Unified Contact Center Express (UCCX) Version 10.0 - Upgrade, Migration, and New Features Overview

                With Abhiram Kramadhati 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the upgrade, migration methods, and new features of the latest released Version 10.0 of Cisco Unified Contact Center Express (UCCX) with Cisco expert Abhiram Kramadhati.
    Abhiram will address the following on the latest release of Cisco UCCX Version 10.0:
    Installation
    Upgrade from previous versions - both Linux and Windows   
    Migration from MCS to Cisco UCS environment - Different methods and best practices
    New features - Overview and limitations
    This discussion will center on install and upgrade best practices, changes in hardware support, and migration methods from MCS to Cisco UCS. He can also briefly discuss the new features introduced in 10.0. The discussion focuses on the latest versions, but queries about general Cisco UCCX topics can be addressed too if time allows.
    Abhiram Kramadhati is an engineer with the Contact Center Backbone group. He has been working with Cisco UCCX since he joined Cisco. During two years at Cisco, he has built his expertise around Cisco UCCX telephony applications, Java Telephony API (JTAPI) integration, Cisco UCCX system behavior, LDAP components, and Cisco UCCX as IP interactive voice response in Unified Contact Center Enterprise (UCCE) environments. He also works on other technologies, including Unified Communications Manager and UCCE. He has been involved in many technical escalations in the Asia Pacific region. Abhiram also holds a CCIE in voice (40065).
    For more details about this topic, refer to the recently published Tech-Talk Video and Blog.
    Remember to use the rating system to let Abhiram know if you have received an adequate response. 
    Abhiram might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Voice, Video, and Collaboration  community,  sub-community, Contact Center discussion forum shortly after the event. This event lasts through January 31, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Anurag,
    Thanks for your questions.
    1:Is there change in DB architecture as CUIC is the only option as compared to previous linux version UCCX ?
    I assume this is from the tables regarding historical data. The database schema essentially remains the same since UCCX 9.0 had CUIC too and we had a separate DB Space for CUIC and we still continue with that. The traditional historical tables remain and the replication process remains the same too.
    2:Is there any version change for Linux OS used as VOS,
    The Linux version is Red Hat Linux 5. To be precise:
    [root@uccx10pub /]# cat etc/redhat-release
    Red Hat Enterprise Linux Server release 5.7 (Tikanga)
    3:Is there any API architecture change in UCCX 10 from previous releases ?
    I can answer this more as an overview. The only enhancement on the API side is the introduction of the REST API step in the script editor. You can now make REST calls from the script and this of course opens up a whole new world of possibilities.
    4:Since from UCCX 10, we can only use either CAD or Finesse at one time, what's the impact of changing this after some time in production, let's say, I used CAD for 2 months and then I decided to move to Finesse, what's the impact? Or is it a smooth change as switching CUIC and HRC in previous release?
    For the scenario you mentioned, there is absolutely no problem. The point to note is that the Finesse services are activated/deactivated but the CAD desktop services are ALWAYS running. The only condition to keep in mind is that you can use ONLY ONE type of agent desktop at any time. Also, if Finesse is not used and CAD operations are used extensively, it is advisable to shut down the Finesse service.
    5:Is 3rd Party UCS hardware supported by UCCX 10 instead of using Cisco manufactured UCS , can i use HP hardware for Virtualisation ?
    Yes, it can be used. This is something called as "Third party specs based specification". The most important things seen for compatibility are:
    Intel CPU Model
    It is on the VMware Hardware Compatibility List
    You can get more information about this on the "Can I use this server?" section of UC Virtualized Hardware page:
    http://docwiki.cisco.com/wiki/UC_Virtualization_Supported_Hardware#.22Can_I_use_this_server.3F.22
    6:Is Host name change supported?
    Yes, the hostname change is supported. The procedure is documented in the UCCX 10.0 Administration Guide:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_10_0/configuration/guide/UCCX_BK_W1AF9DDD_00_uccx-admin-guide-10.0.pdf (Pg 168)
    Cheers,
    Abhiram Kramadhati

  • Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

    With Rahul Rammanohar 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
    In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
    •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
    •       ASR9k: network processor capture
    •       7200/ISRs: embedded packet capture
    •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
    •       Cisco Nexus 7K: ELAM
    •       CRS: show captured packets
    •       ASR1K: embedded packet capture
    More Information
    Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
    Watch the Video:  https://supportforums.cisco.com/videos/6226
    Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
    Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
    Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
    Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Erick
    Thanks for the topology. The trigger will be different for labelled packets as you would need to mention the values of the labels too in the trigger.
    Below are two examples of one or two labels being used; it depends on where you are capturing the packet in the mplsvpn scenario, which will decide the number of labels being imposed on the packet.
    Trigger for one label. (if PHP is being performed on the router on which you are capturing the packet)
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    Trigger for two labels. (for other core routers)
    IGP label - 1234
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    You can check the labels being used (by using show ip cef <> details) and convert their values to hex and change the trigger accordingly.
    I have changed the colors for better understanding. If you notice carefully, in the trigger the values for the IP addresses and labels have just been converted to their respective hex values, which could be replaced.
         Please let me know if this helps.
    Thanks & Regards
    Hitesh & Rahul
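
The label-to-hex conversion described in the reply above, as an added example (not part of the original reply and not Cisco code): it packs the MPLS labels and IPv4 addresses into 32-bit data and mask words. The word layout (three unmatched leading words, EtherType 0x8847, the label stack, then the IPv4 header) is an assumption inferred from the two triggers in the reply, and the function names are hypothetical.

```python
import ipaddress

MPLS_ETHERTYPE = 0x8847  # MPLS unicast, the 0x8847 seen in both triggers


def elam_words(labels, src_ip, dst_ip):
    """Return (data, mask) as lists of 32-bit words; labels are outermost first."""
    # Assumed layout: three leading words left as 0 / unmatched, as in the reply.
    data = bytearray(12)
    mask = bytearray(12)
    data += MPLS_ETHERTYPE.to_bytes(2, "big")
    mask += b"\xff\xff"
    for label in labels:
        if not 0 <= label < 1 << 20:
            raise ValueError(f"MPLS label out of 20-bit range: {label}")
        # Label stack entry: 20-bit label, then EXP/S/TTL (12 bits, not matched).
        data += (label << 12).to_bytes(4, "big")
        mask += (0xFFFFF << 12).to_bytes(4, "big")
    # IPv4 header: the 12 bytes before the source address are not matched.
    data += bytes(12)
    mask += bytes(12)
    for ip in (src_ip, dst_ip):
        data += ipaddress.IPv4Address(ip).packed
        mask += b"\xff" * 4
    pad = -len(data) % 4  # pad to a whole 32-bit word
    data += bytes(pad)
    mask += bytes(pad)

    def words(buf):
        return [int.from_bytes(buf[i:i + 4], "big") for i in range(0, len(buf), 4)]
    return words(data), words(mask)


def elam_trigger(labels, src_ip, dst_ip):
    """Format the trigger the way the reply writes it (0 for all-zero words)."""
    data, mask = elam_words(labels, src_ip, dst_ip)
    d = " ".join("0" if w == 0 else f"0x{w:08X}" for w in data)
    m = " ".join("0" if w == 0 else f"0x{w:08x}" for w in mask)
    return f"show platform capture elam trigger dbus others if data = {d} [ {m} ]"


if __name__ == "__main__":
    # Values from the reply: IGP label 1234, VPN label 5678.
    print(elam_trigger([5678], "111.111.111.111", "123.123.123.123"))
    print(elam_trigger([1234, 5678], "111.111.111.111", "123.123.123.123"))
```

With the reply's values (labels 1234 and 5678, 111.111.111.111 to 123.123.123.123) it yields the same data and mask words as the two triggers above; on a real device, take the label values from the CEF output the reply mentions.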
