Ask the Experts: IOS-XR Fundamentals and Architecture

Similar Messages

• Ask the Expert : Initial Set Up and LAN Connectivity for Cisco UCS Servers

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about related to the initial setup of UCS C & B Series which include LAN connectivity from the UCS perspective with Cisco subject matter expert Kenny Perez.
  In particularly, Kenny will cover topics such as: ESXi/Windows  installations, RAID configurations (best practices for good performance and configuration), VLAN/Jumbo Frames configuration for B series and C series servers, Pools/Policies/Upgrades/Templates/Troubleshooting Tips for blade and rack servers, Fabric Interconnects configuration, general compatibility of Hardware/Software/drivers amongst other topics
  Kenny Perez is a technical leader in Cisco Technical Assistance Center, where he works in Server Virtualization support team. His main job consists of supporting customers to implement and manage Cisco UCS B series and C series. He has background in computing, networking, and Vmware ESXi and has 3+ years of experience support UCS servers and is VCP certified.
  Remember to use the rating system to let Kenny know if he has given you an adequate response. 
  This event lasts through October 10th, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi,
  Actually  we have UCS 6248 fabric interconnect - first twelve ports are enabled  and same in Cisco UCS Manager.
  But when more port will be active by expansion module  then UCSM can manage that too or need any other licence  for UCSM too?

• Reminder: Ask the Experts Session on WSIT and Project Tango, April 30-May 4

  This is a reminder about the Ask the Experts session on Web Services Interoperability Technology, WSIT (http://java.sun.com/webservices/interop/) and Project Tango (https://wsit.dev.java.net/).
  If you've got a question about about these initiatives for interoperability between Java EE and .NET, post it on the Ask the Experts page (http://java.sun.com/developer/community/askxprt/) from April 30 to May 4 and get answers from Sun experts, Arun Gupta, Harold Carr, and Marek Potociar.

  Thanks for the info!

• Ask the Experts Session on Mobile Service Architecture (MSA), August 20-24

  Got a question about MSA, JSR 248, a Java ME optional package that defines the next generation Java ME platform? Post it during the week of August 20 on the Ask the Experts page (http://java.sun.com/developer/community/askxprt/) and get answers from Mickhail Gorshenev, Sun's lead for the JSR 248 Technology Conformance Kit (TCK), E-Ming Saung, Product Line Manager in the Java ME Marketing group, and Hinkmond Wong, one of the current project owners of the phoneME open source project and past specification lead for various mobility-related technologies such as the Java ME Connected Device Configuration (CDC) and Foundation Profile.

  i am working in struts with netbeans....can you please guide me in suggesting how to retrieve database in one table when it is already stored in another table in the same database?

• Ask the Experts Session on WSIT and Project Tango: April 30-May 4

  Web Services Interoperability Technology, WSIT, (http://java.sun.com/webservices/interop/) is an open-source implementation of next-generation web services technologies that deliver interoperability between Java EE and .Net. Project Tango (https://wsit.dev.java.net/) is a Sun initiative that develops and evolves the codebase for WSIT.
  Got a question about WSIT or Project Tango? Post it on the Ask the Experts page (http://java.sun.com/developer/community/askxprt/) from April 30 to May 4 and get answers from Sun experts, Arun Gupta, Harold Carr, and Marek Potociar.

  !

• How to manage the ATE_SEARCH_IDX-index in Ask the expert-application?

  I'm currently looking at the Ask the expert(=Tom Kyte) application and I cannot figure out how to manage the Oracle Text-index "ATE_SEARCH_IDX" ON "ATE_SUBMITTED_QUESTIONS" ("ANSWER")
  INDEXTYPE IS "CTXSYS"."CONTEXT".
  In the Readme-file can be read:
  "To customize search functionality, view the Oracle Text Index installation
  script. You can change the interval that the index is synched and change
  the fields that are used in the search."
  I don't see the Oracle Text Index installation-script.
  Can anyone give me the contents of the script or come up with an alternative?
  Thanks,
  Jan Willem

  Thank you, Marco. I found it.
  Still, the reason why I was looking for it was the fact that I asked myself a question, answered it and then tried to Search for it. I couldn't find my own question (and answer).
  The only way I found to make it work was to manually rebuild the index on the answer-column in ATE_SUBMITTED_QUESTIONS. But I'm sure there's another way, because these are not the kind of things you'd like a customer (or myself) to do on a regular basis.
  Can you give me another way to synchronize this index preferably managed from inside the database?

• Ask the Experts: Understanding Cisco ASR 9000 Series Aggregation Services Routers Platform Architecture and Packet Forwarding Troubleshooting

  With Xander Thuijs
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to Cisco ASR 9000 Series Aggregation Services Routers with Cisco expert Xander Thuijs. The Cisco ASR 9000 Series Aggregation Services Routers product family offers a significant added value compared to the prior generations of carrier Ethernet routing offerings. The Cisco ASR 9000 Series is an operationally simple, future-optimized platform using next-generation hardware and software. The ASR 9000 platform family is composed of the Cisco ASR 9010 Router, the Cisco ASR 9006 Router, the Cisco ASR 9922 Router, Cisco ASR 9001 Router and the Cisco ASR 9000v Router.
  This is a continuation of the live Webcast.
  Xander Thuijs is a principal engineer for the Cisco ASR 9000 Series and Cisco IOS-XR product family at Cisco. He is an expert and advisor in many technology areas, including IP routing, WAN, WAN switching, MPLS, multicast, BNG, ISDN, VoIP, Carrier Ethernet, System Architecture, network design and many others. He has more than 20 years of industry experience in carrier Ethernet, carrier routing, and network access technologies. Xander  holds a dual CCIE certification (number 6775) in service provider and voice technologies. He has a master of science degree in electrical engineering from Hogeschool van University in Amsterdam.
  Remember to use the rating system to let Xander know if you have received an adequate response.
  Xander might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Service Providers community XR OS And Platforms  shortly after the event. This event lasts through Friday, May 24, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast  related links:
  Slides
  Webcast  Video Recording
  FAQ

  Is there a Cisco lab available for ASR 9000
  we have "XR4U" stations coming available soon when XR 511 comes alive. The plan is for a downloadable play image like that. In the interim we have 2 demo systems available, and they can be booked via your account manager representative.
  How will MOD160 perform with multiple 9000NVS?
  very well. the mod 160 has 4 NPU's, 2 per bay. So if you have a 4x10 MPA to serve a satellite, you effectively have a single NPU per 20 1Gigs from the satellite. The pps performance will be stellar. However it might be price technically more ideal to connect satellite with a 36x10. Since the MOD-x has native MPA's with 1G also.
       2. Is there a shortcut for a Bundle-EthernetX interface, such as port-channel interface (poX), in Cisco IOS® ?.
  usability enhancement is there, we are trying to push this into a new reasonable release. follow CSCuh04526
       3. What  is the revolutions per minute (RPM) on these hard disk drives (HDDs)  compared to the solid state drives (SDDs)? Will the spinning drives be  slow?
  depends on the type we had avaialble at time of production, you will see different sizes and disks on the RSP2. the rpm of the HD is not so much an issue as much as the buffered writing we used to do in XR. This is fixed up with XR43 where the disk writing performance is much better. the HD/SDD is used for logging storage only (and maybe your pictures) but other then that we're not that concerned with write perf of the HD.
  regards
  xander

• Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

  Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
  Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
  For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
  Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
  Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
  Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Marcelo,
     Yes, there are some requirements for certificates in Expressway.
  Expressway Core (Exp-C)
  - Can be signed by either External or Internal CA
  - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
  - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
  - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
  - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
  - For TLS b/w CUCM, IM-P & Exp-C
    + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
    + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
    + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
    + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
  Expressway Edge (Exp-E)
  - Signed by External CA
  - Configured Unified Communications domain as Subject Alternate Name
  - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
  - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
  For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
  http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
  - Aashish

• Ask the Expert: NGWC (3850/5760): Architecture and Deployment

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about NGWC (3850/5760): Architecture and Deployment.
  Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015
  This Ask the Expert Session will cover questions spanning NGWC products (3850/5760) on Implementation and Deployment from the Wired and Wireless perspective. This will be more specific to Customer’s and Partners questions covering 3850/5760 configuration, Implementation and deployment.
  Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS)  handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco Wireless CUWN and NGWC Product line. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS) and CCIE (DC-Written) and CCIE Wireless certification.
  Naveen Venkateshaiah is working as a Customer support engineer in High-Touch Technical Services (HTTS) handling  and supporting Lan-switching and Data center Products. His areas of expertise include Catalyst 3k,4k , 6500 , Nexus 7k Platform  He has over 7 years of industry experience working with large Enterprise and Service Provider networks. He also holds CCNA, CCNP (RS) and  CCDP-ARCH,CCIE-R&S Written, AWLANFE, LCSAWLAN Certification.
  Find other  https://supportforums.cisco.com/expert-corner/events.
  **Ratings Encourage Participation! **
  Please be sure to rate the Answers to Questions

  Hi Dhiyadav,
  thank you for your reply it cleared some doubts that were in my mind but i need your more support to guide me a converged access deployment which i am going to deploy within few days.
  i have 
  2x5508 in HA as MC
  30x3850 switches, and all will be used as MA(s) with multiple SPGs
  2X5508  1:1 as an anchor controller
  1xISE 1.3 for guest access
  1xCPI for wireless mgmt and monitoring purpose
  1xMSE3355 with wips and context aware licenses
  200x cisco 3702i WAP
  50x WSSI module for monitoring the channels
  can you please put a light on the design and guide me that which are the best possible solutions to get this job done very smoothly.
  i will also let you know about my proposed design scenario but for sure i need your recommendations as well :)
  so,
  i will use 2x5508 wlcs in HA as a MC which are AP-Count and HA licensed..
  3850 switches will be MA and i ll configure SPGs per floor switches stacks 
  WAPs will join on these 3850 MAs base on each floor
  i would have 2 ssid like employee and guest
  i will configure them on each 3850 stack MA along with their SVIs for users access like (empolyee and guest ssid)
  here my question is for guest ssid and its vlan... do i configure it here or on anchor controller???
  i want ISE to be integrated with wireless for employee 802.1x and for guest web Auth. so, how i will integrate ISE with wireless. i mean weather i will integrate it anchor controller or with each 3850 MA???
  between foreign and anchor controller i will use new mobility instead of old EOIP!!!
  where shall place ISE in my network, in DMZ or with Core switch?
  my target for guest users to do not have access to any corporate network sources ?
  MSE:
  can i use both wips and context aware on the single MSE box?
  if yes, than what is the best practice for configuring them?
  are each 3850 MA will be added in MSE?
  WSSI module . will be used for monitoring purpose for wips and context aware profiles.
  all access point will be worked in local mode for serving users access.
  thank you

• Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

  With Rahul Rammanohar 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
  In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
  •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
  •       ASR9k: network processor capture
  •       7200/ISRs: embedded packet capture
  •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
  •       Cisco Nexus 7K: ELAM
  •       CRS: show captured packets
  •       ASR1K: embedded packet capture
  More Information
  Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
  Watch the Video:  https://supportforums.cisco.com/videos/6226
  Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
  Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
  Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
  Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Erick
      Thanks for the topology. The trigger will be different for labelled  packet as you would need to mention the values of labels too in the  trigger.
       Below are two examples of one or two labels being  used, it depends on where you are capturing the packet in mplsvpn  scenario which will decide teh number of labels being imposed on the  packet.
  Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
  VPN label - 5678
  Source Address - 111.111.111.111
  Destination Address - 123.123.123.123
  show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F 7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
  Trigger for two labels. (for other core routers)
  IGP label - 1234
  VPN label - 5678
  Source Address - 111.111.111.111
  Destination Address - 123.123.123.123
  show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
      You can check the labels being used (by using show ip cef <> details) and covert their values to hex and change the trigger accordingly.
       I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
       Please let me know if this helps.
  Thanks & Regards
  Hitesh & Rahul

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• Ask the Expert: Hierarchical Network Design, Includes Core, Distribution, and Access

  Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about hierarchical network design. 
  Recommending a network topology is required for meeting a customer's corporate network design  needs in their business and technical goals and often consists of many interrelated components. The hierarchical design made this easier like "divide and conquer" the job and develop the design in layers.
  Network design experts have developed the hierarchical network design model to help to develop a topology in discrete layers. Each layer can be focused on specific functions, to select the right systems and features for the layer.
  A typical hierarchical topology is
  A core layer of high-end routers and switches that are optimized for availability and performance.
  A distribution layer of routers and switches that implement policies.
  An access layer that connects users via lower-end switches and wireless access points.
  Ahmad Manzoor is a Senior Pre-Sales Engineer at AGCN, Pakistan. He has more than 10 years of experience in first-rate management, commercial and technical skills in the field of data communication and services lifecycle—from solution design through sales pitch, designing RFPs, architecture, and solution—all with the goal toward winning projects (creating win/win situations) of obsolete solutions.  Ahmad also has vast experience in designing end-to-end data centers, from building infrastructure design to data communication and network Infrastructure design. He has worked for several large companies in Pakistan and United Arab Emirates markets; for example, National Engineer, WATEEN Telecom, Emircom, Infotech, Global Solutions, NETS International, Al-Aberah, and AGCN, also known as Getronics, Pakistan.
  Remember to use the rating system to let Ahmad know if he has given you an adequate response. 
  Because of the volume expected during this event, Ahmad might not be able to answer every question. Remember that you can continue the conversation in the  Solutions and Architectures under the sub-community Data Center & Virtualization, shortly after the event. This event lasts through August 15, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Dear Leo,
  We are discussing the following without any product line, discussing the concept of hierarchical design, which will help you to take decision which model is better for you Two Layer or Three Layer hierarchical model.  
  Two-Layer Hierarchy
  In many networks, you need only two layers to fulfill all of the layer functions—core and aggregation
  Only one zone exists within the core, and many zones are in the aggregation layer. Examine each of the layer functions to see where it occurs in a two-layer design:
  Traffic forwarding—Ideally, all interzone traffic forwarding occurs in the core. Traffic flows from each zone within the aggregation layer up the hierarchy into the network core and then back down the hierarchy into other aggregation zones.
  Aggregation—Aggregation occurs along the core/aggregation layer border, allowing only interzone traffic to pass between the aggregation and core layers. This also provides an edge for traffic engineering services to be deployed along.
  Routing policy—Routing policy is deployed along the edge of the core and the aggregation layers, generally as routes are advertised from the aggregation layer into the core.
  User attachment—User devices and servers are attached to zones within the aggregation layer. This separation of end devices into the aggregation permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, it is best not to mix transit and destination traffic in the same area of the network.
  Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the aggregation layer. You can also place traffic admittance controls at the aggregation points exiting from the aggregation layer into the core of the network, but this is not common.
  You can see, then, how dividing the network into layers enables you to make each layer specialized and to hide information between the layers. For instance, the traffic admittance policy implemented along the edge of the aggregation layer is entirely hidden from the network core.
  You also use the core/aggregation layer edge to hide information about the topology of routing zones from each other, through summarization. Each zone within the aggregation layer should have minimal routing information, possibly just how to make it to the network core through a default route, and no information about the topology of the network core. At the same time, the zones within the aggregation layer should summarize their reachability information into as few routing advertisements as possible at their edge with the core and hide their topology information from the network core.
  Three-Layer Hierarchy
  A three-layer hierarchy divides these same responsibilities through zones in three vertical network layers,
  Traffic Forwarding—As with a two-layer hierarchy, all interzone traffic within a three- layer hierarchy should flow up the hierarchy, through the layers, and back down the hierarchy.
  Aggregation—A three-layer hierarchy has two aggregation points:
  At the edge of the access layer going into the distribution layer
  At the edge of the distribution layer going into the core
  At the edge of the access layer, you aggregate traffic in two places: within each access zone and flowing into the distribution layer. In the same way, you aggregate interzone traffic at the distribution layer and traffic leaving the distribution layer toward the network core. The distribution layer and core are ideal places to deploy traffic engineering within a network.
  Routing policy—The routing policy is deployed within the distribution layer in a three- layer design and along the distribution/core edge. You can also deploy routing policies along the access/distribution edge, particularly route and topology summarization, to hide information from other zones that are attached to the same distribution layer zone.
  User attachment—User devices and servers are attached to zones within the access layer. This separation of end devices into the access layer permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, you do not want to mix transit and destination traffic in the same area of the network.
  Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the access layer. You can also place traffic admittance controls at the aggregation points along the aggregation/core edge.
  As you can see, the concepts that are applied to two- and three-layer designs are similar, but you have more application points in a three-layer design.
  Now the confusion takes place in our minds where do we use Two Layer and where the Three layer hierarchical model.
  Now we are discussing that How Many Layers to Use in Network Design?
  Which network design is better: two layers or three layers? As with almost all things in network design, it all depends. Examine some of the following factors involved in deciding whether to build a two- or three-layer network:
  Network geography—Networks that cover a smaller geographic space, such as a single campus or a small number of interconnected campuses, tend to work well as two-layer designs. Networks spanning large geographic areas, such as a country, continent, or even the entire globe, often work better as three layer designs.
  Network topology depth—Networks with a compressed, or flattened, topology tend to work better as two-layer hierarchies. For instance, service provider networks cover large geographic areas, but reducing number of hops through the network is critical in providing the services they sell; therefore, they are often built on a two-layer design. Networks with substantial depth in their topologies, however, tend to work better as three-layer designs.
  Network topology design—Highly meshed networks, with many requirements for interzone traffic flows, tend to work better as two-layer designs. Simplifying the hierarchy to two levels tends to focus the design elements into meshier zones. Networks that focus traffic flows on well-placed distributed resources, or centralized resources, such as a network with a large number of remote sites connecting to a number of centralized Data Centers, tend to work better as three-layer designs.
  Policy implementation—If policies of a network tend to focus on traffic engineering, two-layer designs tend to work better. Networks that attempt to limit access to resources attached to the network and other types of policies tend to work better as three-layer designs.
  Again, however, these are simple rules of thumb. No definitive way exists to decide whether a network should have two or three layers. Likewise, you cannot point to a single factor and say, “Because of this, the network we are working on should have three layers instead of two.”
  I hope that this helps you to understand the purposes of Two Layer & Three layer Hierarchical Model.
  Best regards,
  Ahmad Manzoor

• Ask the Expert: Cisco Unified Contact Center Express (UCCX) Version 10.0 - Upgrade, Migration, and New Features Overview

              With Abhiram Kramadhati 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the upgrade, migration methods, and new features of the latest released Version 10.0 of Cisco Unified Contact Center Express (UCCX) with Cisco expert Abhiram Kramadhati.
  Abhiram will address the following on the latest release of Cisco UCCX Version 10.0:
  Installation
  Upgrade from previous versions - both Linux and Windows   
  Migration from MCS to Cisco UCS environment - Different methods and best practices
  New features - Overview and limitations
  This discussion will center on install and upgrade best practices, changes in hardware support, and migration methods from MCS to Cisco UCS. He can also briefly discuss the new features introduced in 10.0. The discussion focuses the latest versions, but queries about general Cisco UCCX topics can be addressed too if time allows.
  Abhiram Kramadhati is an engineer with the Contact Center Backbone group. He has been working with Cisco UCCX since he joined Cisco. During two years at Cisco, he has built his expertise around Cisco UCCX telephony applications, Java Telephony API (JTAPI) integration, Cisco UCCX system behavior, LDAP components, and Cisco UCCX as IP interactive voice response in Unified Contact Center Enterprise (UCCE) environments. He also works on other technologies, including Unified Communications Manager and UCCE. He has been involved in many technical escalations in the Asia Pacific region. Abhiram also holds a CCIE in voice (40065).
  For more details about this topic, refer to the recently published Tech-Talk Video and Blog.
  Remember to use the rating system to let Abhiram know if you have received an adequate response. 
  Abhiram might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Voice, Video, and Collaboration  community,  sub-community, Contact Center discussion forum shortly after the event. This event lasts through January 31, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Anurag,
  Thanks for your questions.
  1:Is there change in DB architecture as CUIC is the only option as compared to previous linux version UCCX ?
  I assume this is from the tables regarding historical data. The database schema essentially remains the same since UCCX 9.0 had CUIC too and we had a seperate DB Space for CUIC and we still continue with that. The traditional historical tables remain and the replication process remains the same too.
  2:Is there any version change for Linux OS used as VOS,
  The Linux version is Red Hat Linux 5. To be precise:
  [root@uccx10pub /]# cat etc/redhat-release
  Red Hat Enterprise Linux Server release 5.7 (Tikanga)
  3:Is there any API architecture change in UCCX 10 from previous releases ?
  I can answer this more of an overview. The only enhancement in the API side is the introduction of REST API step in the script editor. You can now make REST calls from the script and this ofcourse opens up a whole new world of possiblities.
  4:Since from UCCX 10 , we can only use either CAD or Finnesse at one  time, whats the impact of changing this after some time in production,  let say , i used CAD for 2 months and then i decided to move to Finesse,  whats the impact ? or is it a smooth change as switching CUIC and HRC  in previoius release ?
  For the scenario you mentioned, there is absolutely no problem. The point to note is that the Finesse services are activated/deactivated but the CAD desktop services are ALWAYS running. The only condition to keep in mind is that you can use ONLY ONE type of agent desktop at any time.  Also if Finesse is not used and CAD operations are used extensively, it is advisable to shutdown the Finesse service.
  5:Is 3rd Party UCS hardware supported by UCCX 10 instead of using Cisco manufactured UCS , can i use HP hardware for Virtualisation ?
  Yes, it can be used. This is something called as "Third party specs based specification". The most important things seen for compatibility are:
  Inter CPU Model
  It it is on thVMWare Hardware Compatibilty List
  You can get more information about this on the "Can I use this server?" section of UC Virtualized Hardware page:
  http://docwiki.cisco.com/wiki/UC_Virtualization_Supported_Hardware#.22Can_I_use_this_server.3F.22
  6:Is Host name change supported?
  Yes, the hostname change is supported. The prcocedure is documented in the UCCX 10.0 Administration Guide:
  http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_10_0/configuration/guide/UCCX_BK_W1AF9DDD_00_uccx-admin-guide-10.0.pdf (Pg 168)
  Cheers,
  Abhiram Kramadhati

• Ask the Expert: Identity Services Engine - 802.1x, Identity Management and BYOD

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Identity Service Engine (ISE) with subject matter expert Nicolas Darchis.
  Cisco Identity Service Engine is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. It is primarily used to provide secure access and guest access, support BYOD initiatives, and enforce usage policies in conjunction with Cisco TrustSec. 
  Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, since 2007. He also focuses on filing technical and documentation bugs. Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification (no. 25344).
  Remember to use the rating system to let Nicolas know if you have received an adequate response.
  Because of the volume expected during this event, our expert might not be able to answer every question. Remember that you can continue the conversation in the Security community under subcommunity AAA, Identity, and NAC shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi.
  1) It is not "ISE loses the credentials and asks for web portal again". Once a user is authenticated, it is authenticated as long as it stays connected. Possibilities are :
  -You are returning a session timeout (attribute radius 27) in the authz profile of the user. Therefore user has to reauthenticate after X seconds. But you would see a pattern, then.
  -Over wireless, many clients are not capable of doing fast roaming (smartphones is the biggest example) and will therefore reauthenticate with dot1x everytime they roam. A small coverage hole would be enough for the cached credentials to disappear and web portal to show up again
  -Over wired, this cannot really occur but the idea is that it's probably the switch resetting the connection and contacting ISE again. The idea to troubleshoot this is to monitor the access device (WLC/switch) and check if the port goes up/down, if the MAB session gets reset or something and why.
  2) The captive bypass issue is that Apple devices will probe apple.com website to check if there is internet connectivity. If they can reach it, then fine, if they sense that they are redirected, they open a small window pop up with the login portal. The problem (and I still cannot understand why) is that this is not Safari, it's some nameless feature-less browser that doesn't work properly.
  By enabling the captive bypass feature, the WLC intercepts the requests to the Apple testpage and replies with HTTP OK. The apple device then thinks "ok I have internet connectivity" and it's up to the user to bring up a real browser to login to the portal page.
  It therefore does not affect non-Apple device to have the feature enabled.
  The problem is that in IOS 7.x, Apple decided to not just use Apple.com anymore but a whole list of testpages on different websites.
  3) "whether it would solve the issue if I added certificate authentication as a secondary option, with eap-tls as the primary"
  => This is disturbing because EAP-TLS is a certificate authentication method. But ISE message seems to imply that the user is hitting an authnetication rule that only provides PEAP or EAP-FAST with mschap or something similar ...
  If you have the windows default supplicant you have close to no control on what the client will submit. I can imagine that moving from wired to wireless, the laptop would sometimes try to send password instead of certificate and/or vice-versa. Anyconnect with fixed network profiles would solve the problem elegantly.
  I cannot comment on your auth policies as I do not know them :-)
  Regards,
  Nicolas

• Ask the Expert: FlexVPN and Internet Key Exchange Version 2 (IKEv2)

  With Jay Young-Taylor
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  FlexVPN and IKEv2 with Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  FlexVPN and IKEv2 with Jay Young-Taylor.  Feel free to ask questions on comparison between IKEv1 and IKEv2, What functions does IOS and ASA support, how does DMVPN and FlexVPN interoperate, or any related questions. .  Feel free to ask questions on comparison between IKEv1 and IKEv2, What functions does IOS and ASA support, how does DMVPN and FlexVPN interoperate, or any related questions.
  Remember to use the rating system to let Jay know if you have received an adequate response. 
  Jay might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event.  This event lasts through January 25, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Maykol,
  Sorry for the delay in getting back to you here.  Currently we are building some documents that clearly describe line by line (well, paragraph by paragraph) what is occurring in the finite state machine and what information is exchanged in the protocol.  The articles have been writtne and are going through internal review before posting to cisco.com.  We should have them out shortly.
  You can enable "debug crypto ikev2", "debug crypto ikev2 packet", and/or "debug crypto ikev2 error" and follow the packet flow.  The debugs themselves have been re-written a couple of times to make the action/work flow more human readable and in plain english.  It should be easier to understand with the later 15.1 - 15.2 code versions.
  The debugs are broken up based on us sending a packet (look for "Tx Packet") and recieving a packet (loof for "Rx Packet").  In addition you can keep track of a single session by looking at the initator and responder (IKEv2) spi.  Those values will never change during the session life time.
  -Jay