Ask the Experts :LAN Switching

Similar Messages

• Ask the Expert: Different Flavors and Design with vPC on Cisco Nexus 5000 Series Switches

  Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about Cisco® NX-OS.
  The biggest limitation to a classic port channel communication is that the port channel operates only between two devices. To overcome this limitation, Cisco NX-OS has a technology called virtual port channel (vPC). A pair of switches acting as a vPC peer endpoint looks like a single logical entity to port channel attached devices. The two devices that act as the logical port channel endpoint are actually two separate devices. This setup has the benefits of hardware redundancy combined with the benefits offered by a port channel, for example, loop management.
  vPC technology is the main factor for success of Cisco Nexus® data center switches such as the Cisco Nexus 5000 Series, Nexus 7000 Series, and Nexus 2000 Series Switches.
  This event is focused on discussing all possible types of vPC along-with best practices, failure scenarios, Cisco Technical Assistance Center (TAC) recommendations and troubleshooting
  Vishal Mehta is a customer support engineer for the Cisco Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in TAC for the past 3 years with a primary focus on data center technologies, such as the Cisco Nexus 5000 Series Switches, Cisco Unified Computing System™ (Cisco UCS®), Cisco Nexus 1000V Switch, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching, and service provider.
  Nimit Pathak is a customer support engineer for the Cisco Data Center Server Virtualization TAC team based in San Jose, California, with primary focus on data center technologies, such as Cisco UCS, the Cisco Nexus 1000v Switch, and virtualization. Nimit holds a master's degree in electrical engineering from Bridgeport University, has CCNA® and CCNP® Nimit is also working on a Cisco data center CCIE® certification While also pursuing an MBA degree from Santa Clara University.
  Remember to use the rating system to let Vishal and Nimit know if you have received an adequate response. 
  Because of the volume expected during this event, Vishal and Nimit might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure Community, under the subcommunity LAN, Switching & Routing, shortly after the event. This event lasts through August 29, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Gustavo
  Please see my responses to your questions:
  Yes almost all routing protocols use Multicast to establish adjacencies. We are dealing with two different type of traffic –Control Plane and Data Plane.
  Control Plane: To establish Routing adjacency, the first packet (hello) is punted to CPU. So in the case of triangle routed VPC topology as specified on the Operations Guide Link, multicast for routing adjacencies will work. The hellos packets will be exchanged across all 3 routers and adjacency will be formed over VPC links
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_L3_w_vpc_5500platform.html#wp999181
  Now for Data Plane we have two types of traffic – Unicast and Multicast.
  The Unicast traffic will not have any forwarding issues, but because the Layer 3 ECMP and port channel run independent hash calculations there is a possibility that when the Layer 3 ECMP chooses N5k-1 as the Layer 3 next hop for a destination address while the port channel hashing chooses the physical link toward N5k-2. In this scenario,N5k-2 receives packets from R with the N5k-1 MAC as the destination MAC.
  Sending traffic over the peer-link to the correct gateway is acceptable for data forwarding, but it is suboptimal because it makes traffic cross the peer link when the traffic could be routed directly.
  For that topology, Multicast Traffic might have complete traffic loss due to the fact that when a PIM router is connected to Cisco Nexus 5500 Platform switches in a vPC topology, the PIM join messages are received only by one switch. The multicast data might be received by the other switch.
  The Loop avoidance works little different across Nexus 5000 and Nexus 7000.
  Similarity: For both products, loop avoidance is possible due to VSL bit
  The VSL bit is set in the DBUS header internal to the Nexus.
  It is not something that is set in the ethernet packet that can be identified. The VSL bit is set on the port asic for the port used for the vPC peer link, so if you have Nexus A and Nexus B configured for vPC and a packet leaves Nexus A towards Nexus B, Nexus B will set the VSL bit on the ingress port ASIC. This is not something that would traverse the peer link.
  This mechanism is used for loop prevention within the chassis.
  The idea being that if the port came in the peer link from the vPC peer, the system makes the assumption that the vPC peer would have forwarded this packet out the vPC-enabled port-channels towards the end device, so the egress vpc interface's port-asic will filter the packet on egress.
  Differences:  In Nexus 5000 when it has to do L3-to-L2 lookup for forwarding traffic, the VSL bit is cleared and so the traffic is not dropped as compared to Nexus 7000 and Nexus 3000.
  It still does loop prevention but the L3-to-L2 lookup is different in Nexus 5000 and Nexus 7000.
  For more details please see below presentation:
  https://supportforums.cisco.com/sites/default/files/session_14-_nexus.pdf
  DCI Scenario:  If 2 pairs are of Nexus 5000 then separation of L3/L2 links is not needed.
  But in most scenarios I have seen pair of Nexus 5000 with pair of Nexus 7000 over DCI or 2 pairs of Nexus 7000 over DCI. If Nexus 7000 are used then L3 and L2 links are required for sure as mentioned on above presentation link.
  Let us know if you have further questions.
  Thanks,
  Vishal

• Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

  With Rahul Rammanohar 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
  In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
  •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
  •       ASR9k: network processor capture
  •       7200/ISRs: embedded packet capture
  •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
  •       Cisco Nexus 7K: ELAM
  •       CRS: show captured packets
  •       ASR1K: embedded packet capture
  More Information
  Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
  Watch the Video:  https://supportforums.cisco.com/videos/6226
  Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
  Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
  Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
  Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Erick
      Thanks for the topology. The trigger will be different for labelled  packet as you would need to mention the values of labels too in the  trigger.
       Below are two examples of one or two labels being  used, it depends on where you are capturing the packet in mplsvpn  scenario which will decide teh number of labels being imposed on the  packet.
  Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
  VPN label - 5678
  Source Address - 111.111.111.111
  Destination Address - 123.123.123.123
  show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F 7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
  Trigger for two labels. (for other core routers)
  IGP label - 1234
  VPN label - 5678
  Source Address - 111.111.111.111
  Destination Address - 123.123.123.123
  show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
      You can check the labels being used (by using show ip cef <> details) and covert their values to hex and change the trigger accordingly.
       I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
       Please let me know if this helps.
  Thanks & Regards
  Hitesh & Rahul

• Ask the Expert : Initial Set Up and LAN Connectivity for Cisco UCS Servers

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about related to the initial setup of UCS C & B Series which include LAN connectivity from the UCS perspective with Cisco subject matter expert Kenny Perez.
  In particularly, Kenny will cover topics such as: ESXi/Windows  installations, RAID configurations (best practices for good performance and configuration), VLAN/Jumbo Frames configuration for B series and C series servers, Pools/Policies/Upgrades/Templates/Troubleshooting Tips for blade and rack servers, Fabric Interconnects configuration, general compatibility of Hardware/Software/drivers amongst other topics
  Kenny Perez is a technical leader in Cisco Technical Assistance Center, where he works in Server Virtualization support team. His main job consists of supporting customers to implement and manage Cisco UCS B series and C series. He has background in computing, networking, and Vmware ESXi and has 3+ years of experience support UCS servers and is VCP certified.
  Remember to use the rating system to let Kenny know if he has given you an adequate response. 
  This event lasts through October 10th, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi,
  Actually  we have UCS 6248 fabric interconnect - first twelve ports are enabled  and same in Cisco UCS Manager.
  But when more port will be active by expansion module  then UCSM can manage that too or need any other licence  for UCSM too?

• Ask the Expert: Cisco Nexus 2000, 5000, and 6000 Series Switches

  with Cisco Expert Vinayak Sudame
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions how to configure and troubleshoot the Cisco Nexus 2000, 5000 and 6000 Series Switches with Cisco subject matter expert Vinayak Sudame. You can ask any question on configuration, troubleshooting, features, design and Fiber Channel over Ethernet (FCoE).
  Vinayak Sudame is a Technical Lead in Data Center Switching Support Team within Cisco's Technical Services in RTP, North Carolina. His current responsibilities include but are not limited to Troubleshooting Technical support problems and Escalations in the areas of Nexus 5000, Nexus 2000, FCoE. Vinayak is also involved in developing technical content for Cisco Internal as well as external. eg, Nexus 5000 Troubleshooting Guide (CCO), Nexus 5000 portal (partners), etc. This involves cross team collaboration and working with multiple different teams within Cisco. Vinayak has also contributed to training account teams and partners in CAE (Customer Assurance Engineering) bootcamp dealing with Nexus 5000 technologies. In the past, Vinayak's responsibilities included supporting MDS platform (Fiber Channel Technologies) and work with EMC support on Escalated MDS cases. Vinayak was the Subject Matter Expert for Santap Technologies before moving to Nexus 5000 support. Vinayak holds a Masters in Electrical Engineering with Specialization in Networking from Wichita State University, Kansas. He also holds Cisco Certification CCIE (#20672) in Routing and Switching.
  Remember to use the rating system to let Vinayak know if you have received an adequate response.
  Vinayak might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Data Center sub-community, Other Data Center Topics discussion forum shortly after the event.
  This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

  Hi Vinayak,
  Output of "show cfs internal ethernet-peer database"
  Switch 1
  ETH Fabric
  Switch WWN              logical-if_index
  20:00:54:7f:ee:b7:c2:80 [Local]
  20:00:54:7f:ee:b6:3f:80 16000005
  Total number of entries = 2
  Switch 2
  ETH Fabric
  Switch WWN              logical-if_index
  20:00:54:7f:ee:b6:3f:80 [Local]
  20:00:54:7f:ee:b7:c2:80 16000005
  Total number of entries = 2
  Output of "show system internal csm info trace"
  Switch 1 in which "show cfs peers" show proper output
  Mon Jul  1 05:46:19.145339  (CSM_T) csm_sp_buf_cmd_tbl_expand_range(8604): No range command in buf_cmd_tbl.
  Mon Jul  1 05:46:19.145280  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
  Mon Jul  1 05:46:19.145188  (CSM_T) csm_sp_handle_local_verify_commit(4291):
  Mon Jul  1 05:46:19.145131  csm_continue_verify_ac[597]: peer is not reachable over CFS so continuing with local verify/commit
  Mon Jul  1 05:46:19.145071  csm_tl_lock(766): Peer information not found for IP address: '172.16.1.54'
  Mon Jul  1 05:46:19.145011  csm_tl_lock(737):
  Mon Jul  1 05:46:19.144955  (CSM_EV) csm_sp_build_tl_lock_req_n_send(941): sending lock-request for CONF_SYNC_TL_SESSION_TYPE_VERIFY subtype 0 to Peer ip = (172.16.1.54)
  Mon Jul  1 05:46:19.143819  (CSM_T) csm_copy_image_and_internal_versions(788): sw_img_ver: 5.2(1)N1(2a), int_rev: 1
  Mon Jul  1 05:46:19.143761  (CSM_T) csm_sp_get_peer_sync_rev(329): found the peer with address=172.16.1.54 and sync_rev=78
  Mon Jul  1 05:46:19.143699  (CSM_T) csm_sp_get_peer_sync_rev(315):
  Mon Jul  1 05:46:19.143641  (CSM_EV) csm_sp_build_tl_lock_req_n_send(838): Entered fn
  Mon Jul  1 05:46:19.143582  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
  Switch 2 in which "show cfs peers" does not show proper output
  Mon Jul  1 06:13:11.885354  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 77 seq 482
  Mon Jul  1 06:13:11.884992  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 357 seq 369
  Mon Jul  1 06:13:11.884932  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 357 seq 368
  Mon Jul  1 06:13:11.884872  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 357 seq 367
  Mon Jul  1 06:13:11.884811  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 357 seq 366
  Mon Jul  1 06:13:11.884750  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 352 seq 365
  Mon Jul  1 06:13:11.884690  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 352 seq 364
  Mon Jul  1 06:13:11.884630  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 352 seq 363
  Mon Jul  1 06:13:11.884568  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 352 seq 362
  Mon Jul  1 06:13:11.884207  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733916569.txt
  Mon Jul  1 06:13:11.878695  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
  Mon Jul  1 06:13:11.878638  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
  Mon Jul  1 06:12:29.527840  (CSM_T) csm_pss_del_seq_tbl(1989): Freeing seq tbl data
  Mon Jul  1 06:12:29.513255  (CSM_T) csm_sp_acfg_gen_handler(3106): Done acfg file write
  Mon Jul  1 06:12:29.513179  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733911262.txt
  Mon Jul  1 06:12:29.508859  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
  Mon Jul  1 06:12:29.508803  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
  Mon Jul  1 05:53:17.651236  Collecting peer info
  Mon Jul  1 05:53:17.651181  Failed to get the argumentvalue for 'ip-address'
  Mon Jul  1 05:40:59.262736  DB Unlocked Successfully
  Mon Jul  1 05:40:59.262654  Unlocking DB, Lock Owner Details:Client:1 ID:1
  Mon Jul  1 05:40:59.262570  (CSM_T) csm_sp_del_buf_cmd(1713): Deleting comand with Id = 1
  Mon Jul  1 05:40:59.262513  DB Lock Successful by Client:1 ID:1
  Mon Jul  1 05:40:59.262435  Recieved lock request by Client:1 ID:1
  Mon Jul  1 05:40:41.741224  ssnmgr_ssn_handle_create_get: Session FSM already present, ID:1
  Mon Jul  1 05:40:41.741167  ssnmgr_handle_mgmt_request: Create/Get request received for session[process_n5kprof]
  show cfs lock gives no output.
  Just to further clarify, we have 4 5548UP switches in the same management vlan. 2 switches are in one location lets say location A and they are CFS peers and are working fine.
  These two switches which are having problem are in location B. All the switches are in the same vlan. Essentially the all CFS multicast messages will be seen by all 5548 switches as they are in the same vlan. I am assuming that this might not create any problems as we specify the peers in the respective configurations. Or do we have to change the CFSoIPv4 multicast addresses in location B or may be configure a different region.
  Regards.

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• Ask the Expert: One Management with Prime Infrastructure 1.2

  With Tejas Shah
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions from Cisco expert Tejas Shah on One Management with Prime Infrastructure 1.2 Combining the wireless functionality of Cisco Prime Network Control System (NCS) with the wired functionality of Cisco Prime LAN Management Solution (LMS),  Cisco Prime Infrastructure simplifies and automates many of the day-to-day tasks associated with maintaining and managing the end-to-end network infrastructure from a single pane of glass. The new converged solution delivers all of the existing wireless capabilities for RF management, user access visibility, reporting, and troubleshooting along with wired lifecycle functions such as discovery, inventory, configuration and image management, automated deployment, compliance reporting, integrated best practices, and reporting.
  Tejas Shah is a senior technical marketing engineer for Cisco Prime Infrastructure and Collaboration products. He has deployed Cisco Prime Collaboration Manager at various customer sites to help customers monitor and troubleshoot their video infrastructure. In addition, he is part of the Network Operations Center team at Cisco Live events for six years. Shah joined Cisco in 1995 and was in the Technical Assistance Center team supporting various network management system products for more than six years.
  Remember to use the rating system to let Tejas know if you have received an adequate response. 
  Tejas might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless Mobility sub-community discussion forum shortly after the event. This event lasts through Sept 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  Raun, please see my responses inline:
  Can you go over the licensing method with Prime Infrastructure 1.2 please? 
  Raun, you can check out the following link for ordering guide at
  http://www.cisco.com/en/US/products/ps12239/products_data_sheets_list.html
  I currently have NCS and do NOT currently have LMS.  I know I can move to Prime Infrastructure through Cisco Product Upgrade Tool.  However, what I am confused about is do I still have to buy LMS to have LMS functionality in Prime Infrastructure 1.2? 
  ==> Not at all.  The converged product will give you basic management capability for routers and switches that LMS provided in this release.   Feature/Functionality will keep on growing with upcoming releases.
  If not, do the licenses I transfer into Prime Infrastructure 1.2 from NCS also work for devices to work under LMS? 
  ==> Licensing is different than NCS or LMS.  You don't have to transfer the license.  Each install of Prime Infrastructure will have a unique UID string on which the licenses are based.  A new license will be applied to the product.
  Mean, can my currently 350 licenses be used for AP's as in NCS and routers in the LMS portion of Prime Infrastructure 1.2?
  ==> I would recommend getting a total count of your wired and wireless devices and match the right SKU based on that.
  Hope this helps.. Let me know if you have any further questions,
  Tejas

• Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

  Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
  Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
  For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
  Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
  Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
  Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Marcelo,
     Yes, there are some requirements for certificates in Expressway.
  Expressway Core (Exp-C)
  - Can be signed by either External or Internal CA
  - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
  - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
  - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
  - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
  - For TLS b/w CUCM, IM-P & Exp-C
    + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
    + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
    + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
    + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
  Expressway Edge (Exp-E)
  - Signed by External CA
  - Configured Unified Communications domain as Subject Alternate Name
  - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
  - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
  For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
  http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
  - Aashish

• Ask the Expert: Cisco Unified Computing System Director

              With Andrew Nam
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Unified Computing System (UCS) Director with Cisco expert Andrew Nam.
  Cisco UCS Director was designed to operationally integrate bare-metal and virtual data center infrastructure resources to address complex, time-consuming, manual, and compartmentalized management processes. These processes burden IT organizations, preventing them from achieving business agility and efficiency.  Cisco expert Andrew Nam will provide an update on installation, configuration, and troubleshooting VM provisioning process using Cisco UCS Director.
  Andrew Nam is a data center solution engineer in the DC Solution team in Sydney, Australia, responsible for orchestrating the end-to-end solution support of Cisco Data Centre solutions, including Cisco UCS, Cisco Nexus architecture, VBlock/FlexPod, VDI/VXI, and cloud solutions. His areas of expertise include routing and switching, load balancer, WAN optimization, VPN, and firewalls. Andrew has worked for Cisco for more than 13 years and has 15 years of experience in the networking industry. He graduated from New South Wales University in Australia with a mechanical/manufacturing engineering degree and holds R&S CCIE 9586, VMware VPC5, and Citrix CCA - Xendesktop5 certifications. 
  Remember to use the rating system to let Andrew know if you have received an adequate response. 
  Andrew might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in Data Center community,  sub-community, Unified Computing discussion forum shortly after the event. This event lasts through January 17, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi James
  This Ask the Expert session may not be the right place to show you all the essential steps for how the workflow can be related to task library to achieve your initial setup flow chart, and onboarding a new client.
  However, I can briefly walktthrough "Client blade Provisioning" task so it might give some idea and how you can go about.
  Assumption :  the infrastructure used in the following examples consists of:
  -  Vmware VCenter
  -  Cisco UCS
  -  NetApp ONTAP controlled storage
  To be able to provision Cisco UCS blade server in automated fashion, you need to create and define the below UCS entities beforehand.
  - Create UCS Organisation
  - Create UUID Pool
  - Create MAC Address Pool
  - Create WWNN Pool
  - Create WWPN Pool
  - Create vHBA Templates
  - Create vNIC Templates
  - Create UCS Policy vHBAs
  - Create UCS Policy vNICs
  - Create Storage Policy
  - Create Network Policy
  - Create SAN Boot Policy
  - Create LAN Boot Policy
  Once you create all the policy above, you are good to set up a workflow container for the client blade provisoining.
  1. Create UCS Service Profile
  - Add a ‘Create UCS Service Profile’ workflow task and select ‘Map to User Input’ for ‘Service Profile Name’. Select the ‘Service Profile Name’ dropdown as created when the workflow container was created.
  - ‘Create UCS Service Profile’ inputs. Ensure that Storage_Policy, Network_Policy, Boot_Policy_LAN and Boot_Policy_SAN entries are correct.
  - Once this is done , you can move to SAN zoning.
  2. Configure SAN Zoning
  - In this step, a new workflow task will be created in order to configure SAN zoning. Rather than use a specific user input for this task, output variables from the previous ‘Create UCS Service Profile’ workflow task will be used as input items for this task.
  - Open the workflow and search for the workflow task ‘configure san zoning’. Drag the storage workflow task into the work area and map the following user inputs.
  Create Flexible Volume
  - Create a ‘Create Flexible Volume’ workflow task in order to build a NetApp flexible volume and provision it for the required size.
  - Once again, reconfigure the workflow such that the success criteria from the ‘Configure SAN Zoning’ workflow task proceeds to ‘Create Flexible Volume’.
  Create LUN
  - Using the NetApp ONTAP ‘Create LUN’ workflow task, create a LUN located within the volume created during the previous step. In order to do this, map the Volume Name user input to the output from the previous ‘Create Flexible Volume’ workflow task.
  - Next, enter the LUN details, ensuring that the configured size is less than that of the volume created in the previous step.
  - As before, re-map the workflow designer flow so that the successful output of the Create Flexible Volume workflow task flows into this task.
  3. Create Initiator Group
  - Create a ‘Create Initiator Group’ workflow task in order to build a NetApp ONTAP Initiator Group. Map the ‘Filer Identity Name’ attribute to the OUTPUT_FILER_IDENTITY output variable as supplied by the ‘Create NetApp Flexible Volume’ workflow task as created earlier in this workflow.
  - Once again, modify the the workflow designer flow so that the successful output from ‘Create LUN’ flows into ‘Create Initiator Group’
  4. Add Initiator to Initiator Group
  - Create an ‘Add Initiator to Initiator Group’ workflow task and map the ‘Initiator Group Name’ entry to the OUTPUT_IGROUP_IDENTITY output variable from the ‘Create NetApp Initiator Group’ workflow task and map the ‘Initiator Name’ entry to the SP_VHBA1 output variable from the ‘Create UCS Service Profile’ workflow task created earlier in this flow.
  - Repeat this task for in order to add initiator name entry for SP_VHBA2. Once done, re-map the successful output from the two Create Initiator Group workflow tasks so that they flow into each other as follows:
  - Move onto the next step in order to map the created LUN to the initiator group.
  And the rest of steps are fairly similar to above. Create a Workflow and map the User Input Mappings".
  5. Map LUN to Initiator Group
  6. Modify UCS Boot Policy LUN ID
  7. Select UCS Server
  8. Associate UCS Service Profile
  9. Power On UCS Server
  10. Modify UCS Service Profile Boot Policy
  11. Add VLAN to Service Policy
  12. Disassociate UCS Service Profile
  13. Wait for Specified Duration
  14. Associate UCS Service Profile
  15. Power On UCS Server
  16. Register Host with VCenter
  regards
  Andrew

• Ask the Expert: C-Series Integration with Cisco Unified Computing System Manager

  Welcome to the Cisco Support Community Ask the Expert conversation. This conversation is an opportunity to learn and ask questions about Cisco C-Series Integration with Cisco Unified Computing System® Manager (Cisco UCS® Manager) with Cisco experts Vishal Mehta and Manuel Velasco.
  Cisco UCS C-Series Rack-Mount Servers are managed by the built-in standalone software, Cisco Integrated Management Controller (Cisco IMC). When a C-Series rack-mount server is integrated with Cisco UCS Manager, the IMC no longer manages the server. Instead you will manage the server using the Cisco UCS Manager GUI or Cisco UCS Manager command-line interface (CLI).
  Cisco UCS Manager 2.2 provides three connectivity modes for Cisco UCS C-Series Rack-Mount Server management. The following are the connectivity modes:
  Dual-wire management (shared LAN On Motherboard [LOM]): Shared LOM ports on the rack server are used exclusively for carrying management traffic.A separate cable connected to one of the ports on the Payment Card Industry Express (PCIe) card carries the data traffic.
  SingleConnect (Sideband): Using Network Controller Sideband Interface (NC-SI), the Cisco UCS Virtual Interface Card 1225 (VIC1225) connects one cable that can carry both data and management traffic.
  Direct Connect Mode: Cisco UCS Manager Version 2.2 introduces an additional rack server management mode using direct connection to the Fabric Interconnect.
  Vishal Mehta is a customer support engineer for Cisco’s Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in the TAC for the past 3 years with a primary focus on data center technologies such as Cisco Nexus® 5000, Cisco UCS, Cisco Nexus 1000V, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching and service provider.
  Manuel Velasco is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California.  He has been working in the TAC for the past 3 years with a primary focus on data center technologies such as Cisco UCS, Cisco Nexus 1000V, and virtualization.  Manuel holds a master’s degree in electrical engineering from California Polytechnic State University (Cal Poly) and CCNA® and VMware VCP certifications. Remember to use the rating system to let Vishal and Manuel know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation in the Data Center, under subcommunity, Unified Computing, shortly after the event. This event lasts through May 23, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Sebastian,
  The different modes of connecting C-Series with UCSM come into play depending on the type of infrastructure you already have along with C-Series and NIC model.
  Cisco UCS C-Series Rack-Mount Servers are managed by the built-in standalone software, Cisco Integrated Management Controller (CIMC) .
  Powerful features provided by Cisco UCS Manager can be leveraged to manage C-Series server by integrating  C-Series Rack-Mount Server with UCSM.
  This not only gives you rich-feature set but also one management plane to operate UCS-B Series Chassis and UCS-C Series Rack Server.
  You will manage the server using the Cisco UCS Manager GUI or Cisco UCS Manager CLI.
  Cisco UCS Manager 2.2 provides three connectivity modes for Cisco UCS C-Series Rack-Mount Server management.
  The following are the connectivity modes:
  •  Dual-wire Management (Shared LOM):
  Shared LAN on Motherboard (LOM) ports on the rack server are used exclusively for carrying management traffic. A separate cable connected to one of the ports on the PCIe card carries the data traffic. Using two separate cables for managing data traffic and management traffic is also referred to as dual-wire management.
  http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c-series_integration/ucsm2-2/b_C-Series-Integration_UCSM2-2/b_C-Series-Integration_UCSM2-2_chapter_0100.html
  This mode is recommended when you have C-Server which does not  have or cannot support VIC 1225 card (such C-200 server)
  •  SingleConnect (Sideband):
  Using Network Controller Sideband Interface (NC-SI), Cisco UCS VIC1225 Virtual Interface Card (VIC) connects one cable that can carry both data traffic and management traffic.
  This feature is referred to as SingleConnect.
  http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c-series_integration/ucsm2-2/b_C-Series-Integration_UCSM2-2/b_C-Series-Integration_UCSM2-2_chapter_011.html
  This most recommended Integration model when using FEX and VIC 1225 card
  •  Direct Connect Mode:
  Cisco UCS Manager release version 2.2 introduces an additional rack server management mode using direct connection to the Fabric Interconnect.
  This mode will eliminate the need for FEX module as Servers are directly plugged into the base ports of Fabric Interconnect
  http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c-series_integration/ucsm2-2/b_C-Series-Integration_UCSM2-2/b_C-Series-Integration_UCSM2-2_chapter_0110.html
  Please let us know if you need more information. Thank you!
  Thanks,
  Vishal

• Ask the Expert: Layer 2 Security on Cisco Catalyst Platforms

  With Wilson Bonilla
  Welcome to the Cisco Support Community Ask the Expert conversation.  This  is an opportunity to learn and ask questions about about issues in designing, planning, and implementing Layer 2 security in your LAN network with expert Wilson Bonilla. 
  Wilson will cover topics that network engineers face daily such as Spanning Tree Protocol security, private VLANs, IP source guard, protected ports, dynamic ARP inspection, virtual LAN access-control lists (VLAN ACLs), and Dynamic Host Configuration Protocol (DHCP) snooping over Cisco Catalyst platforms.  With the fast growth of networks, Layer 2 security is even more critical in the LAN to help your network become more reliable, efficient, and secure. Wilson will answer your questions about LAN networks with Cisco Catalyst switches.  
  Wilson Bonilla is a technical networking trainer at the Learning and Development Department for Cisco Technical Assistance Center located in Costa Rica. Before joining the Training Department, he worked for the Cisco TAC as a customer support engineer focused on LAN Switching for more than two years. While working on LAN switching, Wilson also had roles such as technical leader and trainer, adding to his area of expertise in Cisco Catalyst Layer 2 switching. He has CCNP routing and switching certification and is currently studying to achieve his CCNA certification in data center.
  Remember to use the rating system to let Wilson know if you've received an adequate response. 
  Because of the volume expected during this event, Wilson might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, subcommunity, LAN, Switching and Routing, shortly after the event. This event lasts through November, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

  Hello NetNavi.
  Check the post above about MacSec for more information and let me know if you need further clarification, if so I will do my best,
  In regards to best practices there is a Cisco document; it describes deployments and best practices in every scenario; Supplicants, authenticator, authentication services and other configurations. Please check it out:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html
  In regards to Private VLANS:
  What is a Private Vlan?
  A private Vlan is a way to isolate hosts within the same Vlan or broadcast domain. So even when you might have devices sharing the same broadcast domain they can be isolated, this isolated is configured based on sub-domains also most often called primary and secondary Vlans.
  What is a primary Vlan?
  The primary Vlan is representation of the private Vlan, a primary Vlan has one or more secondary Vlans, a switch uses the primary Vlan to present traffic from the secondary Vlans to its neighboring devices.
  What is a secondary Vlan?
  A secondary Vlan is a sub-domain of the primary Vlan. We could say that the secondary Vlans belongs to the primary. The must be associated to a primary Vlan. There are two types of secondary vlans: Isolated and Community secondary Vlans.
  What does it happen to host within a secondary isolated Vlan?
  Host within the isolated vlan; can’t communicate to neither other host in the same isoalted vlan nor host in a community vlan.
  What does it happen to host within the secondary community Vlan?
  Host within the community Vlan can communicate with other host assigned to the same community vlan, but they can’t talk to host in other community vlans.
  What are the benefits of implementing private Vlans?
  Scalability: The most common scenario is a service provider. Imagine all customers of a service provider connected through DSL, cable modem… it’s very likely that all customers belong to the same broadcast domain, however if that’s the case why is it that I can’t use my neighbor’s printer, or maybe why is it that I can’t access the files he has store in his computer, (security) we are in the same broadcast shouldn’t I be able to at least ping his ip address?. Well that’s because the ISP must guarantee some type of security for their customers, and because put every single customer that they have in a single Vlan is not scalable they use private Vlans.
  Examples:
  ISP use private vlans to protect from security bridges, Private vlans and isolated Vlans are used to protect personal information for example from one customer to another.
  DMZ; Many implementations utilizes private vlans in a DMZ to limt or minimize that risk of a compromised server.
  I would like to share this documentation with you for further information and configuration guidelines
  http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml#hw
  This document explains what Cisco Catalyst switches support Private Vlans. 
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
  Let me know if you have further questions.
  Regards
  Wilson B.

• Ask the Expert: Enterprise Design and Deployment of Multicast

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco enterprise design and deployment of multicast solutions.
  The enterprise world is evolving to be overcome with large throughput capacity and record numbers of users connecting to the network. Mechanisms such as multicast, which allows for a minimization of throughput for multiple users subscribing to the same stream, are a welcome addition. Applications such as enterprise all-hands video streaming, trading applications, mass operating system deployment, and custom implementations can put a strain on the network if done via unicast. Multicast can minimize this strain by replicating a single stream for subscription by multiple parties who would like to receive the same information. For this Ask the Expert event, Patrick Lloyd, CCIE R&S no. 39750 and a network consulting engineer with Cisco’s Enterprise Advanced Services Delivery Team, will answer questions about multicast design and implementation based on best practices and prior experience with large enterprise deployments.
  Patrick Lloyd is a network consulting engineer for Cisco’s Enterprise East Advanced Services team, working to support and lend his expertise to a number of financial, insurance, healthcare, and consulting customers. In his four years of experience, he has lent design expertise to multicast networks ranging from 500 Cisco devices and 20K users to upward of 4500 Cisco devices and 50K users. Patrick is certified with his Cisco Certified Internetworking Expert no. 39750 in the Routing and Switching track and also has achieved certification in CCNA Security and Securing Cisco Routers and Switches as part of the CCNP Security track. Patrick received his MS degree in networking and systems administration from Rochester Institute of Technology in Rochester, NY, and his BS degree in computer science from Eastern Connecticut State University. He frequently gives customer-based knowledge transfers.
  Remember to use the rating system to let Patrick know if you have received an adequate response.
  Because of the volume expected during this event, Patrick might not be able to answer every question. Remember that you can continue the conversation in Network Infrastructure under the subcommunity WAN, Routing & Switching shortly after the event. This event lasts through September 12, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Thanks for the question!  This is actually a good one that I've encountered with a couple customers in the past, the tradeoff between a flood and prune type design, as opposed to the shared tree -> shortest path tree sequence.  As per Cisco best practice, we are actively trying to get customers to implement sparse mode, going so far as to not support PIM dense mode in our data center products.  And for good reason!  The last thing you want is a chatty protocol within the data center which is flooding traffic out to receivers who may or may not be interested in it every 3 minutes.  Instead, you're much better off having interested receivers join a stream, have your RP connect the interested senders and receivers, and then transition to the shortest path between source and destination.
  That being said, if you're studying for CCIE or looking to get experience in how multicast works, dense mode should at least be a lab exercise!
  Links for reference as to the difference in PIM modes:
  Dense Mode Operation:
  http://www.cisco.com/en/US/docs/ios/ipmulti/configuration/guide/imc_pim_dense_rfrsh.pdf
  Pim Modes and explanation of each:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swmcast.html#wp1077051
  A great slide deck to learn the operation of multicast:
  https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=6633&backBtn=true
  Troubleshooting Multicast:
  https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78578&backBtn=true
  Let me know if this is the answer you're looking for!

• Ask the Expert: NGWC (3850/5760): Architecture and Deployment

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about NGWC (3850/5760): Architecture and Deployment.
  Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015
  This Ask the Expert Session will cover questions spanning NGWC products (3850/5760) on Implementation and Deployment from the Wired and Wireless perspective. This will be more specific to Customer’s and Partners questions covering 3850/5760 configuration, Implementation and deployment.
  Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS)  handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco Wireless CUWN and NGWC Product line. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS) and CCIE (DC-Written) and CCIE Wireless certification.
  Naveen Venkateshaiah is working as a Customer support engineer in High-Touch Technical Services (HTTS) handling  and supporting Lan-switching and Data center Products. His areas of expertise include Catalyst 3k,4k , 6500 , Nexus 7k Platform  He has over 7 years of industry experience working with large Enterprise and Service Provider networks. He also holds CCNA, CCNP (RS) and  CCDP-ARCH,CCIE-R&S Written, AWLANFE, LCSAWLAN Certification.
  Find other  https://supportforums.cisco.com/expert-corner/events.
  **Ratings Encourage Participation! **
  Please be sure to rate the Answers to Questions

  Hi Dhiyadav,
  thank you for your reply it cleared some doubts that were in my mind but i need your more support to guide me a converged access deployment which i am going to deploy within few days.
  i have 
  2x5508 in HA as MC
  30x3850 switches, and all will be used as MA(s) with multiple SPGs
  2X5508  1:1 as an anchor controller
  1xISE 1.3 for guest access
  1xCPI for wireless mgmt and monitoring purpose
  1xMSE3355 with wips and context aware licenses
  200x cisco 3702i WAP
  50x WSSI module for monitoring the channels
  can you please put a light on the design and guide me that which are the best possible solutions to get this job done very smoothly.
  i will also let you know about my proposed design scenario but for sure i need your recommendations as well :)
  so,
  i will use 2x5508 wlcs in HA as a MC which are AP-Count and HA licensed..
  3850 switches will be MA and i ll configure SPGs per floor switches stacks 
  WAPs will join on these 3850 MAs base on each floor
  i would have 2 ssid like employee and guest
  i will configure them on each 3850 stack MA along with their SVIs for users access like (empolyee and guest ssid)
  here my question is for guest ssid and its vlan... do i configure it here or on anchor controller???
  i want ISE to be integrated with wireless for employee 802.1x and for guest web Auth. so, how i will integrate ISE with wireless. i mean weather i will integrate it anchor controller or with each 3850 MA???
  between foreign and anchor controller i will use new mobility instead of old EOIP!!!
  where shall place ISE in my network, in DMZ or with Core switch?
  my target for guest users to do not have access to any corporate network sources ?
  MSE:
  can i use both wips and context aware on the single MSE box?
  if yes, than what is the best practice for configuring them?
  are each 3850 MA will be added in MSE?
  WSSI module . will be used for monitoring purpose for wips and context aware profiles.
  all access point will be worked in local mode for serving users access.
  thank you

• Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

  With Prashanth Goutham R.
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 
  Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework, protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
  Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
  Remember to use the rating system to let Prashanth know if you have received an adequate response. 
  Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  Hello John,
  This session is on Failover Functionality on all Cisco Firewalls, im not a geek on QOS however i have the answer for what you need. The way to limit traffic would be to enable QOS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and drop any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.
  access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0    class-map Tunnel_Policy1     match access-list tunnel_one   class-map Tunnel_Policy2     match access-list tunnel_two   class-map Tunnel_Policy3     match access-list tunnel_three   class-map Tunnel_Policy4     match access-list tunnel_four  policy-map tunnel_traffic_limit     class Tunnel_Policy1      police output 4096000   policy-map tunnel_traffic_limit     class Tunnel_Policy2      police output 5734400   policy-map tunnel_traffic_limit     class Tunnel_Policy3      police output 2457600    policy-map tunnel_traffic_limit     class Tunnel_Policy4      police output 4915200service-policy tunnel_traffic_limit interface outside
  You might want to watch out for the following changes in values:
  HTTS-SEC-R2-7-ASA5510-02(config-cmap)#     policy-map tunnel_traffic_limitHTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy1HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4096000HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limitHTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy2HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 5734400WARNING: police rate 5734400 not supported. Rate is changed to 5734000    
  HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#HTTS-SEC-R2-7-ASA5510-02(config)#     policy-map tunnel_traffic_limitHTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy3HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 2457600WARNING: police rate 2457600 not supported. Rate is changed to 2457500HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limitHTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy4HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4915200WARNING: police rate 4915200 not supported. Rate is changed to 4915000I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/
  The Final outputs of the configured values were :
      Class-map: Tunnel_Policy1      Output police Interface outside:        cir 4096000 bps, bc 128000 bytes        conformed 0 packets, 0 bytes; actions:  transmit        exceeded 0 packets, 0 bytes; actions:  drop        conformed 0 bps, exceed 0 bps     Class-map: Tunnel_Policy2      Output police Interface outside:        cir 5734000 bps, bc 179187 bytes        conformed 0 packets, 0 bytes; actions:  transmit        exceeded 0 packets, 0 bytes; actions:  drop        conformed 0 bps, exceed 0 bps    Class-map: Tunnel_Policy3      Output police Interface outside:        cir 2457500 bps, bc 76796 bytes        conformed 0 packets, 0 bytes; actions:  transmit        exceeded 0 packets, 0 bytes; actions:  drop        conformed 0 bps, exceed 0 bps    Class-map: Tunnel_Policy4      Output police Interface outside:        cir 4915000 bps, bc 153593 bytes        conformed 0 packets, 0 bytes; actions:  transmit        exceeded 0 packets, 0 bytes; actions:  drop        conformed 0 bps, exceed 0 bps
  Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
  Hope that helps..

• Ask the Experts: Wired Guest Access

  Sharath K.P.
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum. India. He holds CCNP certifications in R&S and Wireless.
  Remember to use the rating system to let Sharath know if you have received an adequate response. 
  Sharath might not be able to answer each question due to the volume expected during this event.
  Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts
  through January 27, 2012. Visit this forum often to view responses to your questions and the questions
  of other community members.

  Hi Daniel ,
  Wonderful observation and great question .
  Yes, we dont find any recommendation or inputs in Cisco Docs on scenarios  where  we  have multiple foriegn WLC's present .When we go through the Cisco Doc available for Wired Guest Access
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
  Two separate solutions are available to the customers:
  A single WLAN controller (VLAN Translation mode) - the access switch  trunks the wired guest traffic in the guest VLAN to the WLAN controller  that provides the wired guest access solution. This controller carries  out the VLAN translation from the ingress wired guest VLAN to the egress  VLAN.
  Two WLAN controllers (Auto Anchor mode) - the access switch trunks  the wired guest traffic to a local WLAN controller (the controller  nearest to the access switch). This local WLAN controller anchors the  client onto a DMZ Anchor WLAN controller that is configured for wired  and wireless guest access. After a successful handoff of the client to  the DMZ anchor controller, the DHCP IP address assignment,  authentication of the client, etc. are handled in the DMZ WLC. After it  completes the authentication, the client is allowed to send/receive  traffic.
  So  as per Cisco best pratices using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable
  I do understand the confusion regarding such scenario's as this( Multiple foriegn WLC's) is a very general setup which customer would like to deploy .
  We have already opened a bug for the same (Little late though )
  BUG ID :CSCtw44999
  The WLC Config Guide should clarify our support for redundancy options for wired guest
  Symptom:
  Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
  generate unpredictable results.
  Some of the other tthat changes we will be making as a part of doc correction would be
  http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
  1. The WiSM2 needs to be added as a supported controller.  (Not sure about the 7500, check with PM)
  2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
  "Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
  generate unpredictable results."
  3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
  Now  if you already have such deployments , ther criteria would be that nearest WLC on the broadcast domain (Layer 2) would  respond to the client associtation request .
  Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
  Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile
  00:0d:60:5e:ca:62 on AP 00:00:00: 00:00:00 from Idle to Associated .
  I hope the above explanation could clarify your doubts to certain extent and also keep you
  informed on Cisco's  roadmap on this feature .
  Regards ,
  Sharath K.P.