Best Practice QOS in MPLS core

Similar Messages

• BGP Best Practice / Private-AS vs. Public-AS in the MPLS Core

  Dears,
  We have recently aquired a large network with ASR9K as Internet Gateways and non-Cisco devices in the MPLS Core.
  We would liike to know which is the best recommended solution to use Private MP-BGP AS in the MPLS Core or extend the IGW Public AS, knowing  that the IGW will be in a VRF and not the global routing table. Moreover, the clients of the MPLS Core have their own BGP Public AS and would need to connect to the MPLS Core to obtain internet services from the IGW.
  (Cust1)------EBGP------[VRF_Cust_1](MPLS CORE AS_2)[VRF_IGW]------EBGP-----(IGW AS_1) in the case of having a private BGP AS in the core
  (Cust1)------EBGP------[VRF_Cust_1](MPLS CORE AS_1)[VRF_IGW]------iBGP-----(IGW AS_1) in the case of having same public BGP AS in the core
  Waiting for your feedback and thoughts.
  Thanks,
  Michel.

  Michel,
  if your mpls core is also used for internet transit, then it is best to be a public AS.
  if not, then you can leave it be and remove the private AS at your border routers.
  If oyu are connecting multiple MPLS networks together to link L2 or L3 VPN services, I think it is easiest to have it all one AS, otherwise you end up with complex designs such as Carrier supporting Carrier (CSC) or Inter-AS option A (vrf lite), B (using vpnv4 at the inter AS gateay) or C (using vpnv4 at the interAS gateway with route reflectors in each AS peering with each other).
  regards
  xander
  Xander Thuijs CCIE #6775
  Principal Engineer 
  ASR9000, CRS, NCS6000 & IOS-XR

• Best practice MPLS design/configuration for small service provider

  We are a small regional service provider and did not have MPLS supported on our network.  To start supporting MPLS, I’d like to get opinions and recommendations on the best practice configuration. 
  Here is what we have today –
  We have our own BGP AS and multiple /24s.
  We are running OSPF on the Cores and BGP on the Edge routers peering with ISPs.
  We peer with multiple tier-1 ISPs for internet traffic. We do not provide public transit.
  What we want for phase one MPLS implementation –
  Configure basic MPLS /vpn functionality.
  No QoS optimization required for phase 1.
  We have Cisco ME 3600X for  PE. Any recommendations will be appreciated.

  Not sure what kind of devices or routers you have in your network but looks for if you have support for labeled multicast for MVPN support. That will avoid other complexity of using other control protocols (like PIM) in core.
  PE redundancy can be obtained by BGP attributes, CE-PE connectivity can be tunned using IGP or VRRP/HSRP...
  You can have mutiple RSVP TEs for various contract traffic and you can bind various kind of traffic to different RSVP Tunnels based on contract or service with your customer.
  RSVP-TE with link/node protection design will be of great help to achieve quicker failover.

• MPLS Design Best Practices for SP

  When deploying a new MPLS backbone for a Service Provider, what will be consider the best practices in general? For example what about the following list and any other items:
  - Define the Internet as a VRF?
  - Use private ASNs?
  - Define a VRF per special service?
  - Use at least two route reflectors?
  - Use OSPF as IGP?
  - Limit the CE-PE routing support to OSPF and BGP?
  What will be the best approach for management of the devices? A management VRF or the nodes to natively be on a management network?
  What to consider when designing from scratch?

  William some recommended practises, although you can point out your specific constraints in adopting any.
  - Define the Internet as a VRF?
  (Yes Logical speperation is the way to go.)
  - Use private ASNs?
  (No, use a Public AS, you may have to peer outside your AS in a VRF with other AS's)
  - Define a VRF per special service?
  (This is Perfect , Logical Seperation)
  - Use at least two route reflectors?
  (Right, atleast 2 and above that depends on the size of your network)
  - Use OSPF as IGP?
  (I dont see any problems with OSPF in scaling for big networks)
  - Limit the CE-PE routing support to OSPF and BGP?
  (This aspect shouldnt impact much really, you can very well support all the protocols, as its more of serving your customers, rather than dictating the conditions.
  Yes have a seperate VRF for Device Managements (also give a thought for a management subnet, which would be unique across your network)
  You should generally start with a overview topology, introdcution of the objectives. And then go ahead with the suggested phy topo,
  And then move on to the logical services, beggining from Core IGP, then core BGP, and then all the add on protocols, multicast , MPLS TE etc/. Then you can cover specilized service and their logic and description in the end.
  Pretty much, just simply think of building out right from scratch that is Physical Layer and Move to Layer 2 and then Layer 3 Layer 4 .
  So basically you doc should be index in a manner following the sequence of the OSI layers, this gives a good flow to the doc. And rest remains is the description of the logic used in each service or deployment method, that would be your skill.
  HTH-Cheers,
  Swaroop

• Best practice for sqlldr -- direct to core or to stage first?

  We want to begin using sql loader to load simple (but big) tables that have, up to this point, been loaded via perl and it's DBI connection to Oracle. The target tables typically receive 10-20 million rows per day (parsed log data from many thousands of machines) and at any one time can hold more than a billion total records PER TABLE. These tables are pretty simple (typically 5-10 columns, 2 or 3 part primary keys). They are partitioned BY MONTH (DAY is always one of the primary key columns) and set up on very large SAN disk arrays, stripped, etc. I can use sqlldr to load the core tables directly, OR, I could use sqlldr to load a staging table on a daily basis, then PL/SQL and SQL+ to move data from the staging table to the core. My instinct tells me that the second route is SAFER, that is there is less chance that something catastrophic could corrupt the core table, but obviously this would (a) take more time to develop and (b) reduce our over-all throughput.
  If I go the first route, loading the core directly with sqlldr, what is the worst thing that could possibly happen? That is, in anyone's experience, can a sqlldr problem corrupt a very large table? Does the likelihood of a catastrophic problem increase in proportion to the number of rows already in the target table? Are there strategies that will mitigate potential catastrophies besides going to staging and then to core via pl/sql? For example, if my core is partitioned by month, might I limit potential damage only to the current month? Are there any known potential pitfalls to using sqlldr directly in this fashion?
  Thanks
  matthew rapaport
  [email protected]

  Wow, thanks everyone!
  1. External tables... I'd thought of this, but in our development group we have no direct access to the DBMS server so we'd have to do some workflow to move the data files to the dbms server and then write the merge. If sql loader will do the job directly (to the core) without risk, then that seems to be the most straight-forward way to go.
  2. The data in the raw files is very clean, this being done in the step that parses the raw logs (100-500mb each) to the "insert files" (~20mb each), and there would be no transformations in moving data from staging to core, so again that appears to argue for direct-to-core loading.
  3. The data is collected by DAY, but reported on mostly by MONTH (e.g., select day, sum(col), count(col), from TABLE where day between A and B, group by day, order by day, etc where A and B are usually the first and last day of the month) and that is why the tables are partitioned by month, but perhaps this is not the best practice (???). I'm not the DBA, but I can make suggestions... What do you think?
  4. Time to review my sqlldr docs! I haven't used it in a couple of years, and I'm keeping my fingers crossed that it can handle the particular delimiter used in these files (pipe-tab-pipe expressed in perl as "|\t|". If I recall it can, but I'm not sure how to express the tab...
  Meanwhile, thank you very much, you have all been a BIG help... Strange no one asked me how it was that a Microsoft company was using Oracle :-) ... I work for DANGER INC (was www.danger.com if anyone interested) which is now owned (about 9 months now) by Microsoft, and this is the legacy reporting system... :-)
  matthew rapaport
  [email protected]
  [email protected]

• Server Core 2008 R2 SP1 - AD DS Best Practice Analyzer Scans Don't Produce Any Output

  Hi,
  This is a re-post moving this discussion to the recommended forum "Server Core" from here:
  http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/cc33d429-88e0-4450-a73c-361e395fd217.
  I am having problems producing any output for any AD DS Best Practice Analyzer Scans on a Windows Server Core 2008 R2 SP1 Domain Controller.
  I have imported the "ServerManager" and "BestPractices" PS modules on that Server by running the following commands:
  Import-Module ServerManager
  Import-Module BestPractices
  I've then run
  get-BPAModel, to find out what best practice scan models are availale, this returns the following output:
  Id                                                       
  LastScanTime
  Microsoft/Windows/DirectoryServices     Never
  Microsoft/Windows/DNSServer               Never
  I then run all the BPA scans on that box:
  Get-BPAModel | Invoke-BPAModel
  This returns the following output:
  ModelId                                          
  Success  Detail
  Microsoft/Windows/DirectoryServices True       (InvokeBpaModelOutputDetail)
  Microsoft/Windows/DNSServer          True       (InvokeBpaModelOutputDetail)
  Since the BPA invocation results weren’t displayed automatically, I entered the following command to see them:
  Get-BPAModel | Get-BPAResult | Out-File "D:\Source\BPA.txt"
  This command will create a text file with the scan results but I only see the results of the DNSServer scan, not the DirectoryServices scan.
  I have also tried to view the results in a HTML format by running the following command but still only see the DNSServer scan results:
  Get-BPAModel | Get-BPAResult | ConvertTo-Html | Set-Content d:\Source\BPA.htm
  I have also tried exeucuting the scan ONLY for the "Microsoft/Windows/DirectoryServices" model but can't get any results to be returned.  I have also connected using server manager from a Full install of Server 2008 R2 SP1 but that
  doesn't seem to show any results under the "Best Practices Analyzer" section when the "Active Directory Domain Services" node is selected, all 4 tabs ("Noncompliant", "Excluded", "Compliant" and "All") show zero (0).  However, the summary text above the
  tabs does show when the last scan was performed. which seems to be correct.
  Is there something special that needs to be done to produce the BPA results for the "Microsoft/Windows/DirectoryServices" BPA model on Server Core 2008 R2 SP1?
  BTW: The Forest/Domain is W2K3R2 Native, this is the first W2K8R2 DC in the environment and I have installed .NET 4 framework (Server Core) to support Powershell 3, also installed.
  Thanks, Paul.
  belpad

  Hi Diana,
  OK, pretty sure I've now found the root cause of the issue I've described above.
  I was also looking into Windows Update Agent issues for these W2K8R2 Server Core DC's, where no updates would be applied via WSUS (configured via GPO) and would fail with "FATAL: CBS called Error with 0x8000ffff windows update agent server
  core". 
  Yesterday, I managed to get one of the W2K8R2 Server Core DC's (WSUS updates) working again by removing one of the .NET 4 Framework security updates (KB2600211) which was manually applied when the server was initially setup.  .NET 4 (Server Core Edition
  http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=22833) was installed as a pre-requisitie for Powershell 3.  Once this update was removed, the affected server core DC was restarted and WSUS updates started to get applied.
  So I followed the same procedure on the other server core DC but this did not resolve the WSUS issue this time.  Next, I did further investigation into the Windows Update Agent problem.  This led me to the following article:
  http://blogs.technet.com/b/brad_rutkowski/archive/2008/07/03/windows-update-fails-with-8000ffff-e-unexpected.aspx which described an issue with NTFS permissions being set incorrectly on C: drive, with the "BUILTIN\Users" group completely
  missing on the C: drive.
  I found the affected Server Core DC also had this issue and when the "BUILTIN\Users" was assigned permissions on the C: drive as described above, and the Windows Update Agent re-started, the Server Core DC started to install all required updates
  configured via WSUS.
  Next, I ran the Directory Service BPA, which now produces the desired output either locally or remotely via Server Manager.
  Therefore, I can only assume that the Directory Service BPA also uses "Network Service" much like WUAUSERV (Windows Update Agent), which requires access to the C: drive via the "BUILTIN\Users" assignment.
  So this has subsequently led me to check the C: drive (%systemdrive%) permissions across multiple W2K8R2 machines, all of which showed differing assigned permissions, as follows:
  1. W2K8R2 Server Core DC - With Directory Services BPA and Windows Update Agent Not Working
  C:\>icacls c:\
  c:\ BUILTIN\Administrators:(OI)(CI)(F)
      CREATOR OWNER:(OI)(CI)(IO)(F)
      NT AUTHORITY\INTERACTIVE:(OI)(CI)(RX)
      NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  2. W2K8R2 Server Core DC - With Directory Services BPA and Windows Update Agent Working OK
  C:\>icacls c:\
  c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
      BUILTIN\Administrators:(OI)(CI)(F)
      BUILTIN\Users:(OI)(CI)(RX)
      BUILTIN\Users:(CI)(AD)
      BUILTIN\Users:(CI)(IO)(WD)
      CREATOR OWNER:(OI)(CI)(IO)(F)
  3. W2K8R2 Full DC - With Directory Services BPA and Windows Update Agent Working OK
  C:\>icacls c:
  c: NT SERVICE\TrustedInstaller:(F)
     NT SERVICE\TrustedInstaller:(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(M)
     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
     BUILTIN\Administrators:(M)
     BUILTIN\Administrators:(OI)(CI)(IO)(F)
     BUILTIN\Users:(RX)
     BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
     CREATOR OWNER:(OI)(CI)(IO)(F)
  4. W2K8R2 Server Core DHCP Server (Migrated from W2K3 with Server Migration Tools) - With DHCP BPA and Windows Update Agent Working OK
  C:\>icacls c:
  c: NT AUTHORITY\SYSTEM:(OI)(CI)(F)
     BUILTIN\Administrators:(OI)(CI)(F)
  5. W2K8R2 Server Core DHCP Server (Migrated from W2K3 with netsh) - With DHCP BPA and Windows Update Agent Working OK
  C:\>icacls c:
  c: NT AUTHORITY\SYSTEM:(OI)(CI)(F)
     BUILTIN\Administrators:(OI)(CI)(F)
     BUILTIN\Users:(OI)(CI)(RX)
     BUILTIN\Users:(CI)(AD)
     BUILTIN\Users:(CI)(IO)(WD)
     CREATOR OWNER:(OI)(CI)(IO)(F)
  None of the above servers have a Group Policy or any in-house scripts defined that configure C: drive permissions.  It seems odd that there should be such a variance in the C: (%systemdrive%) drive permissions across the above servers, with only
  scenarios 2 and 5 above have matching permissions.  I can only imagine that maybe some software or software update might be causing this.
  By reviewing the above output, it seems there is also a difference between the C: drive permissions of W2K8R2 Server Core and W2K8R2 Full.  Not sure if this is by design? 
  Is there any Microsoft Documentation describing what the default %systemdrive% NTFS permissions should be for W2K8R2 Server Core and Full.  Furthermore, do these permissions change when the various infrastructure roles are installed and enabled i.e.
  Domain Controller, DHCP etc.  I ask, since I would like to use the correct set of permissions for %systemroot% in each scenario. Please advise if I should be asking this question in a different forum?
  belpad

• QoS Beta(643-642), information for "QoS best practices"

  I'm preparing the "IP telephony operational specialist" exam and now for QoS beta(643-642).
  Can I get an URL for "QoS Best Practices" from CCO ? And any comments for the exam.
  Thanks,

  Best practices differ according to the type of service your are running, here are some examples
  http://www.cisco.com/en/US/tech/tk543/tk759/technologies_white_paper09186a00801348bc.shtml
  http://www.cisco.com/en/US/tech/tk543/tk544/technologies_white_paper09186a008011fde2.shtml

• Best Practice for FlexConnect Wireless roaming in MediaNet environment?

  Hello!
  Current Cisco best practice recommendations for enterprise MediaNet design, specify that VLANs be local to a switch / switch stack (i.e., to limit the scope of spanning-tree). 
  In the wireless world, this causes problems if you want users while roaming to keep real-time applications up and running.  Every time they connect to a new AP on a different VLAN, then they will need to get a new IP address, which interrupts real-time apps. 
  So...best practice for LAN users causes real problems for wireless users.
  I thought I'd post here in case there's a best practice for implementing wireless roaming in a routed environment that we might have missed so far!
  We have a failover pair of FlexConnect 7510s, btw, configured for local switching for Internal users, and central switching with an anchor controller on the DMZ for Guest users.
  Thanks,
  Deb

  Thanks for your replies, Stephen and JSnyder.
  The situation here is that the original design engineer is no longer here, and the original design was not MediaNet-friendly, in that it had a very few /20 subnets bridged over entire large sites. 
  These several large sites (with a few hundred wireless users per site), are connected to an HQ location (where the 7510s in failover mode are installed) via 1G ethernet hand-offs (MPLS at the WAN provider).  The 7510s are new, and are replacing older contollers at the HQ location. 
  The internal employee wireless users use resources both local to their site, as well as centralized resources.  There are at least as many Guest wireless users per site as there are internal employee users, and the service to them consists of Internet traffic only.  (When moved to the 7510s, their traffic will continue to be centrally switched and carried to an anchor controller in the DMZ.) 
  (1) So, going local mode seems impractical due to the sheer number of users whose traffic bound for their local site would be traversing the WAN twice.  Too much bandwidth would be used.  So, that implies the need to use Flex / HREAP mode instead.
  (2) However, re-designing each site's IP environment for MediaNet would suggest to go routed to the closet.  However, this breaks seamless roaming for users....
  So, this conundrum is why I thought I'd post here, and see if there was some other cool / nifty solution I wasn't yet aware of. 
  The only other (possibly friendly to both needs) solution I'd thought of was to GRE tunnel a subnet from each closet to the collapsed Core / Disti switch at each site.  Unfortunately, GRE tunnels are not supported in the rev of IOS on the present equipment, and so it isn't possible to try this idea.
  Another "blue sky" idea I had (not for this customer, but possibly elsewhere in the future), is to use LAN switches such as 3850s that have WLC functionality built-in.  I haven't yet worked with the WLC s/w available on those, but I was thinking it looks like they could be put into a mobility group, and L3 user roaming between them might then work.  Do you happen to know if this might be a workable solution to the overall big-picture problem? 
  Thanks again for taking the time and trouble to reply!
  Deb

• Best Practice for config upgrade

  Hi
  Is there a best practice guide to follow to performing a network upgrade. So I am replacing a stack of 5 3750 switches and replacing with 2 stacks of 2 3750x switches, but then also introducing a 4500x vss pair aswell as the new core. Is there an easy migration process to migrate the config or do I have to understand what the current network is configured as and build a new config for the new topology.
  Im new to this process so just wondering if I can find an easier way, Thanks

  Is there an easy migration process to migrate the config or do I have to understand what the current network is configured as and build a new config for the new topology.
  You really need to understand how the current network is configured before you can do the upgrade otherwise if something doesn't work you will have no idea of where to begin troubleshooting.
  That doesn't mean you need to build an entirely new configuration because you may well be able to apply most of the configuration on your existing switches to the new switches although it's not clear what functions the new switches will be doing ie.
  currently you have a stack of 3750s doing what ? eg. access for users, routing for vlans etc.
  you are replacing them with 3750x's switches and 4500x switches so are you splitting up the functions of the 3750s between them.
  If you are then obviously you cannot take the existing configuration and copy it to both the 3750x and the 4500x switches.
  When I did upgrades like this I would download the existing configurations to my laptop and make any necessary edits. If I couldn't use the existing configuration I just created new ones. When I came to upgrade I had all the configurations ready to load onto the switches.
  Bear in mind that some configuration just won't copy across ie. if you have QOS on your current switches and you try to copy that to the 4500x it probably wont work as they use different commands for a lot of the same functions.
  But the key thing is you must understand what you are trying to do ie. simply trying to copy across configurations without the understanding could create a lot of problems.
  Jon

• Dual 7010 - Layer 3 Peering Best Practice/Recommendation

  I have 2 Nexus 7010s with 2 Nexus 5548s dual connected to each 7K. The 7010s are acting as redundant core devices. Dual Sup2E in each.
  Can someone tell me what the best practice is for layer 3 peering (EIGRP) between these devices. I can't seem to find any example documents.
  VPCs are used
  Approx 20 Vlans. Mutliple functions, lots of virtualized servers (200+) on UCS and VMware.
  A firewall HA pair will be connected - 1 to each 7K. This leads to the Internet and DMZ.
  1 MPLS WAN router will be connected to the primary 7K.
  Let me know if you need any additional info. Thanks!

  I'm not sure that I understand your question. Is it EIGRP peering across the vPC links between the Core switches?
  If so see below an example for OSPF but the concepts are the same for EIGRP
  http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
  Don't forget to rate all posts that are helpful

• LDP - Best practices

  Hello,
  we have just rolled an MPLS network as service provider and will soon  lunch services through it, to start with is l3vpn. I would like to find out what are the best practices for LDP setup such as would you recommend to have;
  - MD5 passwords from the word go or it can done at later stage.
  - what configuration tweaks do you reckon should be resolve before we can start adding clients to the network or what should my audit checklist be like to ensure I am putting out a network that meets operational best practice.
  - our IGP is ISIS.
  I will appreciate your invaluable advise.
  Regards,

  Hello,
  Following is the best MPLS Practises:
  1- The Use of LDP MD5 - Password Protection in your MPLS Network.
  2- The Use of Route Reflectors for Scalability reasons.
  3- The Use of Public AS Number within the MPLS Backbone, this helps you plan to be a Global MPLS Provider.
  4- Redundancy at the Core is a Must, Redundancy at the Edge is Prefered.
  5- Never Run LDP between Different MPLS Service Provider, its NOT a good Security Practise. Applicable for (Inter-AS) Architecture Approach.
  6- The Best approach is to have the PE at each POP peers with two different P routers at the Core. If you Hvae Two PEs at each POP this would Provide fully redundant Edge Network.
  7- Your Core Should be High End Series, I would advice with CRS , 12000 Or at Least ASR9K for Medium Service Providers, and 7600 can be installed at the Edge.
  8- The Last Note Would be to try Avoiding (VRF - Route Leaking) as Much as possible. Design Your VRFs according to your Needs from the begining.
  Good Luck,
  Mohamed

• SAP Best Practice Integrated with Solution manager

  We have a server in which we installed SAP Best practice baseline package and we have the solution manager 7.01 SP 25
  We maintained the logical port but when we try to check connectivity to solution manager we got the following error:
  Connectivity check to sap solution manager system not successful
  Message no. /SMB/BB_INSTALLER375
  Can anyone guide us how to solve the problem and also if there is another way to upload the solution defined on the best practice solution builder into sap solution manager as a template project
  Thanks,
  Heba Hesham

  Hi,
  Patches for SAPGUI 7.10 can be found at the following location:
  http://service.sap.com/patches
  -> Entry by Application Group -> SAP Frontend Components
  -> SAP GUI FOR WINDOWS -> SAP GUI FOR WINDOWS 7.10 CORE
  -> SAP GUI FOR WINDOWS 7.10 CORE -> Win 32
  -> gui710_2-10002995.exe

• Best Practices for Integrating UC-5x0's with SBS 2003/8?

  Almost all of Cisco's SBCS market is the small and medium business space.  Most, if not all of these SMB's have a Microsoft Small Business Server 2003 or 2008. It will be critical, In order for Cisco to be considered as a purchase option, that the UC-5x0 integrates well into these networks.
  To that end, I see a  lot of talk here about how to implement parts and pieces of this, but no guidance from Cisco, no labs and no best practices or other documentation. If I am wrong, please correct me.
  I am currently stumbling through and validating these configurations myself, Once complete, I will post detailed recommendations. However, it would have been nice to have a lab to follow instead of having to learn from each mistake.
  Some of the challanges include;
  1. Where should the UC-540 be placed: As the gateway for QOS or behind a validated UC-5x0 router/security appliance combination
  2. Should the Microsoft Windows Small Business Server handle DCHP (as Microsoft's documentation says it must), or must the UC-540 handle DHCP to prevent loss of features? What about a DHCP relay scheme?
  3. Which device should handle DNS?
  My documentation (and I recommend that any Cisco Lab/Best Practice guidence include it as well) will assume the following real-world scenario, the same which applies to a majority of my SMB clients;
  1. A UC-540 device utilizing SIP for the cost savings
  2. High Speed Internet with 5 static routable IP addresses
  3. An existing Microsoft Small Business Server 2003/8
  4. An additional Line of Business Application or Terminal Server that utilizes the same ports (i.e. TCP 80/443/3389) as the UC-540 and the SBS, but on seperate routable IP's (Making up crazy non-standard port redirections is not an option).
  5. A employee who teleworks from various places that provide a seat and a network jack, which is not under our control (i.e. a employees home, a clients' office, or a telework center). This teleworker should use the built in VPN feature within the SPA or 7925G phones because we will not have administrative access to any third party's VPN/firewall.
  Your thoughs appreciated.

  Progress Report;
  The following changes have been made to the router in support of the previously detailed scenario. Everything appears to be working as intended.
  DHCP is still on the UC540 for now. DNS is being performed by the SBS 2008.
  Interestingly, the CCA still works. The NAT module even shows all the private mapped IP's, but no the corresponding public IP's. I wouldnt recommend trying to make any changes via the CCA in the NAT module.  
  To review, this configuration assumes the following;
  1. The UC540 has a public IP address of 4.2.2.2
  2. A Microsoft Small Business Server 2008 using an internal IP of 192.168.10.10 has an external IP of 4.2.2.3.
  3. A third line of business application server with www, https and RDP that has an internal IP of 192.168.10.11 and an external IP of 4.2.2.4
  First, backup your current configuration via the CCA,
  Next, telent into the UC540, login, edit, cut and paste the following to 1:1 NAT the 2 additional public IP addresses;
  ip nat inside source static tcp 192.168.10.10 25 4.2.2.3 25 extendable
  ip nat inside source static tcp 192.168.10.10 80 4.2.2.3 80 extendable
  ip nat inside source static tcp 192.168.10.10 443 4.2.2.3 443 extendable
  ip nat inside source static tcp 192.168.10.10 987 4.2.2.3 987 extendable
  ip nat inside source static tcp 192.168.10.10 1723 4.2.2.3 1723 extendable
  ip nat inside source static tcp 192.168.10.10 3389 4.2.2.3 3389 extendable
  ip nat inside source static tcp 192.168.10.11 80 4.2.2.4 80 extendable
  ip nat inside source static tcp 192.168.10.11 443 4.2.2.4 443 extendable
  ip nat inside source static tcp 192.168.10.11 3389 4.2.2.4 3389 extendable
  Next, you will need to amend your UC540's default ACL.
  First, copy what you have existing as I have done below (in bold), and paste them into a notepad.
  Then, im told the best practice is to delete the entire existing list first, finally adding the new rules back, along with the addition of rules for your SBS an LOB server (mine in bold) as follows;
  int fas 0/0
  no ip access-group 104 in
  no access-list 104
  access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_24##
  access-list 104 remark SDM_ACL Category=1
  access-list 104 permit tcp any host 4.2.2.3 eq 25 log
  access-list 104 permit tcp any host 4.2.2.3 eq 80 log
  access-list 104 permit tcp any host 4.2.2.3 eq 443 log
  access-list 104 permit tcp any host 4.2.2.3 eq 987 log
  access-list 104 permit tcp any host 4.2.2.3 eq 1723 log
  access-list 104 permit tcp any host 4.2.2.3.35 eq 3389 log 
  access-list 104 permit tcp any host 4.2.2.4 eq 80 log
  access-list 104 permit tcp any host 4.2.2.4 eq 443 log
  access-list 104 permit tcp any host 4.2.2.4 eq 3389 log
  access-list 104 permit udp host 116.170.98.142 eq 5060 any
  access-list 104 permit udp host 116.170.98.143 any eq 5060
  access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
  access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
  access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
  access-list 104 permit udp host 116.170.98.142 eq domain any
  access-list 104 permit udp host 116.170.98.143 eq domain any
  access-list 104 permit icmp any host 4.2.2.2 echo-reply
  access-list 104 permit icmp any host 4.2.2.2 time-exceeded
  access-list 104 permit icmp any host 4.2.2.2 unreachable
  access-list 104 permit udp host 192.168.10.1 eq 5060 any
  access-list 104 permit udp host 192.168.10.1 any eq 5060
  access-list 104 permit udp any any range 16384 32767
  access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 104 deny   ip host 255.255.255.255 any
  access-list 104 deny   ip host 0.0.0.0 any
  access-list 104 deny   ip any any log
  int fas 0/0
  ip access-group 104 in
  Lastly, save to memory
  wr mem
  One final note - if you need to use the Microsoft Windows VPN client from a workstation behind the UC540 to connect to a VPN server outside your network, and you were getting Error 721 and/or Error 800...you will need to use the following commands to add to ACL 104;
  (config)#ip access-list extended 104
  (config-ext-nacl)#7 permit gre any any
  Im hoping there may be a better way to allowing VPN clients on the LAN with a much more specific and limited rule. I will update this post with that info when and if I discover one.
  Thanks to Vijay in Cisco Tac for the guidence.

• Best Practices for new iMac

  I posted a few days ago re failing HDD on mid-2007 iMac. Long story short, took it into Apple store, Genius worked on it for 45 mins before decreeing it in need of new HDD. After considering the expenses of adding memory, new drive, hardware and installation costs, I got a brand new iMac entry level (21.5" screen,
  2.7 GHz Intel Core i5, 8 GB 1600 MHz DDR3 memory, 1TB HDD running Mavericks). Also got a Superdrive. I am not needing to migrate anything from the old iMac.
  I was surprised that a physical disc for the OS was not included. So I am looking for any Best Practices for setting up this iMac, specifically in the area of backup and recovery. Do I need to make a boot DVD? Would that be in addition to making a Time Machine full backup (using external G-drive)? I have searched this community and the Help topics on Apple Support and have not found any "checklist" of recommended actions. I realize the value of everyone's time, so any feedback is very appreciated.

  OS X has not been officially issued on physical media since OS X 10.6 (arguably 10.7 was issued on some USB drives, but this was a non-standard approach for purchasing and installing it).
  To reinstall the OS, your system comes with a recovery partition that can be booted to by holding the Command-R keys immediately after hearing the boot chimes sound. This partition boots to the OS X tools window, where you can select options to restore from backup or reinstall the OS. If you choose the option to reinstall, then the OS installation files will be downloaded from Apple's servers.
  If for some reason your entire hard drive is damaged and even the recovery partition is not accessible, then your system supports the ability to use Internet Recovery, which is the same thing except instead of accessing the recovery boot drive from your hard drive, the system will download it as a disk image (again from Apple's servers) and then boot from that image.
  Both of these options will require you have broadband internet access, as you will ultimately need to download several gigabytes of installation data to proceed with the reinstallation.
  There are some options available for creating your own boot and installation DVD or external hard drive, but for most intents and purposes this is not necessary.
  The only "checklist" option I would recommend for anyone with a new Mac system, is to get a 1TB external drive (or a drive that is at least as big as your internal boot drive) and set it up as a Time Machine backup. This will ensure you have a fully restorable backup of your entire system, which you can access via the recovery partition for restoring if needed, or for migrating data to a fresh OS installation.

• What are the best practices for using the enhancement framework?

  Hello enhancement framework experts,
  Recently, my company upgraded to SAP NW 7.1 EhP6.  This presents us with the capability to use the enhancement framework.
  A couple of senior programmers were asked to deliver a guideline for use of the framework.  They published the following statement:
  "SAP does not guarantee the validity of the enhancement points in future releases/versions. As a result, any implemented enhancement points may require significant work during upgrades. So, enhancement points should essentially be used as an alternative to core modifications, which is a rare scenario.".
  I am looking for confirmation or contradiction to the statement  "SAP does not guarantee the validity of enhancement points in future releases/versions..." .  Is this a true statement for both implicit and explicit enhancement points?
  Is the impact of activated explicit and implicit enhancements much greater to an SAP upgrade than BAdi's and user exits?
  Is there any SAP published guidelines/best practices for use of the enhancement framework?
  Thank you,
  Kimberly
  Edited by: Kimberly Carmack on Aug 11, 2011 5:31 PM

  Found an article that answers this question quite well:
  [How to Get the Most From the Enhancement and Switch Framework as a Customer or Partner - Tips from the Experts|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/c0f0373e-a915-2e10-6e88-d4de0c725ab3]
  Thank you Thomas Weiss!