Best practice switching subs on/off?

Similar Messages

• Long-form workflow best practice? (sub clips)

  I am struggling with the new media management and organizational challenges of FCP X.
  Am I the only person in the FCP community who used sub clips?  In all the extensive belly aching about the new FCP, I've yet to see anyone list the death of subclips as a dealbreaker.
  This leaves me to believe that even in the pre-FCP X world people used a different (better) workflow than the one I used for over a decade.
  Tom Wolsky tells me that I'm trying to force the new software to work like the old...  Maybe, but I think it's reasonable to expect that an "upgrade" means that the new version of a software will have all the functionality of the software it's replacing with new capabilities added....  What we have, however, are lots of new (and admittedly) very desirable new capabilities with (infuriatingly) many of the capabilities most of us thought were crucial to our editing approaches stripped entirely.  Of course there's the promise that "some" of these capabilities will return at some future, unspecified date.
  Enough of my mini-rant, here's the question....
  If I shoot 22 hours of raw footage and hope to mine 90 minutes for the final cut, which has approximately 45 scenes, how should I use these radical new organization features to be able to easily locate my clips?
  In the old way, I'd get my Sony PMW-EX3 clips into FCP (not intuitive--another question, when will FCP accept the native SxS files?), then look at each of those master clips and cut those clips into sub clips.
  Each subclip would have a unqiue name.  And I would create a series of folders for the subclips.  Very clean, very organized and when I need a cutaway shot of the dog barking in scene 22, I look at folder 22, open it and there it is... "Dog Barking."
  The new FCP X uses Favorites or Keywords... both approaches inferior (in my opinion) to my old workflow...  So what am I missing?  How is the new way better?  Was there a better way before that I was just missing???
  And now I'm getting the whiff of an even bigger problem...  I haven't encountered it myself but others are finding that once a project exceeds twelve minutes, things become terribly unstable.
  Oh, well.  Growing pains, I suppose.  And people are correct, I can just use FCP 7...  but I had such hopes... such hopes....
  Dale

  Yes, I know FCP X is an upgrade in name only.  That's part of Apple's PR headache over this whole debacle.  When people launch a program and 10.0 Final Cut Pro X stares them in the face, they are justified to expect that it's a true update (upgrade) of Final Cut Pro.  And with Apple overselling the product.... oh, well, it is what it is.
  Most of us would have been happy with Final Cut Pro 8, a true 64 bit upgrade of the program that was working for us.
  Yes, Favorites and Keywords are similar to Subclips but they are still so tied to the Master Clip.. If I Favorite 10 clips and sort by favorites, I get the Master Clips and have to hit the triangle beside them to see the Favorites.  Even if all 10 Favorites are from the same Master Clip, I get ten redundant lines I have to wade through....
  The old way was better... One bin with ten uniquely named subclips.  Clear and clean....
  The new program does not seem informed by anyone who ever made a movie longer than five minutes... and evidently (from all reviews) it wasn't influenced by anyone who considers himself a professional editor.  (I do not consider myself a professional editor, just an independent movie maker who writes, directs, acts, edits, etc., and who happily used Final Cut Pro for over a decade.)
  I'm hanging around for FCP X 10.1... I've never seen Apple so mishandle a situation...  On a much smaller scale, it's Apple's Vista moment....
  Thanks for responding...
  Dale

• Best Practice for 2008R2 DC off site backup

  hello.
  at the request of the management i am trying to finalize a plan that covers off different potential events that could afflict our domain controllers.
  we currently have 2 DC's in our environment 1 holds all FSMO so we have redundancy if 1 goes down and i can use DC promo to build a new one and add it to the domain, then doing meta data clean up if needed.
  i have system state backups which will be useful if something happens to AD and i still have the original hardware to restore onto.
  however if something horrific happens i lose both dc's and need to restore to new hardware i am dubious of the reliability of these system state backups as i have tested them in the past and often got BSOD issues.
  i toyed with the idea of have a 3rd DC hosted off site in a data center, have replication occur to this and then i could use to rebuild new ones onsite if such a disaster were to occur.
  any one have any suggestions or ideas on this one, or speak from there own experiences in this subject
  Many Thanks

  Having a off-site DC is always good, but in the event of a replicated failure it's not going to help, there is situations where you would need to do a forest recovery (for example backing out of a schema update) Then you need to restore a system state
  backup of one DC and preferably re-install the others. 
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Best Practices with sub-par equipment

  Hi guys, I am needing some suggestions for the best way to capture and edit with the equipment I have to work with. Basically, I have the following:
  (1) Panasonic AG-DVC20P DV-Cam with Firewire connection
  (1) Kodak Easyshare z812
  (1) Zoom h4 digital audio recorder
  I have been capturing video with the two cameras. The quality of video from the Kodak camera is surprisingly good for low-action footage (the color is much more vibrant than the Panasonic DV-cam). I have been using it as a second camera angle. However, it doesn't give any timecode. I have to sync it to the audio manually. Also, I have been recording audio in MP3 with the h4. This seems to get out of sync with the DV over a period of about 10 minutes at which point it becomes very noticeable. I am working on editing a 3-hour long event and it is very time-consuming. I guess my question is how can I streamline things?
  • Has anyone else experienced drift in the audio with the H4? I recorded in MP3. If I record in WAV will it minimize the drift? I have been opening the MP3 in Quicktime and exporting as an audio-only Quicktime MOV.
  • Is there an advantage to syncing the two video tracks as Multi-Clips? I haven't really delved into that possibility.
  Thanks!

  With regard to the 29.97/30 thing, you'll find that video people are idiosyncratically imprecise about that. We say 60 when we mean 59.94, we say 30 when we mean 29.97 and we say 24 when we mean 23.976.
  We're quirky.
  Whenever somebody says one of those nice, round numbers, you can assume they're really talking about the corresponding ugly fraction.
  Unless they're film people, in which case +24 means 24, dangit.+

• Best Practice - IPv6 Turn Off? Windows 2008 (and R2) Servers

  Hi,
  I work for a large organization.  We have close to 10,000 servers globally.  A question has come up if we should disable IPv6 on our Windows 2008 servers.  Our network is not yet capable of using IPv6.
  It seems like you have to go out of your way to disable IPv6; therefore, I would assume that it is best to leave IPv6 turned on.
  Does anyone have any thoughts about this.  It would be most helpful to have links to pros/cons - best practice.
  Thank you.

  No, do not disable IPv6. There is no reason to do so unless you have a very specific application issue which is highly unlikely (although there are a few documented ones out there).
  http://blogs.technet.com/b/ipv6/archive/2007/11/08/disabling-ipv6-doesn-t-help.aspx
  http://blogs.technet.com/b/jlosey/archive/2011/02/02/why-you-should-leave-ipv6-alone.aspx
  Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
  Whoever marked this as an "answer" obviously doesn't remember that bad-old-days of "Everything's on by default! It just works!!" and the billions of dollars in lost productivity that ensued from the hundreds (thousands?) of exploits that followed this
  painfully short-sighted decision. You'd think Microsoft would have learned their lesson from the "IIS is on by default!" debacle, but that doesn't seem to be the case.
  Best practices for system administration say "turn off the services and protocols you don't use." As such,
  IPv6 should ALWAYS be disabled on servers and business workstations if you're not currently using it, just like any other protocol or service you haven't implemented or aren't using. Not using FTP? Don't install or enable
  an FTP server. Not using IPv6? Why would you have IPv6 enabled? Just because IPv6 is the newest, shiniest thing on the block doesn't mean you have to use, and it definitely shouldn't require you to start hacking about in the registry to turn it off.
  The only exception to this rule would be laptops or mobile devices where the user might (conceivably) take them into an IPv6 environment. Even then, though, you have to balance the "convenience" of not having to switch-on IPv6 against the risk that
  your unconfigured IPv6 stack might be exploitable by nefarious patries. Even so, the fact that almost nobody has switched their internal networks to IPv6 means that turning it off on laptops is still probably a "good idea." 
  For example, my laptop wireless interface might make sense to leave IPv6 enabled--I don't have any idea when I'll walk into an environment that uses IPv6 and want to use my wireless. But in the office when I'm hard-connected? We don't use IPv6 so it needs
  to be "off." Even if it's just a bit of code in the Windows firewall that can be used to say "just reject IPv6 traffic on x interface" is still a big improvement. An absolute home-run would be the addition of logic that allows Windows to dynamically disable
  IPv6 when there aren't any NICs or WNICs that are allowed to use it.
  Finally, none of this should be construed to mean I'm advising against implementing IPv6, because I'm not. However, like any major technology project you should plan carefully, making sure you understand ALL of the consequences (not just the marketing hype,)
  and making sure you'll be able to administer the changed environment as well as your administer the current one. You definitely should not let a vendor (of all things) force the decision to use it upon you because it's "on by default."

• Best practice - updating figure numbers in a file, possibly to sub-sub-chapters

  Hi,
  I'm a newbie trying to unlearn my InDesign mindset to work in FrameMaker. What is best practice for producing figure numbers to accompany diagrams throughout a document? A quick CTRL+F in the Framemaker 12 Help book doesn't seem to point me in a particular direction. Do diagrams need to be inserted into a table, where there is a cell for the image and a cell for the figure details in another? I've read that I should  use a letter and colon in the tag to keep it separate from other things that update, e.g. F: (then figure number descriptor). Is there anything else to be aware of, such as when resetting counts for chapters etc?
  Some details:
  Framemaker12.
  There are currently 116 chapters (aviation subjects) to make.
  Each of these chapters will be its own book in pdf form, some of these chapters run to over 1000 pages.
  Figure number ideally takes the form: "Figure (a number from one of the 1-116 chapters used) - figure number" e.g. "Figure 34 - 6." would be the the 6th image in the book 'chapter 34'.
  The figure number has to cross reference to explaining text, possibly a few pages away.
  These figures are required to update as content is added or removed.
  The (aviation) chapter is an individual book.
  H1 is the equivalent of the sub-chapter.
  H2 is the equivalent of the sub-sub-chapter.
  H3 is used in the body copy styling, but is not a required detail of the figure number.
  I'm thinking of making sub-chapters in to individual files. These will be more manageable on their own. They will then be combined in the correct order to form the book for one of these (1 of 116) subject chapters.
  Am I on the right track?
  Many thanks.
  Gary

  Hi,
  Many thanks for the link you provided. I have implemented your recommendation into my file. I have also read somewhere about sizing anchored frames to an imported graphic using 'esc' + 'm' + 'p'.
  What confuses me, coming from InDesign is being able to import these graphics at the size they were made ( WxH in mm at 300ppi) and keeping them anchored to a point in the text flow.
  I currently have 1 and 2 column master pages built. When I bring in a graphic my process is:
  insert a single cell table on the next space after current text > drop the title below the cell > give the title a 'figure' format. When I import a graphic it either tries to fit it in the current 2 column layout with only part of it showing in a box which is half the width of a single column!
  A current example: page 1 (2 column page) the text flows for 1.5 columns. At the end of the text I inserted a single cell table, then imported and image into the cell.
  Page 2 (2 column page) has the last line of page 1's text in the top left column.
  Page 3 (2 page column)  has the last 3 words of page 1 in its top left column.  The right column has the table in it with part of the image showing. The image has also bee distorted, like it's trying to fit. These columns are 14 cm wide, the cell is 2 cm wide at this point. I have tried to give cells for images 'wider' attributes using the object style designer but with no luck.
  Ideally I'm trying to make 2 versions. 1) an anchored frame that fits in a 1 column width on a 2 column width page. 2) An anchored frame that fits the full width of my landscape pages (minus some border dimension),  this full width frame should be created on a new proceeding page. I'd like to be able drop in images to suit these different frames with as much automation as possible.
  I notice many tutorials tell you how to do a given area of the program, but I haven't been able to find one that discusses workflow order. Do you import all text first, then add empty graphic boxes and/or tables throughout and then import images? I'm importing text from Word,  but the images are separate, having been vectored or cleaned up in Photoshop - they won't be imported from the same word file.
  many thanks

• Best Practice for VPC Domain failover with One M2 per N7K switch and 2 sups

  I Have been testing some failover scenarios with 4 nexus 7000 switches with an M2 and an F2 card in each. Each Nexus has two supervisor modules.
  I have 3 VDC's Admin, F2 and M2
  all ports in the M2 are in the M2 VDC and all ports on the F2 are in the F2 VDC.
  All vPC's are connected on the M2 cards, configured in the M2 VDC
  We have 2 Nexus representing each "site"
  In one site we have a vPC domain "100"
  The vPC Peer link is connected on ports E1/3 and E1/4 in Port channel 100
  The peer-keepalive is configured to use the management ports. This is patched in both Sups into our 3750s. (this is will eventually be on a management out of band switch)
  Please see the diagram.
  There are 2 vPC's 1&2 connected at each site which represent the virtual port channels that connect back to a pair of 3750X's (the layer 2 switch icons in the diagram.)
  There is also the third vPC that connects the 4 Nexus's together. (po172)
  We are stretching vlan 900 across the "sites" and would like to keep spanning tree out of this as much as we can, and minimise outages based on link failures, module failures, switch failures, sup failures etc..
  ONLY the management vlan (100,101) is allowed on the port-channel between the 3750's, so vlan 900 spanning tree shouldnt have to make this decision.
  We are only concerned about layer two for this part of the testing.
  As we are connecting the vPC peer link to only one module in each switch (a sinlge) M2 we have configured object tracking as follows:
  n7k-1(config)#track 1 interface ethernet 1/1 line-protocol
  n7k-1(config)#track 2 interface ethernet 1/2 line-protocol
  n7k-1(config)#track 5 interface ethernet 1/5 line-protocol
  track 101 list boolean OR
  n7k-1(config-track)# object 1
  n7k-1(config-track)# object 2
  n7k-1(config-track)# object 5
  n7k-1(config-track)# end
  n7k-1(config)# vpc domain 101
  n7k-1(config-vpc-domain)# track 101
  The other site is the same, just 100 instead of 101.
  We are not tracking port channel 101, not the member interfaces of this port channel as this is the peer link and apparently tracking upstream interfaces and the peer link is only necessary when you have ONE link and one module per switch.
  As the interfaces we are tracking are member ports of a vPC, is this a chicken and egg scenario when seeing if these 3 interfaces are up? or is line-protocol purely layer 1 - so that the vPC isnt downing these member ports at layer 2 when it sees a local vPC domain failure, so that the track fails?
  I see most people are monitoring upstream layer3 ports that connect back to a core? what about what we are doing monitoring upstream(the 3750's) & downstream layer2 (the other site) - that are part of the very vPC we are trying to protect?
  We wanted all 3 of these to be down, for example if the local M2 card failed, the keepalive would send the message to the remote peer to take over.
  What are the best practices here? Which objects should we be tracking? Should we also track the perr-link Port channel101?
  We saw minimal outages using this design. when reloading the M2 modules, usually 1 -3 pings lost between the laptops in the diff sites across the stretched vlan. Obviously no outages when breaking any link in a vPC
  Any wisdom would be greatly appreciated.
  Nick

  Nick,
  I was not talking about the mgmt0 interface. The vlan that you are testing will have a link blocked between the two 3750 port-channel if the root is on the nexus vPC pair.
  Logically your topology is like this:
      |                             |
      |   Nexus Pair          |
  3750-1-----------------------3750-2
  Since you have this triangle setup one of the links will be in blocking state for any vlan configured on these devices.
  When you are talking about vPC and L3 are you talking about L3 routing protocols or just intervaln routing.
  Intervlan routing is fine. Running L3 routing protocols over the peer-link and forming an adjaceny with an router upstream using L2 links is not recommended. Teh following link should give you an idea about what I am talking here:
  http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
  HSRP is fine.
  As mentioned tracking feature purpose is to avoid block hole of traffic. It completely depends on your network setup. Don't think you would be needing to track all the interfaces.
  JayaKrishna

• Template(best practice) for Switch ports

  Hi,
  Looking for best practice advice on switchport config for client facing ports.
  We recently had an incident where an access port turned into a trunk(trunk mode desirable), which we obviously do not want to happen again!
  For Access Ports(First two should stop DTP I'm hoping?):
  switchport mode access
  switchport nonegotiate
  storm-control broadcast level 20.00
  storm-control action trap
  no cdp enable
  spanning-tree portfast
  spanning-tree bpdufilter enable
  spanning-tree guard root
  switchport port-security maximum 10
  switchport port-security
  switchport port-security aging time 10
  And for trunk ports to clients:
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan xxx,xxx
  switchport nonegotiate
  storm-control broadcast level 20.00
  storm-control action trap
  no cdp enable
  spanning-tree bpdufilter enable
  spanning-tree guard root
  Thanks in advance.

  Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930
  That's Cisco's branch design doc from Design Zone.
  For those that want a fast answer:
  For VoIP phones and PC:
  interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
  description phone with PC connected to phone
  switchport access vlan 102
  switchport mode access
  switchport voice vlan 101
  switchport port-security maximum 2
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 100
  load-interval 30
  srr-queue bandwidth share 1 70 25 5
  srr-queue bandwidth shape 3 0 0 0
  priority-queue out
  mls qos trust device cisco-phone
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source
  ip dhcp snooping limit rate 100
  For data only:
  interface GigabitEthernet1/0/24- interface GigabitEthernet1/0/28
  description DATA only ports
  switchport access vlan 102
  switchport mode access
  switchport port-security maximum 3
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 100
  load-interval 30
  srr-queue bandwidth share 1 70 25 5
  srr-queue bandwidth shape 3 0 0 0
  priority-queue out
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source
  ip dhcp snooping limit rate 100
  That's Cisco's recommendation.
  And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. Reason being that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". For two, if someone malicious plugs in a switch into your environment, shut the port down. . .that makes it hard for them to do anything malicious.

• What is the best practice way of stopping a sub-domain from being indexed?

  Hi there
  I notice that a client site is being indexed as both xxx.com.au [their primary domain] as well as xxx.PARTNERDOMAIN.com.au.
  I have Googled quite a bit on the subject and have browsed the forums, but can't seem to find any specific best practice approach to only having the primary domain indexed.
  One method that seems to be the most recommended is having a second robots.txt site for the sub-domain xxx.PARTNERDOMAIN.com.au with Disallow: /
  Does anyone have a definitive recommendation?
  Many thanks
  Gavin

  Sorry I assumed they were two different sites, they are the same "content" just two different URLs?
  Canonical links will help but it wont stop or remove you being indexed it only adds higher index weight to the Canonical linked URL. Plus only search engines that support that meta tag will work.
  You essentially need two robots.txt to do this effectively or add the META TAG if you can split the sites somehow.
  There is a more complex way, you could host the second domain somewhere else, use htaccess or similar to do a reverse proxy to the main site to pull the contents in realtime, all except the robots.txt file. This way you could have two sites with only 1 to update but still have two robots.txt's
  http://en.wikipedia.org/wiki/Reverse_proxy
  I've done this for a few sites, you are essentially adding a middle man, it will be a tad slower depending on how far the two servers are apart, but it is like having a cname domain but with total control.

• What is best practice for remotely managing bank of switches over POTS

  I need to be able to have a back door into several catalyst switches and ASA.
  What is the best practice for accessing them remotely. ?

  Just place a modem into any console port. Ideally you use a terminal server, but is not always really needed.

• Keep wifi on/off for shutdown  what is best practice?

  hi all
  i was wondering what the general consensus was for turning wifi on and off. i normally shut down my MBP during the night, and turn my wifi off as well.
  is it worth to turn the wifi off at all, or can i just leave it on?
  the reason i ask is because it would be nice to just power on and have it set up without taking the extra (5 seconds) to turn it on.
  thoughts? what do you all do? what is considered best practice here?

  Radium88 wrote:
  007, i was talking about my MBP not the actual router.
  thanks for the reply
  Well in your first post you say, "I shut down my MBP during the night", and then say, and turn my WIFi off as well".
  If you shut down your MBP then the WiFi in the MBP is off to begin with. No power to the MBP is No power to the WiFi card in the MBP. So I assumed you were talking about your WiFi router.

• Switching Best Practice - Spanning Tree andEtherchannel

  Dear All,
  Regarding best practice related to Spanning Tree and Etherchannel, we have decided to configure following.
  1. Manually configure STP Root Bridge.
  2. On end ports, enable portfast and bpduguard.
  3. On ports connecting to other switches enable root guard.
  In etherchannel config, we have kept mode on on both side, need to change to Active and desirable as I have read that mode on may create loops? Please let me know if this is OK and suggest if something missing.
  Thank You,
  Abhisar.

  Hi Abhisar,
  Regarding your individual decisions: Manually configuring the Root Bridge is a natural thing to do. You should never leave your network just pick up a root switch based on default switch settings.
  On end ports, using PortFast and BPDU Guard is a must especially if you are running Rapid PVST+ or MSTP.
  Regarding the Root Guard on ports to other switches - this is something I do not recommend. The Root Guard is a protective mechanism in situations when your network and the network of your customer need to form a single STP domain, yet you want to have the STP Root Bridge in your network part and you do not want your customer to take over this root switch selection. In these cases, you would put the Root Guard on ports toward the customer. However, inside your own network, using Root Guard is a questionable practice. Your network can be considered trustworthy and there is no rogue root switch to protect against. Using Root Guard in your own network could cause your network to be unable to converge on a new workable spanning tree if any of the primary links failed, and it would also prevent your network from converging to a secondary root switch if the primary root switch failed entirely. Therefore, I personally see no reason to use Root Guard inside your own network - on the contrary, I am concerned that it would basically remove the possibility of your network to actually utilize the redundant links and switches.
  Regarding EtherChannels - yes, you are right, using the on mode can, under circumstances, lead to permanent switching loops. EtherChannel is one of few technologies in which I wholeheartedly recommend on relying on a signalling protocol to set it up, as opposed to configuring it manually. The active mode is my preferred mode, as it utilizes the open LACP to signal the creation of an EtherChannel, and setting both ends of a link to active helps to bring up the EtherChannel somewhat faster.
  If you are using fiber links between switches, I recommend running UDLD on them to be protected against issues caused by uni-directional links. UDLD is not helpful on copper ports and is not recommended to be run on them. However, I strongly recommend running Loop Guard configured globally with the spanning-tree loopguard default. Loop Guard can, and should, be run regardless of UDLD, and they can be used both as they nicely complement each other.
  My $0.02...
  Best regards,
  Peter

• Query: Best practice SAN switch (network) access control rules?

  Dear SAN experts,
  Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
  I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
  Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
  In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
  For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
  These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
  So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
  regards,
  Will.

  Hi William,
  That's a pretty wide net you're casting there, but i'll do my best to give you some insight in the matter.
  Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
  for zones there are a few best practices:
  * Default Zone: Don't use it. unless you're running Ficon.
  * Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
  * Don't mix zoning types:  You can zone on wwn, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
  * Device alias zoning is definately recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing hba's a heck of a lot less painful in your fabric.
  * LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
  * Read-Only exists, but again any modern array should be able to make a lun read-only.
  * QoS on Zoning: Isn't really an ACL method, more of a congestion control.
  VSANs are a way to separate your physical fabric into several logical fabrics.  There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other.  A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
  When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
  Traditional IP acls (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to ethernet interfaces in your storage switch).
  They are quite logical to use  and work just the same on an MDS as on a traditional Ethernetswitch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
  I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
  To protect your san from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
  That's a very brief summary of the most important access-control-related Best Practices that come to mind.  If any of this isn't clear to you or you require more detail, let me know. HTH!

• Best Practice for Daisy Chaining 2 SG300-10 switches

  I have an initial SG300-10 installed and have run out of RJ-45 ports.
  Is there a "best practice" or preferred procedure to daisy chain a 2nd SG300-10 to the 1st switch?
  Thanks.

  These switches are not stack able.  Just add a second switch and uplink it just like the other 10.
  HTH

• Best Practices for multi-switch MDS 9124 Impelementations

  Hi,
  I was wondering if anyone had any links to best-practices guides, or any experience, building mutli-swtich fabrics with the Cisco MDS 9124 or similar (small) switches? I've read most of the FibreChannel books out there and they all seem pretty heavy on theory and FibreChannel protocol operations but lack when it comes to real-world deployment scenarios. Something akin to the Case Studies sections a lot of the CCIE literature has, but anything would be appreciated.
  Regards,
  Meredith Shaebanyan

  Hi Meridith
  www.Whitepapers.zdnet.com has links to good reading. It has links to items like:
  http://www.vmware.com/pdf/esx_san_cfg_technote.pdf is probably a typical SAN environment these days. It's basic and just put your 9124's in where the switches are.
  http://www.sun.com/bigadmin/features/hub_articles/san_fundamentals.pdf is for bigger SANs such as DR, etc.
  Things to consider with 9124's are:
  They can break so keep a good current backup on a tftp/ftp/scp server.
  Consider that if you have all the ports used, the two 8 port licences are not going to work on a replacement switch as they are bound to your hostid. The vendor that sold the switch should be able to get replacements quickly but you will lose time with them.
  Know exactly what the snmpserver command does as if you have your 9124 replaced and you load your backup config and you use Fabric Manager, it won't be able to manage the 9124 unless you change the admin password with snmpserver.
  9124/9134's don't have enough Buffer Credits to expand beyond about 10 km.
  Any ISL's used between switches should always be at least two and use Port Channels where possible.
  The 9124 or 9124e or 9134 are great value based switches. I keep a spare for training and emergencies. We use them in a core/edge solution and I am very satisfied with them. I have only had one failure with Cisco switches in the last 5 years and it was a 9140 that sat around for far too long doing nothing. The spare meant we were up and running in 30 minutes from the time we noticed the failure and got to the data centre. As there were two paths, no one actually noticed anything. My management system alerted me.
  Remember to make absolutely sure that any servers attached to the SAN have multipathing software. The storage array vendors (HDS, EMC, etc) can sell you the software such as HDLM or Powerpath. You can use an independent solution such as Veritas DMP. Just don't forget to use it.
  Follow the guidelines in the two documents and get some training as the MDS training is very good indeed. 5 days training and you will be confident about what to do in any sized SAN including Brocade and McData.
  A small SAN is just as satisfying as a large one. If in doubt, get a consultant to tell you what to do.
  Is that what you was after? I hope it was not too simple.
  Stephen