Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1738
Views
5
Helpful
8
Replies

acs 5.3 dispersed deployment

Andrew MacTaggart
Level 1
Level 1

‎08-06-2012 08:45 PM - edited ‎03-10-2019 07:23 PM

Here is the scenario

I have 2 campuses and 2 acs 5.3

each campus is somewhat independant

I need to setup the following

campus 1 - acs primary

LDAP store - point to local resource and secondary resource on campus 2

Host database for mac filtering - campus 1 acs as primary campus 2 acs as secondary - so replication from campus 1 to campus 2

campus 2 acs secondary

LDAP store - point to local resource and secondary resource on campus 1

Host database for mac filtering - campus 1 acs as primary campus 2 acs as secondary - so replication from campus 1 to campus 2

I am looking at the dispersed deployment, but there is not much info on setting it up.

Questions:

do I need to set the secondary to local mode for dispersed

or can I create everything I need in the primary

I have created access policies

1 for campus 1 - pointing to local ldap

and

1 for campus 2 - pointing to local ldap

but i am not certain how to make the secondary acs check local resources versus traversing the campus link and checking with the primary acs.

Any thoughts or info would be greatly appreciated.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_deploy.html

Dispersed ACS Deployment

A dispersed ACS deployment is useful for organizations that have  campuses located throughout the world. There may be a home campus where  the primary network resides, but there may be additional LANs, sized  from small to large, in campuses in different regions.

To optimize AAA performance, each of these remote campuses should have its own AAA infrastructure. See Figure 1-5. The centralized management model should still be used to maintain a consistent, synchronized AAA policy.

A centralized-configuration, primary ACS server and separate Monitoring  and Report server should still be used. However, each of the remote  campuses will have unique requirements.

Figure 1-5     Dispersed ACS Deployment

Labels:
0 Helpful
8 Replies 8

Tarik Admani
VIP Alumni
VIP Alumni

‎08-07-2012 12:38 AM

Simon,

Just out of curiosity is your dns environment replicated between both sites? If not, you can try to create another dns alias (cname) and have site resolve to primary and site b resolve to secondary. Then create another alias records which reverses the order at both sites?

Thanks,

Tarik Admani
*Please rate helpful posts*

Andrew MacTaggart
Level 1
Level 1
In response to Tarik Admani

‎08-07-2012 05:56 PM

Thanks

DNS is separate but contains overlapping info for both locations. The LDAP server name is configured on both sides. although I guess I could call it something completely different, however, the LDAP store was configured with IP addresses originally. I will have to think about it.

Thanks for the idea

At this point I have deregistered the secondary and edited the access policy to use the local resources.

for the mac filtering, I am thinking that I will update campus 1 and export the cvs.

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Andrew MacTaggart

‎08-07-2012 07:13 PM 

for the mac filtering, I am thinking that I will update campus 1 and export the cvs.

Simon,

If you are going to populate the internal host database on acs primary this will replicate to acs secondary.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Andrew MacTaggart
Level 1
Level 1
In response to Tarik Admani

‎08-07-2012 07:16 PM

Yes, only if I have primary and secondary setup, but I can't figure out a way for campus 2 to point to local resources. so currently it's detached. The cname would have done the trick, but our LDAP servers share the same dns name so I can't use cname because it would still send ldap requests to campus 1 due to the round robin.

Cheers

0 Helpful

Andrew MacTaggart
Level 1
Level 1
In response to Tarik Admani

‎08-07-2012 07:13 PM

It was a good thought, but our ldap dns entries are setup for round robin - so cname would defeat the purpose.

Cheers

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Andrew MacTaggart

‎08-07-2012 07:23 PM

Simon,

This would have worked with Active Directory by using Sites and Services. Are you using AD or an ldap server? If this is AD why are you going the LDAP route?

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Andrew MacTaggart
Level 1
Level 1
In response to Tarik Admani

‎08-07-2012 08:29 PM

LDAP is what we have. We are an old Novell shop.

Cheers

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Andrew MacTaggart

‎08-10-2012 12:37 AM

Simon,

Here is a guide that explains how you can process dns replies based on the clients source ip address. This may allow you resolve the dns queries per your design. I didnt get a chance to get deep into this but though this would be something you were after:

http://support.microsoft.com/kb/842197

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Customers Also Viewed These Support Documents