ACS 5.6 Clean Install / AAA Client Query

GRANT3779
Frequent Contributor

Hi All,

I have 2 x ACS 5.6 VMs and looking into the best way to use these in our current network.

We have about 30 sites in total each with a minimum of 5 AAA clients. Some sites will have 15+ AAA clients.

At the moment we are using 1 x ACS 4.2 VM and all my clients are configured to use this for AAA.


Some of the things I am unsure about are: should I configure all my AAA clients to use the new IP address of my ACS 5.6 server, or should I look at reusing the current ACS 4.2 address? However, if I am using 2 ACS 5.6 servers (one primary and one secondary), do all my AAA clients need to be aware of both the primary and secondary server? My concern is that we have so many devices that some will be missed if they need to be reconfigured. Are there any best practices / tips / advice for someone currently running 4.2 and moving to a new clean install of 5.6?

Many Thanks

5 Replies

nspasov
Cisco Employee

- You can try to re-use the IP address from your 4.x deployment, but it becomes a bit tricky when doing the cutover and/or rollback (things like connecting/disconnecting the NICs, clearing ARP, etc.). I have always preferred to stand up the new servers with new IP addresses and then list those IPs as additional AAA (RADIUS or TACACS+) servers in each AAA client. That way, if something goes wrong with the new deployment, I can just turn off the new servers and the AAA device will fall back to the original ACS server and continue to function.

- Yes, the IP addresses of both ACS servers will need to be listed in your AAA clients. If you have many AAA clients then you have some options outside of doing this manually:

1. You can get an application like SolarWinds' NCM (Network Configuration Manager) and use it to configure multiple devices.

2. If your organization has a load balancer then you can make things even easier. You can then list all three servers' IP addresses behind one VIP (Virtual IP). That way you can add/remove AAA servers without impacting the rest of the environment.

I hope this helps!


Thank you for rating helpful posts!
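
As an added example (not part of the thread, and not Cisco's or the poster's own configuration), this is what the "new servers preferred, old server kept as fallback" ordering from the reply above looks like on a Cisco IOS 15.x device using the named TACACS+ server syntax. The server names, the 192.0.2.x addresses and the key strings are placeholders; the ACS 4.2 server stays in the group as the last network fallback before local accounts.

```cisco
! Added example: IOS 15.x named TACACS+ servers. Names, addresses and keys are placeholders.
aaa new-model
!
! New ACS 5.6 primary and secondary: listed first so they are tried first
tacacs server ACS56-PRI
 address ipv4 192.0.2.11
 key SHARED-SECRET-PLACEHOLDER
 timeout 5
tacacs server ACS56-SEC
 address ipv4 192.0.2.12
 key SHARED-SECRET-PLACEHOLDER
 timeout 5
! Existing ACS 4.2 server kept as fallback until the cutover is confirmed
tacacs server ACS42-OLD
 address ipv4 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER
 timeout 5
!
! The order inside the server group decides which ACS is contacted first;
! an unreachable server times out and the next one in the list is tried
aaa group server tacacs+ ACS-GROUP
 server name ACS56-PRI
 server name ACS56-SEC
 server name ACS42-OLD
!
! Method lists: every ACS server in order, then local accounts if none respond
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
!
! Local break-glass account so the device stays manageable if all servers are down
username admin privilege 15 secret BREAK-GLASS-PLACEHOLDER
```

Once the 5.6 deployment is proven, remove `server name ACS42-OLD` from the group and the matching `tacacs server` block, so that the fallback for a failed new server is the other new server rather than the old box. Verify the fallback path before decommissioning by stopping one ACS 5.6 node and checking with `show tacacs` that logins still succeed against the remaining servers.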


GRANT3779
Frequent Contributor

Hi Neno,

Thanks for that. Gave me some more things to think about. Regarding the Load Balancer, would this have to be a Cisco product?

The load balancer doesn't have to be Cisco. In fact Cisco discontinued their load balancer product/solution (ACE). F5 would probably be your best option out there along with NetScaler.


Thank you for rating helpful posts!

GRANT3779
Frequent Contributor

Hi Neno,

If I have both my ACS servers sitting behind a load balancer, what would you recommend for the deployment model? E.g. is it still OK to have a primary and secondary server, or should I use a split deployment model?

I would recommend that you still keep them in a "clustered - primary/secondary" deployment. That way all configuration changes are done on one primary unit and then replicated on the secondary one. Otherwise, you would have to manage two separate configuration databases, which would add unnecessary administrative overhead and leave room for errors. Also, if you are using the "large deployment" license, you would have to purchase one for each unit (if you split the deployment).


Thank you for rating helpful posts!
