ACS NDG nesting

11-03-2011 06:17 AM - edited 03-10-2019 06:31 PM
I have an admin who nested a Network Device Group inside another Network Device Group. Is that recommended? For instance, there is an NDG for Asia, and inside Asia he put another NDG for routers, another for switches, and yet another for firewalls. This seems way too complicated for TACACS authentication use.
I have seen Cisco Security Manager balk at these nested groups and not be able to see down into the nested groups to see if a device is set up in ACS.
I would like to restructure the group for Asia to be one big NDG containing all IPs of devices under one heading.
What do you recommend?
Labels: AAA
11-03-2011 08:39 AM
Hi Michael
I don't think there is a wrong or right way. I'm currently in the testing stages of our new ACS roll-out.
What I have done is to create 3 NDGs and set them up as follows:
Location - Continent - Country - Town - Office location
Device Type - Type of device - Vendor name
Department - Department who manages the device
I can then use these in my policies to allow read-only access based on device type and location. I can also use the Department NDG to allow admin access to devices if it's managed by a different team other than ours.
This seems to work ok based on the bit of testing I have done so far.
Cheers
Jay
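The reply above describes three independent NDG hierarchies (Location, Device Type, Department) and authorization rules that combine them. The following is an added illustration, not Cisco ACS code or anything from this thread: it models NDG paths as colon-separated hierarchies, matches a rule's group against everything beneath it, and evaluates an ordered policy first-match style. All device entries, group names and rules are constructed for the example. It also shows why separate hierarchies beat nesting device type under a region: one "Device Type:Switch" rule covers switches in every location, whereas an Asia/Switches, Europe/Switches layout would need a rule per region.

```python
"""
Constructed model of ACS-style Network Device Groups (NDGs) used in
TACACS+ authorization decisions.  Not Cisco code; every name below is
made up for illustration.

An NDG is a path such as "Location:Asia:Japan:Tokyo".  A rule that names
"Location:Asia" matches every device whose Location path starts with that
prefix.  Location, Device Type and Department are separate hierarchies,
so a device belongs to one path in each and a rule can combine them.
"""
from dataclasses import dataclass, field


def ndg_matches(rule_group: str, device_group: str) -> bool:
    """True when device_group is rule_group itself or lies beneath it.

    Comparison is on whole path components, so "Location:Asia" does not
    accidentally match a sibling like "Location:AsiaPacific".
    """
    rule_parts = rule_group.split(":")
    device_parts = device_group.split(":")
    return device_parts[:len(rule_parts)] == rule_parts


@dataclass
class Device:
    ip: str
    groups: dict  # hierarchy name -> full NDG path for this device


@dataclass
class Rule:
    name: str
    conditions: dict        # hierarchy name -> required NDG path; all must match
    shell_profile: str      # authorization result returned on a match
    user_departments: set = field(default_factory=set)  # empty = any user


def authorize(user_department: str, device: Device, rules: list) -> str:
    """First-match evaluation over an ordered rule list.

    Returns the shell profile of the first rule whose NDG conditions all
    match the device and whose user restriction (if any) admits the user.
    Falls through to "DenyAccess" when nothing matches.
    """
    for rule in rules:
        if rule.user_departments and user_department not in rule.user_departments:
            continue
        if all(ndg_matches(path, device.groups.get(hierarchy, ""))
               for hierarchy, path in rule.conditions.items()):
            return rule.shell_profile
    return "DenyAccess"


# Constructed policy, ordered most privileged first (hypothetical names).
RULES = [
    # Full admin when the user's team is the team that owns the device.
    Rule("Owning team admin", {"Department": "Department:NetOps"},
         "FullAdmin", user_departments={"NetOps"}),
    # Read-only on routers anywhere in Asia, for anyone who authenticates.
    Rule("Asia router read-only",
         {"Location": "Location:Asia", "Device Type": "Device Type:Router"},
         "ReadOnly"),
    # Read-only on all switches regardless of region: one rule, every site.
    Rule("Switch read-only worldwide", {"Device Type": "Device Type:Switch"},
         "ReadOnly"),
]

# Constructed device inventory (RFC 5737 documentation addresses).
DEVICES = {
    "tokyo_router": Device("192.0.2.1", {
        "Location": "Location:Asia:Japan:Tokyo",
        "Device Type": "Device Type:Router:Cisco",
        "Department": "Department:NetOps"}),
    "london_router": Device("192.0.2.2", {
        "Location": "Location:Europe:UK:London",
        "Device Type": "Device Type:Router:Cisco",
        "Department": "Department:NetOps"}),
    "singapore_switch": Device("192.0.2.3", {
        "Location": "Location:Asia:Singapore",
        "Device Type": "Device Type:Switch:Cisco",
        "Department": "Department:Campus"}),
    "tokyo_firewall": Device("192.0.2.4", {
        "Location": "Location:Asia:Japan:Tokyo",
        "Device Type": "Device Type:Firewall:Cisco",
        "Department": "Department:SecOps"}),
}


if __name__ == "__main__":
    for user in ("NetOps", "Helpdesk"):
        for name, dev in DEVICES.items():
            print(f"{user:8} -> {name:17} {authorize(user, dev, RULES)}")
```

The usage loop at the bottom prints the decision matrix for two hypothetical user teams against the four devices; a NetOps user gets FullAdmin only on NetOps-owned devices, a Helpdesk user gets ReadOnly on Asian routers and on switches anywhere, and the firewall and the London router fall through to DenyAccess for Helpdesk because no rule covers them.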
