ACS 5.4 Base License "500" Reached Max # of IP Addresses in Network Devices: (used IP Ranges)
We recently came to realize that we have maxed out our base license for IP addresses in Network Devices. We made the mistake of using "IP Ranges" for all of our Network Devices and AAA Clients, which according to what I've read is the quickest way to deplete the Base License Devices quickly.
What are some workaround ideas, which don't count against the 500 Base License? Is using the "Default Network Device" under Network Resources in ACS 5.4, for AAA clients that haven't been defined in ACS, along with specifying a specific 'unknown' location, the only solution that doesn't count against the 500 base device limit?
The way we are set up now is that we use TACACS+/RADIUS sourced from loopbacks and a common Management VLAN L3 SVI for TACACS+ remote access, and for RADIUS 802.1X authentication implemented on switch ports for PCs. We are still in the rollout phase of 802.1X, and looking at a way to modify our ACS to still allow authentication for dot1x and also allow remote access to all our network devices (all Cisco).
Also, on our routers and main L3 access switches (which typically have one or two other L3/L2 access switches hanging off of them) we source the TACACS+/RADIUS server from a loopback, and use a common Management VLAN L3 SVI to source the TACACS+/RADIUS servers (same ACS server IPs) on all of our ES modules and tail-end Cisco 3750/3560 access switches. The question is, would this be considered optimal, or should we use loopbacks for sourcing on all L3 switches? Does it really matter if sourced from a loopback or L3 SVI? And is it best practice to separate your source interface on devices for your TACACS+ and RADIUS servers, such as loopback 0 for RADIUS and loopback 1 for TACACS+? Someone mentioned that to me as a better practice, but I'm unclear if it really matters in the grand scheme of things. We haven't seen any issues in our network setup with using the same source interface for both TACACS+ and RADIUS servers.
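The two sourcing designs asked about above, as an added Cisco IOS example that is not part of the original post: one loopback sourcing both protocols versus a separate loopback per protocol. Server addresses, keys, loopback addresses and group names are placeholders; ACS identifies the AAA client by the request's source IP, so a fixed loopback source gives one host entry per device rather than a range.

```cisco
! Added example, not from the original post. Server IPs, keys, loopback
! addresses and group names are placeholders.
aaa new-model
!
! A loopback stays up as long as the device does, unlike an SVI that depends
! on VLAN/port state, so the source IP ACS sees never changes.
interface Loopback0
 description Management / AAA source
 ip address 10.255.0.1 255.255.255.255
!
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key <placeholder-tacacs-key>
!
radius server ACS-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <placeholder-radius-key>
!
! Design A: the same loopback sources both protocols (the poster's current setup).
! ACS only needs to know this one address for the device.
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
! Design B: a separate loopback per protocol. Costs a second address per
! device, and both addresses then have to be known to ACS.
! interface Loopback1
!  description RADIUS source
!  ip address 10.255.1.1 255.255.255.255
! ip tacacs source-interface Loopback0
! ip radius source-interface Loopback1
!
aaa group server tacacs+ ACS-TACACS
 server name ACS-PRIMARY
aaa group server radius ACS-RADIUS
 server name ACS-PRIMARY
!
! Device admin (remote access) via TACACS+, 802.1X via RADIUS, local fallback.
aaa authentication login default group ACS-TACACS local
aaa authorization exec default group ACS-TACACS local
aaa authentication dot1x default group ACS-RADIUS
```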
We have configured the outside and inside Interface with official IPv6 addresses, set a default route on the outside Interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside Interface to any6.
In Syslog I also se...