09-22-2009 08:13 AM - last edited on 03-25-2019 05:26 PM by ciscomoderator
I currently have two productive ACS appliances up and running with everything I need. I have to enable several devices in a partner network to use all the AAA features already configured with the devices in my "local" network.
The problem: a direct connection between both ACS domains or any other direct flow between both networks is prohibited. The solution is an intermediate network which can host shared resources and is accessible from both sides.
So if I am not wrong, I should be able to replicate from my local network ACS to an intermediate ACS and from there to my ACS in the partner network. So before I put another ACS appliance into the intermediate network, I would like to have a second opinion on my planned replication topology.
I added a simple drawing of the planned replication topology.
Any advice is welcome, thanks for reading.
Roble
09-22-2009 08:28 AM
Hi,
I guess that is a good thought, since we cannot directly reach the remote site.
The plan you have should work fine; just ensure port 2000 is allowed through the firewall.
Here is the replication check list,
1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication
2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.
3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.
4) Ensure that the secondary server has its replication scheduling set to "manual".
5) Please verify that your servers are all running exactly the same ACS version and build.
6) Also let me know if we have any firewall in between the two ACS servers.
Regards,
~JG
Do rate helpful posts
09-22-2009 08:50 AM
Hi Jagdeep,
1) No NAT involved.
2) In my current setup I am sending the distribution table to the secondary server and so far I have not seen any issues. Could you explain the reason why this is necessary? A link explaining this would also help.
3) My current setup:
ACS #1 NW A, Partner -> ACS #2 NW A
ACS #2 NW A, no Partner, accept any
Planned:
ACS #1 NW A; Partner -> ACS #2 NW A, ACS #1 NW B, accept any
ACS #1 NW B; Partner -> ACS #1 NW C, accept any
ACS #2 NW B; no Partner, accept any
If you list all receiving ACS appliances in network B and C as partners, wouldn't the primary ACS try to directly contact the ACSes in NW B and C? This is not possible due to the firewall restrictions.
4) Checked for ACS #2 NW A.
For the other ACS #1 in network B and C I planned -> Automatically triggered cascade
The ACS #2 in network C would then be set to manual as well.
5) verified
6) Yes, loads of FWs between those appliances. But from previous experience we will make sure that the skinny inspection is disabled: "no inspect sccp" in the default policy.
Thanks for the fast answer!
Roble
09-22-2009 10:19 AM
Hi Roble,
2) Sending the distribution table can change the settings on the secondary server, causing it to be unable to authenticate.
3) Let's say you have three ACS: A, B, C
a) On ACS A ---> Partner B and C
b) On ACS B ---> Partner C and AAA server A
c) On ACS C ---> Partner None and AAA server B, A
4) On ACS B, you need to set up Automatically triggered cascade. C should be set to manual. ACS A should be set to scheduled or manual.
Regards,
~JG
Do rate helpful posts
09-23-2009 02:33 AM
Hi Jagdeep,
2) I will have to read about this in detail in the replication part of the manual. I have to admit that I don't understand it completely. So I will queue this part until I can ask more precisely.
3)
ACS A ---> Partner B and C
Will this result in a direct TCP connection to ACS C? Or is this necessary to make ACS C eligible to receive updates originating from ACS A?
What do you mean with AAA Server? Are you talking about the forwarding of Events to the upstream ACS?
4) This is what I had in mind.
Thanks again
Roble
09-24-2009 07:02 AM
Hi Roble,
Sorry for the delay.
3) Correction
ACS A ----> Partner B (Scheduled)
ACS B ----> Partner C (Automatically triggered cascade), AAA-server A
ACS C ----> AAA-server B, Partner None (Manual)
AAA Server : It is the name of the ACS in the AAA Servers column under partners.
Regards,
~JG
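The replication checklist JG posted earlier (no NAT, no distribution table, secondaries never listing their primary, manual/cascade scheduling, identical versions) and the corrected A -> B -> C cascade above can be checked mechanically before the intermediate appliance is racked. The script below is an added example and not code from the thread or from ACS; node names, the `x.y` version placeholder, the `users` component and the `reachable` firewall pairs are constructed assumptions, and the checker also models Roble's firewall concern by flagging any partner link the firewalls do not permit.

```python
from dataclasses import dataclass, field

DIST_TABLE = "distribution_table"  # the one component that must never be replicated

@dataclass
class AcsNode:
    name: str
    version: str                                   # must match on every ACS
    schedule: str                                  # "scheduled", "manual" or "cascade"
    partners: list = field(default_factory=list)   # outbound replication targets
    send: set = field(default_factory=set)         # components sent to partners
    receive: set = field(default_factory=set)      # components accepted from a primary
    behind_nat: bool = False

def check_topology(nodes: dict, reachable: set) -> list:
    """Return findings (empty = passes); `reachable` = (src, dst) pairs open on TCP/2000."""
    findings = []
    if len({n.version for n in nodes.values()}) > 1:
        findings.append("all ACS must run the same version and build")
    receivers = {p for n in nodes.values() for p in n.partners}
    for n in nodes.values():
        if n.behind_nat:
            findings.append(f"{n.name}: replication over NAT is unsupported")
        if n.partners and DIST_TABLE in n.send:
            findings.append(f"{n.name}: sends the distribution table")
        if n.name in receivers and DIST_TABLE in n.receive:
            findings.append(f"{n.name}: receives the distribution table")
        for p in n.partners:
            if (n.name, p) not in reachable:
                findings.append(f"{n.name} -> {p}: no firewall path for replication")
            if p in nodes and n.name in nodes[p].partners:
                findings.append(f"{p}: lists its primary {n.name} as a partner")
        # Top of the chain: scheduled or manual; relays: cascade; leaves: manual.
        if n.name in receivers:
            want = ("cascade",) if n.partners else ("manual",)
        else:
            want = ("scheduled", "manual")
        if n.schedule not in want:
            findings.append(f"{n.name}: schedule should be {' or '.join(want)}")
    return findings

def planned_cascade() -> tuple:
    """JG's corrected design: A -> B (scheduled), B -> C (cascade), C manual. Constructed values."""
    nodes = {
        "A": AcsNode("A", "x.y", "scheduled", partners=["B"], send={"users"}),
        "B": AcsNode("B", "x.y", "cascade", partners=["C"], send={"users"}, receive={"users"}),
        "C": AcsNode("C", "x.y", "manual", receive={"users"}),
    }
    return nodes, {("A", "B"), ("B", "C")}   # no direct A <-> C flow is allowed
```

Adding `"C"` to A's partner list (Roble's original idea) or `"A"` to B's partner list each produces a finding, while the corrected cascade returns none.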
09-25-2009 09:09 AM
Thanks for the reply Jagdeep, that verifies my approach.
Roble