ACS 5.4 Base License "500" Reached Max # of IP Addresses in Network Devices: (used IP Ranges)

Posted on 2014-01-17
Last Modified: 2014-01-23
We recently came to realize that we have maxed out our base license for IP addresses in Network Devices. We made the mistake of using "IP Ranges" for all of our Network Devices and AAA Clients, which according to what I've read is the quickest way to deplete the Base License Devices quickly.

What are some work around ideas, which don't count against the 500 Base License? Is using the "Default Network Device" under Network Resources in ACS 5.4, for AAA clients that haven't been defined in ACS, along with specifying specific 'unknown' location, the only solution that doesn't count against the 500 base device limit?

The way we are set up now is that we use TACACS+/RADIUS sourced from loopbacks and a common Management VLAN L3 SVI for TACACS+ remote access, and for RADIUS 802.1X authentication implemented on switch ports for PCs. We are still in the rollout phase of 802.1X, and looking at a way to modify our ACS to still allow authentication for dot1x and also allow remote access to all our network devices (all Cisco).

Also, on our routers and main L3 access switches (which typically have one or two other L3/L2 access switches hanging off of them) we source the TACACS+/RADIUS server from a loopback, and use a common Management VLAN L3 SVI to source the TACACS+/RADIUS servers (same ACS server IPs) on all of our ES modules and tail-end Cisco 3750/3560 access switches. The question is, would this be considered optimal, or should we use loopbacks for sourcing on all L3 switches? Does it really matter if it is sourced from a loopback or an L3 SVI? And is it best practice to separate your source interface on devices for your TACACS+ and RADIUS servers, such as loopback 0 for RADIUS and loopback 1 for TACACS+? Someone mentioned that to me as a better practice, but I am unclear if it really matters in the grand scheme of things. We haven't seen any issues in our network setup with using the same source interface for both TACACS+ and RADIUS servers.
Question by:laake9999
2 Comments

Accepted Solution by: Craig Beck (ID: 39791163)
Each AAA client counts as 1 off the licence count.  There is nothing you can do to fool this.

You don't have to use a Loopback to source RADIUS/TACACS.  It's more important to use Loopbacks for routing, for example, where you want the interface which handles routing updates to be always up.  With the RADIUS/TACACS source it is fine to source the traffic from your management SVI or L3 interface if you want to.

Assisted Solution by: btan (ID: 39791536)
The licence is based on unique IP addresses, as stated. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses, and hence the number of devices is 256. There is an unlimited licence, but it is really limited by hardware performance eventually.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_config.html#wpxref68935

A loopback is also chosen for security routes on the dedicated management and main routing stated in the article. It says that a well-protected TACACS+ server, accessed only from the router's loopback interface address block, offers more security for user and enable accounts. http://www.ciscopress.com/articles/article.asp?p=27137
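The counting rule in the assisted solution above (every unique address covered by a Network Device entry's mask counts, so a 255.255.255.0 mask consumes 256 of the 500 base-licence devices) is easy to apply to an inventory before it reaches ACS. The script below is an added example, not code from this thread, from Cisco or from ACS: it takes a constructed list of Network Device entries in CIDR or dotted-mask form, reports how many licence slots they consume, which entries are the worst offenders, and how many slots listing a site's real AAA clients as /32 entries would free. Treating overlapping entries as one set of unique addresses is an assumption drawn from the word "unique" in the answer; the device names and prefixes are made-up sample data.

```python
"""Estimate how many ACS 5.x base-licence 'devices' a set of Network Device
entries consumes, applying the rule from the answer above: every unique IP
address covered by an entry counts, so a 255.255.255.0 mask counts as 256.

Added example, not code from the thread, from Cisco or from ACS.  The
inventory below is constructed sample data, and de-duplicating overlapping
entries is an assumption drawn from the word "unique" in the answer.
"""
import ipaddress

BASE_LICENCE_DEVICES = 500  # the "500" base-licence figure from the question

# Constructed sample inventory: ACS Network Device name -> list of IP entries.
# Entries may be CIDR ("10.10.20.0/24") or dotted-mask ("10.10.20.0/255.255.255.0").
SAMPLE_DEVICES = {
    "core-rtr-01":      ["10.0.0.1/32"],                # one loopback address
    "mgmt-vlan-site-a": ["10.10.20.0/255.255.255.0"],  # whole management VLAN: 256
    "access-sw-site-b": ["10.10.30.0/25"],              # 128 addresses
    "overlap-entry":    ["10.10.20.0/26"],              # lies inside site-a's /24
}


def _network(entry):
    """Parse one entry; strict=False tolerates host bits set in the prefix."""
    return ipaddress.ip_network(entry, strict=False)


def per_entry_counts(devices):
    """Addresses each Network Device entry covers on its own (no de-duplication)."""
    return {name: sum(_network(e).num_addresses for e in entries)
            for name, entries in devices.items()}


def unique_addresses(devices):
    """The set of unique addresses covered by all entries together."""
    addrs = set()
    for entries in devices.values():
        for e in entries:
            addrs.update(_network(e))  # iterating a network yields every address
    return addrs


def licence_used(devices):
    """Base-licence devices consumed: one per unique address (assumed rule)."""
    return len(unique_addresses(devices))


def over_limit(devices, limit=BASE_LICENCE_DEVICES):
    """True when the inventory would exceed the base licence."""
    return licence_used(devices) > limit


def worst_offenders(devices, n=3):
    """The n entries that consume the most licence slots, largest first."""
    counts = per_entry_counts(devices)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


def saving_if_explicit(devices, name, real_host_count):
    """Slots freed by replacing a range entry with /32 entries for the
    real_host_count AAA clients that actually exist in that range."""
    return per_entry_counts(devices)[name] - real_host_count


if __name__ == "__main__":
    used = licence_used(SAMPLE_DEVICES)
    print(f"used {used} of {BASE_LICENCE_DEVICES} base-licence devices")
    for name, count in worst_offenders(SAMPLE_DEVICES):
        print(f"  {name:20s} {count:5d}")
    # Suppose site A's /24 really holds 12 switches: explicit /32s free 244 slots.
    print("freed by listing site-a hosts explicitly:",
          saving_if_explicit(SAMPLE_DEVICES, "mgmt-vlan-site-a", 12))
```

Run it against an export of your own Network Devices list to see which range entries are burning the licence; the fix the answers point to is the boring one, replacing each mask entry with the handful of /32 addresses (loopback or SVI) that the switches actually source TACACS+/RADIUS from.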