Monthly Archives: August 2012

ACS 5.x Database Purge

I received an alert:

Purge is successful. The size of records present in view data base is 22.58 GB. The physical size of the view data base on the disk 96.1 GB. If you want to reduce the physical size of the view data base, run acsview-db-compress command from acs-config mode through command line.

Use the acsview-db-compress command to compress the view database file size. This command compresses the ACS View database by rebuilding each table in the database and releasing the unused space. As a result, the physical size of the database is reduced.

Ok so time to fix the database during a maintenance window.

acsadmin(config-acs)# acsview-db-compress
You chose to compress ACS View database. This operation will take more time if the size 
of the database is big. During this operation, ACS services will be stopped. Services will 
be started automatically when the compression is over. Do you want to continue (y/n)?  y

Please wait till ACS services come back after the view db is compressed. Refer ADE.log 
for more details about the view db compress.
admin#

How long to wait? Who knows – so I decided to jump in and run it to see how long. I pressed ‘y’ (as above) and waited. I could not find any command to show status or progress, so I had to rely on Nagios and the following command only.


admin# show application status acs

Application initializing...
Status is not yet available.
Please check again in a minute.


Yes ok – thanks Cisco! Anyway, 3 hours 20 mins later:


admin# show application status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'adclient'                  running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running


...so cleaning up about 75GB of unused space in the database took about 3 hours, so you can expect roughly 25GB an hour. Plan your outage window accordingly.

MDS 9100 SAN OS with TACACS using Cisco ACS 5.x

I wanted the MDS switches to finally be added to TACACS so that the backup scripts can run with the TACACS login they already use for the standard routers/switches. Here’s the configuration used (note that fallback to local authentication is also enabled in case TACACS is unavailable):

tacacs+ enable
tacacs+ distribute
tacacs-server key whatevs-key
tacacs-server host 10.222.222.222
tacacs+ commit
aaa group server tacacs+ tacacs-group1
   server 10.222.222.222
aaa authentication login default group tacacs-group1 local
aaa accounting default group tacacs-group1 local

On Cisco ACS 5.x you need to add an option to the shell profile you use for TACACS. In my case I just added the attribute to the standard profile, which gives privilege level 15 to successful authentications for the other IOS devices.

Probably easier to show you in an image (below), but for MDS switches to work with ACS 5.x you need to add:

attribute  ->  shell:roles
requirement->  Optional
value      ->  network-admin

[Image: ACS 5.x shell profile with the shell:roles attribute set to network-admin]

Cisco OfficeExtend (OEAP) Firewall Rules

I remember having some dramas getting the OfficeExtend APs set up initially, so here are the firewall rules you need to get the Cisco OfficeExtend access points (OEAP) working. The setup assumes you have a DMZ controller which has mobility anchors into the internal or “Inside” controller.

Internet -> “DMZ” WLC
UDP 5246/5247   (for OEAP communication)

DMZ Controller <-> Inside Controller:
UDP 16666/16667 Bidirectional to “Inside” WLC and “DMZ” WLC
IP Protocol 97 Bidirectional to “Inside” WLC and “DMZ” WLC

DMZ Controller -> Inside RADIUS Server:
UDP 1812/1813 to RADIUS Server

Inside Network -> DMZ Controller:
TCP 80/443  (for http/https access)
TCP 22 (for SSH access)

If you have a Wireless Control System server (WCS) or Cisco NCS Prime -> DMZ Controller:
UDP 69  (for TFTP)
UDP 161 (for SNMP)
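A quick way to check a firewall policy against the flow list above before the outage, as an added example that is not part of the original post: the zone names (internet, dmz_wlc, inside_wlc, radius, inside, wcs) and the candidate ruleset are constructed for illustration, bidirectional entries are expanded into both directions, and "any" or port-range rules count as covering a flow.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str   # zone label (constructed for this example, not from the post)
    dst: str
    proto: str # "udp", "tcp", or "ip97" (IP protocol 97, the mobility tunnel)
    port: int  # 0 for protocols without ports

class Rule(NamedTuple):
    src: str   # "any" matches every zone
    dst: str
    proto: str
    lo: int    # inclusive port range; 0-0 for port-less protocols
    hi: int

# Flows from the post's rule list: (src, dst, proto, ports, bidirectional)
OEAP_FLOWS = [
    ("internet", "dmz_wlc",    "udp",  [5246, 5247],   False),  # CAPWAP from the OEAP
    ("dmz_wlc",  "inside_wlc", "udp",  [16666, 16667], True),   # mobility control
    ("dmz_wlc",  "inside_wlc", "ip97", [0],            True),   # mobility data tunnel
    ("dmz_wlc",  "radius",     "udp",  [1812, 1813],   False),  # RADIUS auth/acct
    ("inside",   "dmz_wlc",    "tcp",  [80, 443, 22],  False),  # HTTP/HTTPS/SSH mgmt
    ("wcs",      "dmz_wlc",    "udp",  [69, 161],      False),  # TFTP / SNMP
]

def required_flows(spec=OEAP_FLOWS) -> set[Flow]:
    """Expand the table into directed flows; bidirectional entries become two."""
    out = set()
    for src, dst, proto, ports, bidir in spec:
        for p in ports:
            out.add(Flow(src, dst, proto, p))
            if bidir:
                out.add(Flow(dst, src, proto, p))
    return out

def covers(rule: Rule, flow: Flow) -> bool:
    return (rule.src in ("any", flow.src) and rule.dst in ("any", flow.dst)
            and rule.proto == flow.proto and rule.lo <= flow.port <= rule.hi)

def missing_flows(rules: list[Rule], spec=OEAP_FLOWS) -> set[Flow]:
    """Required flows that no rule permits: what still has to be added before cutover."""
    return {f for f in required_flows(spec) if not any(covers(r, f) for r in rules)}

# Constructed candidate policy: mobility tunnel permitted one way only, SNMP forgotten.
CANDIDATE = [
    Rule("any",        "dmz_wlc",    "udp",  5246,  5247),
    Rule("dmz_wlc",    "inside_wlc", "udp",  16666, 16667),
    Rule("inside_wlc", "dmz_wlc",    "udp",  16666, 16667),
    Rule("dmz_wlc",    "inside_wlc", "ip97", 0,     0),
    Rule("dmz_wlc",    "radius",     "udp",  1812,  1813),
    Rule("inside",     "dmz_wlc",    "tcp",  22,    22),
    Rule("inside",     "dmz_wlc",    "tcp",  80,    443),  # range covers both 80 and 443
    Rule("wcs",        "dmz_wlc",    "udp",  69,    69),
]

if __name__ == "__main__":
    for f in sorted(missing_flows(CANDIDATE)):
        print(f"missing: {f.src} -> {f.dst} {f.proto}/{f.port}")
```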

I spent some time a year or so back getting it going and it has been a good solution for extending the corporate WLANs to wherever they are required. Obviously, security should be a concern, so at a minimum make sure you secure the WLANs with certificates, RADIUS and AD authentication (WPA2 Enterprise).

In my case the 602 model AP can provide 2 WLANs as well as a “Remote LAN” connection, which I use to plug in a Cisco IP phone for those who want a hard phone alongside the AP. Be careful with the Remote LAN port – it is essentially a port that is tunneled straight onto your inside network (which is why the phone works).

Google Blake Krone’s 602 AP review for more detail on the OEAP setup – he helped me out a lot and I could not have done it without his assistance. Thanks Blake!

[Image: Office Extend Setup]

OfficeExtend setup – clear as mud now? :)