Database Replication


Database replication is a means of providing a more fault-tolerant network design. This section explains the process of database replication as well as the steps to configure database replication.

Understanding Database Replication

Database replication is a way for you to create a copy of the ACS database on one or more mirror systems. This process allows for the processing of authentication requests if the primary ACS goes down. You can schedule database replication, or you can perform immediate database replications. Another benefit to database replication is that the database is actually compressed before it is sent, and the secondary server has the capability to decompress the information after it has been received.

The following replication process is taken from the user guide for ACS. It details the communication between the primary and secondary ACS.

[3] The database replication process begins when the primary Cisco Secure ACS server compares the list of database components it is configured to replicate with the list of database components each secondary Cisco Secure ACS is configured to replicate. The primary Cisco Secure ACS only replicates those database components that it is configured to send and that the secondary Cisco Secure ACS is configured to receive. If the secondary Cisco Secure ACS is not configured to receive any of the components that the primary Cisco Secure ACS is configured to send, the database replication is aborted.

After the primary Cisco Secure ACS has determined which components to send to the secondary Cisco Secure ACS, the replication process continues on the primary Cisco Secure ACS as follows:

The primary Cisco Secure ACS stops its authentication and creates a copy of the Cisco Secure database components that it is configured to replicate. During this step, if AAA clients are configured properly, those that usually use the primary Cisco Secure ACS failover to another Cisco Secure ACS.

The primary Cisco Secure ACS resumes its authentication service. It also compresses and encrypts the copy of its database components for transmission to the secondary Cisco Secure ACS.

The primary Cisco Secure ACS transmits the compressed, encrypted copy of its database components to the secondary Cisco Secure ACS. This transmission occurs over a TCP connection, using port 2000. The TCP session uses an encrypted, Cisco-proprietary protocol.

After the preceding events on the primary Cisco Secure ACS, the database replication process continues on the secondary Cisco Secure ACS as follows:

The secondary Cisco Secure ACS receives the compressed, encrypted copy of the Cisco Secure database components on the primary Cisco Secure ACS. After transmission of the database components is complete, the secondary Cisco Secure ACS uncompresses the database components.

The secondary Cisco Secure ACS stops its authentication service and replaces its database components with the database components it received from the primary Cisco Secure ACS. During this step, if AAA clients are configured properly, those that usually use the secondary Cisco Secure ACS failover to another Cisco Secure ACS.

The secondary Cisco Secure ACS resumes its authentication service.

To clarify: only the components that the primary is configured to send and the secondary is configured to receive are replicated. The secondary can be configured to receive additional components, but the primary does not send anything it is not configured to send; likewise, the primary can be configured to send additional components, but the secondary does not accept anything it is not configured to receive. The replicated set is therefore the intersection of the two configurations, and replication proceeds as long as that set contains at least one component. If the two servers agree on no component, replication is aborted. Additionally, if nothing has changed on the primary since the last replication, there is no reason to replicate.
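The negotiation described above, modeled as an added example (this is not ACS code and not from the book): it computes the intersection of what the primary sends and what the secondary receives, aborts when that intersection is empty, and skips the run when the agreed components are unchanged since the last replication. The component identifiers, the SHA-256 fingerprint used to detect "nothing changed", and the sample data are assumptions for illustration; the real ACS change tracking and wire format are not documented on this page.

```python
"""Model of the Cisco Secure ACS replication component negotiation.

Rules taken from the text: only components the primary is configured to
send AND the secondary is configured to receive are replicated; if that
set is empty the replication is aborted; if the agreed components are
unchanged on the primary since the last run there is nothing to do.

Added example, not ACS code. Component identifiers and the
fingerprint scheme are assumptions made for this illustration."""

import hashlib
import json

# The six replication components named on the ACS configuration page.
COMPONENTS = (
    "user_and_group_database",
    "network_configuration_device_tables",
    "distribution_table",
    "interface_configuration",
    "interface_security_settings",
    "password_validation_settings",
)


class ReplicationAborted(Exception):
    """Raised when the primary and secondary agree on no component."""


def negotiate(send, receive):
    """Return the components to replicate: send ∩ receive, in fixed order.

    Raises ReplicationAborted when the intersection is empty, which is
    what the text says happens when the secondary receives none of the
    components the primary is configured to send."""
    unknown = (set(send) | set(receive)) - set(COMPONENTS)
    if unknown:
        raise ValueError(f"unknown replication component(s): {sorted(unknown)}")
    agreed = [c for c in COMPONENTS if c in send and c in receive]
    if not agreed:
        raise ReplicationAborted(
            "secondary receives none of the components the primary sends")
    return agreed


def fingerprint(db, components):
    """Stable hash of the agreed components' contents.

    Assumption: ACS has its own change tracking; a content hash stands in
    for it here so 'nothing changed' can be detected deterministically."""
    payload = json.dumps({c: db[c] for c in components}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def plan_replication(primary_db, send, receive, last_fingerprint=None):
    """Decide what, if anything, the primary should ship to the secondary.

    Returns (components, fingerprint); components is [] when the agreed
    data is unchanged since the run identified by last_fingerprint."""
    agreed = negotiate(send, receive)
    fp = fingerprint(primary_db, agreed)
    if fp == last_fingerprint:
        return [], fp  # nothing changed on the primary: no reason to replicate
    return agreed, fp


if __name__ == "__main__":
    # Constructed sample primary database; contents are placeholders.
    primary = {c: {} for c in COMPONENTS}
    primary["user_and_group_database"] = {"users": ["alice", "bob"], "groups": ["admins"]}
    primary["distribution_table"] = {"entries": [{"prefix": "lab.", "to": "acs-2"}]}

    send = {"user_and_group_database", "distribution_table", "interface_configuration"}
    receive = {"user_and_group_database", "network_configuration_device_tables"}

    components, fp = plan_replication(primary, send, receive)
    print("replicating:", components)          # only the agreed intersection
    again, _ = plan_replication(primary, send, receive, last_fingerprint=fp)
    print("second run replicates:", again)     # [] because nothing changed
    try:
        negotiate(send, {"password_validation_settings"})
    except ReplicationAborted as exc:
        print("aborted:", exc)
```

Note that the secondary's extra "receive" selection (network_configuration_device_tables) and the primary's extra "send" selection (interface_configuration) both drop out of the plan, exactly as the text describes; only the one component both sides agree on is shipped.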

Replication Versus Backup

The major difference between database replication and database backup is that database backup creates a backup file on the local drive. This can be copied to other forms of media, or to network shares, and can be used to recover a system that has failed. What database backup does not do is copy the database or portions of the database to other ACSs, known as secondary servers. By using replication, you can provide a redundant server configuration.

Configuring the Primary Server

Database replication is found in the System Configuration section of ACS. To configure the server for database replication, follow these steps:

Step 1.

Select System Configuration.

Step 2.

Select Cisco Secure Database Replication.

Step 3.

Select Send or Receive for any or all of the replication components:

- User and group database

- Network configuration device tables

- Distribution table

- Interface configuration

- Interface security settings

- Password validation settings

Step 4.

Next, for outbound replication, select the Scheduling of Outbound Replication options that you want to employ. Choose Manually, Automatically Triggered Cascade (meaning when the master receives information it is automatically copied to the others), Every __ minutes, or select a specific time using the grid provided.

Step 5.

Choose the Partner server(s) from the list of AAA servers in the left column of the partners section, and use the right arrow button to place them in the replication list to the right.

Step 6.

Because this is the primary server, you should not need to configure the Inbound Replication settings; however, a server in a cascade can accept incoming replication, as well as perform outbound replication. If you choose a specific time, select the times from the grid provided.

Step 7.

Select the Submit button, or to perform immediate replication, select the Replicate Now button.

Configuring a Secondary Server

The secondary server must be configured to receive the exact configuration that the primary server is sending.

To configure the secondary server for database replication, follow these steps:

Step 1.

From the System Configuration menu, select the Cisco Secure Database Replication link.

Step 2.

Select the Receive check box for each item you want to receive. These include user and group database, AAA servers and AAA clients tables, distribution table, interface configuration, interface security settings, and password validation settings. These should match the options that the primary ACS is sending.

Step 3.

Next, from the Inbound Replication section, choose to receive replication from any known Cisco Secure ACS, or use the drop-down list to select a trusted server.

Step 4.

Select Submit.

NOTE

Keep in mind that replication can be initiated only by the primary server.


Immediate Replication

You can perform immediate replication from the primary ACS by selecting the Cisco Secure Database Replication link and then the Replicate Now button at the bottom of the configuration page.

Backing Up the Cisco Secure Database

Another important aspect of maintaining your ACS configuration is to perform frequent database backups of the ACS database. This section covers the steps needed to perform manual backups, schedule backups, cancel scheduled backups, and recover ACS from a backup.

Under the umbrella of database backup, you have the following options:

  • Perform a manual backup

  • Schedule a backup to take place at periodic intervals, or at a given time

  • Cancel a scheduled backup

  • Recover from a backup file

Database backups are performed from the System Configuration subsection ACS System Backup Setup. From this subsection, you can configure manual backups, which require an administrator to start the backup, or you can schedule backups. If you decide to schedule a backup, you have a few options: you can back up at an interval, the default being 60 minutes, or you can specify the times at which to perform the database backup. To perform a backup, you must tell ACS where to store the backup file. The default directory for backup files is

C:\Program Files\CiscoSecure ACS v3.1\CSAuth\System Backups

This backup file is stored as a .dmp file, and the file is named by date and time. For example, the file 21-Jul-2003 15-55-12.dmp was created at 15:55:12 (3:55 p.m.) on July 21, 2003. Consider managing this directory if you have ACS perform automatic backups, because it can fill up quickly. For this reason, you might want to keep files only for a certain period of time, or frequently copy this directory to external media.

Manual Backups

To perform a manual backup, select the ACS Backup link from the System Configuration section. From here, you simply need to select the Backup Now button to perform a manual backup.

Scheduled Backups

To schedule a backup, select the ACS Backup link from the System Configuration section. Choose one of the following options:

  • Every __ minutes

  • At specific times

If you elect to back up at a given time interval, enter an interval or accept the default of 60 minutes. If you choose to back up at specific times, use the time grid provided to select those times. Complete the configuration by selecting Submit.

You can change the directory that backups are written to from the ACS interface. The default directory used for backup is C:\Program Files\CiscoSecure ACS v3.2\CSAuth\System Backups. No management is in place for this directory, so it can become very large, very quickly.
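One way to keep that directory under control, as an added example rather than anything ACS provides: a script that parses the timestamp ACS encodes in each backup file name (the 21-Jul-2003 15-55-12.dmp form shown earlier), always retains the newest few backups, and selects for deletion only those older than a retention window. The retention values, the dry-run default and the constructed directory listing are assumptions; the default path is the v3.2 one quoted in the text, and files that do not match the ACS naming pattern are never touched.

```python
"""Retention sweep for the ACS System Backups directory.

ACS names each backup '<DD>-<Mon>-<YYYY> <HH>-<MM>-<SS>.dmp' and does
nothing to manage the directory. This added example (not ACS code)
parses the timestamp out of each file name, keeps the newest files and
returns the rest for deletion. Retention policy and the dry-run default
are assumptions made for this illustration."""

from __future__ import annotations

import os
import re
from datetime import datetime, timedelta
from pathlib import Path

# Default ACS v3.2 backup directory as quoted in the text.
DEFAULT_BACKUP_DIR = r"C:\Program Files\CiscoSecure ACS v3.2\CSAuth\System Backups"

# Only ACS-style names are considered; anything else is left alone.
NAME_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}-\d{2}-\d{2})\.dmp$")


def parse_backup_name(name: str) -> datetime | None:
    """Return the timestamp encoded in an ACS backup file name, or None if
    the name is not a well-formed ACS backup name."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%d-%b-%Y %H-%M-%S")
    except ValueError:  # e.g. '31-Feb-2003 00-00-00.dmp'
        return None


def select_expired(names, now, keep_days=14, keep_min=3):
    """Pick backups to delete: older than keep_days, but always retain the
    keep_min newest so a long outage cannot leave the directory empty.
    Returned newest-first."""
    dated = []
    for n in names:
        ts = parse_backup_name(n)
        if ts is not None:
            dated.append((ts, n))
    dated.sort(reverse=True)
    cutoff = now - timedelta(days=keep_days)
    return [n for ts, n in dated[keep_min:] if ts < cutoff]


def prune(directory=DEFAULT_BACKUP_DIR, now=None, keep_days=14, keep_min=3, dry_run=True):
    """Apply select_expired to a real directory. With dry_run=True nothing
    is removed; the list of candidates is returned either way."""
    now = now or datetime.now()
    folder = Path(directory)
    victims = select_expired(os.listdir(folder), now, keep_days, keep_min)
    if not dry_run:
        for n in victims:
            (folder / n).unlink()
    return victims


if __name__ == "__main__":
    # Constructed listing; no real ACS directory is needed to run this.
    listing = [
        "21-Jul-2003 15-55-12.dmp",
        "20-Jul-2003 15-55-07.dmp",
        "01-Jul-2003 03-00-00.dmp",
        "15-Jun-2003 03-00-00.dmp",
        "notes.txt",
    ]
    for n in select_expired(listing, datetime(2003, 7, 22), keep_days=14, keep_min=2):
        print("would delete", n)
```

Run it as a scheduled task with dry_run left at True first and review the printed candidates; the keep_min floor is what protects you from a misconfigured clock or a long gap in scheduled backups wiping every restore point at once.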

Canceling a Scheduled Backup

It is fairly simple to cancel a scheduled backup. Simply access the ACS Backup link from the System Configuration section and change from Every __ minutes, or At specific times, to Manual backup. This cancels any further scheduled backups.

Recovering ACS from a Backup file

If you want to recover ACS from a .dmp file, select the ACS Restore link from System Configuration, choose the directory that your backup files are stored in, choose the file you want to restore from, select whether to restore the user and group database and/or the Cisco Secure ACS system configuration, and select the Restore Now button.

Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173