04-18-2011 12:23 PM
Is there any real or theoretical limit to the number of roles, profiles, or policies that can be implemented?
We have a lot of very different user needs, but like to keep access locked down as much as possible because they're vendors or users that only need access to a few IPs.
We're looking at 60-70 roles
Running 7.1 on 6500s
04-19-2011 05:53 AM
04-20-2011 09:52 AM
We run a SA6000 with approximately 350 roles with no issue. We rarely go over 300 users (some of the roles are rarely used, and some probably obsolete). There are 354 role-mapping rules in our most heavily used realm. We've seen no issue with resource usage at all.
04-21-2011 01:21 PM
Wow thanks for the info.
Like I mentioned, we have a lot of users, really vendors and support people, not typical "users". So we like to lock them down only to the IPs they really need. But we don't lock down ports. The access is so diverse that we can't really say or know what port-level access users would need. It just varies too much.
And I'm working on the migration and finding I'm going to have to copy the same IP or network list into multiple areas (web, telnet, pulse, etc).
Is your setup the same? Am I missing something?
Seems like a single global area where I could say "This role gets access to these IPs over these ports" would work better.
04-21-2011 01:44 PM
Seems like what you would want to do is to give them Pulse or Network Connect access. I don't use Pulse yet, but I assume the configuration would be much the same.
If all of your 3rd party groups should get the same address range, DNS servers, etc., then create only one Network Connect role and set up a NC connection profile with the desired characteristics. Then set up a NC access list with detailed rules which allows each user what they need. Something like -
Resource                 Action  Condition      Notes (not in the configuration)
udp://*:53               allow   user="*"       Everyone gets DNS access and ping
tcp://192.168.1.1:*      allow   user="usera"   User A gets all TCP ports to 192.168.1.1
tcp://192.168.2.0/24:*   allow   user="userb"   User B gets all TCP and UDP ports to 192.168.2.0/24
*:*                      deny    user="*"       Final deny all just to make sure
You could use group membership or returned Radius attribute to set up the conditions. I return the Filter-Id attribute from Radius and use it to apply different access control lists to different sets of users.
Hope this is helpful.
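To check what an access list like the one above actually grants before loading it onto the box, here is an added example (not from the post and not Juniper's code) that models those four rules and evaluates requests against them. It assumes top-down, first-match evaluation and uses the post's hypothetical user names and addresses.

```python
import ipaddress
import re

# Constructed rule set mirroring the post's NC access list:
# (resource pattern, action, user condition). Names/addresses are hypothetical.
RULES = [
    ("udp://*:53",             "allow", "*"),
    ("tcp://192.168.1.1:*",    "allow", "usera"),
    ("tcp://192.168.2.0/24:*", "allow", "userb"),
    ("*:*",                    "deny",  "*"),
]

# <proto>://<host-or-network>:<port|range|*>, proto optional ("*:*")
RESOURCE_RE = re.compile(
    r"^(?:(?P<proto>tcp|udp|\*)://)?(?P<host>[^:]+):(?P<port>\*|\d+(?:-\d+)?)$")


def parse_resource(res):
    """Split a resource pattern into (proto, host, port); '*' means any."""
    m = RESOURCE_RE.match(res)
    if not m:
        raise ValueError(f"bad resource pattern: {res}")
    return m.group("proto") or "*", m.group("host"), m.group("port")


def host_matches(pattern, ip):
    # A bare address is treated as a /32; strict=False tolerates host bits.
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern, port):
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(user, proto, ip, port, rules=RULES):
    """Return (action, matched resource) of the first matching rule.
    Assumption: no matching rule means the request is denied."""
    for resource, action, cond_user in rules:
        r_proto, r_host, r_port = parse_resource(resource)
        if cond_user not in ("*", user) or r_proto not in ("*", proto):
            continue
        if host_matches(r_host, ip) and port_matches(r_port, port):
            return action, resource
    return "deny", None


if __name__ == "__main__":
    for req in [("userb", "udp", "10.0.0.5", 53), ("userb", "tcp", "192.168.1.1", 22),
                ("userb", "tcp", "192.168.2.77", 443), ("userb", "udp", "192.168.2.77", 443)]:
        print(req, "->", evaluate(*req))
```

Note that the third rule's tcp:// prefix matches TCP only, so UDP to 192.168.2.0/24 falls through to the final deny; a separate udp:// rule is needed if that is intended.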
04-22-2011 09:20 PM
No, there is no limit on the number of roles/resource policies you can create as far as the IVE device is coded.
From a *management* perspective, however, you can start to experience excessive loading times as you increase the roles/resource policies (around 300-500 is what I have heard; your mileage may vary, of course).