vrf-lite & router management

Unanswered Question
Jul 18th, 2007

I posted this under LAN as well, but didn't get a response. Maybe someone here can help me out:

I have a 4948 switch w/L-3 software. Am using VRFs to segment the traffic for two different entities. Am having problems getting the router management stuff (TACACS+, NTP, logging, SNMP, etc.) working.

All of these things are configured to originate from Loopback 0 (ip tacacs source-interface Loopback0, for example). I have also assigned Loopback 0 to one of the VRFs. Yet I can't get these things to work.

Do I have to select one VRF as the "master" VRF or something like that?

Here are the relevant config snippets from this box (names changed to protect the innocent). Note that the management servers are across the MetroE connections, not on the local LAN:

=================

ip vrf Main_VRF
 rd 64512:1
!
ip vrf Second_VRF
 rd 64514:1
!
ip vrf select
!
interface Loopback0
 ip vrf forwarding Main_VRF
 ip address 192.168.150.81 255.255.255.255
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 534,536
 switchport mode trunk
 bandwidth 250000
 speed nonegotiate
 tx-queue 1
  shape 100 mbps
!
!
interface Vlan3
 desc Local LAN in main VRF
 ip vrf forwarding Main_VRF
 ip address 172.19.48.5 255.255.240.0
 ip helper-address 10.30.252.31
 ip helper-address 10.30.254.31
 no ip redirects
!
interface Vlan534
 description MetroEthernet WAN to Site 1
 bandwidth 100000
 ip vrf forwarding Main_VRF
 ip address 192.168.93.126 255.255.255.252
!
interface Vlan536
 description MetroEthernet WAN to Site 2
 bandwidth 100000
 ip vrf forwarding Second_VRF
 ip address 192.168.69.250 255.255.255.252
router eigrp 64512
 passive-interface Vlan3
 no auto-summary
 !
 address-family ipv4 vrf Main_VRF
  network 192.168.93.0
  network 192.168.150.0
  no auto-summary
  autonomous-system 64512
 exit-address-family
!
router eigrp 64514
 no auto-summary
 !
 address-family ipv4 vrf Second_VRF
  network 192.168.69.0
  no auto-summary
  autonomous-system 64514
 exit-address-family
!
no ip http server
!
ip tacacs source-interface Loopback0
!
!
logging source-interface Loopback0

===============

Help/advice would be appreciated.

mohammedmahmoud Wed, 07/18/2007 - 10:21

Hi,

How are your router management servers (TACACS+, NTP, logging, SNMP, etc.) connected to the switch, how are they routed to it, and are their IPs pingable (within the Main_VRF VRF)?

HTH,

Mohammed Mahmoud.

p-dionne Wed, 07/18/2007 - 11:32

All of the servers are located on the far side of the MetroEthernet VLAN 534, multiple hops away.

You can ping all of these servers within the VRF, with or without sourcing the pings from the loopback address.

Thx.

p-dionne Thu, 07/19/2007 - 07:14

Not a routing issue, you probably didn't see my last reply:

"You can ping all of these servers within the VRF, with or without sourcing the pings from the loopback address."

All of the routing is fine, it's just these management protocols don't work.

I'm assuming there has to be some global command that says router-originated traffic (like a TACACS request) has to be within one VRF or another, but I can't find that command in any of the guides.

mchoo2005 Tue, 07/24/2007 - 22:37

Do you have to use a VRF for your management stuff? Admittedly, I've only used VRF-Lite a little bit. However, from my past experience, some management functions don't work over VRF. I think TACACS is one of them. Unless Cisco fixed this...

paulhowlett_2 Sat, 10/06/2007 - 11:21

Hi, mchoo2005 is correct, vrf specific ACS is not supported. I am told by the TAC that it is planned (at least for 6500) 2nd quarter 2008, very poor. We also have problems with TFTP and NTP in vrf instances.

Have you tried using these management functions in the global routing table i.e. not in a vrf?

Good luck.

Hi all

I have worked on VRF quite a bit now in many boxes like the Catalyst 3800, Catalyst 6500 and Cisco 7206. In my experience it works well, but you need the proper IOS code running in these boxes, so you might need to check the Cisco feature set tool carefully.

For now I can give you some commands which I have used to get this management stuff working successfully.

Tacacs

aaa new-model
aaa group server tacacs+ tacacs1 (You can use any other name in place of tacacs1 but be sure to use the same even below)
 server-private (IP address) port 49 timeout 10 key (your key)
 server-private (IP address) port 49 timeout 10 key 7 (your key)
 ip vrf forwarding (name of the VRF, which consists of your loopback)
 ip tacacs source-interface Loopback0
aaa authentication login default group tacacs1 line
aaa authentication enable default group tacacs1 enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs1 if-authenticated
aaa authorization commands 0 default group tacacs1 if-authenticated
aaa authorization commands 1 default group tacacs1 if-authenticated
aaa authorization commands 15 default group tacacs1 if-authenticated
aaa authorization network default group tacacs1 if-authenticated
aaa authorization reverse-access default group tacacs1 if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs1
aaa accounting commands 0 default start-stop group tacacs1
aaa accounting commands 1 default start-stop group tacacs1
aaa accounting commands 15 default start-stop group tacacs1
aaa accounting network default start-stop group tacacs1
aaa accounting connection default start-stop group tacacs1
aaa accounting system default vrf (name of the VRF as above) start-stop group tacacs1
aaa session-id common

VRF specific NTP commands

ntp server vrf (vrf-name) (NTP server IP address)
ntp server vrf (vrf-name) (NTP server IP address) prefer

VRF specific SNMP commands

snmp-server host (IP address) vrf (vrf-name)

VRF specific Logging commands [You can't specify a vrf source interface in Logging]

logging (host IP address) vrf (vrf-name)
logging (host IP address) vrf (vrf-name)

There are also some VRF specific multicast commands while specifying rendezvous points, if somebody needs it let me know.

The above commands are sometimes a little different in some boxes; they just might need a little tweaking.

Thanks

Suvf
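The gap this thread turns on is that a loopback bound to a VRF does nothing for TACACS+, NTP, SNMP or syslog unless each server definition is itself made VRF-aware with the forms given in the reply above. The following audit script is an added example, not code from the thread or from Cisco: it parses an IOS-style config, finds the VRF that Loopback0 is bound to, and reports every management server definition that is missing the matching vrf binding. The config it runs on is constructed for the example; server addresses and the key string are placeholders.

```python
import re
# Constructed sample config (not from the thread): Loopback0 sits in Main_VRF and the
# TACACS+ group and NTP server are VRF-aware, but the SNMP and syslog hosts are not.
SAMPLE_CONFIG = """\
interface Loopback0
 ip vrf forwarding Main_VRF
aaa group server tacacs+ tacacs1
 server-private 10.30.252.10 port 49 timeout 10 key 7 EXAMPLEKEY
 ip vrf forwarding Main_VRF
ntp server vrf Main_VRF 10.30.252.20 prefer
snmp-server host 10.30.252.30 public
logging source-interface Loopback0
logging 10.30.252.40
"""
def parse_blocks(config):
    """Split an IOS config into top-level lines and their one-space-indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks

def loopback_vrf(blocks, name="Loopback0"):
    """VRF bound to the management loopback, or None if it is in the global table."""
    for sub in blocks.get("interface " + name, []):
        if m := re.match(r"ip vrf forwarding (\S+)", sub):
            return m.group(1)
    return None

def audit(config):
    """Return management server definitions that are not bound to the loopback's VRF."""
    top, blocks = parse_blocks(config)
    vrf = loopback_vrf(blocks)
    if vrf is None:
        return []  # global loopback: plain (non-vrf) server commands are correct
    findings = []
    for hdr, subs in blocks.items():  # TACACS+ groups need 'ip vrf forwarding <vrf>'
        if hdr.startswith("aaa group server tacacs+") and "ip vrf forwarding " + vrf not in subs:
            findings.append(hdr + ": add 'ip vrf forwarding " + vrf + "'")
    for line in top:  # NTP, SNMP trap and syslog hosts each take the vrf keyword
        if re.match(r"(ntp server|snmp-server host|logging( host)? \d)", line) and " vrf " + vrf not in line:
            findings.append(line + ": add 'vrf " + vrf + "'")
    return findings
```

Run `audit()` over a saved `show running-config`; an empty list means every management server is reachable in the same table as the source loopback, which is the condition the posted configuration did not meet.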
