12-07-2009 08:01 AM - edited 03-06-2019 08:51 AM
I am trying to manage this switch WS-C3550-24PWR-SMI version 12.1(22)EA5 from a loopback within a VRF on the switch. I can see the connection hitting the TACACS box but I get the error below on the switch. Could it be a bug on the switch?
Logs
7w4d: TAC+: Opening TCP/IP to 10.124.66.4/49 timeout=5
37w4d: TAC+: TCP/IP open to 10.124.66.4/49 failed -- Connection timed out; remote host not responding
Config
ip vrf TECHLAB-SWITCHES
rd 400:400
interface Vlan753
ip vrf forwarding tacaces
ip address 10.30.3.6 255.255.255.0
tacacs-server host 10.124.66.4
tacacs-server key Premier_League
ip tacacs source-interface Vlan753
tacacs-server host 10.104.66.4
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
12-07-2009 08:03 AM
Also, I can telnet from the VLAN interface from within the VRF to the TACACS server on port 49 successfully.
12-07-2009 10:17 AM
Hello Francisco,
If supported, you should add the vrf vrf-name to the tacacs host command:
tacacs-server host 10.124.66.4 vrf TECHLAB-SWITCHES
For example, for NTP in a VRF you need to add the vrf vrf-name to the standard command.
Hope to help
Giuseppe
12-07-2009 10:37 AM
I don't have the vrf command available after the tacacs host IP below!!!
"tacacs-server host 10.124.66.4 [vrf]"
12-07-2009 10:27 AM
francisco_1 wrote:
I am trying to manage this switch WS-C3550-24PWR-SMI version 12.1(22)EA5 from a loopback within a VRF on the switch. I can see the connection hitting the TACACS box but I get the error below on the switch. Could it be a bug on the switch?
Logs
7w4d: TAC+: Opening TCP/IP to 10.124.66.4/49 timeout=5
37w4d: TAC+: TCP/IP open to 10.124.66.4/49 failed -- Connection timed out; remote host not responding
Config
ip vrf TECHLAB-SWITCHES
rd 400:400
interface Vlan753
ip vrf forwarding tacaces
ip address 10.30.3.6 255.255.255.0
tacacs-server host 10.124.66.4
tacacs-server key Premier_League
ip tacacs source-interface Vlan753
tacacs-server host 10.104.66.4
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Per your config, the TACACS server is in the global routing table and Vlan 753 is in the TACACES VRF.
I'm not sure how you are leaking the routing table but if you are looking for 'Per VRF for TACACS+' implementation, this feature is not supported on 3xxx switches.
Please refer to this documentation: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
Regards
Edison.
12-07-2009 10:35 AM
I have a default route
ip route vrf TECHLAB-SWITCHES 0.0.0.0 0.0.0.0 10.30.3.1
12-07-2009 10:46 AM
But your vrf name under the Vlan is different:
interface Vlan753
ip vrf forwarding tacaces
ip address 10.30.3.6 255.255.255.0
Can you post the routing table output from the GRT and the VRF, and also a ping output from Vlan 753 toward the TACACS server?
If you have access to the TACACS server, can you also post the ping output from there?
12-07-2009 10:52 AM
switch#sh ip route vrf TECHLAB-SWITCHES
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 18:51:48.211 GMT Mon Dec 7 2009
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.30.3.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.30.3.0 is directly connected, Vlan753
S* 0.0.0.0/0 [1/0] via 10.30.3.1
switch#sh ip route
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 18:52:08.171 GMT Mon Dec 7 2009
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.30.90.254 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
C 10.30.90.0 is directly connected, Vlan790
C 10.30.91.0 is directly connected, Vlan791
S* 0.0.0.0/0 [1/0] via 10.30.90.254
12-07-2009 01:10 PM
Your GRT and VRF table have different default gateways and this can be causing the problem.
BTW, if you upgrade to 12.2(44)SEx - you should be able to use Per VRF TACACS+ as I posted before.
The document should be updated to include 12.2SE support. I tested the commands on a switch here - I don't have any TACACS+ server so I couldn't duplicate your problem - but you should give it a try.
Regards
Edison.
02-11-2013 09:53 AM
Hi guys, I came across this problem; we can solve it by just adding the vrf in the tacacs configuration, e.g. if you have the tacacs server 10.0.0.1:
======================================================
aaa group server tacacs+ JERRY ->put your tacacs server in a group name
server-private 10.0.0.1 ->mention ur tacacs server
ip vrf forwarding TOM -->the VRF name
======================================================
The rest is the same except you put the group thingy:
======================================================
aaa authentication login default group TEST local
aaa authentication login NO_AUTHEN local none
aaa authentication enable default group TEST enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TEST local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group TEST local
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 7 NO_AUTHOR none
aaa authorization commands 15 default group TEST local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default
action-type start-stop
group tacacs+
group TEST
!
aaa accounting commands 1 default
action-type start-stop
group tacacs+
group TEST
12-04-2017 06:02 PM - edited 12-04-2017 06:22 PM
Prior to this you have to create your VRF and VRF route and add it under the interface.
Below is your tacacs config with vrf:
config t
aaa new-model
aaa group server tacacs+ NetworkAdmins
server-private X.X.X.X (tacacs ip address) key 0 cisco (tacacs key)
ip vrf forwarding mgmt (name of your vrf)
aaa authentication login Networking (AD GROUP) group NetworkAdmins (tacacs server group you just created) local
aaa authorization exec Networking group NetworkAdmins local
aaa accounting commands 15 Networking start-stop group NetworkAdmins
line vty 0 15
authorization exec Networking (AD group)
accounting commands 15 Networking
login authentication Networking
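An added Python check, not from this thread or from Cisco, that parses an IOS-style config and flags the misconfigurations the replies above diagnose: an interface bound to a VRF name that is never defined, a legacy tacacs-server host that is not in the VRF of the tacacs source-interface, and an aaa server group that uses server-private without ip vrf forwarding. The sample config is constructed after the original post; the function names and finding texts are this example's own.

```python
import re

# Constructed sample modelled on the thread's config, not the poster's exact running-config.
BROKEN = """\
ip vrf TECHLAB-SWITCHES
interface Vlan753
 ip vrf forwarding tacaces
tacacs-server host 10.124.66.4
ip tacacs source-interface Vlan753
"""

def parse_ios(config):
    # Defined VRFs, "ip vrf forwarding" bindings keyed by (kind, name), legacy
    # tacacs hosts, the tacacs source-interface, and groups using server-private.
    p = {"vrfs": set(), "bound": {}, "hosts": [], "src": None, "groups": set()}
    ctx = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and ctx:  # sub-command of the current interface/group
            if m := re.match(r"ip vrf forwarding (\S+)", line):
                p["bound"][ctx] = m[1]
            elif ctx[0] == "group" and line.startswith("server-private "):
                p["groups"].add(ctx[1])
            continue
        ctx = None  # any top-level command ends the previous context
        if m := re.match(r"ip vrf (\S+)$", line):
            p["vrfs"].add(m[1])
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ("iface", m[1])
        elif m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
            ctx = ("group", m[1])
        elif m := re.match(r"tacacs-server host (\S+)(?: vrf (\S+))?", line):
            p["hosts"].append((m[1], m[2]))
        elif m := re.match(r"ip tacacs source-interface (\S+)", line):
            p["src"] = m[1]
    return p

def lint_tacacs_vrf(config):
    p, out = parse_ios(config), []
    for (kind, name), vrf in p["bound"].items():
        if vrf not in p["vrfs"]:
            out.append(f"{name}: VRF '{vrf}' is not defined")
    src_vrf = p["bound"].get(("iface", p["src"]))
    for host, vrf in p["hosts"]:
        if src_vrf and vrf != src_vrf:
            out.append(f"tacacs-server host {host}: not in VRF '{src_vrf}' of {p['src']}")
    for name in p["groups"]:
        if ("group", name) not in p["bound"]:
            out.append(f"aaa group server tacacs+ {name}: server-private without ip vrf forwarding")
    return out
```

Running lint_tacacs_vrf(BROKEN) reports both problems from the original post; the server-private plus ip vrf forwarding form shown in the last two replies produces no findings.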