Cisco Support Community
New Member

Out-of-band management interface on 4500X

Each of the 4500X switches in our stack has a Fa1 interface next to the serial console port.  My understanding is that this is to be used for out-of-band management of the switch.  Here's the configuration of the interface:

interface FastEthernet1
 vrf forwarding mgmtVrf
 ip address 172.21.2.30 255.255.255.0
 speed auto
 duplex auto
end

The vrf configuration was default.  The only thing I changed was the ip address information.  My question relates to things like domain-lookup and TACACS.  I cannot seem to use this interface for those functions.  Even if I add the following global configuration to my switch:

ip domain-lookup source-interface Fa1
ip tacacs-server source-interface Fa1

the switch is unable to communicate with either the DNS servers referenced by the ip name-server command or the TACACS+ servers referenced in the tacacs server profile section.

In the case of TACACS, the following debug output is produced when I attempt to login using TACACS:

*Aug 29 10:24:58.874: TPLUS: Queuing AAA Authentication request 38 for processing
*Aug 29 10:24:58.874: TPLUS: processing authentication start request id 38
*Aug 29 10:24:58.874: TPLUS: Authentication start packet created for 38(sdavidso)
*Aug 29 10:24:58.874: TPLUS: Using server 172.19.40.31
*Aug 29 10:24:58.874: TPLUS(00000026)/0: Connect Error No route to host
*Aug 29 10:24:58.874: TPLUS: Choosing next server 172.19.40.32
*Aug 29 10:24:58.874: TPLUS(00000026)/0: Connect Error No route to host
*Aug 29 10:25:05.539: TPLUS: Queuing AAA Authentication request 38 for processing
*Aug 29 10:25:05.539: TPLUS: processing authentication start request id 38
*Aug 29 10:25:05.539: TPLUS: Authentication start packet created for 38(sdavidso)
*Aug 29 10:25:05.539: TPLUS: Using server 172.19.40.31
*Aug 29 10:25:05.539: TPLUS(00000026)/0: Connect Error No route to host
*Aug 29 10:25:05.539: TPLUS: Choosing next server 172.19.40.32
*Aug 29 10:25:05.539: TPLUS(00000026)/0: Connect Error No route to host

This output shows that I can ping the TACACS servers:

HQ-4500X-SW1#ping vrf mgmtVrf 172.19.40.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.40.31, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

HQ-4500X-SW1#ping vrf mgmtVrf 172.19.40.32
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.40.32, timeout is 2 seconds:
!!!!!

Is it deliberate that the Fa1 interface cannot be used for these types of functions or is there something I can do to my configuration to make this work?

Thanks,

Steven

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Out-of-band management interface on 4500X

Since you can reach the remote TACACS server I assume you created a default route for the mgmtVrf:

     ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 <next-hop>

The other bit you may need to address is in config-sg-tacacs mode:

     ip vrf forwarding mgmtVrf

6 REPLIES
New Member

Out-of-band management interface on 4500X

Marvin,


Thanks for the response.  I have the following route statement in my configuration which enables the device to communicate across L3:

ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 172.21.2.1

I'm not sure what you mean by config-sg-tacacs.  Is that supposed to be a global command in configuration mode or EXEC mode?  I cannot locate anything like that at the CLI.


Regards,

Steven

Hall of Fame Super Silver

Out-of-band management interface on 4500X

Sorry that was unclear.

When you are configuring the "aaa group server tacacs+", your prompt should change to indicate you are in the "config-sg-tacacs" (abbreviation for "configuration security group tacacs+") mode.

New Member

Re: Out-of-band management interface on 4500X

No worries.  It's not that you were unclear.  It's that I've been so incredibly lazy that I haven't stopped using the commands that Cisco says will be "deprecated soon".  Now here's my current configuration (as it relates to aaa authentication):

aaa new-model
!
!
aaa group server tacacs+ DEED
  ip vrf forwarding mgmtVrf
  ip tacacs source-interface FastEthernet1
!
aaa authentication login DEED group tacacs+ enable group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
tacacs server fnb-acs-pri
  address ipv4 172.19.40.31
  key 7
!
tacacs server fnb-acs-sec
  address ipv4 172.19.40.32
  key 7
!
line vty 0 4
  exec-timeout 15 0
  password 7
  login authentication DEED
  length 0
  transport input ssh

This configuration doesn't work.  I still get the "No route to host" debug output.

New Member

Re: Out-of-band management interface on 4500X

Marvin,


I finally got this to work.  See below for the complete configuration I used which results in a successful login (and an additional prompt to enter enable mode).  I don't understand the difference between defining the servers under the server group mode vs. defining them with the "tacacs server " method but that seems to be one of the issues I was running up against.  aaa configuration on IOS is as clear as mud to me :-)  Thanks for your help.

aaa new-model
!
aaa group server tacacs+ DEED
 server-private 172.19.40.32 key 7
 server-private 172.19.40.31 key 7
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login default group DEED local
aaa authentication enable default group DEED
!
interface FastEthernet1
 vrf forwarding mgmtVrf
 ip address 172.21.2.30 255.255.255.0
 speed auto
 duplex auto
end
!
line vty 0 4
 exec-timeout 15 0
 password 7
 login authentication DEED
 length 0
 transport input ssh

Hall of Fame Super Silver

Re: Out-of-band management interface on 4500X

Glad it helped, thanks for the rating.

AAA setup isn't so hard but Cisco made it a bit confusing with the new syntax - many folks' templates they've been using for a long time might still work but certain features such as the newer management VRF bits need to have everything in the new model to work properly.

Regards.
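The rule that emerges from this thread (the VRF binding, the source interface and the server definitions all have to sit inside the server group, and the method lists have to name that group rather than the implicit "group tacacs+") can be checked mechanically before a change window. The following is an added example, not code from the thread or from Cisco: a small Python lint that walks an IOS-style configuration and flags exactly those mismatches. The two embedded configurations are constructed from the snippets posted above with the keys redacted; the finding codes, the normalize_intf shortcut that treats "Fa1" and "FastEthernet1" as the same port, and the assumption that a config section ends at "!" or at the next section header are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the two AAA snippets posted in this thread (first attempt, working version); keys redacted.
BROKEN_CONFIG = """\
aaa group server tacacs+ DEED
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login DEED group tacacs+ enable group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
tacacs server fnb-acs-pri
 address ipv4 172.19.40.31
 key 7 <redacted>
!
interface FastEthernet1
 vrf forwarding mgmtVrf
"""
FIXED_CONFIG = """\
aaa group server tacacs+ DEED
 server-private 172.19.40.32 key 7 <redacted>
 server-private 172.19.40.31 key 7 <redacted>
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login default group DEED local
aaa authentication enable default group DEED
!
interface FastEthernet1
 vrf forwarding mgmtVrf
"""


@dataclass
class ServerGroup:
    name: str
    vrf: Optional[str] = None                                 # 'ip vrf forwarding X' inside the group
    source_intf: Optional[str] = None                         # 'ip tacacs source-interface X'
    private_servers: List[str] = field(default_factory=list)  # 'server-private A.B.C.D ...'
    global_refs: List[str] = field(default_factory=list)      # 'server name X' or legacy 'server A.B.C.D'


def normalize_intf(name: str) -> str:
    """'Fa1' and 'FastEthernet1' are the same port: two-letter type plus number (assumption, good enough here)."""
    m = re.match(r"([A-Za-z]+)(.*)", name)
    return m.group(1)[:2].lower() + m.group(2)


def parse_config(text: str):
    """Section-by-section walk; indentation is ignored (a section ends at '!', 'end' or the next header)."""
    intf_vrf, groups, auth_lists, section = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):
            section = None
        elif m := re.match(r"interface (\S+)$", line):
            section = ("interface", normalize_intf(m.group(1)))
        elif m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
            groups[m.group(1)] = ServerGroup(m.group(1))
            section = ("group", groups[m.group(1)])
        elif m := re.match(r"aaa authentication (login|enable) (\S+) (.+)$", line):
            auth_lists[(m.group(1), m.group(2))] = m.group(3).split()  # method tokens, e.g. group DEED local
            section = None
        elif section is None:
            continue  # any other global command is irrelevant to this check
        elif section[0] == "interface":
            if m := re.match(r"(?:ip )?vrf forwarding (\S+)", line):
                intf_vrf[section[1]] = m.group(1)
        else:  # inside 'aaa group server tacacs+'
            g = section[1]
            if m := re.match(r"ip vrf forwarding (\S+)", line):
                g.vrf = m.group(1)
            elif m := re.match(r"ip tacacs source-interface (\S+)", line):
                g.source_intf = normalize_intf(m.group(1))
            elif m := re.match(r"server-private (\S+)", line):
                g.private_servers.append(m.group(1))
            elif m := re.match(r"server (?:name )?(\S+)", line):
                g.global_refs.append(m.group(1))
    return intf_vrf, groups, auth_lists


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the VRF/AAA wiring is consistent."""
    intf_vrf, groups, auth_lists = parse_config(text)
    findings = []
    for g in groups.values():
        src_vrf = intf_vrf.get(g.source_intf) if g.source_intf else None
        if src_vrf and g.vrf != src_vrf:
            findings.append(("VRF_MISMATCH", f"group {g.name}: source interface is in vrf {src_vrf}, group is bound to {g.vrf or 'the global table'}"))
        if g.vrf and g.global_refs:
            findings.append(("GLOBAL_SERVERS", f"group {g.name}: bound to vrf {g.vrf} but refers to global servers {g.global_refs}; use server-private"))
        if g.vrf and not (g.private_servers or g.global_refs):
            findings.append(("NO_SERVERS", f"group {g.name}: bound to vrf {g.vrf} but lists no servers"))
    vrf_groups = [n for n, g in groups.items() if g.vrf]
    for (kind, name), methods in auth_lists.items():
        refs = [methods[i + 1] for i, tok in enumerate(methods[:-1]) if tok == "group"]
        if vrf_groups and "tacacs+" in refs:
            findings.append(("IMPLICIT_GROUP", f"aaa authentication {kind} {name}: uses implicit 'group tacacs+', not the VRF-bound group(s) {vrf_groups}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("first attempt", BROKEN_CONFIG), ("working", FIXED_CONFIG)):
        print(f"{label}: {lint(cfg) or 'no findings'}")
```

Run against a saved "show running-config", the first-attempt config yields NO_SERVERS for group DEED (the VRF binding applies to an empty group while the real servers are defined globally) and IMPLICIT_GROUP for both method lists; the working config yields nothing. The parser deliberately ignores indentation so that a config pasted with its leading spaces stripped, as the working one in this thread was, is handled the same way.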
