Cisco Support Community
Tacacs in VRF

I am trying to manage this switch WS-C3550-24PWR-SMI version 12.1(22)EA5 from a loopback within a VRF on the switch. I can see the connection hitting the TACACS box, but I get the error below on the switch. Could it be a bug on the switch?

Logs

7w4d: TAC+: Opening TCP/IP to 10.124.66.4/49 timeout=5
37w4d: TAC+: TCP/IP open to 10.124.66.4/49 failed -- Connection timed out; remote host not responding

Config

ip vrf TECHLAB-SWITCHES
 rd 400:400

interface Vlan753
 ip vrf forwarding tacaces
 ip address 10.30.3.6 255.255.255.0

tacacs-server host 10.124.66.4
tacacs-server key Premier_League
ip tacacs source-interface Vlan753

tacacs-server host 10.104.66.4

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

9 REPLIES

Re: Tacacs in VRF

Also, I can telnet from the VLAN interface from within the VRF to the TACACS server on port 49 successfully.

Hall of Fame Super Silver

Re: Tacacs in VRF

Hello Francisco,

If supported, you should add the vrf vrf-name to the tacacs host command:

tacacs-server host 10.124.66.4 vrf TECHLAB-SWITCHES

For example, for NTP in a VRF you need to add the vrf vrf-name to the standard command.

Hope to help

Giuseppe

Re: Tacacs in VRF

I don't have the vrf command available after the tacacs host IP below!

tacacs-server host 10.124.66.4 [vrf]

Hall of Fame Super Bronze

Re: Tacacs in VRF

francisco_1 wrote:

I am trying to manage this switch WS-C3550-24PWR-SMI version 12.1(22)EA5 from a loopback within a VRF on the switch. I can see the connection hitting the TACACS box, but I get the error below on the switch. Could it be a bug on the switch?

Logs

7w4d: TAC+: Opening TCP/IP to 10.124.66.4/49 timeout=5
37w4d: TAC+: TCP/IP open to 10.124.66.4/49 failed -- Connection timed out; remote host not responding

Config

ip vrf TECHLAB-SWITCHES
 rd 400:400

interface Vlan753
 ip vrf forwarding tacaces
 ip address 10.30.3.6 255.255.255.0

tacacs-server host 10.124.66.4
tacacs-server key Premier_League
ip tacacs source-interface Vlan753

tacacs-server host 10.104.66.4

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Per your config, the TACACS server is in the global routing table and Vlan 753 is in the TACACES VRF.

I'm not sure how you are leaking the routing table but if you are looking for 'Per VRF for TACACS+' implementation, this feature is not supported on 3xxx switches.

Please refer to this documentation: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html

Regards

Edison.

Re: Tacacs in VRF

I have a default route

ip route vrf TECHLAB-SWITCHES 0.0.0.0 0.0.0.0 10.30.3.1

Hall of Fame Super Bronze

Re: Tacacs in VRF

But your vrf name under the Vlan is different:

interface Vlan753
 ip vrf forwarding tacaces
 ip address 10.30.3.6 255.255.255.0

Can you post the routing table output from the GRT and the VRF, and also a ping output from Vlan 753 toward the TACACS server?

If you have access to the TACACS server, can you also post the ping output from there?

Re: Tacacs in VRF

switch#sh ip route vrf TECHLAB-SWITCHES
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 18:51:48.211 GMT Mon Dec 7 2009

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.30.3.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.30.3.0 is directly connected, Vlan753
S*   0.0.0.0/0 [1/0] via 10.30.3.1

switch#sh ip route
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 18:52:08.171 GMT Mon Dec 7 2009

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.30.90.254 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.30.90.0 is directly connected, Vlan790
C       10.30.91.0 is directly connected, Vlan791
S*   0.0.0.0/0 [1/0] via 10.30.90.254

Hall of Fame Super Bronze

Re: Tacacs in VRF

Your GRT and VRF table have different default gateways, and this could be causing the problem.

BTW, if you upgrade to 12.2(44)SEx, you should be able to use Per VRF TACACS+ as I posted before.

The document should be updated to include 12.2SE support. I tested the commands on a switch here. I don't have a TACACS+ server, so I couldn't duplicate your problem, but you should give it a try.

Regards

Edison.

New Member

Tacacs in VRF

Hi guys, I came across this problem. We can solve it by just adding the VRF in the TACACS configuration, e.g. if you have the TACACS server 10.0.0.1:

======================================================

aaa group server tacacs+ JERRY        -> put your tacacs server in a group name
 server-private 10.0.0.1              -> mention your tacacs server
 ip vrf forwarding TOM                -> the VRF name

======================================================

The rest is the same, except you put in the group thingy:

======================================================

aaa authentication login default group TEST local
aaa authentication login NO_AUTHEN local none
aaa authentication enable default group TEST enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TEST local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group TEST local
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 7 NO_AUTHOR none
aaa authorization commands 15 default group TEST local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default
 action-type start-stop
 group tacacs+
 group TEST
!
aaa accounting commands 1 default
 action-type start-stop
 group tacacs+
 group TEST
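As an added example (not code from the thread or from Cisco), a small Python checker that applies the two diagnoses given above to a pasted IOS config: it flags an `ip vrf forwarding` name that no `ip vrf` line defines (the tacaces vs TECHLAB-SWITCHES mismatch) and a TACACS+ source interface that sits in a VRF while the servers are only defined in the global table instead of under an `aaa group server tacacs+` with `server-private`. The two sample configs are constructed; the group name TECHLAB-TACACS is an assumption.

```python
import re

def check_tacacs_vrf(config):
    """Return findings on TACACS+/VRF consistency in an IOS config (indented or flattened)."""
    vrfs, ifaces, groups, hosts, src = set(), {}, {}, [], None
    ctx = None  # ("interface", name) or ("group", name) while inside that block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"interface (\S+)", line):
            ctx = ("interface", m[1]); ifaces.setdefault(m[1], None)
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            ctx = ("group", m[1]); groups.setdefault(m[1], {"vrf": None, "servers": []})
        elif m := re.match(r"ip vrf (\S+)$", line):            # VRF definition
            vrfs.add(m[1]); ctx = None
        elif m := re.match(r"ip vrf forwarding (\S+)", line):  # VRF membership of the block
            if ctx and ctx[0] == "interface": ifaces[ctx[1]] = m[1]
            elif ctx and ctx[0] == "group": groups[ctx[1]]["vrf"] = m[1]
        elif m := re.match(r"server-private (\S+)", line):      # per-VRF server in a group
            if ctx and ctx[0] == "group": groups[ctx[1]]["servers"].append(m[1])
        elif m := re.match(r"tacacs-server host (\S+)", line):  # global (GRT) server
            hosts.append(m[1]); ctx = None
        elif m := re.match(r"ip tacacs source-interface (\S+)", line):
            src = m[1]
        elif not raw[:1].isspace():
            ctx = None  # any other top-level command ends the current block
    findings = []
    for name, vrf in ifaces.items():
        if vrf and vrf not in vrfs:
            findings.append(f"{name}: VRF '{vrf}' is not defined with 'ip vrf' (typo?)")
    src_vrf = ifaces.get(src)
    if src_vrf and hosts and not any(g["vrf"] == src_vrf and g["servers"] for g in groups.values()):
        findings.append(f"source-interface {src} is in VRF '{src_vrf}' but tacacs-server host "
                        f"{hosts} is only in the global table; use an aaa group with server-private")
    return findings

# Constructed samples: BROKEN mirrors the thread's config, FIXED applies the per-VRF fix.
BROKEN = """ip vrf TECHLAB-SWITCHES
interface Vlan753
 ip vrf forwarding tacaces
tacacs-server host 10.124.66.4
ip tacacs source-interface Vlan753
"""
FIXED = """ip vrf TECHLAB-SWITCHES
interface Vlan753
 ip vrf forwarding TECHLAB-SWITCHES
aaa group server tacacs+ TECHLAB-TACACS
 server-private 10.124.66.4
 ip vrf forwarding TECHLAB-SWITCHES
 ip tacacs source-interface Vlan753
"""
```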
