I'm in the process of rolling out TACACS login authentication for some switches on our network. The management VLAN on these switches is locked down using a VLAN ACL on the core switch. When I add permit tcp any <tacacs-server ip address> eq tacacs and permit udp any <tacacs-server ip address> eq tacacs to the ACL, I can't log in to the switch using the TACACS credentials. However, when I add permit ip any <tacacs-server ip address>, I can log in using the TACACS credentials.
One thing I would certainly verify is whether both queries and replies are allowed by your current VLAN access-map. Because a VLAN access-map disregards any traffic direction itself, you will have to enable both queries and replies in the ACL referenced by the VLAN access-map. In your example provided earlier, you enabled only your switch to contact the TACACS+ server but you did not indicate whether the traffic in the opposite direction was allowed.
The ACL should be of the form:
permit tcp any host <tacacs-server ip address> eq tacacs
permit udp any host <tacacs-server ip address> eq tacacs
permit tcp host <tacacs-server ip address> eq tacacs any
permit udp host <tacacs-server ip address> eq tacacs any
Second thing to verify is whether the "tacacs" port is correct in your case, i.e. whether all necessary ports have been enabled. You indicated that TACACS+ starts working when you use "ip" instead of "tcp/udp". That would indicate that the destination port may be incorrect, as "ip" does not check or verify transport-protocol ports.
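The two checks in the answer above, modelled as an added example (this is not code from the original poster, the answerer or Cisco): a VLAN access-map applies the referenced ACL to every frame on the VLAN with no direction and no connection state, so the TACACS+ reply from the server has to match a permit entry just like the query does, and an `eq tacacs` entry only matches if the server really listens on port 49. The switch and server addresses 10.0.0.5 and 10.0.0.49 are constructed placeholders, and the small parser covers only the `any`, `host` and wildcard-mask forms used here.

```python
"""Stateless evaluation of an IOS-style extended ACL, the way a VLAN access-map
applies it.  Added example for this thread, not code from the original poster.
Addresses are constructed placeholders: 10.0.0.5 is the switch's management
SVI, 10.0.0.49 is the TACACS+ server."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"tacacs": 49}   # IOS port keyword used on this page (TCP/UDP 49)
SWITCH = "10.0.0.5"           # constructed placeholder
SERVER = "10.0.0.49"          # constructed placeholder


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse one entry such as 'permit tcp any host 10.0.0.49 eq tacacs'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ipaddress.ip_network("0.0.0.0/0")
        if rest[0] == "host":
            net = ipaddress.ip_network(rest[1] + "/32")
            rest = rest[2:]
            return net
        # IOS wildcard mask: set bits are "don't care", so invert it to a netmask.
        wild = int(ipaddress.ip_address(rest[1]))
        mask = ipaddress.ip_address(wild ^ 0xFFFFFFFF)
        net = ipaddress.ip_network(f"{rest[0]}/{mask}", strict=False)
        rest = rest[2:]
        return net

    def take_port() -> Optional[int]:
        nonlocal rest
        if proto != "ip" and rest[:1] == ["eq"]:
            name = rest[1]
            rest = rest[2:]
            return PORT_NAMES.get(name) or int(name)
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(action, proto, src, sport, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; the list ends in an implicit deny, as in IOS."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def tacacs_login_works(acl_lines: List[str], server_port: int = 49) -> bool:
    """The access-map sees both halves of the TCP session and keeps no state,
    so the login succeeds only if the query AND the reply are each permitted."""
    acl = [parse_ace(line) for line in acl_lines]
    query = Packet("tcp", SWITCH, 40000, SERVER, server_port)
    reply = Packet("tcp", SERVER, server_port, SWITCH, 40000)
    return evaluate(acl, query) == "permit" and evaluate(acl, reply) == "permit"


# Only the switch -> server direction, as in the question.
ONE_WAY = [f"permit tcp any host {SERVER} eq tacacs",
           f"permit udp any host {SERVER} eq tacacs"]
# Both directions, as the answer recommends.
TWO_WAY = ONE_WAY + [f"permit tcp host {SERVER} eq tacacs any",
                     f"permit udp host {SERVER} eq tacacs any"]

if __name__ == "__main__":
    print("one-way ACL:", tacacs_login_works(ONE_WAY))        # False
    print("two-way ACL:", tacacs_login_works(TWO_WAY))        # True
    print("server not on port 49:", tacacs_login_works(TWO_WAY, 4949))  # False
```

The same logic holds however the ACL is wired in: with `vlan access-map` / `match ip address` / `action forward` and `vlan filter` on the core switch, a frame that no forward clause matches is dropped, so a missing reply-direction entry silently kills the session rather than producing a log line on the switch. If the two-way ACL still fails, run the third case above with the port the TACACS+ daemon actually listens on; that reproduces the second check in the answer.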