Cisco Support Community

New Member

Vlan Access Lists

Hi,

I'm in the process of rolling out TACACS login authentication for some switches on our network. The management vlan on these switches is locked down using a vlan ACL on the core switch. When I add permit tcp any <tacacs-server ip address> eq tacacs and permit udp any <tacacs-server ip address> eq tacacs to the ACL, I can't login to the switch using the TACACS credentials. However, when I add permit ip any <tacacs-server ip address>, I can log in using the TACACS credentials.

Can someone explain why this is the case?

Thanks,


Frank

  • LAN Switching and Routing
3 REPLIES
Cisco Employee

Re: Vlan Access Lists

Hello Frank,

One thing I would certainly verify is whether both queries and replies are allowed by your current VLAN access-map. Because a VLAN access-map disregards any traffic direction itself, you will have to enable both queries and replies in the ACL referenced by the VLAN access-map. In your example provided earlier, you enabled only your switch to contact the TACACS+ server but you did not indicate whether the traffic in the opposite direction was allowed.

The ACL should be of the form:

permit tcp any eq tacacs
permit udp any eq tacacs 
permit tcp eq tacacs any
permit udp eq tacacs any

The second thing to verify is whether the "tacacs" port is correct in your case, i.e. whether all necessary ports have been enabled. You indicated that the TACACS+ starts working when you use "ip" instead of "tcp/udp". That would indicate that the destination port may be incorrect, as "ip" does not check or verify transport protocol ports.

Give it a try please.

Best regards,

Peter
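To make Peter's two points concrete, here is an added example (not part of the thread and not Cisco code): a small stateless ACL matcher in Python that applies first-match, implicit-deny semantics the way a VLAN access-map does, with no notion of direction or connection state. It shows that the one-way ACL from the original post permits the switch's request but drops the server's reply, that adding the reverse entries fixes that, and that a "permit ip" entry matches regardless of port, which is why it would hide a wrong port number. The addresses, the ephemeral port and the ACL shapes are constructed placeholders; only host/any matching and exact ports are modelled.

```python
# Added example: a stateless ACL evaluator illustrating why a VLAN access-map
# needs entries for both directions of a TACACS+ exchange.
from dataclasses import dataclass
from typing import List, Optional

TACACS_PORT = 49  # TACACS+ default port, as confirmed in the thread


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry; a port of None means 'any port'."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or a single host address
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # "ip" matches every transport protocol and ignores ports entirely
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


SERVER = "192.0.2.10"  # constructed placeholder for the TACACS+ server
SWITCH = "192.0.2.20"  # constructed placeholder for the switch management SVI

# Shape of the original post's ACL: only switch -> server is permitted.
one_way = [
    Ace("permit", "tcp", "any", SERVER, dport=TACACS_PORT),
    Ace("permit", "udp", "any", SERVER, dport=TACACS_PORT),
]
# Shape of the suggested fix: the reverse direction is permitted as well.
two_way = one_way + [
    Ace("permit", "tcp", SERVER, "any", sport=TACACS_PORT),
    Ace("permit", "udp", SERVER, "any", sport=TACACS_PORT),
]
# A "permit ip any <server>" entry for comparison: no port check at all.
permit_ip = [Ace("permit", "ip", "any", SERVER)]

# A TACACS+ login is one TCP exchange; the reply carries port 49 as its source.
request = Packet("tcp", SWITCH, 40001, SERVER, TACACS_PORT)
reply = Packet("tcp", SERVER, TACACS_PORT, SWITCH, 40001)


def session_allowed(acl: List[Ace]) -> bool:
    """True only if both halves of the exchange pass the ACL."""
    return evaluate(acl, request) == "permit" and evaluate(acl, reply) == "permit"


if __name__ == "__main__":
    for name, acl in (("one_way", one_way), ("two_way", two_way)):
        print(f"{name}: request={evaluate(acl, request)} "
              f"reply={evaluate(acl, reply)} session_ok={session_allowed(acl)}")
```

Running it prints the request as permitted under both ACLs but the reply as denied under the one-way version, so the login cannot complete there; only the two-way ACL returns session_ok=True. Because a real VACL applies to every packet in the VLAN without regard to direction, the same reasoning holds for any request/response protocol passing through it.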

New Member

Re: Vlan Access Lists

Hi Peter,

Thanks for the reply. I added a separate line to permit traffic in each direction and tacacs is using the default port (port 49), but the problem remains.

Regards,

Frank

Hall of Fame Super Blue

Re: Vlan Access Lists

Frank

Is there a chance you could log the following acl entry -

permit ip any ,

you would then see what additional ports (if any) it was using to allow the request.

Jon
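Following Jon's suggestion to log the broad entry and read off which ports are actually in use, here is an added example (not from the thread and not Cisco code) that parses IOS ACL-logging messages of the standard %SEC-6-IPACCESSLOGP form and tallies, per protocol, the ports seen on the server side of each logged flow. The log lines, the ACL name MGMT-VLAN and the addresses are constructed for the example; a practitioner would feed it the switch's real syslog output instead.

```python
# Added example: summarise the ports seen in IOS ACL log messages so that a
# temporary "permit ip any <host> log" entry can be replaced by specific ones.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Standard IOS message for logged TCP/UDP hits on an access list, e.g.
# %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.1(1024) -> 10.0.0.2(49), 1 packet
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one ACL log message, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def port_summary(lines: List[str], server: str) -> Counter:
    """Count packets per (proto, direction, server-side port) for flows touching server."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] == server:
            key: Tuple[str, str, int] = (rec["proto"], "to", rec["dport"])
        elif rec["src"] == server:
            key = (rec["proto"], "from", rec["sport"])
        else:
            continue  # flow does not involve the server; ignore
        counts[key] += rec["count"]
    return counts


# Constructed sample syslog output; not captured from a real device.
SAMPLE_LOG = [
    "Jan  1 00:00:01: %SEC-6-IPACCESSLOGP: list MGMT-VLAN permitted tcp "
    "192.0.2.20(40001) -> 192.0.2.10(49), 1 packet",
    "Jan  1 00:00:01: %SEC-6-IPACCESSLOGP: list MGMT-VLAN permitted tcp "
    "192.0.2.10(49) -> 192.0.2.20(40001), 3 packets",
    "Jan  1 00:00:02: %SEC-6-IPACCESSLOGP: list MGMT-VLAN permitted udp "
    "192.0.2.20(50000) -> 192.0.2.10(49), 1 packet",
    "Jan  1 00:00:03: %SEC-6-IPACCESSLOGP: list MGMT-VLAN denied tcp "
    "198.51.100.5(1234) -> 192.0.2.20(23), 1 packet",
    "Jan  1 00:00:04: %SYS-5-CONFIG_I: Configured from console by admin",
]

if __name__ == "__main__":
    for (proto, direction, port), n in sorted(port_summary(SAMPLE_LOG, "192.0.2.10").items()):
        print(f"{proto} {direction} server port {port}: {n} packet(s)")
```

On the constructed sample the summary shows TCP and UDP traffic to server port 49 and TCP replies from port 49, and nothing else, which is the evidence needed before narrowing the ACL back down to explicit entries in both directions. Lines that are not ACL log messages, or that do not involve the server address, are skipped rather than counted.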
