DCNM 11 no remote authentication works in 172.17./16 or 172.18./16 network
I ran into a big problem with DCNM 11.
Situation: I have two bare metal servers installed with DCNM as native-HA. Both have IP addresses for eth0 (management) and eth1 (Switch Management).
DCNM1 eth0 has 10.10.11.1/24
DCNM2 eth0 has 10.10.11.2/24
DCNM VIP has 10.10.11.3/24
Our Radius Server has 172.17.0.100/16
Problem: If I configure the AAA Radius Server and test the authentication, no packets are leaving the DCNM. If I configure LDAP (10.10.20.1/24), packets are leaving DCNM.
DCNM has two virtual network adapters named "docker0" and "docker_gwbridge". The IP address of "docker0" is 172.17.0.1/16. This is the reason why my radius requests are not going out of the DCNM. They are routed internally. Does anyone have a solution for that problem? It would be nice if you could configure both networks in setup, too.
DCNM routing table:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 eth0
10.10.11.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.99.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 eth0
link-local      0.0.0.0         255.255.0.0     U     1007   0        0 eth1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker_gwbridge
As a workaround, I configured a script on both servers to add a host route. This works for me, but a general solution would be preferred. Configuring the route only with "route add...." adds a temporary route. After rebooting the server, the route is deleted. This is why I add the route in the script.
[root@dcnm01 ~]# vi /etc/rc.local
insert: "/sbin/ip route add 172.17.0.100/32 via 10.10.11.254 dev eth0"
[root@dcnm01 ~]# chmod +x /etc/rc.d/rc.local

[root@dcnm02 ~]# vi /etc/rc.local
insert: "/sbin/ip route add 172.17.0.100/32 via 10.10.11.254 dev eth0"
[root@dcnm02 ~]# chmod +x /etc/rc.d/rc.local
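Added example, not part of the original post and not Cisco code: a longest-prefix-match check over the routing table quoted above, showing why the RADIUS server at 172.17.0.100 is captured by docker0 while the LDAP server is not, and how the /32 host route changes the result. The numeric table is constructed from the post; the default gateway 10.10.11.254 is an assumption taken from the workaround command, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample: the routing table from the post in numeric form.
# Assumption: the default gateway is 10.10.11.254 (taken from the workaround).
ROUTES = """\
0.0.0.0      10.10.11.254  0.0.0.0        eth0
10.10.11.0   0.0.0.0       255.255.255.0  eth0
10.10.99.0   0.0.0.0       255.255.255.0  eth1
169.254.0.0  0.0.0.0       255.255.0.0    eth0
172.17.0.0   0.0.0.0       255.255.0.0    docker0
172.18.0.0   0.0.0.0       255.255.0.0    docker_gwbridge
"""

def parse_routes(text):
    """Turn 'dest gateway genmask iface' lines into (network, gateway, iface)."""
    routes = []
    for line in text.splitlines():
        if line.strip():
            dest, gateway, mask, iface = line.split()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway, iface))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, as the kernel does: the most specific route wins."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def egress(routes, addr):
    """Interface a packet to addr would leave on, or None if unroutable."""
    hit = lookup(routes, addr)
    return hit[2] if hit else None

def shadowed(routes, servers, bridge_prefix="docker"):
    """Servers whose best route is a local container bridge, not a real NIC."""
    return [s for s in servers if (egress(routes, s) or "").startswith(bridge_prefix)]

def with_host_route(routes, addr, gateway, iface):
    """Copy of the table plus a /32 route, like 'ip route add <addr>/32 via ...'."""
    return routes + [(ipaddress.ip_network(f"{addr}/32"), gateway, iface)]

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    aaa = ["172.17.0.100", "10.10.20.1"]  # RADIUS and LDAP servers from the post
    print("shadowed before:", shadowed(table, aaa))
    fixed = with_host_route(table, "172.17.0.100", "10.10.11.254", "eth0")
    print("shadowed after: ", shadowed(fixed, aaa))
```

The host route only rescues the single /32 address: any other AAA or syslog server inside 172.17.0.0/16 or 172.18.0.0/16 would still be delivered to the bridge.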