07-11-2024 01:21 AM
Hi
I am trying to configure Tacacs access to ASR9900 (7.11.1) series device through both default and mgmt vrf. Default will be the primary since it will be first in the aaa authentication order.
I would like the tacacs request from default to be created by the Loopback 0, but I figured that would mess with tacacs access through Mgmt vrf since all requests would be sent from loopback 0.
Is there a way to create a source-interface per vrf for tacacs?
Other option I see is that I do not set a source-interface, but then the egress interfaces would send requests to the tacacs server instead of the loopback as I see it.
Regards
07-11-2024 03:22 AM
@oscardenizjensen wrote: Hi
I am trying to configure Tacacs access to ASR9900 (7.11.1) series device through both default and mgmt vrf. Default will be the primary since it will be first in the aaa authentication order.
I would like the tacacs request from default to be created by the Loopback 0, but I figured that would mess with tacacs access through Mgmt vrf since all requests would be sent from loopback 0.
Is there a way to create a source-interface per vrf for tacacs?
Other option I see is that I do not set a source-interface, but then the egress interfaces would send requests to the tacacs server instead of the loopback as I see it.
Regards
You need to leverage VRF-aware TACACS configuration. Start by setting the source interface to Loopback 0 for TACACS requests from the default VRF, ensuring that these requests use Loopback 0 as their source interface. For the management VRF, configure a different source interface specific to that VRF.
This approach allows you to maintain separate source interfaces for each VRF, preventing the management VRF requests from being affected by the default VRF configuration. By not setting a source interface, the egress interfaces would send requests to the TACACS server, but this might not align with your network design.
Therefore, configuring distinct source interfaces per VRF is a more effective solution to ensure proper TACACS functionality across both default and management VRFs.
07-11-2024 05:49 AM
Ahhhh the vrf command comes after you specify the interface. Normally you have to define vrf before specifying interface so I never tried it.
So it would look like this then right?
tacacs source-interface Loopback0
tacacs source-interface MgmtEth0/RP0/CPU0/0 vrf OOBM
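Below is an added IOS XR configuration example that puts the per-VRF source-interface lines above together with the server groups and authentication order described in the reply; it is not the poster's configuration or the answerer's. The group names TAC-DEFAULT and TAC-OOBM, the server addresses (documentation ranges) and the key placeholder are assumptions, and the trailing local fallback is a common practice rather than something the thread states.

```text
! Added example, not the configuration from this thread.
! Group names, server addresses and the key placeholder are assumptions.

! TACACS+ servers reached through the global (default) VRF
aaa group server tacacs+ TAC-DEFAULT
 server-private 192.0.2.10 port 49
  key 0 <tacacs-key-placeholder>
 !
!
! TACACS+ servers reached only through the management VRF
aaa group server tacacs+ TAC-OOBM
 vrf OOBM
 server-private 198.51.100.10 port 49
  key 0 <tacacs-key-placeholder>
 !
!
! One source interface per VRF: requests in the default VRF are sourced
! from Loopback0, requests in VRF OOBM from the management Ethernet port.
tacacs source-interface Loopback0
tacacs source-interface MgmtEth0/RP0/CPU0/0 vrf OOBM
!
! Default VRF servers first, management VRF servers second,
! local users last (assumed fallback so the box stays reachable
! if neither TACACS+ path is up).
aaa authentication login default group TAC-DEFAULT group TAC-OOBM local
aaa authorization exec default group TAC-DEFAULT group TAC-OOBM local
```

After committing, `show tacacs` lists each configured server with its VRF and reachability state, which is the quickest way to confirm that the OOBM server is being reached through the management VRF rather than the global table.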