Tacacs Source interface for Default and Vrf possible?

Hi
I am trying to configure Tacacs access to ASR9900 (7.11.1) series device through both default and mgmt vrf. Default will be the primary since it will be first in the aaa authentication order.

I would like the tacacs request from default to be created by the Loopback 0, but I figured that would mess with tacacs access through Mgmt vrf since all requests would be sent from loopback 0.

Is there a way to create a source-interface per vrf for tacacs?

The other option I see is that I do not set a source-interface, but then the egress interfaces would send requests to the tacacs server instead of the loopback as I see it.

Regards 

2 Replies

antisocial11224
Spotlight

@oscardenizjensen wrote: (quoting the original post above)


You need to leverage VRF-aware TACACS configuration. Start by setting the source interface to Loopback 0 for TACACS requests from the default VRF, ensuring that these requests use Loopback 0 as their source interface. For the management VRF, configure a different source interface specific to that VRF.

This approach allows you to maintain separate source interfaces for each VRF, preventing the management VRF requests from being affected by the default VRF configuration. By not setting a source interface, the egress interfaces would send requests to the TACACS server, but this might not align with your network design.

Therefore, configuring distinct source interfaces per VRF is a more effective solution to ensure proper TACACS functionality across both default and management VRFs.
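To make the per-VRF approach concrete, here is an added illustration of how the two source-interface lines fit into a complete IOS XR AAA setup. This is not config from the thread or from Cisco documentation; the server addresses (documentation ranges), the server group names TAC-DEFAULT and TAC-OOBM and the placeholder key are assumptions, while the VRF name OOBM and the interface names come from the thread.

```text
! Added example, not the poster's running config. Server IPs, group names and key are assumed.
! TACACS+ server reachable through the default VRF (global routing table)
tacacs-server host 192.0.2.10 port 49
 key 0 EXAMPLE-KEY-REPLACE-ME
!
! TACACS+ server reachable only through the management VRF
tacacs-server host 198.51.100.10 port 49
 key 0 EXAMPLE-KEY-REPLACE-ME
!
aaa group server tacacs+ TAC-DEFAULT
 server 192.0.2.10
!
aaa group server tacacs+ TAC-OOBM
 vrf OOBM
 server 198.51.100.10
!
! Method list order: default-VRF servers first, then the OOBM group, then local accounts
aaa authentication login default group TAC-DEFAULT group TAC-OOBM local
aaa authorization exec default group TAC-DEFAULT group TAC-OOBM local
!
! One source interface per VRF: requests routed in the global table leave from
! Loopback0, requests routed in VRF OOBM leave from the management Ethernet port
tacacs source-interface Loopback0
tacacs source-interface MgmtEth0/RP0/CPU0/0 vrf OOBM
```

The line without a vrf keyword applies to servers reached through the default VRF and the line with vrf OOBM applies only to servers in that VRF, so the management-plane requests are no longer sourced from Loopback0. Keeping local as the last method in the list means a TACACS outage on both paths still leaves a way to log in, and the server addresses configured on the TACACS side must match the source addresses these two interfaces carry, otherwise the requests are silently rejected.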

Ahhhh the vrf command comes after you specify the interface. Normally you have to define vrf before specifying interface so I never tried it. 

So it would look like this then right?
tacacs source-interface Loopback0
tacacs source-interface MgmtEth0/RP0/CPU0/0 vrf OOBM
