cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1683
Views
0
Helpful
2
Replies

Nexus 7k TACACS+ multiple VDC's

Dave Mumford
Level 1
Level 1

Hi ,

Currently our DC Nexus 7K's use local authentication, we want to move this to TACACS+. We have done this with our Nexus 5k's without issue.

 

Some background , we use mgmt0 for remote OOB access via the internet, when connecting internally we connect to a standard SVI interface. When we changed the Nexus 5k's to TACACS+ we can successfully connect via OOB (mgmt0) or internally via an SVI using TACACS+. This does confuse me a bit as the mgmt0 interface is in managament VRF and SVI in the default vrf , and routing to TACACS+ server in management vrf is via  a default route towards our firewall/internet , but must be using the default vrf for routing to the TACACS server (we have no route-leaking configured between vrfs)

 

Anyhow main problem is on the N7Ks. We have 4 vdc's , Admin , Prod , OTV and DMZ. OOB access is via mgmt0 interface in admin vdc (same network as used in N5k's) where we have to switchto vdc's. Internal access is via SVI's. When implementing TACACS+ on a vdc (have only done this on prod vdc) TACACS+ works fine from internal to the SVI, but access via OOB no longer works via the local username configured and also neither via TACACS user/password. In Cisco documentation it says "All AAA configuration and operations are local to the virtual device context (VDC)," Only reason I can think this isnt working is because the TACACS+ server is not reachable from mgmt0 management VRF.

 

So my question is is what I am trying to achieve possible on N7K with multiple vdc's using mgmt0 via OOB and SVI internally connecting using TACACS+ ?

 

We are running version 7.3.0.DX.1.. soon to be upgraded to latest 7.3.4.D1.1

Any help appreciated.

 

Thanks,

Dave.

2 Replies 2

Nico.Sauerbrey
Level 1
Level 1

can u do:

sh run tacacs+

there should be something like this in the output:

ip tacacs source-interface mgmt0

 

(this forces to use mgmt0-interface to communicate with the tacacs+-server)


do you have a mgmt0 configured on each vdc, or just on admin vdc?
try this to find out:

(login to admin-vdc)
switchto vdc prod
sh run int mgmt0

 

Hi Nico,

 

We currently only use MGMT0 in admin vdc , and access this from the internet , then have to do switchto / switchback to jump between vdcs.

 

There is no tacacs+ configuration in the admin vdc , so were expecting our local username / password to continue to work when accessing mgmt0 via internet.

 

Only prod vdc was configured for TACACS+, when configured TACACS worked for this vdc but stopped access to ADMIN vdc. Config pretty much standard as detailed below:

 

feature tacacs+

 

ip tacacs source-interface vlan111

 

tacacs-server host 1.1.1.1 key 0 password timeout 5
tacacs-server host 1.1.1.2 key 0 password timeout 5

 

aaa group server tacacs+ ACS-GROUP
server 1.1.1.1
server 1.1.1.2

 

aaa authentication login default group ACS-GROUP
aaa authorization config-commands default group ACS-GROUP local
aaa authorization commands default group ACS-GROUP local
aaa accounting default group ACS-GROUP
aaa authentication login error-enable

 

 

Review Cisco Networking for a $25 gift card