Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
652
Views
5
Helpful
1
Replies

Router AAA VRF

johnlloyd_13
Level 9
Level 9

‎05-27-2020 05:52 AM

hi,

i got a router which has AAA and MGMT interface using a VRF.

i noticed some routers has MGMT VRF configured but not under its AAA 'ip vrf forwarding'

i need to add the said command under AAA to generate/monitor logs in ISE.

my question is, will i get cutoff or lock out if i add the said command? and i'm able to ping though the ISE IP address via the MGMT VRF.

 

router#sh run | s aaa
aaa new-model
aaa group server tacacs+ SERVER1
 server 10.10.10.1
 ip vrf forwarding MGMT

 

Labels:
0 Helpful
1 Reply 1

barweiss45
Level 1
Level 1

‎05-27-2020 06:31 AM

I think you should be good expect I would add the source interface command to that aaa group. For example:

aaa group server tacacs+ SERVER1
 server-private <SERVER INFORMATION> key <TACACS KEY>
 ip vrf forwarding MGMT
 ip tacacs source-interface <INTERFACE YOU ARE USING FOR MGMT THAT IS ON THE MGMT VRF>
end

However, I would test on a lab device. Be sure that you validate that tacacs is working. You should see increments for received and transmitted packets to the tacacs server by running the "show tacacs" command. When I am doing anything like this 1)I use my configuration rollback settings (config term revert timer idle <minutes>) 2) never logged out of the my first session until tacacs is confirmed. 3) log into a new session to test tacacs. 4) use the "show tacacs" command.

HTH,

Barry

 

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card