07-18-2007 09:30 AM - edited 03-03-2019 05:55 PM
I posted this under LAN as well, but didn't get a response. Maybe someone here can help me out:
I have a 4948 switch w/L-3 software. Am using VRFs to segment the traffic for two different entities. Am having problems getting the router management stuff (TACACS+, NTP, logging, SNMP, etc.) working.
All of these things are configured to originate from Loopback 0 (ip tacacs source-interface Loopback0, for example). I have also assigned Loopback 0 to one of the VRFs. Yet I can't get these things to work.
Do I have to select one VRF as the "master" VRF or something like that?
Here are the relevant config snippets from this box (names changed to protect the innocent). Note that the management servers are across the MetroE connections, not on the local LAN:
=================
ip vrf Main_VRF
 rd 64512:1
!
ip vrf Second_VRF
 rd 64514:1
!
ip vrf select
!
interface Loopback0
 ip vrf forwarding Main_VRF
 ip address 192.168.150.81 255.255.255.255
!
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 534,536
 switchport mode trunk
 bandwidth 250000
 speed nonegotiate
 tx-queue 1
  shape 100 mbps
!
interface Vlan3
 description Local LAN in main VRF
 ip vrf forwarding Main_VRF
 ip address 172.19.48.5 255.255.240.0
 ip helper-address 10.30.252.31
 ip helper-address 10.30.254.31
 no ip redirects
!
interface Vlan534
 description MetroEthernet WAN to Site 1
 bandwidth 100000
 ip vrf forwarding Main_VRF
 ip address 192.168.93.126 255.255.255.252
!
interface Vlan536
 description MetroEthernet WAN to Site 2
 bandwidth 100000
 ip vrf forwarding Second_VRF
 ip address 192.168.69.250 255.255.255.252
!
router eigrp 64512
 passive-interface Vlan3
 no auto-summary
 !
 address-family ipv4 vrf Main_VRF
  network 192.168.93.0
  network 192.168.150.0
  no auto-summary
  autonomous-system 64512
 exit-address-family
!
router eigrp 64514
 no auto-summary
 !
 address-family ipv4 vrf Second_VRF
  network 192.168.69.0
  no auto-summary
  autonomous-system 64514
 exit-address-family
!
no ip http server
!
ip tacacs source-interface Loopback0
!
logging source-interface Loopback0
===============
Help/advice would be appreciated.
07-18-2007 10:21 AM
Hi,
How are your router management servers (TACACS+, NTP, logging, SNMP, etc.) connected to the switch, how are they routed to it, and are their IPs pingable (within the Main_VRF VRF)?
HTH,
Mohammed Mahmoud.
07-18-2007 11:32 AM
All of the servers are located on the far side of the MetroEthernet VLAN 534, multiple hops away.
You can ping all of these servers within the VRF, with or without sourcing the pings from the loopback address.
Thx.
07-19-2007 06:30 AM
It looks like a routing issue; check whether the routers have routes to reach each other's loopback addresses.
07-19-2007 07:14 AM
Not a routing issue, you probably didn't see my last reply:
"You can ping all of these servers within the VRF, with or without sourcing the pings from the loopback address."
All of the routing is fine, it's just these management protocols don't work.
I'm assuming there has to be some global command that says router-originated traffic (like a TACACS request) has to be within one VRF or another, but I can't find that command in any of the guides.
07-24-2007 10:37 PM
Do you have to use a VRF for your management stuff? Admittedly, I've only used VRF-Lite a little bit. However, from my past experience, some management functions don't work over VRF. I think TACACS is one of them. Unless Cisco fixed this...
10-06-2007 11:21 AM
Hi, mchoo2005 is correct, VRF-specific ACS is not supported. I am told by the TAC that it is planned (at least for the 6500) for the 2nd quarter of 2008, very poor. We also have problems with TFTP and NTP in VRF instances.
Have you tried using these management functions in the global routing table i.e. not in a vrf?
Good luck.
10-08-2007 08:45 AM
Hi all
I have worked on VRF quite a bit now in many boxes like the Catalyst 3800, Catalyst 6500 and Cisco 7206. In my experience it works well, but you need the proper IOS code running in these boxes, so you might need to check the Cisco feature set tool carefully.
For now I can give you some commands which I have used to get this management stuff working successfully:
Tacacs
aaa new-model
aaa group server tacacs+ tacacs1
 ! tacacs1 is an arbitrary group name; use the same name in the method lists below
 server-private (IP address) port 49 timeout 10 key (your key)
 server-private (IP address) port 49 timeout 10 key 7 (your key, type-7 encrypted)
 ip vrf forwarding (name of the VRF that contains your loopback)
 ip tacacs source-interface Loopback0
aaa authentication login default group tacacs1 line
aaa authentication enable default group tacacs1 enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs1 if-authenticated
aaa authorization commands 0 default group tacacs1 if-authenticated
aaa authorization commands 1 default group tacacs1 if-authenticated
aaa authorization commands 15 default group tacacs1 if-authenticated
aaa authorization network default group tacacs1 if-authenticated
aaa authorization reverse-access default group tacacs1 if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs1
aaa accounting commands 0 default start-stop group tacacs1
aaa accounting commands 1 default start-stop group tacacs1
aaa accounting commands 15 default start-stop group tacacs1
aaa accounting network default start-stop group tacacs1
aaa accounting connection default start-stop group tacacs1
aaa accounting system default vrf (name of the VRF as above) start-stop group tacacs1
aaa session-id common
VRF-specific NTP commands
ntp server vrf (vrf-name) (NTP server 1 IP address)
ntp server vrf (vrf-name) (NTP server 2 IP address) prefer
VRF-specific SNMP commands
snmp-server host (IP address) vrf (vrf-name) (community string)
VRF-specific logging commands [you can't specify a VRF on the logging source interface]
logging (syslog host 1 IP address) vrf (vrf-name)
logging (syslog host 2 IP address) vrf (vrf-name)
There are also some VRF specific multicast commands while specifying rendezvous points, if somebody needs it let me know.
The above commands are sometimes a little different on some boxes; they might need a little tweaking.
Thanks
Suvf
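The root cause in this thread is easy to miss on a box where every L3 interface lives in a VRF: the global forms of `ip tacacs source-interface` and `logging source-interface` still do their route lookup in the global table, which has no routes, so AAA and syslog fail silently. The script below is an added example, not code from the thread or from Cisco: a small lint that parses an IOS-style VRF-lite config (without relying on indentation, since the pasted config lost it), records which VRF each interface and `aaa group server` is bound to, and reports for each management command which routing table it will actually use. It is run over a constructed copy of the original poster's config and over a corrected version that applies Suvf's VRF-aware commands to the same names; the 192.0.2.x server addresses, the `tacacs1` group, the key and the `public` community are placeholders.

```python
"""Lint an IOS / IOS-XE VRF-lite config for management-plane commands that
will silently use the global routing table. Added example; not from the thread."""
import re

# Prefixes that start a new top-level stanza. The poster's pasted config lost its
# indentation, so block membership is inferred from these instead of leading spaces.
STANZA_START = ("!", "interface ", "router ", "ip vrf ", "vrf definition ", "aaa ",
                "ntp ", "logging ", "snmp-server ", "tacacs-server ", "ip tacacs ",
                "ip radius ", "line ", "end", "ip http ", "no ip http ",
                "address-family ", "exit-address-family")

IP = r"\d+(?:\.\d+){3}"
# Management commands that take an optional `vrf <name>` keyword.
HOST_CMDS = (
    ("syslog", re.compile(rf"^logging (?:host )?(?P<ip>{IP})(?: vrf (?P<vrf>\S+))?")),
    ("ntp", re.compile(rf"^ntp server(?: vrf (?P<vrf>\S+))? (?P<ip>{IP})")),
    ("snmp-trap", re.compile(rf"^snmp-server host (?P<ip>{IP})(?: vrf (?P<vrf>\S+))?")),
    ("tacacs", re.compile(rf"^tacacs-server host (?P<ip>{IP})")),
)


def parse(config):
    """Return (interface->VRF, set of L3 interfaces, aaa group->VRF, global lines)."""
    iface_vrf, l3_ifaces, group_vrf, top = {}, set(), {}, []
    ctx = None  # ("interface", name) | ("group", name) | None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            ctx = ("interface", m.group(1))
            continue
        m = re.match(r"^aaa group server (?:tacacs\+|radius) (\S+)", line)
        if m:
            ctx = ("group", m.group(1))
            continue
        if ctx:
            m = re.match(r"^(?:ip )?vrf forwarding (\S+)", line)
            if m:  # must be tested before STANZA_START, which contains "ip vrf "
                (iface_vrf if ctx[0] == "interface" else group_vrf)[ctx[1]] = m.group(1)
                continue
            if ctx[0] == "interface" and line.startswith("ip address "):
                l3_ifaces.add(ctx[1])
                continue
            if ctx[0] == "group" and line.startswith(("server", "ip tacacs source", "ip radius source")):
                continue  # group-scoped lines are not global commands
            if not line.startswith(STANZA_START):
                continue  # other child line (description, bandwidth, ...)
            ctx = None
        top.append(line)
    return iface_vrf, l3_ifaces, group_vrf, top


def lint(config):
    """One finding per management command: the table it uses and any problem."""
    iface_vrf, l3_ifaces, group_vrf, top = parse(config)
    global_routed = any(i not in iface_vrf for i in l3_ifaces)  # does the global table own any L3 interface?
    vrfs_in_use = set(iface_vrf.values())
    findings = []

    def add(cmd, table, issue=None):
        findings.append({"command": cmd, "table": table, "issue": issue})

    for line in top:
        m = re.match(r"^ip (tacacs|radius) source-interface (\S+)", line)
        if m:
            proto, iface = m.groups()
            vrf = iface_vrf.get(iface)
            if vrf and vrf not in group_vrf.values():
                add(line, "global", f"{iface} is in VRF {vrf} but the {proto.upper()} lookup runs in "
                    f"the global table; bind a server group with 'ip vrf forwarding {vrf}'")
            else:
                add(line, vrf or "global")
            continue
        m = re.match(r"^logging source-interface (\S+)(?: vrf (\S+))?", line)
        if m:
            iface, vrf_kw = m.groups()
            vrf = iface_vrf.get(iface)
            if vrf and vrf_kw != vrf:
                add(line, "global", f"{iface} is in VRF {vrf}; syslog hosts need 'logging <host> vrf {vrf}'")
            else:
                add(line, vrf_kw or vrf or "global")
            continue
        for proto, rx in HOST_CMDS:
            m = rx.match(line)
            if not m:
                continue
            vrf_kw = m.groupdict().get("vrf")
            if vrf_kw:
                add(line, vrf_kw, None if vrf_kw in vrfs_in_use else f"VRF {vrf_kw} has no interfaces")
            elif not global_routed:
                add(line, "global", f"{proto} server is looked up in the global table, which owns no "
                    "routed interface on this box; add 'vrf <name>'")
            else:
                add(line, "global")
            break
    return findings


def problems(config):
    return [f for f in lint(config) if f["issue"]]


# Constructed from the original poster's snippet (indentation restored, EIGRP trimmed).
OP_CONFIG = """
ip vrf Main_VRF
 rd 64512:1
!
interface Loopback0
 ip vrf forwarding Main_VRF
 ip address 192.168.150.81 255.255.255.255
!
interface Vlan3
 ip vrf forwarding Main_VRF
 ip address 172.19.48.5 255.255.240.0
!
interface Vlan534
 ip vrf forwarding Main_VRF
 ip address 192.168.93.126 255.255.255.252
!
interface Vlan536
 ip vrf forwarding Second_VRF
 ip address 192.168.69.250 255.255.255.252
router eigrp 64512
 passive-interface Vlan3
!
ip tacacs source-interface Loopback0
!
logging source-interface Loopback0
"""

# Suvf's VRF-aware commands applied to the same box; server IPs, key and community are placeholders.
FIXED_CONFIG = """
ip vrf Main_VRF
 rd 64512:1
!
interface Loopback0
 ip vrf forwarding Main_VRF
 ip address 192.168.150.81 255.255.255.255
!
interface Vlan534
 ip vrf forwarding Main_VRF
 ip address 192.168.93.126 255.255.255.252
!
aaa new-model
aaa group server tacacs+ tacacs1
 server-private 192.0.2.10 port 49 timeout 10 key ExampleKey
 ip vrf forwarding Main_VRF
 ip tacacs source-interface Loopback0
aaa authentication login default group tacacs1 line
ntp server vrf Main_VRF 192.0.2.11 prefer
logging 192.0.2.12 vrf Main_VRF
snmp-server host 192.0.2.13 vrf Main_VRF public
"""

if __name__ == "__main__":
    for name, cfg in (("original", OP_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name}: {len(problems(cfg))} problem(s)")
        for f in lint(cfg):
            print(f"  [{f['table']}] {f['command']}" + (f"  <- {f['issue']}" if f['issue'] else ""))
```

On the poster's config the lint flags both `ip tacacs source-interface Loopback0` and `logging source-interface Loopback0` as global-table lookups from a VRF interface; on the corrected config every management command resolves in Main_VRF and nothing is flagged. The check is deliberately conservative: a global `ntp server` or `snmp-server host` without `vrf` is only reported when the box has no L3 interface left in the global table, which is the case on this 4948.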