How to Access vManage from a different VPN other than 0 or 512?

Bertleywjh (Level 1)

If I had management admins sitting at Site 10 on service VPN 10, what is the best practice to get them to be able to access vManage in order to administer it? vManage sits at a separate site. This is on-prem if that matters.


10 Replies

Hi

Best practice is to always have a management network, not only for vManage but for all the devices you have.

Yes, which is what I'm trying to do, but the technical HOW to do it is the problem.

Well, it will depend on how your environment works. It is difficult to give you a direction without knowing your network. I'll tell you how my environment works. We have a unique network for management and our devices have one interface (loopback or int vlan) on this network. Then we have a firewall filtering who (which network) can get access to this mgmt network and, of course, TACACS.

We have VRF everywhere, so one VRF is dedicated to carrying management traffic from site to Data Center. VRF is really nice as it segregates traffic from the beginning to the end.

On the mgmt network you can allow only HTTPS, TACACS, Syslog, SSH and other mgmt protocols, and don't give access to the internet from this mgmt network.

We also use some kind of VDI to get access using HTTPS or SSH. This way, the connection doesn't start from the admin machine but from a controlled environment. The admin machine serves only as a terminal to access this VDI environment.

This can go on and on depending on how complex your environment is and how secure you want to be.

 

svemulap@cisco.com (Cisco Employee)
Hi Bertleywjh -

For managing the vManage, you need to place a vEdge on the same subnet as vManage management interface.

Figuratively:
----VPN 0----[Cloud vEdge]--[VPN10---[VPN512]--[vManage]------
|
----VPN 0---------------------------------------------------------------|


User1, User2 ---- AAA ----[VPN 10] vEdge [DC] [VPN 0] ---- [VPN 0] INTERNET [VPN 0] ---- [VPN 0] vEdge(cloud) (each region) [VPN 10 ----- [VPN 512] vManage [VPN 0]

Feel free to open a TAC Case, if additional help is needed.

Hope this helps.

That makes sense. So the users would use that vEdge as a hop into the management 512 subnet. Being able to route leak between 512 and 10 on that vEdge will be what I will look at next, though I may be back here. Thanks for this.

Sure. np.

The key is that we use OMP to get the TACACS reachability all the way to (cloud) vEdge and drop it off on the service interface
... aka on the same subnet as VPN512 which vManage is sitting on.
Traffic will flow through "local vEdge -> over Overlay (internet) -> hits the (cloud) vEdge" and will terminate on the controller.
Controller in turn will initiate a TACACS session & will be carried over the overlay

I think I understand. So by putting the cloud vEdge's VPN10 in the same subnet as the controller's VPN512, it will be able to communicate with everyone on that subnet despite being in a different VPN (once the VPN10 users cross the tunnels and get to that vEdge). Nice! I just tested that and I was able to ping vManage's VPN512 address from VPN10 on the vEdge.

 

Am I understanding this correctly?

Yes, Bertleywjh. Your understanding is correct.

Awesome. Just configured it and it worked. Thanks a ton for your help!

Example as seen on the router/controllers

The definitions of VPN 512 or VPN 1 are local to the router in question.
It is the subnet that should be the same on vManage and vEdge.
The subnet in the example below: 10.0.4.0/27 (across vManage (VPN 512) and vEdge (service VPN - VPN 1)).


# vManage
vpn-vman-01-aws-west-2# show interface | include 512
IF IF TCP
ADMIN OPER ENCAP SPEED MSS RX TX
VPN INTERFACE IP ADDRESS STATUS STATUS TYPE PORT TYPE MTU HWADDR MBPS DUPLEX ADJUST UPTIME PACKETS PACKETS

512 eth0 10.0.4.5/27 Up Up null mgmt - 02:e4:0b:14:19:e3 - - - - 61061 40



# (Cloud)-vEdge
vpn-vedge-01-aws-west-2# show interface | include ge0/0
1 ge0/0 10.0.4.30/27 Up Up null service 1500 02:7f:d3:44:3e:65 10 full 1420 15:00:42:49 21660 21666
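As an added check that is not part of the thread, the script below parses the two `show interface` rows quoted above and verifies the pattern the reply describes: the vManage VPN 512 management interface and the cloud vEdge service-VPN interface must sit in the same subnet, both must be Up/Up, and the vEdge side must be a service VPN rather than VPN 0 or 512. The column positions are taken from the three header rows shown above; the third sample row (an address in a different /27) is constructed to show what a mismatch report looks like.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Sample rows copied from the show interface output quoted in the thread.
VMANAGE_LINE = "512 eth0 10.0.4.5/27 Up Up null mgmt - 02:e4:0b:14:19:e3 - - - - 61061 40"
VEDGE_LINE = ("1 ge0/0 10.0.4.30/27 Up Up null service 1500 02:7f:d3:44:3e:65 "
              "10 full 1420 15:00:42:49 21660 21666")
# Constructed negative case (hypothetical): the vEdge service interface was
# addressed in the neighbouring /27 instead of the vManage management subnet.
VEDGE_WRONG_SUBNET = ("1 ge0/0 10.0.4.40/27 Up Up null service 1500 02:7f:d3:44:3e:65 "
                      "10 full 1420 15:00:42:49 21660 21666")


@dataclass
class Iface:
    vpn: int
    name: str
    addr: ipaddress.IPv4Interface
    admin: str
    oper: str
    port_type: str


def parse_interface_line(line: str) -> Iface:
    """Parse one data row of `show interface`.

    Column order assumed from the header rows in the thread:
    VPN, INTERFACE, IP ADDRESS, ADMIN STATUS, OPER STATUS, ENCAP TYPE, PORT TYPE, ...
    """
    fields = line.split()
    if len(fields) < 7:
        raise ValueError(f"unexpected show interface row: {line!r}")
    return Iface(
        vpn=int(fields[0]),
        name=fields[1],
        addr=ipaddress.IPv4Interface(fields[2]),
        admin=fields[3],
        oper=fields[4],
        port_type=fields[6],
    )


def check_mgmt_reachability(vmanage_line: str, vedge_line: str) -> List[str]:
    """Return a list of findings; an empty list means the pair matches the pattern
    described in the thread (service VPN on the vEdge sharing vManage's VPN 512 subnet)."""
    vm = parse_interface_line(vmanage_line)
    ve = parse_interface_line(vedge_line)
    findings = []
    if vm.vpn != 512 or vm.port_type != "mgmt":
        findings.append(f"vManage interface {vm.name} is VPN {vm.vpn}/{vm.port_type}, "
                        "expected VPN 512 with port type mgmt")
    if ve.vpn in (0, 512) or ve.port_type != "service":
        findings.append(f"vEdge interface {ve.name} is VPN {ve.vpn}/{ve.port_type}, "
                        "expected a service VPN (not 0 or 512) with port type service")
    for iface, role in ((vm, "vManage"), (ve, "vEdge")):
        if (iface.admin, iface.oper) != ("Up", "Up"):
            findings.append(f"{role} interface {iface.name} is {iface.admin}/{iface.oper}, not Up/Up")
    if vm.addr.network != ve.addr.network:
        findings.append(f"subnet mismatch: vManage {vm.addr.network} vs vEdge {ve.addr.network}")
    return findings


if __name__ == "__main__":
    for label, row in (("as quoted in the thread", VEDGE_LINE),
                       ("constructed wrong-subnet case", VEDGE_WRONG_SUBNET)):
        problems = check_mgmt_reachability(VMANAGE_LINE, row)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The subnet comparison uses `IPv4Interface.network`, so it honours the prefix length on each row rather than comparing address strings; a vEdge address that is numerically close but falls in the next /27 is reported as a mismatch, which is the misconfiguration this design most easily hides.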
