08-29-2013 10:31 AM - edited 03-07-2019 03:12 PM
Each of the 4500X switches in our stack has a Fa1 interface next to the serial console port. My understanding is that this is to be used for out-of-band management of the switch. Here's the configuration of the interface:
interface FastEthernet1
vrf forwarding mgmtVrf
ip address 172.21.2.30 255.255.255.0
speed auto
duplex auto
end
The vrf configuration was default. The only thing I changed was the ip address information. My question relates to things like domain-lookup and TACACS. I cannot seem to use this interface for those functions. Even if I add the following global configuration to my switch:
ip domain-lookup source-interface Fa1
ip tacacs-server source-interface Fa1
the switch is unable to communicate with either the DNS servers referenced by the ip name-server command or the TACACS+ servers referenced in the tacacs server profile section.
In the case of TACACS, the following debug output is produced when I attempt to login using TACACS:
*Aug 29 10:24:58.874: TPLUS: Queuing AAA Authentication request 38 for processing
*Aug 29 10:24:58.874: TPLUS: processing authentication start request id 38
*Aug 29 10:24:58.874: TPLUS: Authentication start packet created for 38(sdavidso)
*Aug 29 10:24:58.874: TPLUS: Using server 172.19.40.31
*Aug 29 10:24:58.874: TPLUS(00000026)/0: Connect Error No route to host
*Aug 29 10:24:58.874: TPLUS: Choosing next server 172.19.40.32
*Aug 29 10:24:58.874: TPLUS(00000026)/0: Connect Error No route to host
*Aug 29 10:25:05.539: TPLUS: Queuing AAA Authentication request 38 for processing
*Aug 29 10:25:05.539: TPLUS: processing authentication start request id 38
*Aug 29 10:25:05.539: TPLUS: Authentication start packet created for 38(sdavidso)
*Aug 29 10:25:05.539: TPLUS: Using server 172.19.40.31
*Aug 29 10:25:05.539: TPLUS(00000026)/0: Connect Error No route to host
*Aug 29 10:25:05.539: TPLUS: Choosing next server 172.19.40.32
*Aug 29 10:25:05.539: TPLUS(00000026)/0: Connect Error No route to host
This output shows that I can ping the TACACS servers:
HQ-4500X-SW1#ping vrf mgmtVrf 172.19.40.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.40.31, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
HQ-4500X-SW1#ping vrf mgmtVrf 172.19.40.32
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.40.32, timeout is 2 seconds:
!!!!!
Is it deliberate that the Fa1 interface cannot be used for these types of functions or is there something I can do to my configuration to make this work?
Thanks,
Steven
08-29-2013 10:45 AM
Since you can reach the remote TACACS server I assume you created a default route for the mgmtVrf:
ip route 0.0.0.0 0.0.0.0
The other bit you may need to address is in config-sg-tacacs mode:
ip vrf forwarding mgmtVrf
08-29-2013 11:00 AM
Marvin,
Thanks for the response. I have the following route statement in my configuration which enables the device to communicate across L3:
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 172.21.2.1
I'm not sure what you mean by config-sg-tacacs. Is that supposed to be a global command in configuration mode or EXEC mode? I cannot locate anything like that at the CLI.
Regards,
Steven
08-29-2013 11:12 AM
Sorry that was unclear.
When you are configuring the "aaa group server tacacs+", your prompt should change to indicate you are in the "config-sg-tacacs" (abbreviation for "configuration security group tacacs+") mode.
08-29-2013 12:09 PM
No worries. It's not that you were unclear. It's that I've been so incredibly lazy that I haven't stopped using the commands that Cisco says will be "deprecated soon". Now here's my current configuration (as it relates to aaa authentication):
aaa new-model
!
!
aaa group server tacacs+ DEED
ip vrf forwarding mgmtVrf
ip tacacs source-interface FastEthernet1
!
aaa authentication login DEED group tacacs+ enable group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
tacacs server fnb-acs-pri
address ipv4 172.19.40.31
key 7
!
tacacs server fnb-acs-sec
address ipv4 172.19.40.32
key 7
!
line vty 0 4
exec-timeout 15 0
password 7
login authentication DEED
length 0
transport input ssh
This configuration doesn't work. I still get the "No route to host" debug output.
08-29-2013 01:15 PM
Marvin,
I finally got this to work. See below for the complete configuration I used which results in a successful login (and an additional prompt to enter enable mode). I don't understand the difference between defining the servers under the server group mode vs. defining them with the "tacacs server
aaa new-model
!
aaa group server tacacs+ DEED
server-private 172.19.40.32 key 7
server-private 172.19.40.31 key 7
ip vrf forwarding mgmtVrf
ip tacacs source-interface FastEthernet1
!
aaa authentication login default group DEED local
aaa authentication enable default group DEED
!
interface FastEthernet1
vrf forwarding mgmtVrf
ip address 172.21.2.30 255.255.255.0
speed auto
duplex auto
end
!
line vty 0 4
exec-timeout 15 0
password 7
login authentication DEED
length 0
transport input ssh
08-29-2013 01:24 PM
Glad it helped, thanks for the rating.
AAA setup isn't so hard but Cisco made it a bit confusing with the new syntax - many folks' templates they've been using for a long time might still work but certain features such as the newer management VRF bits need to have everything in the new model to work properly.
Regards.
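A small config check, added here as an example and not code from the thread, that encodes the pattern that finally worked above: a TACACS+ server group that carries ip vrf forwarding needs its servers defined inside the group with server-private, and the login/enable method lists must call that named group rather than the global group tacacs+. The two sample configs are constructed from the broken and working configurations posted above, with key values replaced by PLACEHOLDER.

```python
# Added example, not from the thread: a VRF-bound 'aaa group server tacacs+' block
# needs 'server-private' servers inside it, and method lists must call that group.
import re

def parse_blocks(config):
    """Split IOS config into (header, [children]); indented lines belong to the preceding header."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!": continue  # blank lines and '!' separators carry nothing
        if raw.startswith(" "):
            children.append(line)
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = line, []
    if header is not None: blocks.append((header, children))
    return blocks

def check_tacacs_vrf(config):
    """Return findings; an empty list means the config follows the pattern that worked in this thread."""
    findings, blocks = [], parse_blocks(config)
    for header, children in blocks:
        m = re.match(r"aaa group server tacacs\+ (\S+)$", header)
        if not m or not any(c.startswith("ip vrf forwarding") for c in children):
            continue  # not a VRF-bound group: nothing to check
        name = m.group(1)
        if not any(c.startswith("ip tacacs source-interface") for c in children):
            findings.append(f"group {name}: VRF set but no ip tacacs source-interface")
        if not any(c.startswith("server-private ") for c in children):
            findings.append(f"group {name}: VRF set but no server-private entries")
        for other, _ in blocks:  # method lists must call the VRF-aware group by name
            if other.startswith("aaa authentication ") and "group tacacs+" in other \
                    and not re.search(rf"group {re.escape(name)}(\s|$)", other):
                findings.append(f"'{other}' uses group tacacs+ instead of group {name}")
    return findings

# Constructed from the two configs posted above (secrets replaced, VTY lines omitted).
BROKEN = """aaa group server tacacs+ DEED
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
aaa authentication login DEED group tacacs+ enable group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""
WORKING = """aaa group server tacacs+ DEED
 server-private 172.19.40.31 key 7 PLACEHOLDER
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
aaa authentication login default group DEED local
"""
```

Running check_tacacs_vrf(BROKEN) reports the missing server-private entries and both method lists that still point at the global group tacacs+, while check_tacacs_vrf(WORKING) returns nothing.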