cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12834
Views
0
Helpful
6
Replies

Out-of-band management interface on 4500X

sdavids5670
Level 2
Level 2

Each of the 4500X switches in our stack has a Fa1 interface next to the serial console port.  My understanding is that this is to be used for out-of-band management of the switch.  Here's the configuration of the interface:

interface FastEthernet1

vrf forwarding mgmtVrf

ip address 172.21.2.30 255.255.255.0

speed auto

duplex auto

end

     

The vrf configuration was default.  The only thing I changed was the ip address information.  My question relates to things like domain-lookup and TACACS.  I cannot seem to use this interface for those functions.  Even if I add the following global configuration to my switch:

ip domain-lookup source-interface Fa1

ip tacacs-server source-interface Fa1

the switch is unable to communicate with either the DNS servers reference by the ip name-server command or the TACACS+ servers reference in the tacacs server profile section.

In the case of TACACS, the following debug output is produced when I attempt to login using TACACS:

*Aug 29 10:24:58.874: TPLUS: Queuing AAA Authentication request 38 for processing

*Aug 29 10:24:58.874: TPLUS: processing authentication start request id 38

*Aug 29 10:24:58.874: TPLUS: Authentication start packet created for 38(sdavidso)

*Aug 29 10:24:58.874: TPLUS: Using server 172.19.40.31

*Aug 29 10:24:58.874: TPLUS(00000026)/0: Connect Error No route to host

*Aug 29 10:24:58.874: TPLUS: Choosing next server 172.19.40.32

*Aug 29 10:24:58.874: TPLUS(00000026)/0: Connect Error No route to host

*Aug 29 10:25:05.539: TPLUS: Queuing AAA Authentication request 38 for processing

*Aug 29 10:25:05.539: TPLUS: processing authentication start request id 38

*Aug 29 10:25:05.539: TPLUS: Authentication start packet created for 38(sdavidso)

*Aug 29 10:25:05.539: TPLUS: Using server 172.19.40.31

*Aug 29 10:25:05.539: TPLUS(00000026)/0: Connect Error No route to host

*Aug 29 10:25:05.539: TPLUS: Choosing next server 172.19.40.32

*Aug 29 10:25:05.539: TPLUS(00000026)/0: Connect Error No route to host

This output shows that I can ping the TACACS servers:

HQ-4500X-SW1#ping vrf mgmtVrf 172.19.40.31

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.40.31, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

HQ-4500X-SW1#ping vrf mgmtVrf 172.19.40.32

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.40.32, timeout is 2 seconds:

!!!!!

Is it deliberate that the Fa1 interface cannot be used for these types of functions or is there something I can do to my configuration to make this work?

Thanks,

Steven

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Since you can reach the remote TACACS server I assume you created a default route for the mgmtVrf:

     ip route 0.0.0.0 0.0.0.0. vrf mgmtVrf

The other bit you may need to address is in config-sg-tacacs mode:

     ip vrf forwarding mgmtVrf

View solution in original post

6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

Since you can reach the remote TACACS server I assume you created a default route for the mgmtVrf:

     ip route 0.0.0.0 0.0.0.0. vrf mgmtVrf

The other bit you may need to address is in config-sg-tacacs mode:

     ip vrf forwarding mgmtVrf

Marvin,


Thanks for the response.  I have the following route statement in my configuration which enables the device to communicate across L3:

ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 172.21.2.1

I'm not sure what you mean by config-sg-tacacs.  Is that supposed to be a global command in configuration mode or EXEC mode?  I cannot locate anything like that at the CLI.


Regards,

Steven

Sorry that was unclear.

When are are configuring the "aaa group server tacacs+", your prompt should change to indicate you are in the "config-sg-tacacs" (abbreviation for "configuration security group tacacs+") mode.

No worries.  It's not that you were unclear.  It's that I've been so incredibly lazy that I haven't stopped using the commands that Cisco says will be "deprecated soon".  Now here's my current configuration (as it relates to aaa authentication):

aaa new-model

!

!

aaa group server tacacs+ DEED

  ip vrf forwarding mgmtVrf

  ip tacacs source-interface FastEthernet1

!

aaa authentication login DEED group tacacs+ enable group tacacs+ local

aaa authentication enable default group tacacs+ enable

!

tacacs server fnb-acs-pri

  address ipv4 172.19.40.31

  key 7

!

tacacs server fnb-acs-sec

  address ipv4 172.19.40.32

  key 7

!

line vty 0 4

  exec-timeout 15 0

  password 7

  login authentication DEED

  length 0

  transport input ssh

This configuration doesn't work.  I still get the " No route to host" debug output.

Marvin,


I finally got this to work.  See below for the complete configuration I used which results in a successful login (and an addition prompt to enter enable mode).  I don't understand the difference between defining the servers under the server group mode vs. defining them with the "tacacs server " method but that seems to be one of the issues I was running up against.  aaa configuration on IOS is as clear as mud to me :-)  Thanks for you help.

aaa new-model

!

aaa group server tacacs+ DEED

server-private 172.19.40.32 key 7

server-private 172.19.40.31 key 7

ip vrf forwarding mgmtVrf

ip tacacs source-interface FastEthernet1

!

aaa authentication login default group DEED local

aaa authentication enable default group DEED

!

interface FastEthernet1

vrf forwarding mgmtVrf

ip address 172.21.2.30 255.255.255.0

speed auto

duplex auto

end

!

line vty 0 4

exec-timeout 15 0

password 7

login authentication DEED

length 0

transport input ssh

Glad it helped, thanks for the rating.

AAA setup isn't so hard but Cisco made it a bit confusing with the new syntax - many folks' templates they've been using for a long time might still work but certain features such as the newer management VRF bits need to have everything in the new model to work properly.

Regards.

Review Cisco Networking for a $25 gift card