Vlan Access Lists

frank.mcdaid
Level 1

Hi,

I'm in the process of rolling out TACACS login authentication for some switches on our network. The management vlan on these switches is locked down using a vlan ACL on the core switch. When I add permit tcp any <tacacs-server ip address> eq tacacs and permit udp any <tacacs-server ip address> eq tacacs to the ACL, I can't login to the switch using the TACACS credentials. However, when I add permit ip any <tacacs-server ip address>, I can log in using the TACACS credentials.

Can someone explain why this is the case?

Thanks,


Frank

3 Replies

Peter Paluch
Cisco Employee

Hello Frank,

One thing I would certainly verify is whether both queries and replies are allowed by your current VLAN access-map. Because a VLAN access-map disregards any traffic direction itself, you will have to enable both queries and replies in the ACL referenced by the VLAN access-map. In your example provided earlier, you enabled only your switch to contact the TACACS+ server but you did not indicate whether the traffic in the opposite direction was allowed.

The ACL should be of the form:

permit tcp any host <tacacs-server ip address> eq tacacs
permit udp any host <tacacs-server ip address> eq tacacs
permit tcp host <tacacs-server ip address> eq tacacs any
permit udp host <tacacs-server ip address> eq tacacs any

Second thing to verify is whether the "tacacs" port is correct in your case, i.e. whether all necessary ports have been enabled. You indicated that the TACACS+ starts working when you use "ip" instead of "tcp/udp". That would indicate that the destination port may be incorrect, as "ip" does not check or verify transport protocol ports.

Give it a try please.

Best regards,

Peter
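To make the direction point above concrete, here is an added example (written for this page, not code from the thread and not Cisco code). It models the stateless evaluation a VLAN access-map performs: a small parser for a subset of IOS extended-ACL syntax (permit/deny, ip/tcp/udp, `any` or `host X` endpoints, optional `eq <port>`), first-match-wins with an implicit deny, applied to both packets of one TACACS+ session. The addresses 10.10.10.2 (switch) and 10.10.10.50 (server), the ephemeral port 40123, and the function names `parse_ace`, `permitted` and `login_works` are all assumptions for the example; the `<tacacs-server ip address>` placeholder from the posts is replaced by the constructed server address.

```python
"""Stateless evaluation of a VLAN access-map ACL for a TACACS+ login exchange.

Added example for this thread; not Cisco code and not from any post above.
Implements a subset of IOS extended-ACL syntax and checks both directions of
a TACACS+ session against it. Addresses, the ephemeral port and the ACL
contents are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"tacacs": 49}  # IOS accepts the keyword 'tacacs' for port 49

SWITCH = "10.10.10.2"    # constructed: management SVI of the managed switch
SERVER = "10.10.10.50"   # constructed: TACACS+ server
EPHEMERAL = 40123        # constructed: source port the switch picks for the session


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: Optional[str]    # None means 'any'
    sport: Optional[int]  # None means no 'eq' qualifier
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        """'ip' matches any transport; a port is compared only when given."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return all(want is None or want == have for want, have in (
            (self.src, pkt.src), (self.sport, pkt.sport),
            (self.dst, pkt.dst), (self.dport, pkt.dport)))


def _endpoint(tokens: List[str]) -> Tuple[Optional[str], Optional[int], List[str]]:
    """Consume 'any' or 'host X', then an optional 'eq <port>'."""
    if tokens[0] == "any":
        addr, tokens = None, tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError(f"unsupported endpoint syntax: {tokens[0]!r}")
    port = None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        tokens = tokens[2:]
    return addr, port, tokens


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'permit tcp any host 10.10.10.50 eq tacacs'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, sport, rest = _endpoint(rest)
    dst, dport, rest = _endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens not understood: {rest}")
    return Ace(action, proto, src, sport, dst, dport)


def permitted(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def tacacs_exchange(switch: str, server: str) -> Tuple[Packet, Packet]:
    """Both directions of one TACACS+ session (TACACS+ is TCP/49 only)."""
    request = Packet("tcp", switch, EPHEMERAL, server, 49)
    reply = Packet("tcp", server, 49, switch, EPHEMERAL)
    return request, reply


def login_works(acl_lines: List[str], switch: str = SWITCH, server: str = SERVER) -> bool:
    """True only if the VACL passes both the query and the reply.

    A VLAN access-map has no direction and keeps no connection state, so the
    reply packet must itself match a permit entry."""
    acl = [parse_ace(line) for line in acl_lines]
    return all(permitted(acl, pkt) for pkt in tacacs_exchange(switch, server))


# The one-way entry from the question: only switch -> server is covered.
ONE_WAY_ACL = [f"permit tcp any host {SERVER} eq tacacs"]
# Both directions, as suggested above; the udp lines are harmless but unused
# by TACACS+, which runs over TCP only.
BOTH_WAYS_ACL = [f"permit tcp any host {SERVER} eq tacacs",
                 f"permit udp any host {SERVER} eq tacacs",
                 f"permit tcp host {SERVER} eq tacacs any",
                 f"permit udp host {SERVER} eq tacacs any"]
# 'ip' without ports still names the server as destination only, so on its
# own it does not match the reply either.
IP_ANY_ACL = [f"permit ip any host {SERVER}"]

if __name__ == "__main__":
    for name, acl in (("one-way", ONE_WAY_ACL), ("both-ways", BOTH_WAYS_ACL),
                      ("ip-any", IP_ANY_ACL)):
        print(f"{name:10s} login works: {login_works(acl)}")
```

Two things fall out of running it. The one-way entry drops the server's reply, which is the direction problem described above. Less obviously, `permit ip any host <server>` by itself also drops the reply in this stateless model, because the reply has the switch, not the server, as its destination; whatever passed the reply in the working configuration is therefore not among the lines quoted in the thread, which is exactly what logging the matching entry would reveal.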

Hi Peter,

Thanks for the reply. I added a separate line to permit traffic in each direction and tacacs is using the default port (port 49), but the problem remains.

Regards,

Frank

Frank

Is there a chance you could log the following acl entry -

permit ip any host <tacacs-server ip address> log

You would then see what additional ports (if any) it was using to allow the request.

Jon
