Hi Kyle,

You say you noticed three models for user access: AAA New-Model, local user and TACACS, but there are actually only 2: AAA and Local User.

With Local User, you create user accounts on the device itself using the "username xxx password yyy" command. You can create multiple such user accounts for different users, and when a user tries to login, their credentials need to match one of the user accounts created on the device. But the problem with this approach is scalability; it will become a giant PIA to create all those user accounts on all your devices. That's where AAA is helpful.

AAA allows you to authenticate from a centralized server which will hold the user account information, and when a user tries to login to a device, the username and password provided by the user are sent to this centralized server, and once authenticated the user is granted access. The centralized server is the TACACS server, and TACACS is the protocol used for communication between the device and the TACACS server. (RADIUS is another protocol similar to TACACS. TACACS is Cisco proprietary and RADIUS is standardized.) Check this out, it's a pretty good explanation on how AAA works: http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/ .

"I'm running SSH on my routers, so I had to enable "AAA New-Model" but it appears that AAA New-Model is a local user, so what's the difference between it and the VTY user...."

You don't necessarily have to be running AAA for SSH. For SSH, you need to provide a username and password when logging in, as compared to telnet where you can do with just the password. So you could be running SSH with just the local user account configured on the device.

"Also, if I'm using AAA New Model, does that mean I'm using the TACACS protocol?"

No. You can use the local user account, or you could be using RADIUS (which is another authentication protocol similar to TACACS); it depends on how you configure the AAA authentication statement.

Hope that helps.

Cheers,
Subhish
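To make the two models concrete, here is an added IOS configuration example (not from the post above or the linked packetlife article) showing the local-user setup and the AAA setup side by side, with the AAA method list falling back to the local account when the TACACS+ server is unreachable. The server name, IP address (from the documentation range), group name and key are placeholders I made up; substitute your own.

```cisco
! --- Model 1: local user only (no AAA) ---
! "secret" stores a salted hash rather than the reversible type-7
! encoding that "password" uses, so prefer it for local accounts.
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
username netadmin privilege 15 secret REPLACE_WITH_STRONG_SECRET
line vty 0 4
 transport input ssh
 login local          ! check the device's own username table

! --- Model 2: AAA with a centralized TACACS+ server ---
! The same local account stays defined as a break-glass fallback.
aaa new-model
tacacs server ISE-PLACEHOLDER           ! assumed server name
 address ipv4 192.0.2.10                ! assumed server address
 key REPLACE_WITH_SHARED_KEY
aaa group server tacacs+ TACACS-GROUP   ! assumed group name
 server name ISE-PLACEHOLDER
! Method list: ask the TACACS+ group first, fall back to local only
! if no server answers (a wrong password on the server does NOT fall back).
aaa authentication login default group TACACS-GROUP local
aaa authorization exec default group TACACS-GROUP local
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
line vty 0 4
 transport input ssh
 login authentication default
```

To answer the second question in config terms: swapping `group TACACS-GROUP` for `group radius` (with a `radius server` block instead of the `tacacs server` block) keeps `aaa new-model` exactly as is, which is why enabling AAA says nothing by itself about which protocol is in use. Before cutting an existing SSH session over to the new method list, verify it from a second session with `show aaa servers` and `test aaa group TACACS-GROUP <user> <password> legacy`, since an unreachable server with no `local` fallback locks you out of every VTY.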
Hi,

I am setting up a lab exercise and came across this unusual problem when implementing the lab. The lab is for a simple illustration of STP, and it's a simple setup with 3 switches: Switch1 (3560), Switch2 (3550) and Switch3 (3560 PoE) connected in a full mesh that looks like a triangle. I have not made any configurations; all switch ports are in access mode, and I am using cross-over cables to connect the switches to each other. The switch ports are auto-negotiating to 100/full.

The problem is: Switch2 has the lowest MAC and becomes the Root Bridge, and this is acknowledged by Switch3. But Switch1 has a higher MAC than Switch2, and it still claims to be the Root Bridge. Because of this there is a loop, and I get a flapping MAC address message. I tried forcing the root priority values on Switch1 and Switch2 so as to make Switch2 the root, but that does not work, and I am having the same issue. I also noticed that Switch1 was not receiving any BPDU messages, only sending them. Switch2 is receiving and sending BPDU messages, and is correctly neglecting the Switch1 BPDU claims to be root.

I replaced Switch1 with a 4948 switch, and STP works correctly. I don't know if the problem is with the physical switch itself or if there is some configuration on 3560 switches that I am unaware of.

Appreciate your replies. Thanks.