08-05-2022 12:07 PM
I have a 9800-L-F currently running 17.3.5b (though this was happening on 17.3.x as well). With either ip tacacs source-interface GigabitEthernet0 or ip tacacs source-interface GigabitEthernet0 vrf Mgmt-intf commands configured, the WLC still uses vlan266 as the tacacs source interface. It's as if the commands weren't configured at all. Other source-interface commands (radius, ssh) work as expected. Is this a known issue?
08-05-2022 02:28 PM
TACACS over Service Port supported only from 17.6.x onward
As of release 17.6, the following protocols are supported through the Service Port (SP): HTTP/HTTPs, SSH, NetFlow, NTP, SNMP, Syslog, RADIUS, and TACACS+
HTH
Rasika
*** Pls rate all useful responses ***
08-05-2022 12:58 PM
Is the SVI of vlan266 used as the management interface in the WLC?
08-08-2022 12:05 PM
No. G0 is management.
08-08-2022 12:06 PM
Interesting that it would accept the configuration at all. Even a warning would have been useful.
Thanks for the clarification!
08-08-2022 01:28 PM - edited 08-08-2022 01:35 PM
Hi Tony,
I think there is a quick clarification. With 17.6.x you are able to do those protocols using the service port (traffic will go in/out via the service port).
I think your original requirement is just to simply change the source interface for TACACS and still use the main trunk port connectivity for the communication. However, when you source TACACS traffic from the service port IP address, all outgoing traffic from the 9800 will still go via that trunk port, while incoming traffic to the service port IP address may not come via that trunk port (so it creates a bit of an asymmetric flow).
Therefore it is better to leave it completely via the trunk port (leave the TACACS source as WLC mgmt) or move it completely to the service port (which requires 17.6.x).
HTH
Rasika
08-08-2022 03:10 PM
There are plenty of commands you'll find which literally have no effect even though you can configure them. They're left over from the base IOS-XE router code the 9800 was built on top of and they're gradually either adding support for the features or removing them from the CLI in each new release.
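An added example, not part of any post in this thread: a Python check that flags a saved running-config where the TACACS source interface is GigabitEthernet0 on a release earlier than 17.6, the case discussed above where the command is accepted but has no effect. The function names and the sample config are constructed for illustration; the 17.6 threshold is taken from the accepted answer.

```python
import re

# Threshold from the accepted answer in this thread: TACACS+ over the
# Service Port (GigabitEthernet0) is supported only from 17.6 onward.
MIN_SP_TACACS = (17, 6)

# Matches both forms quoted in the question (with and without "vrf <name>").
SRC_RE = re.compile(
    r"^\s*ip tacacs source-interface\s+(\S+)(?:\s+vrf\s+(\S+))?\s*$",
    re.MULTILINE,
)

def parse_release(version):
    """'17.3.5b' -> (17, 3); patch level and letter suffix are ignored."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {version!r}")
    return int(m.group(1)), int(m.group(2))

def audit_tacacs_source(version, running_config):
    """Return one finding per source-interface line that will be ignored."""
    release = parse_release(version)
    findings = []
    for iface, vrf in SRC_RE.findall(running_config):
        on_service_port = iface.lower() == "gigabitethernet0"
        if on_service_port and release < MIN_SP_TACACS:
            findings.append({
                "interface": iface,
                "vrf": vrf or None,
                "release": version,
                "issue": "source-interface accepted by the CLI but not "
                         "honoured; TACACS+ leaves via another interface",
            })
    return findings

# Constructed sample input (hypothetical config, not taken from a device).
SAMPLE_CONFIG = """\
hostname wlc-example
ip tacacs source-interface GigabitEthernet0 vrf Mgmt-intf
ip radius source-interface GigabitEthernet0
"""

if __name__ == "__main__":
    for finding in audit_tacacs_source("17.3.5b", SAMPLE_CONFIG):
        print(finding)
```

A finding only says the configured intent and the release do not match; confirming the actual source address still means checking what the TACACS+ server logs as the client IP.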