MPLS Per VRF QOS

Our WAN cloud will be a mesh between 3 campuses. Our provider will provide Layer 2 transport services, 1Gbps, FIFO. At each campus I will be running 2821 for WAN edge.
All services will be converged onto this WAN, Voice, Video, Data.
At each campus runs 3750 or 6513 as Campus Core peering 2821's. Each campus will be running VRF-Lite. My goal is to become the MPLS service provider for the college. The 2821's are the PE devices and the Campus Core's are the CE devices. Example, Voice will have it's own VRF at each respective site, each vrf will learn routes from other voice vrf's from the 2821's. Currently the 2821's peer each other iBGP. I want to be able to allocate portions of bandwidth (1Gb) for each VRF on the WAN and queue the traffic within each VRF.

Hi,
You need to configure normal QoS, remark the triple play traffic (data voice video) in ingress interface on the switch and implement queuing and bandwidth reservation out the egress interface of the router.
Regards,
W.Amer

Similar Messages

  • SUP720 MPLS support only 700 routes per VRF?

    In following document i found that SUP720 supporting only 700 router per 1 VRF. Am i right?
    http://www.cisco.com/en/US/partner/products/hw/modules/ps4835/products_data_sheet09186a0080159856.html

    There is no such thing as a limit of 700 routes per VRF. What is described in this URL is that scalability testing has been performed with 1024 VRFs with 700 routes each (1024*700=716800 routes total).
    You could go way beyond 700 routes per VRF if you don't plan to provision that many VRFs.
    Let me know if I answered your question,

  • Per Tunnel QoS: NHRP-3-QOS_POLICY_APPLY_FAILED

    Hello,
    another day another problem :-)
    Since I got DMVPN Netzwork up and running for a few month now, the customer wishes to implement voice-over-ip, therefore I tryied to configure Per-Tunnel-QoS  in the DMVPN Network.
    The Policy Map on the Hub-Site is as followed:
    class-map match-all BULK-DATA match ip dscp af11  af12
    class-map match-all INTERACTIVE-VIDEO
    match ip dscp af41  af42
    class-map match-all VOICE
    match ip dscp ef
    class-map match-all SCAVENGER
    match ip dscp cs1
    class-map match-any INTERNETWORK-CONTROL
    match ip dscp cs6
    match access-group name IKEclass-map match-any CALL-SIGNALING
    match ip dscp cs3
    match ip dscp af31
    class-map match-all TRANSACTIONAL-DATA match ip dscp af21  af22
    policy-map voice
    class VOICE
        priority percent 18
    class INTERACTIVE-VIDEO
        priority percent 15
    class CALL-SIGNALING
        bandwidth percent 5
    class INTERNETWORK-CONTROL
        bandwidth percent 5
    class TRANSACTIONAL-DATA    bandwidth percent 27
        queue-limit 18 packets class BULK-DATA
        bandwidth percent 4
        queue-limit 3 packets class SCAVENGER
        bandwidth percent 1
        queue-limit 1 packets
    class class-default
        bandwidth percent 25
        queue-limit 16 packets
    The Hub and the Spokes are configured with the proper NHRP Group, but when checking the QoS State, the Spokes appair to be in the right NHRP Group but the QoS service policy is not applied.
    Hub#sh dmvpn detailLegend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface Tunnel1 is up/up, Addr. is 192.168.205.1, VRF ""
       Tunnel Src./Dest. addr: 2.2.2.1/MGRE, Tunnel VRF ""   Protocol/Transport: "multi-GRE/IP", Protect "Schmidt-Group"
       Interface State Control: Disabled
    Type:Hub, Total NBMA Peers (v4/v6): 1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target  Network----- --------------- --------------- ----- -------- -----  -----------------
        1        1.1.1.1   192.168.205.2    UP 00:40:52    D   192.168.205.2/32NHRP group: voice
    Output QoS service-policy applied: none
    Crypto Session Details:--------------------------------------------------------------------------------
    Interface: Tunnel1Session: [0x8693F664]
      IKE SA: local 2.2.2.1/500 remote 1.1.1.1/500 Active
              Capabilities:D connid:2001 lifetime:23:19:07
      Crypto Session Status: UP-ACTIVE  fvrf: (none), Phase1_id: 1.1.1.1
      IPSEC FLOW: permit 47 host 2.2.2.1 host 1.1.1.1
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 574 drop 0 life (KB/Sec) 4487723/1147        Outbound: #pkts enc'ed 560 drop 0 life (KB/Sec) 4487725/1147   Outbound SPI : 0xABF33617, transform : esp-256-aes esp-sha-hmac
        Socket State: Open
    Pending DMVPN Sessions:
    A debugging on QoS events results with the message:
    Oct 18 08:20:51.883: %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS  policy voice mapped to NHRP
    group voice on interface Tunnel1, to tunnel 1.1.1.1  due to policy installation failure
    I'm greatfull for any suggestions or hints!
    Kind regards
    Thomas

    I have the same problem. I found this info, it might be related to your problem. For me, I only have one spoke on my QoS/DMVPN Hub tunnel. However, I am running MPLS-VPN, multiple Hub tunnels connecting to multiple spokes so the policy could be see all spokes connected to my router, not just the hub tunnel.
    https://cisco-images.test.edgekey.net/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_rel_notes_book_pdf.pdf
    CSCts62082
    Symptoms: Router generates the following message:%NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy 10M-shape mapped
    to NHRP group xx on interface Tunnelxx, to tunnel x.x.x.x due to policy
    installation failureConditions: This symptom is observed when “per-tunnel” QoS is applied and there are more than
    nine DMVPN spokes. (Up to eight spokes, with QoS applied is fine.)
    Workaround: There is no workaround.

  • Per-Tunnel QoS on a DMVPN Tunnel Not Working.

    Hello, I am trying to get per-Tunnel QoS working on one of my Hub tunnels, and believe to have the configurations correctly, but when I do "show ip nhrp group-map" I get NONE. I am running a MPLS-VPN network and this router has multiple DMVPN Tunnels with different VRFs. I am not running QoS on the other tunnels.
    router#show ip nhrp group-map
    Interface: Tunnel1
    NHRP group: testgroup
      QoS policy: test-QoS
      Tunnels using the QoS policy: None
    here is my config
    interface Tunnel1
    ip vrf forwarding test
    ip address 172.16.1.1 255.255.255.240
    no ip redirects
    ip mtu 1376
    ip nhrp authentication test
    ip nhrp map multicast dynamic
    ip nhrp map group testgroup service-policy output TEST-QoS
    ip nhrp network-id #####
    ip tcp adjust-mss 1200
    load-interval 30
    tunnel source Loopback1
    tunnel mode gre multipoint
    tunnel key #####
    tunnel vrf test_internet
    tunnel protection ipsec profile IPSECPROFILE shared
    Router Version
    (C7200-ADVENTERPRISEK9-M), Version 15.0(1)M3
    I understand that I could do qos pre-classify in the tunnel and then do a service policy on the physical interface, but the question I have is why does it say " Tunnels using the QoS policy: None " when I configured a qos policy on the tunnel interface? Is this a bug?
    Thank you for your help!

    Ray,
    There could be multiple reasons for it not to function, the config on hub seems just fine, we'd need to inspect the spokes and check (most likely) in debugs if correct group is being sent from spoke.
    Also coexistance of other service-policy etc etc.
    The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
    M.

  • Per VRF label

    Hi,
    Would like to know if per VRF label is supported on 7600 platform with SUP7203BXL?If yes can anybody share the config details

    Anup,
    It is currently supported via the following hidden command:
    [no] mpls label mode { vrf | all-vrfs } protocol bgp-vpnv4 { per-prefix|per-vrf}
    Regards,

  • Bandwidth allocation per vrf

    Hello,
    in my lab i have 3 sites each with 3 VRF's configured. A diagram ist attached. I like to configure fixed bandwidth for each vrf. the central vrf should have 768 kbps and the the other ones ones should have 256 kbps each.
    What are the options i have to achive this?
    Thanks a lot in advanced
    Alex

    Hi Alex
    Since you have already policed the bandwidth at the access, would there be any excess bandwidth that will leak from this policing.
    Besides, ideally you would configure your core with a standard llq+cbwfq config and give priority to voice. You will in production have multiple customers and you cant have sich a bandwidth restriction in place.
    Also, no you cannot police bw in core per vrf. But at the same time I can think of a non-conventional way of doing it by using TE but that is a very bad way of doing it.
    Sent from Cisco Technical Support Android App

  • Per-VRF TACACS config gets "Address already in use" error

    I have created a per-VRF TACACS config on a couple of network devices. I can ping the ACS servers through the VRF. TACACS makes the attempt to contact the servers, but the following message shows up in the log when I debug TACACS:
    *Mar 11 08:57:38 starts: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
    *Mar 11 08:57:38 starts: TAC+: TCP/IP open to x.x.x.x/49 failed -- Address already in use
    I can't find anything on CCO that references the "Address already in use" message.
    Has anyone run into this?

    Hmmm...no, the server group is still there. Did you see the other post which describes the bug ID? The link to the bug is:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl45701
    Do you get the IP address is in use log message?

  • Is possible to configure SLB per VRF??

    I have the Cat6500 with Sup720 and the IOS version 12.2(18)SXF8. From the documentation this software is SLB VRF-aware. But I can not configure SLB per VRF:-( I'm sending you the example of my configuration:
    ip vrf WEB
    rd 100:1
    ip slb probe WEB1 tcp
    port 443
    ip slb serverfarm WEB
    nat server
    probe WEB1
    real 212.67.72.228
    inservice
    real 212.67.72.244
    inservice
    ip slb vserver WEB-HTTPS
    virtual 212.67.72.150 tcp 443
    serverfarm WEB
    sticky 300 netmask 255.255.255.255
    advertise
    inservice
    interface vlan 30
    ip vrf forwarding WEB
    ip address 10.0.0.4 255.255.255.248
    interface vlan 10
    description Servery
    ip vrf forwarding WEB
    ip address 212.67.72.130 255.255.255.128
    interface gi0/1
    description Server WEB1
    switchport
    switchport access vlan 10
    switchport mode access
    no ip address
    spanning-tree portfast
    interface gi0/2
    switchport
    switchport access vlan 30
    switchport mode access
    no ip address
    spanning-tree portfast
    this configuration is functional without VRF, when I used the configuration with VRF - it is not functional:-(
    Can you help me? Thank you.
    Roman

    if the main server is up, the CSS will use it over the sorry_server.
    You can't tell the CSS not to use it if it is UP.
    Therefore, the only solution is to find a way to keep your main server down once it fails a keepalive.
    This can be done with a script that would issue the command 'suspend' once it detects the service missed a keepalive.
    The script can be a tcp keepalive script and instead of returning just a failure one the server is down, the script itself can generate the 'suspend' command.
    So, you then have time to sync your database and when ready you can do an 'active' under the service to start using it again.
    Gilles.

  • Per VRF Tacacs+ - not working

    I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.
    I have the following configured:
    aaa new-model
    aaa group server tacacs+ MYGROUP
     server-private 1.2.3.4 key cisco
     ip vrf forwarding vpn_nms
     ip tacacs source-interface Loopback100
    aaa authentication login default local
    aaa authentication login MYGROUP group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group MYGROUP if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    ip cef
    ip vrf forwarding
    ip vrf vpn_nms
     rd 65XXX:3
    interface Loopback100
     description NMS LOOPBACK
     ip vrf forwarding vpn_nms
     ip address 10.10.10.10 255.255.255.255
    tacacs-server host 1.2.3.4
    tacacs-server directed-request
    tacacs-server key cisco
    line con 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
     length 0
     transport input all
    I know some of this config is redundant but I have been trying different things and getting nowhere.

    Hi,
    Your debug output shows time out to ACS server as below.
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
    Have you tried pinging the ACS server from the switch mgmt vrf? Your previous example was showing ping responce to the managment workstation (192.168.5.85) and not to the ACS.
    Hope that helps
    Najaf
    Please rate when applicable or helpful !!!

  • DMVPN Design: Multi-Hub, Router Per-Tunnel QoS

    Some DMVPN questions:
    1) A site I've worked with has about 7 hubs and 5 spokes. This looks at best a bit odd to me. The Cisco design docs all have at most 2 hub sites. Is more than 2 DMVPN hub sites a good idea / bad idea? Pros / cons / drawbacks? I've googled this topic heavily, found little.
    2) If two sites are DMVPN hub sites that have NHRP map statements for  each other, can they both be doing the Per-Tunnel QoS feature to get some QoS shaping towards each other?
    3) What is recommended for DMVPN QoS in general? And for a spoke site where the hub site is doing the Per-Tunnel QoS? Just put some QoS on the physical link?

    Ray,
    There could be multiple reasons for it not to function, the config on hub seems just fine, we'd need to inspect the spokes and check (most likely) in debugs if correct group is being sent from spoke.
    Also coexistance of other service-policy etc etc.
    The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
    M.

  • Per-VRF BGP Dampening

    Does anyone know if it is possible to enable Per-VRF BGP Dampening? I have a router running 12.4(9)T and when I enable BGP dampening within an address-family, it is enabled under all routing contexts and within VPNV4.
    Any ideas?
    Jon

    Hello Jon,
    try to give the command only under the address-family of interest
    it should be supported
    Command Modes
    >>Address family configuration
    Router configuration
    see
    http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp1.html#wp1012660
    Sorry, I haven't seen you had already done. This may be a bug in your release.
    As a workaround you could try to use a route-map like in this example:
    Router(config)# router bgp 50000
    Router(config-router)# address-family ipv4
    Router(config-router-af)# bgp dampening route-map BLUE
    Router(config-router-af)# end
    Hope to help
    Giuseppe

  • For encrypted flows, how does the MPLS do the QOS?

    After encrypting the data, send them to MPLS, how does the MPLS do the QOS?

    Hi,
    the IPSec standard mandates, that the ToS Byte from the original header is copied to the new IPSec header. So if your IP packets are already marked everything is straight forward - MPLS does not make any difference. For the MPLS network it will be just marked IP packets and the marking is copied to the MPLS experimental bits. QoS policies within an MPLS core only use experimental bits only.
    Regards, Martin

  • Per user QoS Policy in ASA

    is there a way to configure per user QoS Policy in ASA?
    I need this because to configure ssl vpn users to have different bandwidth

    Hi,
    Please can you explain me how "per SSL VPN group basis" is going to work.
    For my requirement that per group policy is also OK. Then it is needed to configure bandwidth limiters per group policy.
    thanks & regards
    Chandana

  • Per VRF Tacacs+ support on 3550EMI

    Trying to get Tacacs+ running on a 3550EMI switch running 12.1(22)EA3 (latest release), without much success due to wht appears to be lack of support for for Per VRF AAA/TACACS+ on the box.
    Checked elsewhere and looks like this feature is only available in some 12.2 and in 12.3T, but does anyone know if vrf-aware TACACS+ it is likely to appear on the 3550EMI or indeed on 12.1? Or does anyone know of a work around? (tried specifying a source-interface but this doesn't work)
    TIA

    This feature was introduced in 12.3(7)T. I guess its not supported on the Switch currently.

  • Tacacs per VRF

    Gooday
    Im trying to configure tacacs per Vrf but no luck, i been using docs from cisco, can somebody help me if my config is correct?
    here is my current config
    aaa group server tacacs+ tacacs1
    server-private 183.x.x.x key 7 XXXXXX
    ip vrf forwarding NMS
    ip tacacs source-interface Vlan89
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    ip vrf NMS
    description OOB NMS VRF
    rd 110:100
    interface Vlan89
    description to DIA monitoring
    ip vrf forwarding NMS
    ip address 183.109.191.11 255.255.255.0
    end
    ip vrf NMS
    thanks

    thanks Carlos,
    I followed your suggestion, i think there will be only change in the aaa authentication statement,
    I'm very careful on changing the aaa statement, and don't want to change it without your expert advice, the router is located in different country and no one will reboot if i lost the connection
    The first "password" prompt you get is for the local enable password? We might need to enable "Debug aaa authentication" and "debug tacacs" and recreate the issue.
    ans: yes, first it will ask for the local password
    below is the debug
    AAA Authentication debugging is on
    crt-tw1-602#
    *Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f 
    *Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'
    *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
    *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD
    *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
    *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS
    *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
    *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
    *Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
    *Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
    *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
    *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
    *Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
    *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE
    *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list
    *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)
    *Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963
    *Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER
    *Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER
    *Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')
    *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER
    *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
    *Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963
    *Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS
    *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS
    *Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')
    *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS
    *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
    *Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963
    *Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS
    *Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS
    *Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    crt-tw1-602#
    crt-tw1-602#debug tacacs
    TACACS access control debugging is on
    crt-tw1-602#
    *Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing
    *Jan 18 00:41:44: TPLUS: processing authentication start request id 133
    *Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()
    *Jan 18 00:41:44: TPLUS: Using server 183.111.21.100
    *Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
    *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
    *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
    *Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet
    *Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
    *Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
    *Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
    *Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
    *Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
    *Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued
    *Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed
    *Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
    *Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892
    *Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
    *Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed
    *Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
    *Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892
    *Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
    *Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed
    *Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
    *Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
    *Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
    *Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
    *Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.
    *Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
    *Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
    *Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued
    *Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed
    *Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER
    *Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987
    *Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
    *Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed
    *Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS
    *Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987
    *Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
    *Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed
    *Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
    *Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49
    crt-tw1-602#
    crt-tw1-602#
    AAA Authentication debugging is on
    crt-tw1-602#
    *Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f 
    *Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'
    *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
    *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD
    *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
    *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS
    *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
    *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
    *Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
    *Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
    *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
    *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
    *Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
    *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE
    *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list
    *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)
    *Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963
    *Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER
    *Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER
    *Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')
    *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER
    *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
    *Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963
    *Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS
    *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS
    *Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')
    *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS
    *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
    *Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963
    *Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS
    *Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS
    *Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    crt-tw1-602#
    crt-tw1-602#debug tacacs
    TACACS access control debugging is on
    crt-tw1-602#
    *Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing
    *Jan 18 00:41:44: TPLUS: processing authentication start request id 133
    *Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()
    *Jan 18 00:41:44: TPLUS: Using server 183.111.21.100
    *Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
    *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
    *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
    *Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet
    *Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
    *Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
    *Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
    *Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
    *Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
    *Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued
    *Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed
    *Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
    *Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892
    *Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
    *Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed
    *Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
    *Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892
    *Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
    *Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed
    *Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
    *Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
    *Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
    *Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
    *Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.
    *Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
    *Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
    *Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued
    *Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed
    *Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER
    *Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987
    *Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
    *Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed
    *Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS
    *Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987
    *Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
    *Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed
    *Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
    *Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49
    crt-tw1-602#
    crt-tw1-602#

Maybe you are looking for

  • My iPhone 4s keeps telling me my password is incorrect when I try to use the app store, but it's definitely NOT incorrect.

    When I try to update apps in the app store from my iPhone 4s, it says the password is incorrect. I'm positive it's correct. I even went through yesterday and changed my passwords just in case (I have two apple ids - they now both have the exact same

  • Add users to group with file

    So I am following power-shell script that I see online. I am trying to add 2 users (as a test for now) from a csv file into an AD group. The AD group name is "IMAllow" I created a file called AddUsersToGroup.ps1 that I am running on windows power-she

  • Accented characters in LR for mac.

    Hi all: I'm having problems with pictures with "accented characters" in the name. I can work with these pictures, no question mark is shown, and LR can show where the actual file is located. The problem is as following: if I try to sync a folder, the

  • How parentSandboxBridge and childSandboxBridge works?

    Hello, I am new to as3 and air development. I have created one app in adobe air for Android (using Flash CS 5.5). I am loading externally stored pages (swf) into my app. The last page which is assessment needs to send the score to the main app when u

  • Transferring images and videos from Nokia 5800 to ...

    Hello, I have been using Nokia PC Suite for years and now decided to jump onto OVI suite because the Nokia PC Suite was not able (mysteriously) to move picture and videos to my pc using USB cable. I gave up and started using OVI suite, which (how biz