Per-VRF BGP Dampening

Does anyone know if it is possible to enable Per-VRF BGP Dampening? I have a router running 12.4(9)T and when I enable BGP dampening within an address-family, it is enabled under all routing contexts and within VPNV4.
Any ideas?
Jon

Hello Jon,
Try to give the command only under the address-family of interest; it should be supported there.
Command Modes:
  Address family configuration
  Router configuration
See
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp1.html#wp1012660
Sorry, I hadn't seen that you had already done that. This may be a bug in your release.
As a workaround you could try to use a route-map, as in this example:
Router(config)# router bgp 50000
Router(config-router)# address-family ipv4
Router(config-router-af)# bgp dampening route-map BLUE
Router(config-router-af)# end
Hope to help
Giuseppe

Similar Messages

  • Per VRF label

    Hi,
    I would like to know if per-VRF label is supported on the 7600 platform with SUP7203BXL. If yes, can anybody share the config details?

    Anup,
    It is currently supported via the following hidden command:
    [no] mpls label mode { vrf | all-vrfs } protocol bgp-vpnv4 { per-prefix|per-vrf}
    Regards,

  • Bandwidth allocation per vrf

    Hello,
    In my lab I have 3 sites, each with 3 VRFs configured. A diagram is attached. I would like to configure fixed bandwidth for each VRF. The central VRF should have 768 kbps and the other ones should have 256 kbps each.
    What are the options I have to achieve this?
    Thanks a lot in advance
    Alex

    Hi Alex
    Since you have already policed the bandwidth at the access, would there be any excess bandwidth that will leak from this policing?
    Besides, ideally you would configure your core with a standard LLQ+CBWFQ config and give priority to voice. In production you will have multiple customers and you can't have such a bandwidth restriction in place.
    Also, no, you cannot police bandwidth in the core per VRF. At the same time I can think of a non-conventional way of doing it by using TE, but that is a very bad way of doing it.

  • Per-VRF TACACS config gets "Address already in use" error

    I have created a per-VRF TACACS config on a couple of network devices. I can ping the ACS servers through the VRF. TACACS makes the attempt to contact the servers, but the following message shows up in the log when I debug TACACS:
    *Mar 11 08:57:38 starts: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
    *Mar 11 08:57:38 starts: TAC+: TCP/IP open to x.x.x.x/49 failed -- Address already in use
    I can't find anything on CCO that references the "Address already in use" message.
    Has anyone run into this?

    Hmmm...no, the server group is still there. Did you see the other post which describes the bug ID? The link to the bug is:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl45701
    Do you get the IP address is in use log message?

  • Is possible to configure SLB per VRF??

    I have the Cat6500 with Sup720 and IOS version 12.2(18)SXF8. From the documentation this software is SLB VRF-aware, but I cannot configure SLB per VRF :-( I'm sending you the example of my configuration:
    ip vrf WEB
    rd 100:1
    ip slb probe WEB1 tcp
    port 443
    ip slb serverfarm WEB
    nat server
    probe WEB1
    real 212.67.72.228
    inservice
    real 212.67.72.244
    inservice
    ip slb vserver WEB-HTTPS
    virtual 212.67.72.150 tcp 443
    serverfarm WEB
    sticky 300 netmask 255.255.255.255
    advertise
    inservice
    interface vlan 30
    ip vrf forwarding WEB
    ip address 10.0.0.4 255.255.255.248
    interface vlan 10
    description Servery
    ip vrf forwarding WEB
    ip address 212.67.72.130 255.255.255.128
    interface gi0/1
    description Server WEB1
    switchport
    switchport access vlan 10
    switchport mode access
    no ip address
    spanning-tree portfast
    interface gi0/2
    switchport
    switchport access vlan 30
    switchport mode access
    no ip address
    spanning-tree portfast
    This configuration is functional without VRF; when I use the configuration with VRF it is not functional :-(
    Can you help me? Thank you.
    Roman

    if the main server is up, the CSS will use it over the sorry_server.
    You can't tell the CSS not to use it if it is UP.
    Therefore, the only solution is to find a way to keep your main server down once it fails a keepalive.
    This can be done with a script that would issue the command 'suspend' once it detects the service missed a keepalive.
    The script can be a TCP keepalive script, and instead of returning just a failure once the server is down, the script itself can generate the 'suspend' command.
    So, you then have time to sync your database and when ready you can do an 'active' under the service to start using it again.
    Gilles.

  • Per VRF Tacacs+ - not working

    I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.
    I have the following configured:
    aaa new-model
    aaa group server tacacs+ MYGROUP
     server-private 1.2.3.4 key cisco
     ip vrf forwarding vpn_nms
     ip tacacs source-interface Loopback100
    aaa authentication login default local
    aaa authentication login MYGROUP group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group MYGROUP if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    ip cef
    ip vrf forwarding
    ip vrf vpn_nms
     rd 65XXX:3
    interface Loopback100
     description NMS LOOPBACK
     ip vrf forwarding vpn_nms
     ip address 10.10.10.10 255.255.255.255
    tacacs-server host 1.2.3.4
    tacacs-server directed-request
    tacacs-server key cisco
    line con 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
     length 0
     transport input all
    I know some of this config is redundant but I have been trying different things and getting nowhere.

    Hi,
    Your debug output shows a timeout to the ACS server, as below:
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
    Have you tried pinging the ACS server from the switch mgmt VRF? Your previous example was showing a ping response from the management workstation (192.168.5.85) and not from the ACS.
    Hope that helps
    Najaf
    Please rate when applicable or helpful !!!

  • BGP dampening

    Hi,
    I have to check whether there are BGP sessions flapping on a Cisco 7200 router without loading the CPU, and I had the idea of using the bgp dampening command.
    Now, if someone has used it: does this command introduce CPU load?
    Thank you.
    Regards.
    Paolo

    BGP route dampening is not so CPU intensive.
    Once the route is dampened, it depends on a simple property, the ReuseLimit, in conjunction with the HalfLife of the suppression, to begin advertising the route again.
    This is not CPU intensive enough to worry about, unless you had thousands of routes to dampen.
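The penalty, half-life, suppress and reuse mechanics that this reply and the route-map workaround in the main thread rely on can be seen in a small simulator. The following Python block is an added example, not code from any of the posts or from Cisco; it assumes the IOS defaults (half-life 15 minutes, reuse 750, suppress 2000, max-suppress 60 minutes, 1000 penalty per flap) and models the decay arithmetic only, not the timer-driven bookkeeping the real implementation uses. One `DampeningParams` per VRF corresponds to the values a route-map `set dampening` clause would carry for that VRF.

```python
"""Route-flap dampening simulator (added example, not from the thread).

Each flap adds a fixed penalty, the penalty decays exponentially with the
configured half-life, the route is suppressed once the penalty exceeds the
suppress limit and is re-advertised once it decays below the reuse limit.
Assumption: IOS defaults 15 750 2000 60 and 1000 penalty per flap.
"""
from dataclasses import dataclass, replace
import math

PENALTY_PER_FLAP = 1000  # assumed IOS default: each withdrawal adds 1000


@dataclass(frozen=True)
class DampeningParams:
    """Values of `bgp dampening` / `set dampening half-life reuse suppress max-suppress`."""
    half_life: float = 15.0     # minutes for the penalty to halve
    reuse: int = 750            # re-advertise when the penalty decays below this
    suppress: int = 2000        # suppress when the penalty exceeds this
    max_suppress: float = 60.0  # longest a route stays suppressed, in minutes

    @property
    def max_penalty(self) -> float:
        # Ceiling that makes max_suppress the worst case: reuse * 2^(max_suppress/half_life)
        return self.reuse * 2 ** (self.max_suppress / self.half_life)


@dataclass
class RouteState:
    penalty: float = 0.0
    last_update: float = 0.0    # minutes, when the penalty was last recomputed
    suppressed: bool = False


def decayed_penalty(state: RouteState, params: DampeningParams, now: float) -> float:
    """Exponential decay: the penalty halves every half_life minutes."""
    elapsed = max(0.0, now - state.last_update)
    return state.penalty * 0.5 ** (elapsed / params.half_life)


def record_flap(state: RouteState, params: DampeningParams, now: float) -> RouteState:
    """Apply one flap at time `now` (minutes) and return the new state."""
    penalty = min(decayed_penalty(state, params, now) + PENALTY_PER_FLAP, params.max_penalty)
    suppressed = state.suppressed or penalty > params.suppress
    return RouteState(penalty=penalty, last_update=now, suppressed=suppressed)


def is_suppressed(state: RouteState, params: DampeningParams, now: float) -> bool:
    """Re-evaluate at time `now` without a flap: reuse once below the reuse limit."""
    return state.suppressed and decayed_penalty(state, params, now) >= params.reuse


def minutes_until_reuse(state: RouteState, params: DampeningParams) -> float:
    """Minutes after last_update until the penalty decays below the reuse limit."""
    if not state.suppressed or state.penalty < params.reuse:
        return 0.0
    return params.half_life * math.log2(state.penalty / params.reuse)


def simulate(flap_times, params: DampeningParams):
    """Feed a sequence of flap timestamps (minutes) and return the state after each."""
    state, history = RouteState(), []
    for t in sorted(flap_times):
        state = record_flap(state, params, t)
        history.append(replace(state))
    return history


if __name__ == "__main__":
    defaults = DampeningParams()
    history = simulate([0.0, 1.0, 2.0], defaults)
    for snap in history:
        print(f"t={snap.last_update:4.1f}m penalty={snap.penalty:7.1f} suppressed={snap.suppressed}")
    print(f"reuse in {minutes_until_reuse(history[-1], defaults):.1f} minutes")
```

With the defaults, three flaps one minute apart push the penalty past 2000 on the third flap and the route stays suppressed for about 29 minutes; a harsher `DampeningParams` for one VRF suppresses after two flaps, which is the per-VRF tuning the route-map workaround makes possible. The work per route is one multiplication and a comparison at each re-evaluation, which is why the reply above calls it cheap.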

  • Per VRF Tacacs+ support on 3550EMI

    Trying to get TACACS+ running on a 3550EMI switch running 12.1(22)EA3 (latest release), without much success due to what appears to be a lack of support for per-VRF AAA/TACACS+ on the box.
    Checked elsewhere and it looks like this feature is only available in some 12.2 and in 12.3T, but does anyone know if VRF-aware TACACS+ is likely to appear on the 3550EMI or indeed on 12.1? Or does anyone know of a workaround? (Tried specifying a source-interface but this doesn't work.)
    TIA

    This feature was introduced in 12.3(7)T. I guess it's not supported on the switch currently.

  • Tacacs per VRF

    Good day,
    I'm trying to configure TACACS per VRF but no luck; I've been using docs from Cisco. Can somebody help me check whether my config is correct?
    Here is my current config:
    aaa group server tacacs+ tacacs1
    server-private 183.x.x.x key 7 XXXXXX
    ip vrf forwarding NMS
    ip tacacs source-interface Vlan89
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    ip vrf NMS
    description OOB NMS VRF
    rd 110:100
    interface Vlan89
    description to DIA monitoring
    ip vrf forwarding NMS
    ip address 183.109.191.11 255.255.255.0
    end
    ip vrf NMS
    thanks

    Thanks Carlos,
    I followed your suggestion; I think the only change will be in the aaa authentication statement.
    I'm very careful about changing the aaa statement and don't want to change it without your expert advice; the router is located in a different country and no one will reboot it if I lose the connection.
    The first "password" prompt you get is for the local enable password? We might need to enable "Debug aaa authentication" and "debug tacacs" and recreate the issue.
    Answer: yes, first it will ask for the local password.
    Below is the debug:
    AAA Authentication debugging is on
    crt-tw1-602#
    *Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f 
    *Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'
    *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
    *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD
    *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
    *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS
    *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
    *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
    *Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
    *Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
    *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
    *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
    *Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
    *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE
    *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list
    *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)
    *Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963
    *Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER
    *Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER
    *Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')
    *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER
    *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
    *Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963
    *Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS
    *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS
    *Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')
    *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS
    *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
    *Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963
    *Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS
    *Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS
    *Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    crt-tw1-602#
    crt-tw1-602#debug tacacs
    TACACS access control debugging is on
    crt-tw1-602#
    *Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing
    *Jan 18 00:41:44: TPLUS: processing authentication start request id 133
    *Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()
    *Jan 18 00:41:44: TPLUS: Using server 183.111.21.100
    *Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
    *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
    *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
    *Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet
    *Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
    *Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
    *Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
    *Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
    *Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
    *Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued
    *Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed
    *Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
    *Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892
    *Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
    *Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed
    *Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
    *Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892
    *Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
    *Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed
    *Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
    *Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
    *Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
    *Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
    *Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.
    *Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
    *Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
    *Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued
    *Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed
    *Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER
    *Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987
    *Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
    *Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed
    *Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS
    *Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987
    *Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
    *Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed
    *Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
    *Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49
    crt-tw1-602#
    crt-tw1-602#
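The three per-VRF TACACS+ threads above ("Address already in use", the timeouts to 192.168.5.7x, and this debug capture) all come down to the same questions: did the TCP open to port 49 succeed, which source address did the router use (it should be the interface named in `ip tacacs source-interface` inside the VRF-bound server group), and did the method list actually reach the group that holds the `server-private` entries. The following Python block is an added example, not code from any of the posts or from Cisco; it parses the `debug tacacs` message formats shown in the threads and reports those three points. `SAMPLE_DEBUG` is constructed from the threads' message formats, reusing the addresses that appear in them, and the regular expressions match only those formats.

```python
"""Triage of IOS `debug tacacs` output for per-VRF TACACS+ (added example).

Reports per server: TCP open failures with their reason, the source address
the router used for the session, and the AUTHEN statuses seen; plus a finding
when a method list referenced a server group that has no servers.
"""
import re
from collections import defaultdict

RE_OPENING = re.compile(r"TAC\+: Opening TCP/IP to (\S+)/(\d+) timeout=(\d+)")
RE_FAILED = re.compile(r"TAC\+: TCP/IP open to (\S+)/(\d+) failed -- ([^;]+)")
RE_OPENED = re.compile(r"TAC\+: Opened TCP/IP handle \S+ to (\S+)/(\d+) using source (\S+)")
RE_STATUS = re.compile(r"TAC\+: .*received AUTHEN status = (\w+)")
RE_NOGROUP = re.compile(r'TAC\+: no tacacs servers defined in group "([^"]+)"')

# Constructed sample in the formats the threads show (addresses taken from the threads).
SAMPLE_DEBUG = """\
*Jan 18 00:41:40: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5
*Jan 18 00:41:40: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Address already in use
*Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
*Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
*Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
*Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
*Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
""".splitlines()


def new_server_record():
    return {"attempts": 0, "failures": [], "source": None, "statuses": []}


def triage(lines, expected_source=None):
    """Summarise per-server results and list the findings worth acting on."""
    servers = defaultdict(new_server_record)
    empty_groups = []
    last_server = None  # AUTHEN status lines carry no server address, so track the last one opened
    for line in lines:
        if m := RE_OPENING.search(line):
            servers[m.group(1)]["attempts"] += 1
            last_server = m.group(1)
        elif m := RE_FAILED.search(line):
            servers[m.group(1)]["failures"].append(m.group(3).strip())
        elif m := RE_OPENED.search(line):
            servers[m.group(1)]["source"] = m.group(3)
            last_server = m.group(1)
        elif m := RE_STATUS.search(line):
            if last_server is not None:
                servers[last_server]["statuses"].append(m.group(1))
        elif m := RE_NOGROUP.search(line):
            if m.group(1) not in empty_groups:
                empty_groups.append(m.group(1))

    findings = []
    for group in empty_groups:
        findings.append(f'a method list references server group "{group}", which has no servers; '
                        f"point the method list at the group that holds the server-private entries")
    for ip, rec in servers.items():
        for reason in dict.fromkeys(rec["failures"]):  # unique reasons, in order seen
            findings.append(f"{ip}: TCP open failed ({reason})")
        if expected_source and rec["source"] and rec["source"] != expected_source:
            findings.append(f"{ip}: session sourced from {rec['source']}, expected {expected_source} "
                            f"(check ip tacacs source-interface and ip vrf forwarding in the group)")
        if "FAIL" in rec["statuses"]:
            findings.append(f"{ip}: server reachable, authentication returned FAIL (credentials or server policy)")
    return {"servers": dict(servers), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG, expected_source="183.109.191.11")
    for ip, rec in report["servers"].items():
        print(ip, rec)
    for finding in report["findings"]:
        print("-", finding)
```

Pass `expected_source` as the address of the interface the server group binds to; a mismatch means the session left through the global table or another VRF rather than the intended one, which is the usual reason the ACS never sees the request. A server that reports a TCP failure is a transport problem, whereas a `FAIL` status after a successful open means the server was reached and rejected the login, so the two cases need different follow-up.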

  • Tacacs per vrf no supported on my router, does a gre tunnel would work?

    Hi,
    Basically the problem is that I am working with old routers. I already checked on Feature Navigator, and the following commands are not supported on the router for communicating with a TACACS server that resides in a VRF:
    Configuring Per VRF for TACACS+ Servers: Example
    The following output example shows that the group server tacacs1 has been configured for per VRF AAA services:
    aaa group server tacacs+ tacacs1
    server-private 10.1.1.1 port 19 key cisco
    ip vrf forwarding cisco
    ip tacacs source-interface Loopback0
    ip vrf cisco
    rd 100:1
    interface Loopback0
    ip address 10.0.0.2 255.0.0.0
    ip vrf forwarding cisco
    Basically I cannot support all of the above; however, I was thinking of bypassing the command by creating a GRE tunnel. I just need confirmation that the following would work; if not, I would appreciate it if someone could point me in a better direction:
    ON BRANCH ROUTER:
    int l0
    ip add 1.1.1.1 255.255.255.0
    no shut
    int tun10
    ip add 2.2.2.1 255.255.255.0
    ip vrf forwarding cisco
    tun so l0
    tun dest [ip add of router directly connected to tacacs server]
    ip tacacs source-interface l0
    tacacs-server host 10.10.10.1
    tacacs-server key 7 cisco
    ON REMOTE ROUTER:
    int l0
    ip add 3.3.3.3 255.255.255.0
    no shut
    int tun10
    ip add 2.2.2.2 255.255.255.0
    ip vrf forwarding cisco
    tunn so l0
    tunn dest [ip add of branch router]
    Attached is some real information, the ip address of the real tacacs server is 10.20.30.61.

    Thanks for the response, but I posted the question after knowing that. I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router; at the end of my configuration I am proposing a workaround using a tunnel to bypass the unsupported configuration.
    My question to you is: can a configuration with GRE and VRF work instead of the unsupported configuration?
    I know that the alternative is to run RADIUS, but it is more paperwork than trying to implement a solution with the current IOS.
    Thanks, and sorry if I didn't make myself clear at the beginning of my first post.

  • SUP720 MPLS support only 700 routes per VRF?

    In the following document I found that the SUP720 supports only 700 routes per VRF. Am I right?
    http://www.cisco.com/en/US/partner/products/hw/modules/ps4835/products_data_sheet09186a0080159856.html

    There is no such thing as a limit of 700 routes per VRF. What is described in this URL is that scalability testing has been performed with 1024 VRFs with 700 routes each (1024*700=716800 routes total).
    You could go way beyond 700 routes per VRF if you don't plan to provision that many VRFs.
    Let me know if I answered your question,

  • Tacacs per vrf no supported on MLS C3750G

    HI,
    As I already know, TACACS per VRF is not supported on the MLS C3750G and some other old IOS versions for routers and switches, but now I have 2 VRF routing tables configured in my switch. Is there any workaround to make this work? I would really appreciate your input, guys!

  • Per VRF label or Per route label

    Folks,
    A few weeks back I saw, on some study group I'm on, a decent conversation on the downfalls of per-VRF labels (Juniper) compared to per-route labels (Cisco). Now per-route label obviously has its limitations in label consumption, but per-VRF label threw up a few issues, one of which was something to do with suboptimal routing. Anyone know any downfalls of using per-VRF label space?

    Rob,
    One of the disadvantages of the per-VRF label scheme is that it requires an IP lookup on the edge router. This is due to the fact that if the label is shared among all CEs on a given PE, an IP lookup needs to be done in the VRF to determine which CE we should send the packet to.
    Another disadvantage would be that you couldn't support CsC using a per-VRF label, since an IP table lookup is required on the PE, which breaks the end-to-end LSP.
    On the other hand, you are absolutely right about the increased resource consumption when a per-route label scheme is used. This affects some vendors more than others, though.
    Hope this helps,

  • Do you need a cisco router at remote sites when using VRF BGP?

    Hello.....
    If you could refer to the attached document and read the following... I need to know if a CISCO router is required for each of the sites.   OR does the ISP (Provider) provide the only required Router in the private cloud?
    We want to replace the Cisco 891 with a PepLink but I don't know if we can do that.  Can anyone jump in and help me understand?
    When we hear about VRF, it's almost synonymous with MPLS VPN. Virtual Routing and Forwarding is commonly used by Service Providers to provide services within an MPLS cloud with multiple customers. The most interesting feature of this is that VRF allows the creation of multiple routing tables within a single router. This means that overlapping use of IP addresses from different customers is possible. Some enterprises use VRF to segregate their services like VoIP, wireless, geographical location and other varieties.

    Whether you can replace the 891 device with another device boils down to a single question: Do you need to run BGP with the Service Provider in order to use their service. If you need to run a routing protocol with your service provider, your service is likely a L3VPN (IP VPN) solution ( i.e. you inject your site's routes into the providers L3VPN session, they use MP-BGP+VRF for segmentation within their network).
    If, however, they just drop you a L2 connection and provide L2 emulated services ( e.g. L2VPN or VPLS ) across their network, then your device can be whatever you want it to be.
    From your device's perspective, it is not VRF aware. That is, it does not know how the service provider segments your service from another customer's. In the L3VPN case, your device is routing-protocol aware. In the L2VPN case, your device is not routing-protocol aware and does not need to form an adjacency with the service provider's equipment.
    HTH.
    Rate if helpful.

  • NX-OS vrf bgp local-as interaction with L3vpn

    I use standard MPLS BGP-L3vpn to forward traffic between VRFs on Nexus 7k routers.  All of my VRFs are within the same BGP process, so have the same local-as.
    I'd like to bring-up an eBGP session from one VRF to a carrier, but the carriers requires that they peer with a specific BGP ASN (call it "65432").  It doesn't look like NX-OS supports the "router bgp 1234, vrf VRF1 neighbor w.x.y.z local-as 65432" command.  However, it does appear to support "router bgp 1234, vrf VRF1, local-as 65432".  
    My limited understanding is that this would prepend "65432" onto all routes advertised to all VRF1 neighbors? And that all neighbors defined under VRF1 on this router would learn routes from me with as-path "^65432 1234 ..."?
    If so, would this have any effect on routes exchanged with other VRFs using import/export RD?

    It's tricky given that BGP's AD is always going to beat out EIGRP's all other things being equal. Most of the things you can do with BGP route-maps involve making one BGP route preferred over another.
    You could inject the preferred path as a static route (AD = 1) to the firewall using an ip sla operation and having the static route track that. Once the ip sla operation fails, the static route is withdrawn and then the BGP-learned route (AD = 20) will take precedence.
