Tacacs per vrf not supported on my router, would a GRE tunnel work?
Hi,
Basically the problem is that I am working with old routers. I already checked on Feature Navigator, and the following commands are not supported on the router for communicating with a TACACS server that resides in a VRF:
Configuring Per VRF for TACACS+ Servers: Example
The following output example shows that the group server tacacs1 has been configured for per VRF AAA services:
aaa group server tacacs+ tacacs1
server-private 10.1.1.1 port 19 key cisco
ip vrf forwarding cisco
ip tacacs source-interface Loopback0
ip vrf cisco
rd 100:1
interface Loopback0
ip address 10.0.0.2 255.0.0.0
ip vrf forwarding cisco
Basically I cannot support all of the above; however, I was thinking of bypassing the command by creating a GRE tunnel. I just need confirmation whether the following would work; if not, I would appreciate it if someone could point me in a better direction:
ON BRANCH ROUTER:
interface Loopback0
ip address 1.1.1.1 255.255.255.0
no shutdown
interface Tunnel10
! apply the VRF before the address: IOS removes the IP address when ip vrf forwarding is added afterwards
ip vrf forwarding cisco
ip address 2.2.2.1 255.255.255.0
tunnel source Loopback0
tunnel destination [ip address of router directly connected to tacacs server]
ip tacacs source-interface Loopback0
tacacs-server host 10.10.10.1
! "key 7" expects an already-encrypted hex string; a plaintext key is entered without the 7
tacacs-server key cisco
ON REMOTE ROUTER:
interface Loopback0
ip address 3.3.3.3 255.255.255.0
no shutdown
interface Tunnel10
ip vrf forwarding cisco
ip address 2.2.2.2 255.255.255.0
tunnel source Loopback0
tunnel destination [ip address of branch router]
Attached is some real information; the IP address of the real TACACS server is 10.20.30.61.
Thanks for the response, but I posted the question after knowing that. I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router; at the end of my configuration I am proposing a workaround using a tunnel to bypass the unsupported configuration.
My question to you is: can a configuration with GRE and VRF work instead of the unsupported configuration?
I know that the alternative is to run RADIUS, but that is more paperwork than trying to implement a solution with the current IOS.
Thanks, and sorry if I didn't make myself clear at the beginning of my first post.
Similar Messages
-
Tacacs per vrf not supported on MLS C3750G
Hi,
As I already know, TACACS per VRF is not supported on the MLS C3750G and some other old versions of IOS routers or switches, but now I have 2 VRF routing tables configured in my switch. Is there any workaround for this to work?? I'd really appreciate your inputs, guys!!!
-
Good day
I'm trying to configure TACACS per VRF but with no luck; I have been using docs from Cisco. Can somebody help me check if my config is correct?
Here is my current config:
aaa group server tacacs+ tacacs1
server-private 183.x.x.x key 7 XXXXXX
ip vrf forwarding NMS
ip tacacs source-interface Vlan89
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
ip vrf NMS
description OOB NMS VRF
rd 110:100
interface Vlan89
description to DIA monitoring
ip vrf forwarding NMS
ip address 183.109.191.11 255.255.255.0
end
ip vrf NMS
thanks
thanks Carlos,
I followed your suggestion; I think the only change will be in the aaa authentication statement.
I'm very careful about changing the aaa statement and don't want to change it without your expert advice; the router is located in a different country and no one will reboot it if I lose the connection.
The first "password" prompt you get is for the local enable password? We might need to enable "debug aaa authentication" and "debug tacacs" and recreate the issue.
Answer: yes, first it asks for the local password.
Below is the debug:
AAA Authentication debugging is on
crt-tw1-602#
*Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f
*Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'
*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD
*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS
*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
*Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
*Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
*Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963
*Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER
*Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER
*Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963
*Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS
*Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')
*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS
*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963
*Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS
*Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS
*Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
crt-tw1-602#
crt-tw1-602#debug tacacs
TACACS access control debugging is on
crt-tw1-602#
*Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing
*Jan 18 00:41:44: TPLUS: processing authentication start request id 133
*Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()
*Jan 18 00:41:44: TPLUS: Using server 183.111.21.100
*Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
*Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet
*Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
*Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
*Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued
*Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed
*Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
*Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892
*Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
*Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed
*Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
*Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892
*Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
*Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed
*Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
*Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
*Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
*Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
*Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued
*Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed
*Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER
*Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987
*Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
*Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed
*Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS
*Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987
*Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
*Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed
*Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
*Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49
crt-tw1-602#
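As an added example (not from any poster in this thread, and not a Cisco tool), a small Python reader for `debug tacacs` output like the capture above. It follows each AUTHEN request id to its final status, records which server and source address the TCP session used, counts TPLUS timeouts, and flags the `no tacacs servers defined in group "tacacs+"` line, which is what makes this router fall back to the default server-group. The sample is a few lines copied from the capture above plus two constructed lines (server 192.0.2.10) in the `TCP/IP open ... failed -- <reason>` form that shows up in later threads on this page; everything runs offline.

```python
import re
from collections import OrderedDict

# A few lines copied from the `debug tacacs` capture above, plus two CONSTRUCTED
# lines (server 192.0.2.10) in the connect-failure format; no device was queried.
SAMPLE_DEBUG = """\
*Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
*Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
*Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
*Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
*Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
*Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
*Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
*Mar 11 08:57:38: TAC+: Opening TCP/IP to 192.0.2.10/49 timeout=5
*Mar 11 08:57:38: TAC+: TCP/IP open to 192.0.2.10/49 failed -- Address already in use
"""

RE_EMPTY_GROUP = re.compile(r'TAC\+: no tacacs servers defined in group "([^"]+)"')
RE_START = re.compile(r"TAC\+: send AUTHEN/START packet ver=\d+ id=(-?\d+)")
RE_OPENED = re.compile(r"TAC\+: Opened TCP/IP handle 0x[0-9A-Fa-f]+ to (\S+)/(\d+) using source (\S+)")
RE_OPEN_FAILED = re.compile(r"TAC\+: TCP/IP open to (\S+)/(\d+) failed -- (.+)$")
RE_STATUS = re.compile(r"TAC\+: ver=\d+ id=(-?\d+) received AUTHEN status = (\w+)")
RE_TIMEOUT = re.compile(r"TPLUS\([0-9A-Fa-f]+\)/\S+: timed out$")   # not the ", clean up" line
FINAL = {"PASS", "FAIL", "ERROR"}


def new_session():
    return {"server": None, "source": None, "statuses": [], "final": None}


def summarize(lines):
    """Fold debug lines into per-request sessions plus a list of human-readable findings."""
    sessions, empty_groups, connect_failures = OrderedDict(), {}, []
    timeouts, current = 0, None   # current = request id whose TCP open is pending
    for raw in lines:
        line = raw.strip()
        if m := RE_EMPTY_GROUP.search(line):
            empty_groups[m.group(1)] = empty_groups.get(m.group(1), 0) + 1
        elif m := RE_START.search(line):
            current = m.group(1)
            sessions.setdefault(current, new_session())
        elif (m := RE_OPENED.search(line)) and current in sessions:
            sessions[current]["server"], sessions[current]["source"] = m.group(1), m.group(3)
        elif m := RE_OPEN_FAILED.search(line):
            connect_failures.append((m.group(1), int(m.group(2)), m.group(3).strip()))
        elif m := RE_STATUS.search(line):
            sess = sessions.setdefault(m.group(1), new_session())
            sess["statuses"].append(m.group(2))
            if m.group(2) in FINAL:
                sess["final"] = m.group(2)
        elif RE_TIMEOUT.search(line):
            timeouts += 1

    findings = []
    for group, n in empty_groups.items():
        findings.append(f'method list names server-group "{group}", which has no servers '
                        f"({n} requests fell back to the default group)")
    for sid, s in sessions.items():
        if s["final"] == "FAIL":
            findings.append(f"authentication FAIL for request {sid} via {s['server']} "
                            f"(source {s['source']})")
        elif s["final"] is None:
            findings.append(f"request {sid} never reached a final status")
    for server, port, reason in connect_failures:
        findings.append(f"TCP connect to {server}:{port} failed: {reason}")
    if timeouts:
        findings.append(f"{timeouts} request(s) timed out waiting for a server reply")
    return {"sessions": sessions, "empty_groups": empty_groups,
            "connect_failures": connect_failures, "timeouts": timeouts, "findings": findings}


if __name__ == "__main__":
    for finding in summarize(SAMPLE_DEBUG.splitlines())["findings"]:
        print("-", finding)
```

Feed it `terminal monitor` output or a syslog export; the point is that a PASS after a FAIL for the same user, a request that never reaches PASS/FAIL, or any connect-failure reason is worth alerting on separately from the plain "login failed" event.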
-
Ip route command in GRE tunnel
Hi Everyone,
I have set up a GRE lab between routers R1 and R3.
R1 is connected to R2 using OSPF, and R2 is connected to R3 using OSPF.
I configured a GRE tunnel interface on R1 and R3.
R1 has an internal subnet, say 100.x.x.x, to share with R3.
R3 has an internal LAN subnet, say 101.x.x.x, to share with R1.
The interesting traffic to pass through the GRE tunnel is subnets 100.x.x.x and 101.x.x.x.
R1 tunnel config
R1# sh run int tunnel 0
Building configuration...
Current configuration : 168 bytes
interface Tunnel0
ip address 13.13.13.1 255.255.255.0
keepalive 3
cdp enable
tunnel source Loopback0
tunnel destination 20.0.0.1
tunnel path-mtu-discovery
R3 Tunnel config
R3#sh run int tunnel 0
Building configuration...
Current configuration : 158 bytes
interface Tunnel0
ip address 13.13.13.3 255.255.255.0
keepalive 3 1
tunnel source Loopback0
tunnel destination 10.0.0.1
tunnel path-mtu-discovery
So my question is: instead of using routing protocols to advertise the LAN subnets from R1 and R3, can I use static routes?
For example, if I can use static routes, say on R1:
ip route 101.101.101.101 255.255.255 ?
What should be the next-hop IP here?
The tunnel interface of R3, or the physical interface of R3 that connects to R2?
Then the same way I can use static routes on R3, right?
Thanks
Mahesh
Hello Mahesh,
You can use the IP address as long as the tunnel IP addresses on both sides are in the same subnet. So in your case you can use
ip route 101.101.101.101 255.255.255 13.13.13.3
Or you can use the tunnel interface
ip route 101.101.101.101 255.255.255 Tunnel0
Although I have seen issues in some cases when the interface name is used instead of the tunnel IP.
Please rate this post if helpful.
Thanks
Shaml
-
Per VRF Tacacs+ support on 3550EMI
Trying to get TACACS+ running on a 3550EMI switch running 12.1(22)EA3 (latest release), without much success due to what appears to be a lack of support for per-VRF AAA/TACACS+ on the box.
Checked elsewhere and it looks like this feature is only available in some 12.2 and in 12.3T, but does anyone know if VRF-aware TACACS+ is likely to appear on the 3550EMI or indeed on 12.1? Or does anyone know of a workaround? (Tried specifying a source-interface, but this doesn't work.)
TIA
This feature was introduced in 12.3(7)T. I guess it's not supported on the switch currently.
-
SUP720 MPLS support only 700 routes per VRF?
In the following document I found that the SUP720 supports only 700 routes per VRF. Am I right?
http://www.cisco.com/en/US/partner/products/hw/modules/ps4835/products_data_sheet09186a0080159856.html
There is no such thing as a limit of 700 routes per VRF. What is described at this URL is that scalability testing has been performed with 1024 VRFs with 700 routes each (1024*700 = 716,800 routes total).
You could go way beyond 700 routes per VRF if you don't plan to provision that many VRFs.
Let me know if I answered your question,
-
Per-VRF TACACS config gets "Address already in use" error
I have created a per-VRF TACACS config on a couple of network devices. I can ping the ACS servers through the VRF. TACACS makes the attempt to contact the servers, but the following message shows up in the log when I debug TACACS:
*Mar 11 08:57:38 starts: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
*Mar 11 08:57:38 starts: TAC+: TCP/IP open to x.x.x.x/49 failed -- Address already in use
I can't find anything on CCO that references the "Address already in use" message.
Has anyone run into this?
Hmmm... no, the server group is still there. Did you see the other post which describes the bug ID? The link to the bug is:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl45701
Do you get the "IP address is in use" log message?
-
Per VRF label or Per route label
Folks,
A few weeks back I saw on some study group somewhere that I'm on a decent conversation on the downfalls of per-VRF labels (Juniper) compared to per-route labels (Cisco). Now per-route label obviously has its limitations in label consumption, but per-VRF label threw up a few issues, one of which was something to do with suboptimal routing. Anyone know any downfalls of using per-VRF label space?
Rob,
One of the disadvantages of per VRF label scheme is that it requires an IP lookup on the edge router. This is due to the fact that if the label is shared among all CEs on a given PE, an IP lookup needs to be done in the VRF to determine which CE we should send the label to.
Another disadvantage would be that you couldn't support CsC using a per-VRF label, since an IP table lookup is required on the PE, which breaks the end-to-end LSP.
On the other hand, you are absolutely right about the increased resource consumption when a per-route label scheme is used. This affects some vendors more than others, though.
Hope this helps,
-
Per VRF Tacacs+ - not working
I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.
I have the following configured:
aaa new-model
aaa group server tacacs+ MYGROUP
server-private 1.2.3.4 key cisco
ip vrf forwarding vpn_nms
ip tacacs source-interface Loopback100
aaa authentication login default local
aaa authentication login MYGROUP group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group MYGROUP if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
ip cef
ip vrf forwarding
ip vrf vpn_nms
rd 65XXX:3
interface Loopback100
description NMS LOOPBACK
ip vrf forwarding vpn_nms
ip address 10.10.10.10 255.255.255.255
tacacs-server host 1.2.3.4
tacacs-server directed-request
tacacs-server key cisco
line con 0
privilege level 15
logging synchronous
login authentication MYGROUP
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication MYGROUP
length 0
transport input all
I know some of this config is redundant, but I have been trying different things and getting nowhere.
Hi,
Your debug output shows a timeout to the ACS server, as below.
Feb 4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5
No authoritative response from any server.
Feb 4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
Have you tried pinging the ACS server from the switch mgmt VRF? Your previous example was showing a ping response to the management workstation (192.168.5.85) and not to the ACS.
Hope that helps
Najaf
Please rate when applicable or helpful !!!
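As an added example (not from any poster in these threads, and not Cisco tooling), a small Python linter for the flattened per-VRF TACACS+ configs posted above. It checks that the named server-group's VRF is actually defined, that the group's source interface sits in that VRF, and that the AAA method lists reference the named group rather than the built-in `tacacs+` group, which is exactly what the `no tacacs servers defined in group "tacacs+"` debug line earlier on this page points at. The sample config is constructed with documentation-range addresses; the parser relies on known child-command prefixes instead of indentation because the posted configs lost theirs.

```python
import re

# CONSTRUCTED sample modelled on the flattened configs posted in these threads
# (documentation-range addresses, placeholder key); not taken from any device here.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ tacacs1
server-private 192.0.2.10 key 7 XXXXXX
ip vrf forwarding NMS
ip tacacs source-interface Vlan89
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ none
ip vrf NMS
description OOB NMS VRF
rd 110:100
interface Vlan89
description to monitoring
ip vrf forwarding NMS
ip address 198.51.100.11 255.255.255.0
interface Loopback0
ip address 203.0.113.1 255.255.255.255
end
"""
# The same config with every method list pointed at the named, VRF-aware group.
FIXED_CONFIG = SAMPLE_CONFIG.replace("group tacacs+", "group tacacs1")

# The posted configs lost their indentation, so block membership is inferred from
# known child-command prefixes; any other command closes the open block.
CHILDREN = {
    "group": ("server-private ", "server ", "ip vrf forwarding ", "ip tacacs source-interface "),
    "vrf": ("description ", "rd ", "route-target "),
    "interface": ("description ", "ip vrf forwarding ", "ip address ", "no ip address",
                  "encapsulation ", "duplex ", "speed ", "frame-relay ", "service-policy "),
}


def parse_config(text):
    """Pull out server-groups, VRF definitions, interface->VRF, method lists, global hosts."""
    groups, vrfs, interfaces, method_lists, global_servers = {}, set(), {}, [], []
    block = None   # (kind, name) of the block whose children are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "end" or line.startswith("!"):
            continue
        if block and line.startswith(CHILDREN[block[0]]):
            kind, name, toks = block[0], block[1], line.split()
            if kind == "group":
                if toks[0].startswith("server"):
                    groups[name]["servers"].append(toks[1])
                elif toks[1] == "vrf":
                    groups[name]["vrf"] = toks[3]
                elif toks[1] == "tacacs":
                    groups[name]["source"] = toks[3]
            elif kind == "interface" and line.startswith("ip vrf forwarding "):
                interfaces[name] = toks[3]
            continue
        block, toks = None, line.split()
        if line.startswith("aaa group server tacacs+ "):
            groups[toks[4]] = {"servers": [], "vrf": None, "source": None}
            block = ("group", toks[4])
        elif line.startswith("ip vrf ") and len(toks) == 3 and toks[2] != "forwarding":
            vrfs.add(toks[2])
            block = ("vrf", toks[2])
        elif line.startswith("interface "):
            interfaces.setdefault(toks[1], None)
            block = ("interface", toks[1])
        elif line.startswith(("aaa authentication ", "aaa authorization ", "aaa accounting ")):
            refs = [toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "group"]
            method_lists.append((line, refs))
        elif line.startswith("tacacs-server host "):
            global_servers.append(toks[2])
    return {"groups": groups, "vrfs": vrfs, "interfaces": interfaces,
            "method_lists": method_lists, "global_servers": global_servers}


def lint(cfg):
    """Return findings; an empty list means the per-VRF TACACS+ wiring is consistent."""
    findings = []
    vrf_aware = any(g["vrf"] for g in cfg["groups"].values())
    for name, g in cfg["groups"].items():
        if not g["servers"]:
            findings.append(f"group {name}: no server-private entries")
        if g["vrf"] and g["vrf"] not in cfg["vrfs"]:
            findings.append(f"group {name}: VRF {g['vrf']} is never defined with 'ip vrf {g['vrf']}'")
        if g["vrf"] and cfg["interfaces"].get(g["source"]) != g["vrf"]:
            findings.append(f"group {name}: source interface {g['source'] or '(none)'} "
                            f"is not in VRF {g['vrf']}")
    for line, refs in cfg["method_lists"]:
        for ref in refs:
            if ref == "tacacs+" and not cfg["global_servers"]:
                findings.append(f"'{line}': built-in group tacacs+ has no servers; "
                                f"server-private entries only exist inside the named group")
            elif ref == "tacacs+" and vrf_aware:
                findings.append(f"'{line}': built-in group tacacs+ uses global tacacs-server "
                                f"hosts, which are reached via the global table, not the VRF")
            elif ref not in ("tacacs+", "radius") and ref not in cfg["groups"]:
                findings.append(f"'{line}': server-group {ref} is not defined")
    return findings


if __name__ == "__main__":
    for cfg_text in (SAMPLE_CONFIG, FIXED_CONFIG):
        print(lint(parse_config(cfg_text)) or ["OK"])
```

Run it against a `show running-config` capture before touching a remote box: the method-list check is the one that bites here, because a `login` list pointing at an empty `tacacs+` group silently falls through to the next method (`enable` or `local`), which is why the first prompt in the thread above asks for the local password.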
-
Does anyone know if it is possible to enable per-VRF BGP dampening? I have a router running 12.4(9)T, and when I enable BGP dampening within an address-family, it is enabled under all routing contexts and within VPNv4.
Any ideas?
Jon
Hello Jon,
Try to give the command only under the address-family of interest; it should be supported.
Command Modes
>>Address family configuration
Router configuration
see
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp1.html#wp1012660
Sorry, I hadn't seen that you had already done so. This may be a bug in your release.
As a workaround you could try to use a route-map like in this example:
Router(config)# router bgp 50000
Router(config-router)# address-family ipv4
Router(config-router-af)# bgp dampening route-map BLUE
Router(config-router-af)# end
Hope this helps
Giuseppe
-
Hello,
In my lab I have 3 sites, each with 3 VRFs configured. A diagram is attached. I would like to configure fixed bandwidth for each VRF: the central VRF should have 768 kbps and the other ones should have 256 kbps each.
What options do I have to achieve this?
Thanks a lot in advance
Alex
Hi Alex
Since you have already policed the bandwidth at the access, would there be any excess bandwidth that will leak from this policing?
Besides, ideally you would configure your core with a standard LLQ+CBWFQ config and give priority to voice. In production you will have multiple customers and you can't have such a bandwidth restriction in place.
Also, no, you cannot police bandwidth in the core per VRF. But at the same time I can think of a non-conventional way of doing it by using TE, but that is a very bad way of doing it.
Sent from Cisco Technical Support Android App
-
Tacacs Authentication - VRF ?
Hi !
Our Management LAN for accessing the switch is reachable through a VRF.
I tried to configure TACACS+ for user authentication by specifying "ip tacacs source-interface vlxxx".
This vlxxx is a member of this management VRF.
But the switch does NOT send any TACACS request through that particular VRF.
Could you please help me?
thx
Hans
I'm having the same issue with a router running: c2800nm-advipservicesk9-mz.124-15.T1.bin
The config is as follows:
aaa new-model
aaa group server tacacs+ TACACSGROUP
server-private 10.1.2.49 port 49 key 7 143A070718xxxxx26616572000156
ip vrf forwarding XXXX-General
ip tacacs source-interface GigabitEthernet0/0.9
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
ip vrf XXXX-General
rd 1:10
route-target export 1:10
route-target import 1:10
ip vrf XXXX-Guest
rd 1:30
route-target export 1:30
route-target import 1:30
ip vrf XXXX-Voice
rd 1:20
route-target export 1:20
route-target import 1:20
interface GigabitEthernet0/0
description port21-switch(10.27.1.30)-trunk
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding XXXX-General
ip address 10.27.1.1 255.255.0.0
interface GigabitEthernet0/0.2
encapsulation dot1Q 172
ip vrf forwarding XXXX-Guest
ip address 172.16.27.1 255.255.255.0
interface GigabitEthernet0/0.9
encapsulation dot1Q 9
ip vrf forwarding XXXX-General
ip address 10.235.30.1 255.255.255.0
h323-gateway voip bind srcaddr 10.235.30.1
interface Serial0/0/0:1
description Sprint MPLS
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
service-policy output WAN-INGRESS
interface Serial0/0/0:1.301 point-to-point
ip vrf forwarding XXXX-General
ip address 10.150.1.1 255.255.255.240
frame-relay interface-dlci 301
interface Serial0/0/0:1.401 point-to-point
ip vrf forwarding XXXX-Voice
ip address 10.151.1.1 255.255.255.240
frame-relay interface-dlci 401
interface Serial0/0/0:1.501 point-to-point
ip vrf forwarding XXXX-Guest
ip address 10.152.1.1 255.255.255.240
frame-relay interface-dlci 501
router eigrp 100
no auto-summary
address-family ipv4 vrf XXXX-Voice
auto-summary
autonomous-system 20
exit-address-family
address-family ipv4 vrf XXXX-Guest
network 172.16.0.0
auto-summary
autonomous-system 30
exit-address-family
address-family ipv4 vrf XXXX-General
redistribute bgp 65001 metric 10000 100 255 1 1500
network 10.27.0.0 0.0.255.255
no auto-summary
autonomous-system 2
exit-address-family
router bgp 65001
no synchronization
bgp log-neighbor-changes
no auto-summary
address-family ipv4 vrf XXXX-Voice
neighbor 10.151.1.2 remote-as 1803
neighbor 10.151.1.2 password 7 153E0xxxxx3627
neighbor 10.151.1.2 version 4
neighbor 10.151.1.2 activate
no synchronization
exit-address-family
address-family ipv4 vrf XXXX-Guest
neighbor 10.152.1.2 remote-as 1803
neighbor 10.152.1.2 password 7 1062001xxx318180138
neighbor 10.152.1.2 version 4
neighbor 10.152.1.2 activate
no synchronization
exit-address-family
address-family ipv4 vrf XXXX-General
neighbor 10.150.1.2 remote-as 1803
neighbor 10.150.1.2 password 7 07232xxxx41816031719
neighbor 10.150.1.2 version 4
neighbor 10.150.1.2 activate
no synchronization
network 10.27.0.0 mask 255.255.0.0
network 10.235.30.0 mask 255.255.255.0
exit-address-family
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.49
tacacs-server directed-request
tacacs-server key 7 080Cxxxxxxxxxx
Any insight would be great.
Chris Serafin
-
Hi,
Would like to know if per-VRF label is supported on the 7600 platform with SUP720-3BXL? If yes, can anybody share the config details?
Anup,
It is currently supported via the following hidden command:
[no] mpls label mode { vrf | all-vrfs } protocol bgp-vpnv4 { per-prefix|per-vrf}
Regards,
-
I have a new Linksys router. When I load the accompanying CD it informs me that it supports OS 10.5.8 or later, OS 10.6.1 or later, and OS 10.7 or later. I am running 10.9.2, which apparently isn't supported by this Router. Any suggestions?
No, they should be agnostic about what is behind them, but as to support for IPv6, or whether any computers or tablets can use AC... and haven't Apple's own units sometimes stopped being supported with new Macs and new versions of OS X? Seems so.
As I said above, why would anyone install any kind of software to use a router? Although Netgear's Genie is or was installed on my systems and adds a nice way to log in and manage the router, so I have to take that back a notch.
Support for modems and ISPs is a concern; my modem is not certified fully with DOCSIS 3.0 or FiOS.
Look around and you can find routers having trouble with some network services like AirPlay, printing and scanning, and the software bundled with the router.
However, Ethernet chips, and the driver, can be a factor: problems with Intel networking chips and high-bandwidth streaming, and not being able to handle the load when used by Wi-Fi equipment like notebooks and other devices.
I have only seen the LARGE number of complaints on MacBook forums about Wi-Fi issues to suspect something is wrong, but I'm not sure what. And those are people that depend on Wi-Fi, I assume, though some could use their Thunderbolt-equipped Mac to use Ethernet to get around the problems. And I am seeing the same thing with some Windows users, and maybe they all have common Intel chips???
MacBook Pro constantly losing wireless connectivity
I use Windows 8.1 primarily. I also don't know enough or as much to know "Why is the sky blue" either.
Just to pass along this example:
If you're setting up a new PC for the first time, check if your router is fully compatible with Windows. Because of the new networking features in Windows (8.1), some older network routers aren't fully compatible and can cause problems. For a list of routers that are compatible with Windows 8.1 and Windows RT 8.1, go to the Windows Compatibility Center.
Anyone remember when 10.4.0 had so many issues with LAN that it could not be used? Work on a fix was going on and wasn't complete until 10.4.2/10.4.3 (and the first time we got a new full 10.4.3 DVD because customers needed a reliable system).
-
Does ACE-30 support multicast in routed mode?
We currently have ACE20's, which only support multicast in bridge mode.
Was wondering if it's the same on ACE30's, or if Cisco finally implemented support for mcast in routed mode.
thx
Kevin
Could you please confirm if this applies to both ACE20 & ACE30, or just ACE20?
If both, when does Cisco plan on supporting mcast in routed mode?
thx
Kevin