Tacacs per VRF

Similar Messages

• Tacacs per vrf no supported on MLS C3750G

  HI,
  As i already know the tacacs per vrf not supported  for MLS C3750G and some other old versin of the IOS router or switch, but now i have 2 vrf routing tables configured in my switch is there any work around for this thing to work?? really aprreicated your inputs guys!!!

  Thanks for the response but I post the question after knowing that, I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router, at the end of my configuration I am purposing a workaround using a tunnel to bybass the nonsupported configuration.
  My question to you is, does a configuration with gre with vrf can work instead of the nonsupported configuration?
  I know that the alternative is to run Radius but it is more paperwork to do than trying to implement a solution with the current IOS.
  Thanks and sorry if I didn't make self clear at the beginning of my first post.

• Tacacs per vrf no supported on my router, does a gre tunnel would work?

  Hi,
  Basically the problem is that I am working with old routers, checked already on feature navigator an the following commands are not supported on the router to communicate to a TACACS server that resides on a vrf:
  Configuring Per VRF for TACACS+ Servers: Example
  The following output example shows that the group server tacacs1 has been configured for per VRF AAA services:
  aaa group server tacacs+ tacacs1
  server-private 10.1.1.1 port 19 key cisco
  ip vrf forwarding cisco
  ip tacacs source-interface Loopback0
  ip vrf cisco
  rd 100:1
  interface Loopback0
  ip address 10.0.0.2 255.0.0.0
  ip vrf forwarding cisco
  Basically I can not support all the above, however I was thinking of bypassing the command creating a GRE tunnel, I just need a confirmation if the following would work, if not I would appreciated that someone can point me into a better direction:
  ON BRANCH ROUTER:
  int l0
  ip add 1.1.1.1 255.255.255.0
  no shut
  int tun10
  ip add 2.2.2.1 255.255.255.0
  ip vrf forwarding cisco
  tun so l0
  tun dest [ip add of router directly connected to tacacs server]
  ip tacacs source-interface l0
  tacacs-server host 10.10.10.1
  tacacs-server key 7 cisco
  ON REMOTE ROUTER:
  int l0
  ip add 3.3.3.3 255.255.255.0
  no shut
  int tun10
  ip add 2.2.2.2 255.255.255.0
  ip vrf forwarding cisco
  tunn so l0
  tunn dest [ip add of branch router]
  Attached is some real information, the ip address of the real tacacs server is 10.20.30.61.

  Thanks for the response but I post the question after knowing that, I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router, at the end of my configuration I am purposing a workaround using a tunnel to bybass the nonsupported configuration.
  My question to you is, does a configuration with gre with vrf can work instead of the nonsupported configuration?
  I know that the alternative is to run Radius but it is more paperwork to do than trying to implement a solution with the current IOS.
  Thanks and sorry if I didn't make self clear at the beginning of my first post.

• Per-VRF TACACS config gets "Address already in use" error

  I have created a per-VRF TACACS config on a couple of network devices. I can ping the ACS servers through the VRF. TACACS makes the attempt to contact the servers, but the following message shows up in the log when I debug TACACS:
  *Mar 11 08:57:38 starts: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
  *Mar 11 08:57:38 starts: TAC+: TCP/IP open to x.x.x.x/49 failed -- Address already in use
  I can't find anything on CCO that references the "Address already in use" message.
  Has anyone run into this?

  Hmmm...no, the server group is still there. Did you see the other post which describes the bug ID? The link to the bug is:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl45701
  Do you get the IP address is in use log message?

• Per VRF Tacacs+ - not working

  I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.
  I have the following configured:
  aaa new-model
  aaa group server tacacs+ MYGROUP
   server-private 1.2.3.4 key cisco
   ip vrf forwarding vpn_nms
   ip tacacs source-interface Loopback100
  aaa authentication login default local
  aaa authentication login MYGROUP group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group MYGROUP if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting network default start-stop group tacacs+
  aaa accounting connection default start-stop group tacacs+
  aaa accounting system default start-stop group tacacs+
  aaa session-id common
  ip cef
  ip vrf forwarding
  ip vrf vpn_nms
   rd 65XXX:3
  interface Loopback100
   description NMS LOOPBACK
   ip vrf forwarding vpn_nms
   ip address 10.10.10.10 255.255.255.255
  tacacs-server host 1.2.3.4
  tacacs-server directed-request
  tacacs-server key cisco
  line con 0
   privilege level 15
   logging synchronous
   login authentication MYGROUP
  line vty 0 4
   exec-timeout 0 0
   privilege level 15
   logging synchronous
   login authentication MYGROUP
   length 0
   transport input all
  I know some of this config is redundant but I have been trying different things and getting nowhere.

  Hi,
  Your debug output shows time out to ACS server as below.
  Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
  Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
  Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
  Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
  Have you tried pinging the ACS server from the switch mgmt vrf? Your previous example was showing ping responce to the managment workstation (192.168.5.85) and not to the ACS.
  Hope that helps
  Najaf
  Please rate when applicable or helpful !!!

• Per VRF Tacacs+ support on 3550EMI

  Trying to get Tacacs+ running on a 3550EMI switch running 12.1(22)EA3 (latest release), without much success due to wht appears to be lack of support for for Per VRF AAA/TACACS+ on the box.
  Checked elsewhere and looks like this feature is only available in some 12.2 and in 12.3T, but does anyone know if vrf-aware TACACS+ it is likely to appear on the 3550EMI or indeed on 12.1? Or does anyone know of a work around? (tried specifying a source-interface but this doesn't work)
  TIA

  This feature was introduced in 12.3(7)T. I guess its not supported on the Switch currently.

• Bandwidth allocation per vrf

  Hello,
  in my lab i have 3 sites each with 3 VRF's configured. A diagram ist attached. I like to configure fixed bandwidth for each vrf. the central vrf should have 768 kbps and the the other ones ones should have 256 kbps each.
  What are the options i have to achive this?
  Thanks a lot in advanced
  Alex

  Hi Alex
  Since you have already policed the bandwidth at the access, would there be any excess bandwidth that will leak from this policing.
  Besides, ideally you would configure your core with a standard llq+cbwfq config and give priority to voice. You will in production have multiple customers and you cant have sich a bandwidth restriction in place.
  Also, no you cannot police bw in core per vrf. But at the same time I can think of a non-conventional way of doing it by using TE but that is a very bad way of doing it.
  Sent from Cisco Technical Support Android App

• Is possible to configure SLB per VRF??

  I have the Cat6500 with Sup720 and the IOS version 12.2(18)SXF8. From the documentation this software is SLB VRF-aware. But I can not configure SLB per VRF:-( I'm sending you the example of my configuration:
  ip vrf WEB
  rd 100:1
  ip slb probe WEB1 tcp
  port 443
  ip slb serverfarm WEB
  nat server
  probe WEB1
  real 212.67.72.228
  inservice
  real 212.67.72.244
  inservice
  ip slb vserver WEB-HTTPS
  virtual 212.67.72.150 tcp 443
  serverfarm WEB
  sticky 300 netmask 255.255.255.255
  advertise
  inservice
  interface vlan 30
  ip vrf forwarding WEB
  ip address 10.0.0.4 255.255.255.248
  interface vlan 10
  description Servery
  ip vrf forwarding WEB
  ip address 212.67.72.130 255.255.255.128
  interface gi0/1
  description Server WEB1
  switchport
  switchport access vlan 10
  switchport mode access
  no ip address
  spanning-tree portfast
  interface gi0/2
  switchport
  switchport access vlan 30
  switchport mode access
  no ip address
  spanning-tree portfast
  this configuration is functional without VRF, when I used the configuration with VRF - it is not functional:-(
  Can you help me? Thank you.
  Roman

  if the main server is up, the CSS will use it over the sorry_server.
  You can't tell the CSS not to use it if it is UP.
  Therefore, the only solution is to find a way to keep your main server down once it fails a keepalive.
  This can be done with a script that would issue the command 'suspend' once it detects the service missed a keepalive.
  The script can be a tcp keepalive script and instead of returning just a failure one the server is down, the script itself can generate the 'suspend' command.
  So, you then have time to sync your database and when ready you can do an 'active' under the service to start using it again.
  Gilles.

• Tacacs Authentication - VRF ?

  Hi !
  Our Management LAN for accessing the switch is reachable through a VRF.
  I tried to configure TACACS+ for User Authentication - by specifying "ip tacacs source-interface vlxxx".
  This vlxxx is member of this Managment-VRF.
  But the switch does NOT send any TACACS request through that particular VRF.
  Could you plz help me ?
  thx
  Hans

  I'm having the same issue with a router running: c2800nm-advipservicesk9-mz.124-15.T1.bin
  The config is as follows:
  aaa new-model
  aaa group server tacacs+ TACACSGROUP
  server-private 10.1.2.49 port 49 key 7 143A070718xxxxx26616572000156
  ip vrf forwarding XXXX-General
  ip tacacs source-interface GigabitEthernet0/0.9
  aaa authentication login default group tacacs+ local
  aaa accounting exec default start-stop group tacacs+
  ip vrf XXXX-General
  rd 1:10
  route-target export 1:10
  route-target import 1:10
  ip vrf XXXX-Guest
  rd 1:30
  route-target export 1:30
  route-target import 1:30
  ip vrf XXXX-Voice
  rd 1:20
  route-target export 1:20
  route-target import 1:20
  interface GigabitEthernet0/0
  description port21-switch(10.27.1.30)-trunk
  no ip address
  duplex auto
  speed auto
  interface GigabitEthernet0/0.1
  encapsulation dot1Q 1 native
  ip vrf forwarding XXXX-General
  ip address 10.27.1.1 255.255.0.0
  interface GigabitEthernet0/0.2
  encapsulation dot1Q 172
  ip vrf forwarding XXXX-Guest
  ip address 172.16.27.1 255.255.255.0
  interface GigabitEthernet0/0.9
  encapsulation dot1Q 9
  ip vrf forwarding XXXX-General
  ip address 10.235.30.1 255.255.255.0
  h323-gateway voip bind srcaddr 10.235.30.1
  interface Serial0/0/0:1
  description Sprint MPLS
  no ip address
  encapsulation frame-relay
  frame-relay lmi-type ansi
  service-policy output WAN-INGRESS
  interface Serial0/0/0:1.301 point-to-point
  ip vrf forwarding XXXX-General
  ip address 10.150.1.1 255.255.255.240
  frame-relay interface-dlci 301
  interface Serial0/0/0:1.401 point-to-point
  ip vrf forwarding XXXX-Voice
  ip address 10.151.1.1 255.255.255.240
  frame-relay interface-dlci 401
  interface Serial0/0/0:1.501 point-to-point
  ip vrf forwarding XXXX-Guest
  ip address 10.152.1.1 255.255.255.240
  frame-relay interface-dlci 501
  router eigrp 100
  no auto-summary
  address-family ipv4 vrf XXXX-Voice
  auto-summary
  autonomous-system 20
  exit-address-family
  address-family ipv4 vrf XXXX-Guest
  network 172.16.0.0
  auto-summary
  autonomous-system 30
  exit-address-family
  address-family ipv4 vrf XXXX-General
  redistribute bgp 65001 metric 10000 100 255 1 1500
  network 10.27.0.0 0.0.255.255
  no auto-summary
  autonomous-system 2
  exit-address-family
  router bgp 65001
  no synchronization
  bgp log-neighbor-changes
  no auto-summary
  address-family ipv4 vrf XXXX-Voice
  neighbor 10.151.1.2 remote-as 1803
  neighbor 10.151.1.2 password 7 153E0xxxxx3627
  neighbor 10.151.1.2 version 4
  neighbor 10.151.1.2 activate
  no synchronization
  exit-address-family
  address-family ipv4 vrf XXXX-Guest
  neighbor 10.152.1.2 remote-as 1803
  neighbor 10.152.1.2 password 7 1062001xxx318180138
  neighbor 10.152.1.2 version 4
  neighbor 10.152.1.2 activate
  no synchronization
  exit-address-family
  address-family ipv4 vrf XXXX-General
  neighbor 10.150.1.2 remote-as 1803
  neighbor 10.150.1.2 password 7 07232xxxx41816031719
  neighbor 10.150.1.2 version 4
  neighbor 10.150.1.2 activate
  no synchronization
  network 10.27.0.0 mask 255.255.0.0
  network 10.235.30.0 mask 255.255.255.0
  exit-address-family
  ip tacacs source-interface GigabitEthernet0/0.9
  tacacs-server host 10.1.2.49
  tacacs-server directed-request
  tacacs-server key 7 080Cxxxxxxxxxx
  Any insight would be great.
  [email protected]
  Chris Serafin

• Per-VRF BGP Dampening

  Does anyone know if it is possible to enable Per-VRF BGP Dampening? I have a router running 12.4(9)T and when I enable BGP dampening within an address-family, it is enabled under all routing contexts and within VPNV4.
  Any ideas?
  Jon

  Hello Jon,
  try to give the command only under the address-family of interest
  it should be supported
  Command Modes
  >>Address family configuration
  Router configuration
  see
  http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp1.html#wp1012660
  Sorry, I haven't seen you had already done. This may be a bug in your release.
  As a workaround you could try to use a route-map like in this example:
  Router(config)# router bgp 50000
  Router(config-router)# address-family ipv4
  Router(config-router-af)# bgp dampening route-map BLUE
  Router(config-router-af)# end
  Hope to help
  Giuseppe

• SUP720 MPLS support only 700 routes per VRF?

  In following document i found that SUP720 supporting only 700 router per 1 VRF. Am i right?
  http://www.cisco.com/en/US/partner/products/hw/modules/ps4835/products_data_sheet09186a0080159856.html

  There is no such thing as a limit of 700 routes per VRF. What is described in this URL is that scalability testing has been performed with 1024 VRFs with 700 routes each (1024*700=716800 routes total).
  You could go way beyond 700 routes per VRF if you don't plan to provision that many VRFs.
  Let me know if I answered your question,

• Per VRF label or Per route label

  Folks,
  A few weeks back I saw on some study group somewhere that im on a decent conversation on the downfalls of per vrf labels (juniper) compared to per route label (cisco). Now per route label obviously has its limitations in label consumption but per vrf label threw up a few issues - one of which was something to do with sub optimal routing. Anyone know any downfalls of using per vrf label space?

  Rob,
  One of the disadvantages of per VRF label scheme is that it requires an IP lookup on the edge router. This is due to the fact that if the label is shared among all CEs on a given PE, an IP lookup needs to be done in the VRF to determine which CE we should send the label to.
  Another disavantage would be that you couldn't support CsC using a per VRF label since an IP table lookup is required on the PE, which breaks the end to end LSP.
  On the other hand, you are absolutely right about the increase resources comsumption when a per route label scheme is used. This affects some vendors more than others though.
  Hope this helps,

• Per VRF label

  Hi,
  Would like to know if per VRF label is supported on 7600 platform with SUP7203BXL?If yes can anybody share the config details

  Anup,
  It is currently supported via the following hidden command:
  [no] mpls label mode { vrf | all-vrfs } protocol bgp-vpnv4 { per-prefix|per-vrf}
  Regards,

• Maximum number of routes per vrf on SUP720-3BXL

  Hello,
  What are the limits for max number of routes in one vrf on SUP720-3BXL? Thanks for answers.

  Davor,
  The datasheet refers to 1024 VRFs with 700 routes each (tested numbers) but this is just an example as you could, in principal, have any combination of # VRFs * routes/VRF that would equal 700K routes (i.e. 2 VRF * 350K routes or 1 VRF * 700K routes).
  I say in principal because I have never seen a customer requesting the support for that many routes and have never tested it either.
  http://www.cisco.com/en/US/products/hw/modules/ps4835/products_data_sheet09186a0080159856.html
  Hope this helps,

• Maximum number of interfaces per vrf

  hi, is there a limit or maximum number of interface / sub-interface which I could associate to a single vrf? The box is Cisco 10000..thanks..

  Hi,
  The limit is the max number of (sub)interfaces or idb the box can handle.
  HTH
  Laurent.