[c-nsp] VSS out-of-band mgmt
Alasdair McWilliam
alasdairm at gmail.com
Tue Jul 14 13:33:01 EDT 2009
We have VSS deployed and its management interface is on a mgmt-vrf.
So far everything that needs a source interface seems to work,
although I've not actually configured syslog yet. TACACS is now VRF
aware. You have to define a specific AAA server group. E.g.:
tacacs-server host 1.1.1.1 key myacskey
tacacs-server directed-broadcast
ip tacacs source-interface VlanXYZ
Then:
aaa group server tacacs+ ACS-GROUP-NAME
 server 1.1.1.1
 ip vrf forwarding mgmt-vrf
!
aaa authentication login default group ACS-GROUP-NAME local-case
I will note that you have to define each server with the tacacs-server
command before you add it to the group, otherwise it throws an error.
Al
On 13 Jul 2009, at 18:47, Buhrmaster, Gary wrote:
>> Yes, a "management" VRF will do exactly what you want :-)
>
> Perhaps things have improved, but at one time for the 6500
> platform certain functions could only be performed in the
> "native"(? is that the right word) context, and you needed
> to place all the rest of your traffic/interfaces in a VRF
> leaving the "native" context for management (sort of the
> reverse of your proposal, instead have a "Internet" VRF
> for everything except for management).
>
> Have the latest IOS versions eliminated those challenges
> on the 6500?
>
> Gary