[c-nsp] VSS out-of-band mgmt

Holemans Wim wim.holemans at ua.ac.be
Tue Jul 14 13:48:27 EDT 2009


Just implemented it based on an example I received yesterday; we don't
deploy tacacs, so no problem there. Syslog doesn't work anymore for the
moment, but I haven't checked yet if it is vrf aware.

Thanks to everyone who answered my question. Once I've tried out the syslog
config, I'll share the result on this list.

Wim Holemans


-----Original Message-----
From: Alasdair McWilliam [mailto:alasdairm at gmail.com] 
Sent: Tuesday 14 July 2009 19:33
To: Buhrmaster, Gary
Cc: Holemans Wim; Cisco NSP
Subject: Re: [c-nsp] VSS out-of-band mgmt

We have VSS deployed and its management interface is on a mgmt-vrf.
So far everything that needs a source interface seems to work,
although I've not actually configured syslog yet. TACACS is now vrf
aware. You have to define a specific AAA server group, e.g.:

tacacs-server host 1.1.1.1 key myacskey
tacacs-server directed-broadcast
ip tacacs source-interface VlanXYZ

Then:

aaa group server tacacs+ ACS-GROUP-NAME
   server 1.1.1.1
   ip vrf forwarding mgmt-vrf
!

aaa authentication login default group ACS-GROUP-NAME local-case

I will note that you have to define each server with the tacacs-server
command before you add it to the group, otherwise it throws an error.


Al
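An added example, not from the thread or from Cisco: a small Python lint that checks an IOS running-config excerpt for the two things Al's message depends on, that every `server` entry in an `aaa group server tacacs+` group was first defined with `tacacs-server host`, and that the group carries `ip vrf forwarding` for the management VRF. The sample config, the VRF name and the second server address are constructed placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config excerpt (placeholder addresses and names),
# modelled on the configuration shown in the message above. It deliberately
# references 2.2.2.2 without defining it and leaves LEGACY-GROUP without a VRF.
SAMPLE_CONFIG = """\
tacacs-server host 1.1.1.1 key myacskey
ip tacacs source-interface Vlan100
!
aaa group server tacacs+ ACS-GROUP-NAME
 server 1.1.1.1
 server 2.2.2.2
 ip vrf forwarding mgmt-vrf
!
aaa group server tacacs+ LEGACY-GROUP
 server 1.1.1.1
!
aaa authentication login default group ACS-GROUP-NAME local-case
"""


def parse_tacacs_groups(config: str) -> Tuple[Set[str], Dict[str, dict]]:
    """Return (hosts defined via 'tacacs-server host', groups by name).

    IOS indents sub-mode lines with one space; a non-indented line ends the
    current 'aaa group server' block."""
    hosts: Set[str] = set()
    groups: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        text = line.strip()
        if current is not None and line.startswith(" "):
            if m := re.match(r"server (\S+)", text):
                groups[current]["servers"].append(m.group(1))
            elif m := re.match(r"ip vrf forwarding (\S+)", text):
                groups[current]["vrf"] = m.group(1)
            continue
        current = None  # any top-level line closes the sub-mode block
        if m := re.match(r"tacacs-server host (\S+)", text):
            hosts.add(m.group(1))
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", text):
            current = m.group(1)
            groups[current] = {"servers": [], "vrf": None}
    return hosts, groups


def lint_tacacs_groups(config: str, mgmt_vrf: str) -> List[str]:
    """Report servers not pre-defined and groups not bound to the mgmt VRF."""
    hosts, groups = parse_tacacs_groups(config)
    findings: List[str] = []
    for name, g in groups.items():
        for srv in g["servers"]:
            if srv not in hosts:
                findings.append(f"{name}: server {srv} not defined with 'tacacs-server host'")
        if g["vrf"] != mgmt_vrf:
            findings.append(f"{name}: expected 'ip vrf forwarding {mgmt_vrf}', found {g['vrf'] or 'none'}")
    return findings
```

Run `lint_tacacs_groups(SAMPLE_CONFIG, "mgmt-vrf")` to see the two findings the sample is built to trigger.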


On 13 Jul 2009, at 18:47, Buhrmaster, Gary wrote:

>> Yes, a "management" VRF will do exactly what you want :-)
>
> Perhaps things have improved, but at one time for the 6500
> platform certain functions could only be performed in the
> "native"(? is that the right word) context, and you needed
> to place all the rest of your traffic/interfaces in a VRF
> leaving the "native" context for management (sort of the
> reverse of your proposal, instead have a "Internet" VRF
> for everything except for management).
>
> Have the latest IOS versions eliminated those challenges
> on the 6500?
>
> Gary


