Just implemented it based on an example I received yesterday; we don't deploy tacacs, so no problem there. Syslog doesn't work anymore for the moment, but I haven't checked yet whether it is vrf aware.
Thanks to everyone who answered my question. When I have tried out the syslog config, I'll share the result on this list.

Wim Holemans

-----Original Message-----
From: Alasdair McWilliam [mailto:alasda...@gmail.com]
Sent: Tuesday 14 July 2009 19:33
To: Buhrmaster, Gary
Cc: Holemans Wim; Cisco NSP
Subject: Re: [c-nsp] VSS out-of-band mgmt

We have VSS deployed and its management interface is on a mgmt-vrf. So far everything that needs a source interface seems to work, although I've not actually configured syslog yet. TACACS is now vrf aware. You have to define a specific AAA server group. E.g.:

    tacacs-server host 1.1.1.1 key myacskey
    tacacs-server directed-broadcast
    ip tacacs source-interface VlanXYZ

Then:

    aaa group server tacacs+ ACS-GROUP-NAME
     server 1.1.1.1
     ip vrf forwarding mgmt-vrf
    !
    aaa authentication login default group ACS-GROUP-NAME local-case

I will note that you have to define each server with the tacacs-server command before you add it to the group, otherwise it throws an error.

Al

On 13 Jul 2009, at 18:47, Buhrmaster, Gary wrote:

>> Yes, a "management" VRF will do exactly what you want :-)
>
> Perhaps things have improved, but at one time for the 6500
> platform certain functions could only be performed in the
> "native"(? is that the right word) context, and you needed
> to place all the rest of your traffic/interfaces in a VRF
> leaving the "native" context for management (sort of the
> reverse of your proposal, instead have an "Internet" VRF
> for everything except for management).
>
> Have the latest IOS versions eliminated those challenges
> on the 6500?
>
> Gary

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/