
FAQ--How can the NE40/80 be authenticated and authorized by an HWTACACS server located in an MPLS VPN?

Publication Date:  2012-07-27 Views:  3 Downloads:  0
Issue Description
Q:
How can the NE40/80 be authenticated and authorized by an HWTACACS server that is located in an MPLS VPN?
Alarm Information
Null.
Handling Process
A:

The 8090 products (NE40E/80E/5000E/CX600) can be authenticated and authorized by an HWTACACS server located in an MPLS VPN, because their HWTACACS server commands accept a vpn-instance parameter:
hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ]
hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ]

The 8011 products (NE40/80) are earlier high-end routers that cannot bind an HWTACACS server to a vpn-instance, so the following workaround is used instead.

1. Choose two idle interfaces on an LPU board and connect them directly with a cable or fiber. Put one interface in the public (global) routing table and bind the other to the vpn-instance in which the HWTACACS server is reachable, both on the same /30 subnet, and point the source address of the HWTACACS template at the public-side interface:
#
interface ethernet0/0/0      
 ip address 111.0.0.1 255.255.255.252   
#
interface ethernet0/0/1                 
 ip binding vpn-instance hwtacacs
 ip address 111.0.0.2 255.255.255.252
#
hwtacacs-server template test1
 hwtacacs-server source-ip 111.0.0.1
#
 
2. In the public routing table, add a host route to the server address 160.1.1.100/32 with next hop 111.0.0.2, so that packets for the server leave through ethernet0/0/0, re-enter through ethernet0/0/1 and are forwarded in the vpn-instance:
#
ip route-static  160.1.1.100 255.255.255.255 111.0.0.2
#

With this configuration, HWTACACS packets to the server are sent out of ethernet0/0/0 (source 111.0.0.1, per the public routing table), arrive on ethernet0/0/1 and are forwarded in the vpn-instance towards the server. Replies from the server reach 111.0.0.1 over the directly connected /30 in the vpn-instance, so the VPN side must have a route back to 111.0.0.0/30 (for example by advertising the connected subnet into the VPN). The NE40/80 can then ping the HWTACACS server directly from the public routing table and is authenticated and authorized by the server located in the MPLS VPN.
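The following is an added, consolidated configuration that ties the two steps above together; it is not taken from the original article or from a Huawei document. The interface addresses, the vpn-instance name, the template name, the server address and the static route are the ones on this page; the route-distinguisher and vpn-target values, the description strings, the shared key placeholder, the BGP stanza that advertises the connected /30 into the VPN, and the AAA scheme/domain binding are assumptions, and the exact keywords of those parts vary between VRP versions.

```text
#
ip vpn-instance hwtacacs
 route-distinguisher 100:1            (assumed value)
 vpn-target 100:1 both                (assumed value)
#
interface ethernet0/0/0
 description loop-public-side         (assumed)
 ip address 111.0.0.1 255.255.255.252
#
interface ethernet0/0/1
 description loop-vpn-side            (assumed)
 ip binding vpn-instance hwtacacs
 ip address 111.0.0.2 255.255.255.252
#
hwtacacs-server template test1
 hwtacacs-server authentication 160.1.1.100 49
 hwtacacs-server authorization 160.1.1.100 49
 hwtacacs-server source-ip 111.0.0.1
 hwtacacs-server shared-key <shared-key>     (placeholder, syntax is version-dependent)
#
ip route-static 160.1.1.100 255.255.255.255 111.0.0.2
#
bgp 100                                (assumed AS number)
 ipv4-family vpn-instance hwtacacs
  import-route direct                  (advertise 111.0.0.0/30 into the VPN so replies can return)
#
aaa
 authentication-scheme tacacs          (assumed scheme names)
  authentication-mode hwtacacs
 authorization-scheme tacacs
  authorization-mode hwtacacs
 domain default
  authentication-scheme tacacs
  authorization-scheme tacacs
  hwtacacs-server test1
#
```

Only the single /32 host route is pointed across the loop, so the loop carries AAA traffic alone and the public routing table is not otherwise joined to the VPN; any other prefix pointed at 111.0.0.2 would also be injected into the vpn-instance.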

Root Cause
Null.
Suggestions

1. This solution works only with routing-mode LPU boards, not with switching-mode LPUs: the two looped interfaces of a switching-mode LPU share the same MAC address and would learn each other's MAC address over the loop.
2. The same solution applies to a RADIUS server located in a vpn-instance.
3. Add only the /32 host route for the AAA server towards the loop, so that the loop carries AAA traffic alone and does not otherwise connect the public routing table to the VPN.

END