It is well known that the 8090 products (NE40E/80E/5000E/CX600) can be authenticated and authorized by an HWTACACS server located in an MPLS VPN, because their commands can associate the HWTACACS server with a VPN instance, for example:
    hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ]
    hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ]
The 8011 products (NE40/80), however, are earlier high-end routers that do not support associating an HWTACACS server with a VPN instance, so we provide the following workaround.
1. Choose two idle interfaces on an LPU board and connect them directly with a cable or fiber. Configure one interface in the public routing table and the other in the VPN instance (the interface must be bound to the VPN instance before its address is assigned, because binding clears the address), and set the HWTACACS source address to the public-side interface address:
    interface ethernet0/0/0
     ip address 22.214.171.124 255.255.255.252
    interface ethernet0/0/1
     ip binding vpn-instance hwtacacs
     ip address 126.96.36.199 255.255.255.252
    hwtacacs-server template test1
     hwtacacs-server source-ip 188.8.131.52
2. Add a host route to the server address 184.108.40.206/32 with the VPN-side loop interface address 220.127.116.11 as the next hop, so that packets destined for the server are carried over the loop cable into the VPN instance:
    ip route-static 18.104.22.168 255.255.255.255 22.214.171.124
With this configuration, protocol packets to the HWTACACS server are sent out of ethernet0/0/0 and arrive back on ethernet0/0/1, so they are successfully imported into the VPN instance. The NE40/80 can then ping the HWTACACS server directly according to the public routing table and is authenticated and authorized by the HWTACACS server located in the MPLS VPN.
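The following is an added example, not configuration from the original page or from the vendor: it collects both steps into one complete configuration, adds the VPN-instance definition the page assumes already exists, and lists the checks to run afterwards. Interface names, the VPN-instance name and the template name are taken from the page; the addresses (10.0.0.0/30 for the loop, 192.0.2.10 for the server), the route distinguisher and the shared-key line are constructed placeholders, and the lines starting with "#" are annotations, not commands.

```text
# VPN instance that contains the HWTACACS server (RD is a placeholder)
ip vpn-instance hwtacacs
 route-distinguisher 100:1
#
# Public side of the loop cable
interface ethernet0/0/0
 ip address 10.0.0.1 255.255.255.252
#
# VPN side of the loop cable: bind first, then assign the address
interface ethernet0/0/1
 ip binding vpn-instance hwtacacs
 ip address 10.0.0.2 255.255.255.252
#
# Host route in the public table: server reached via the VPN-side loop address
ip route-static 192.0.2.10 255.255.255.255 10.0.0.2
#
# HWTACACS template: the source address must be the public-side loop address,
# so that the server's replies (sent inside the VPN) return over the same loop
hwtacacs-server template test1
 hwtacacs-server authentication 192.0.2.10
 hwtacacs-server authorization 192.0.2.10
 hwtacacs-server source-ip 10.0.0.1
 hwtacacs-server shared-key cipher <shared-key-placeholder>
#
# Verification after the change (assumed VRP display/ping syntax):
#   ping 192.0.2.10                                   server reachable from the public table via the loop
#   ping -vpn-instance hwtacacs 192.0.2.10            server reachable directly inside the VPN instance
#   display ip routing-table 192.0.2.10               static route points at 10.0.0.2 via ethernet0/0/1
#   display ip routing-table vpn-instance hwtacacs    VPN table holds the server prefix and the loop /30
```

If the first ping succeeds but authentication still fails, check that the source-ip matches the public-side loop address: replies addressed to any other source are routed inside the VPN instance and never cross back over the loop cable.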
Notes:
1. This solution works only with a routing-mode LPU board, not a switching-mode LPU: the two looped interfaces of a switching-mode LPU share the same MAC address and would learn that address from each other.
2. This solution is also applicable to a RADIUS server located in a VPN instance.