Forum Discussion

Wintrode_61162's avatar
Icon for Nimbostratus rankNimbostratus
Mar 24, 2011

Is there a way to tie TACACS+ authentication traffic to mgmt IP/interface

So here is the basic problem:



Management interface configured with an IP and default gateway only.


Only a default route defined on TMM.


Everything is reachable from both networks (ie you can get to the tacacs servers from either network)



In this scenario tacacs+ traffic routes out the TMM route since it is lower cost than the mgmt route and they are both equally specific (



I want to tie the tacacs+ traffic to the management IP without having to create management host routes (or more specific network routes for fear of breaking something down the line) to the tacacs servers. Basically I want to define the "local ip" used for tacacs, akin to what you can do for syslog. Is this at all possible, or are the more specific routes required to make this work? Is there a way to associate an IP with the tacacs daemon?



Thanks for the help.


2 Replies

  • I haven't looked at this in a while, but I couldn't get source routing on auth stuff via the mgmt interface. Instead, I created nats on my mgmt network gateway so everything mgmt related (auth, dns, ntp, etc) was locally defined and thus preferred over any TMM route.
  • Gotcha. I had been speculating about doing that for another environment, but I'm not going to be able to do that in this instance.


    Can I create a separate route domain for my regular traffic and leave the default domain with the same gateway as the management network? How does TMM calculate route cost across route domains?