Cisco Support Community

New Member

ISE version 1.3 and static route not working

This command works without any issues with ISE version 1.1 and 1.2:

ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1

However, it does NOT work in ISE version 1.3. See below:

ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
% Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.

% Error: Error adding static route.
ciscoisedev/admin(config)#

Any ideas anyone?

 

5 REPLIES
Cisco Employee


This might be a dumb question, as I have never seen this done before, but what exactly are you trying to accomplish, and why do you need a static route that points to the local host? :)

Thank you for rating helpful posts!
New Member


I guess you are not very familiar with Unix/Linux :-)

This static route will essentially null-route traffic from 192.168.1.1.

On a Cisco IOS router, you have "ip route 192.168.1.1 255.255.255.255 null0".

On a regular Linux system: ip route add blackhole 192.168.1.1

In other words, I do NOT want host 192.168.1.1 to connect to the ISE.

After all, ISE is based on CentOS Linux, right?

Cisco Employee


Yep, totally a Cisco guy, and I know enough Linux to break things :) Now it makes sense what you are trying to do. You are basically killing the traffic sourced from ISE and going to 192.168.1.1. I just tested this on my ISE box (1.2) and it is indeed a valid option that appears to have been removed in 1.3.

Yes, ISE is based on ADE-OS.

Now, let me ask you one more question. Are you trying to restrict reachability to the ISE Admin GUI or to the stripped-down version of the Unix shell? Or both?

Thank you for rating helpful posts!
New Member


Both. I want to prevent the host 192.168.1.1 from communicating with the ISE.

In other words, I want to do the same thing as an IOS router "null" route.

Cisco Employee


So it appears that there is no option to lock down access to the shell now that the command you used to use is no longer valid. What is worse is that there isn't an option to create an ACL in the shell that you could attach to the interface. So I would recommend that you open a defect with Cisco TAC and get this re-added, or request that ACL functionality be added.

For the GUI (in case you were not already aware of this), you can restrict access from Administration > Admin Access > Settings > Access > IP Access.

Thank you for rating helpful posts!
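The two things the thread turns on, why "gateway 127.0.0.1" is refused once the CLI insists on an outgoing interface, and what the old command actually bought you, can be made concrete with a small routing model. This is an added example, not ISE or ADE-OS code, and it does not reproduce how the ISE CLI validates routes; it models a host with one data interface (the "GigabitEthernet0" name and the 10.0.0.0/24 and 192.168.1.0/24 addresses are constructed), a gateway check that fails when the gateway is on no connected data subnet, a blackhole route with longest-prefix lookup, and an ingress reverse-path check like Linux rp_filter. Whether that reverse-path check is enabled on an ISE appliance is an assumption the thread does not settle, and it is the caveat a practitioner should notice: a null route guarantees the appliance cannot answer 192.168.1.1, but whether a one-way packet from that host (a UDP RADIUS request, say) is still handed to the listening service depends on the ingress check, which is exactly why the replies ask for an interface ACL.

```python
"""Model of the host-side routing decisions discussed in the thread above.

Added example, not ISE/ADE-OS code. Interface names, addresses and the
reverse-path behaviour are assumptions made for illustration.
"""
from dataclasses import dataclass, field
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Host:
    # Connected data interfaces: name -> network. Loopback is deliberately
    # not listed; the thread's error says no outgoing interface was found
    # for 127.0.0.1, so the model treats only data subnets as candidates.
    interfaces: dict = field(default_factory=dict)
    # Static routes: destination network -> ("via", gateway) or ("blackhole", None)
    routes: dict = field(default_factory=dict)
    # Assumed reverse-path check on ingress (Linux rp_filter style)
    rp_filter: bool = True

    def outgoing_interface(self, gw):
        """Return the data interface whose subnet contains the gateway, if any."""
        for name, net in self.interfaces.items():
            if gw in net:
                return name
        return None

    def add_route(self, dst, gw):
        """Plain static route; refused when the gateway is on no connected subnet."""
        gw = IPv4(gw)
        if self.outgoing_interface(gw) is None:
            raise ValueError(f"Could not find outgoing interface for gateway {gw}")
        self.routes[Net(dst)] = ("via", gw)

    def add_blackhole(self, dst):
        """Equivalent of IOS 'null0' or Linux 'ip route add blackhole'."""
        self.routes[Net(dst)] = ("blackhole", None)

    def lookup(self, dst):
        """Longest-prefix match across static routes and connected subnets."""
        dst = IPv4(dst)
        candidates = [(net, r) for net, r in self.routes.items() if dst in net]
        candidates += [(net, ("connected", name))
                       for name, net in self.interfaces.items() if dst in net]
        if not candidates:
            return ("unreachable", None)
        _, best = max(candidates, key=lambda c: c[0].prefixlen)
        return best

    def can_send_to(self, dst):
        """Egress: only 'via' and 'connected' results produce a packet."""
        return self.lookup(dst)[0] in ("via", "connected")

    def accepts_from(self, src):
        """Ingress: with the reverse-path check on, a source whose return
        route is a blackhole is dropped; with it off, the packet still
        reaches the stack even though no reply can ever be sent."""
        if not self.rp_filter:
            return True
        return self.can_send_to(src)


def scenario():
    """Constructed sample topology: one data interface plus a default route."""
    ise = Host(interfaces={"GigabitEthernet0": Net("10.0.0.0/24")})
    ise.add_route("0.0.0.0/0", "10.0.0.1")

    # 1. The 1.1/1.2 command, treated as an ordinary static route, fails the
    #    outgoing-interface check because 127.0.0.1 is on no data subnet.
    try:
        ise.add_route("192.168.1.1/32", "127.0.0.1")
        old_cmd = "accepted"
    except ValueError as err:
        old_cmd = str(err)

    # 2. What that command achieved in practice: a null route for the host.
    ise.add_blackhole("192.168.1.1/32")

    no_rpf = Host(interfaces=ise.interfaces, routes=ise.routes, rp_filter=False)
    return {
        "old_cmd": old_cmd,
        "route_type": ise.lookup("192.168.1.1")[0],
        "outbound_to_blocked_host": ise.can_send_to("192.168.1.1"),
        "outbound_to_neighbour": ise.can_send_to("192.168.1.2"),
        "inbound_with_rp_filter": ise.accepts_from("192.168.1.1"),
        "inbound_without_rp_filter": no_rpf.accepts_from("192.168.1.1"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The /32 blackhole wins the longest-prefix match over the default route, so only 192.168.1.1 is affected and its neighbour 192.168.1.2 is still reachable. The last two results are the point: the same route table either drops or delivers an inbound packet from the blocked host depending solely on the ingress check, which a null route does not control.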