11-03-2014 06:17 PM - edited 03-12-2019 05:43 PM
This command works without any issues with ISE version 1.1 and 1.2:
ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
However, it does NOT work in ISE version 1.3. See below:
ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
% Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.
% Error: Error adding static route.
ciscoisedev/admin(config)#
Any ideas anyone?
11-04-2014 12:19 AM
This might be a dumb question, as I have never seen this done before, but what exactly are you trying to accomplish, and why do you need a static route that points to the local host? :)
11-04-2014 02:26 AM
I guess you are not very familiar with Unix/Linux :-)
This static route will essentially null-route traffic from 192.168.1.1.
On a Cisco IOS router, you have "ip route 192.168.1.1 255.255.255.255 null0".
On a regular Linux system: ip route add blackhole 192.168.1.1
In other words, I do NOT want host 192.168.1.1 to be connected to the ISE.
After all, ISE is based on CentOS Linux, right?
11-04-2014 09:30 AM
Yep, totally a Cisco guy, and I know enough Linux to break things :) Now it makes sense what you are trying to do. You are basically killing the traffic sourced from ISE and going to 192.168.1.1. I just tested this on my ISE box (1.2) and it is indeed a valid option that appears to have been removed in 1.3.
Yes, ISE is based on ADE-OS.
Now, let me ask you one more question. Are you trying to restrict reachability to the ISE Admin GUI or to the stripped-down version of the Unix shell? Or both?
11-04-2014 10:02 AM
Both. I want to prevent host 192.168.1.1 from communicating with the ISE.
In other words, I want to do the same thing as an IOS router "null" route.
11-04-2014 10:27 AM
So it appears that there is no option to lock down access to the shell now that the command you used to use is no longer valid. What is worse is that there isn't an option to create an ACL in the shell that you could attach to the interface. So I would recommend that you create a defect with Cisco TAC and get this re-added, or request that ACL functionality be added.
For the GUI (in case you were not already aware of this), you can restrict access from Administration > Admin Access > Settings > Access > IP Access.
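As an added illustration (not code from this thread or from Cisco) of what the host null route discussed above actually does: the routing table, the gateway and the client addresses below are constructed, and the script models longest-prefix-match routing plus a TCP SYN/SYN-ACK exchange to show why a blackholed host cannot complete a connection even though a route, unlike an ACL, never filters inbound packets.

```python
# Added example, not from the thread: model of how a host null route works.
# Constructed/assumed: the routing table and all IP addresses below.
import ipaddress

BLACKHOLE = "blackhole"

# Constructed routing table for an ISE-like host; most specific prefix wins.
# The /32 entry plays the role of "ip route 192.168.1.1 255.255.255.255
# gateway 127.0.0.1" (ADE-OS 1.x) or "ip route add blackhole ..." (Linux).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "10.0.0.1"),      # default gateway
    (ipaddress.ip_network("10.0.0.0/24"), "connected"),   # local subnet
    (ipaddress.ip_network("192.168.1.1/32"), BLACKHOLE),  # host null route
]


def next_hop(dst):
    """Longest-prefix-match lookup: returns gateway, 'connected' or 'blackhole'."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def tcp_handshake_completes(client):
    """Simulate SYN / SYN-ACK. The inbound SYN is delivered regardless (a route
    is not an ACL), but the server's SYN-ACK is routed by the server's own
    table, so a blackholed client never receives a reply."""
    inbound_delivered = True  # routing does not drop packets arriving at the host
    reply_hop = next_hop(client)
    return inbound_delivered and reply_hop != BLACKHOLE


if __name__ == "__main__":
    for host in ("192.168.1.1", "192.168.1.2", "10.0.0.9"):
        print(host, next_hop(host), tcp_handshake_completes(host))
```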