cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
560
Views
0
Helpful
5
Replies

Any limitation for ISE nodes to send CoA request other than Gi0 interface ?

Parag Mahajan
Cisco Employee
Cisco Employee

Hi All,

I am working on customer where there is requirement that Management traffic should be segregated from Production traffic(radius traffic)..To accommodate requirement we have configured PSN as below

PSN1- Gi0- A.B.C.D. IP- Management Traffic

PSN1- Gi1- W.X.Y.Z IP- Production Traffic (radius traffic)

Configured Static route to management subnet using IP and default route for all other traffic using W.X.Y.Z IP.

Authc and Authz working as expected. But what we are seeing when PSN send CoA request to switch its send using A.B.C.D. IP.

According to me, it should send using IP W.X.Y.Z IP. Is there any limitation for ISE nodes to send CoA request other than Gi0 interface.

Does anyone knows any setting to send CoA request using Gi1 Interface. We are on 2.2P3

1 Accepted Solution

Accepted Solutions

CoA should not be hard coded to GE0.  Expectation is that CoA will be sent based on the routing table for the target IP of the NAD.  If there is not a more-specific route to NAD IP, it should rely on global default route based on 'ip default-gateway' setting.  For symmetrical traffic, 'ip route 0.0.0.0 0.0.0.0 gateway <ip>' is used, but global default will decide outbound interface if no specific route.

If the above is not the behavior seen, then suggest open TAC case to reproduce and determine if defect needs to be opened.

Craig

View solution in original post

5 Replies 5

Craig Hyps
Advocate
Advocate

You should set the ip default gateway to be GE1, not just a default route (ip route 0 0 ge1_next_hop).

Yes this how we setup as you mentioned. The real question is why PSN is sending CoA with Gi0 IP ? 

How CoA triggered?

CoA getting triggered by Profiling changes setup as CoA type reauth in profiling

CoA should not be hard coded to GE0.  Expectation is that CoA will be sent based on the routing table for the target IP of the NAD.  If there is not a more-specific route to NAD IP, it should rely on global default route based on 'ip default-gateway' setting.  For symmetrical traffic, 'ip route 0.0.0.0 0.0.0.0 gateway <ip>' is used, but global default will decide outbound interface if no specific route.

If the above is not the behavior seen, then suggest open TAC case to reproduce and determine if defect needs to be opened.

Craig

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers