cni-podman1 & cni-podman2 on ISE version 3.1 patch-3

What is the purpose of these interfaces on the ISE 3.1 patch-3 running on SNS-3615? What happens if you decide to use and route 169.254.2.0/24 and 169.254.4.0/24 in your network?


cni-podman1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 169.254.2.1 netmask 255.255.255.0 broadcast 169.254.2.255
inet6 fe80::70e4:f7ff:fe36:527e prefixlen 64 scopeid 0x20<link>
ether 72:e4:f7:36:52:7e txqueuelen 1000 (Ethernet)
RX packets 9497 bytes 6243324 (5.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11051 bytes 4164585 (3.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


cni-podman2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 169.254.4.1 netmask 255.255.255.0 broadcast 169.254.4.255
inet6 fd00::1:8:1 prefixlen 112 scopeid 0x0<global>
inet6 fe80::a83d:bdff:fe2b:aea5 prefixlen 64 scopeid 0x20<link>
ether aa:3d:bd:2b:ae:a5 txqueuelen 1000 (Ethernet)
RX packets 61554 bytes 68751530 (65.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 66445 bytes 71082098 (67.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
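As an added example (not code from this thread or from Cisco), a small Python check that parses ifconfig output like the one quoted above, reports which prefixes you intend to route would overlap the appliance's own interface subnets, and lists which interfaces sit inside the RFC 3927 link-local block. The eth0 line and the 10.x prefixes are constructed sample values.

```python
import ipaddress
import re

# Constructed sample: the cni-podman lines quoted in the question plus a
# made-up eth0 line, trimmed to what the parser needs.
SAMPLE_IFCONFIG = """\
cni-podman1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 169.254.2.1 netmask 255.255.255.0 broadcast 169.254.2.255
inet6 fe80::70e4:f7ff:fe36:527e prefixlen 64 scopeid 0x20<link>
cni-podman2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 169.254.4.1 netmask 255.255.255.0 broadcast 169.254.4.255
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.1.20 netmask 255.255.255.0 broadcast 10.1.1.255
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 IPv4 link-local

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+) netmask (\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text):
    """Return {interface: IPv4Network} for every interface with an IPv4 address."""
    nets, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and current:
            # strict=False discards host bits: 169.254.2.1/24 -> 169.254.2.0/24
            nets[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets


def find_conflicts(ifconfig_text, planned_routes):
    """Return (overlaps, link_local_ifaces): planned prefixes that collide with an
    appliance interface subnet, and interfaces living inside 169.254.0.0/16."""
    nets = parse_ifconfig(ifconfig_text)
    overlaps = []
    for route in planned_routes:
        r = ipaddress.ip_network(route)
        for name, net in nets.items():
            if r.overlaps(net):
                overlaps.append((route, name, str(net)))
    link_local_ifaces = sorted(n for n, net in nets.items() if net.subnet_of(LINK_LOCAL))
    return overlaps, link_local_ifaces


if __name__ == "__main__":
    hits, ll = find_conflicts(SAMPLE_IFCONFIG, ["169.254.2.0/24", "169.254.4.0/24", "10.2.0.0/16"])
    for route, iface, net in hits:
        print(f"CONFLICT: routing {route} collides with {iface} ({net}) on the appliance")
    print("interfaces in the link-local block:", ll)
```

Feed it the real `ifconfig` output from the appliance shell and your candidate routes to see the collision before it reaches production.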

6 Replies

169.254. is not valid IPv4 space. It is reserved and should not be used outside of link-local traffic. https://en.wikipedia.org/wiki/Reserved_IP_addresses

joeo31763
Level 1

I noticed these addresses yesterday when I did sh ip route while I was in the CLI on my servers. I was troubleshooting why I could not SSH into these VM servers 3.1. What are they used for?


Joe

I *think* it is Red Hat's (ISE is based on RHEL) networking stack: https://www.redhat.com/sysadmin/podman-new-network-stack

Greg Gibbs
Cisco Employee

A CNI is a Container Network Interface. It is a commonly used plugin for Kubernetes and other container environments like Docker for communication to/from the containers.

The ISE application uses Docker containers for some specific services, so the CNIs are likely for communication between those containers and the database or other parts of the ISE application.

peter-souren
Level 1

How can there be an (internal?) SYNFlood on a cni-podman2 interface?! What is sending this traffic? ISE version 3.2


There are multiple services that run in containers and various bugs related to SynFlood if you search the Bug Search tool.
https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&kw=ise%20synflood&bt=custV&sb=anfr

If you are not running the latest patch (patch 6, at this time), that should be your first step. If the alarms continue, open a TAC case to investigate further.