Solved: Default gateways? How do they work? How many may we have on ISE?

Gioacchino · ‎02-08-2024

Hi,

I read few discussions on manipulating the routing table of ISE, especially when some servers, like RADIUS, are reachable out of a different interface. For such cases, somebody suggested to use static routes and even a second default gateway.

As ar as I know any routing table should have only one default gateway, because it's used when all the other route lookup fail.
How does the default gateway work in ISE?

In our case, we even three default gateways!

TIA, Gio

Aref Alsouqi · ‎02-08-2024

All the routes that you add with the "ip default-gateway" and "ip route" will end up in the same routing table and will be managed by the same routing engine. The default gateway is the last resort and will be used if there is no other more specific static route added.

For instance in the example of the multiple remote guest subnets I gave before, if the traffic should come say from a 192.168.1.0/24 subnet, the route that will be used in that case would be the one defined in the "ip default-gateway".

View solution in original post

Aref Alsouqi · ‎02-08-2024

The default-gateway entry applies to all interfaces as a last resort, however, the individual default routes (ip route) apply to each interface based on the config. From the link I shared previously:

Cisco Identity Services Engine CLI Reference Guide, Release 3.2 - Cisco ISE CLI Commands in Configuration Mode [Cisco Identity Services Engine] - Cisco

View solution in original post

MHM Cisco World · ‎02-08-2024

we talking about ISE not NAD?
if Yes what is your platform is it on-prem ?

MHM

Gioacchino · ‎02-08-2024

It's SNS-3615-K9

Yes, ISE, I wouldn't know how a NAD might be involved here.

The URL of the page is

https://<IP address of the ISE>/admin/#pulloutLandingPage?pulloutView=cisco/ise/features/visibility/matrixviews/views/DevicesMatrixView

ahollifield · ‎02-08-2024

AFAIK you can only have one default gateway in ISE. If you need to control certain traffic to flow out of different ISE node interfaces, you need to use static routes on the CLI.

https://cisco.com/c/en/us/products/collateral/security/identity-services-engine/secure-network-server-3615-3655-3695-eol.html

Gioacchino · ‎02-08-2024

Thanks @ahollifield ,

the thing is that I do see multiple def gw, out of different interfaces

ise/admin# show ip route

Destination      Gateway          Iface
-----------      -------          -----
default          A.B.C.33         eth0
A.B.C.32/28      0.0.0.0          eth0
default          A.B.C.65         eth2
A.B.C.64/28      0.0.0.0          eth2
default          E.F.G.14         eth4
E.F.G.0/28       0.0.0.0          eth4
169.254.0.0/24   0.0.0.0          docker0
169.254.2.0/24   0.0.0.0          br-de46dd6617b7
ise/admin#

So, I don't know how a routing engine can work configured this way...

Gio

Gioacchino · ‎02-08-2024

@ahollifield, thanks for sharing the EOX for the ISE physical appliance

MHM Cisco World · ‎02-08-2024

If ISE have many interface and one use as defualt gateway' if we ping to other interface which one ISE will use for echo-reply?

It by defualt use same interface the ping come from but if we have issue with this defualt behaive we can add defualt gateway in both interface to make sure that the echo-reply always returns using same interface.

MHM

Gioacchino · ‎02-08-2024

@MHM Cisco World, so if I understand correctly, basically you are saying that extra default routes are used to route "statefully" the reply for incoming traffic from specific interfaces? And, in the configuration, how do you matter-of-factly achieve that?

Gio

Aref Alsouqi · ‎02-08-2024

Hi Gio, as Adam @ahollifield mentioned you can only have one default gateway configured in ISE "ip default-gateway ...",. If you only have this command applied then ISE will use that default gateway to reach any remote subnet. However, if you have multiple interfaces and you want some traffic to go out of a different interface than the one the default gateway points to, then in that case you can define multiple default routes.

For instance, say you ISE is deployed in a region, and in that region you have multiple sites where you have some guest users that would be redirected to a guest portal, and you want the guest traffic to be served by a dedicated interface in ISE. In that case you can define a default route pointing to a L3 downstream device connected to ISE guest interface or you can define some specific routes still pointing to that downstream device.

Personally I always configure specific routes in those cases, for example, if the remote guest subnets/pools are say 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24, I usually configure three static routes one for each subnet, and I will also leave the default gateway "ip default-gateway ..." configured.

That will allow ISE to use those specific routes to go back to the remote guest users out of the guest interface on which the traffic was received on, and at the same time it will still allow ISE to use the default gateway as a last resort for anything else.

Please take a look at this doc for more info about ISE routing:

Cisco Identity Services Engine CLI Reference Guide, Release 3.2 - Cisco ISE CLI Commands in Configuration Mode [Cisco Identity Services Engine] - Cisco

Gioacchino · ‎02-08-2024

Hi @Aref Alsouqi ,

this is what I see in the running config

ise/admin# show running-config | inc def
ip default-gateway A.B.C.33

Hence, I wonder why the other default gws are there.

Gio

Gioacchino · ‎02-08-2024

Ok, now I get it, sorry for the confusion

ise/admin# sh running-config | inc gateway
ip default-gateway A.B.C.33
--
ip route 0.0.0.0 0.0.0.0 gateway E.F.G.14
ip route 0.0.0.0 0.0.0.0 gateway A.B.C.65

I always considered

ip route 0.0.0.0 0.0.0.0 gw

and

ip default-gateway gw

sort of equivalent. I have always seen the default-gateway on L2 switches for the management interface.

Now on ISE, I see that both can be used.
Just to be sure, can we say that Cisco ISE uses the two statements in a particular way, or it just follows the rules that any router/L3 device follows?
I'd like to know if for many years I had a biased knowledge of the topic.
Gio

Aref Alsouqi · ‎02-08-2024

ISE will use the default route E.F.G.14 for the traffic that will be received on the interface eth4 and A.B.C.65 for the traffic that will be received on eth2. All other traffic will be routed via the A.B.C.33 (eth0).

Gioacchino · ‎02-08-2024

Indeed, @Aref Alsouqi .

Whay I would like to understand if this is a customized use of the two statements "ip route 0/0" and "ip default-gateway" or it all falls with the standards for routing engines (or better end-hosts)

MHM Cisco World · ‎02-08-2024

https://www.cisco.com/c/en/us/support/docsFor ISE İ don't found any doc. About using both, and @Aref Alsouqi mention before when we have different subnet not use static route for 0.0.0.0 and defualt gateway

But I read in one cisco doc.

https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/16448-default.html

That the IP route 0.0.0.0 is preferred over defualt gateway and if there are more than one IP route 0.0.0.0 there will be load balance.

So use default gateway (even if multi) not static route 0.0.0.0

MHM

Gioacchino · ‎02-08-2024

So use default gateway (even if multi) not static route 0.0.0.0

Unfortunately, I don't have a non-production instance of ISE to test multiple ip-default-gateway statements.But as @Aref Alsouqi , the outcome of both the statements is an enrty in the routing table. I wouldn't know what makes different one entry, generated by ip default-gateway, and the one generated by ip route 0/0.

Gio