Internal Interface Bridging for ISE

Avinash N.
Cisco Employee

Hi Experts, 

I am looking for some explanation of the setup below, and whether this is indeed expected or as per design.

 

While running some tests on ISE, I tested on a VM as well as a physical device and verified that the interface shows as UP if it has an IP address configured on it, IRRESPECTIVE of whether it is actually physically connected to a device or not. How do we troubleshoot whether the NIC is actually connected or not if it shows as up all the time once an IP address is configured?

 

Secondly, configuring an IP address on this non-connected NIC still allows ISE to listen for all services on this IP. Why should it listen for services when the NIC is not connected? Are we trying to emulate loopback functionality here with a physical NIC instead of a logical one?

 

Finally, consider this scenario:

 

ISE has 2 NICs: NIC1 10.0.0.1/24, NIC2 20.20.20.20/32. NOTE that NIC2 is not physically connected to anything, and there is no NIC bonding configured.

I force all my routers to reach 20.20.20.20 (for TACACS+) with a specific route pointing to 10.0.0.1 (ISE m0), and ISE internally sends this traffic to 20.20.20.20. All packets are sourced with the IP 20.20.20.20, but the MAC address is still that of NIC1. So isn't it possible for this traffic to be considered spoofed, since multiple IPs are using the same MAC?

 

I have my lab set up, so if you need any more information on this please let me know and I can provide the info.

 

Thanks

Avinash
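One way to check the first two points on a Linux host with iproute2, as an added example that is not from this thread or from ISE itself: separate the admin UP flag from LOWER_UP / NO-CARRIER, map each address to its NIC, and list the services reachable on an address whose NIC has no carrier. The command outputs below are constructed samples mirroring the scenario above, and the ISE CLI is assumed not to expose these commands directly, so this is for a lab host or a shell you can reach.

```python
import re

# Constructed sample output (not captured from a real ISE node); the format
# assumed is iproute2 `ip -o link show`, `ip -o -4 addr show` and `ss -ltn`.
IP_LINK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN
"""
IP_ADDR = """\
2: eth0    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 20.20.20.20/32 scope global eth1
"""
SS_LTN = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    20.20.20.20:49      0.0.0.0:*
LISTEN 0      128    10.0.0.1:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

LINK_RE = re.compile(r"^\d+: (\S+): <([^>]*)>")
ADDR_RE = re.compile(r"^\d+: (\S+)\s+inet (\d+\.\d+\.\d+\.\d+)/\d+")
SS_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_links(text):
    """Interface -> admin/carrier state. 'UP' is only the admin flag; a
    physical link is present only when LOWER_UP is set (NO-CARRIER otherwise)."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            flags = set(m.group(2).split(","))
            links[m.group(1)] = {"admin_up": "UP" in flags,
                                 "carrier": "LOWER_UP" in flags}
    return links

def parse_addrs(text):
    """IPv4 address -> interface it is configured on."""
    return {m.group(2): m.group(1)
            for m in (ADDR_RE.match(l) for l in text.splitlines()) if m}

def parse_listeners(text):
    """(bound address, port) for every TCP listener."""
    return [(m.group(1), int(m.group(2)))
            for m in (SS_RE.match(l) for l in text.splitlines()) if m]

def find_dark_listeners(links, addrs, listeners):
    """(ip, port, ifname) for services reachable on an address whose NIC is
    admin UP but has no carrier; traffic for it can only arrive via another
    NIC. A 0.0.0.0 wildcard listener counts for every such address."""
    dark = {ip: ifn for ip, ifn in addrs.items()
            if links.get(ifn, {}).get("admin_up") and not links[ifn]["carrier"]}
    found = []
    for ip, port in listeners:
        targets = dark if ip == "0.0.0.0" else ({ip: dark[ip]} if ip in dark else {})
        found += [(t, port, ifn) for t, ifn in targets.items()]
    return found
```

On the sample data this reports TACACS+ (49) and SSH (22) as answering on 20.20.20.20 even though eth1 has no link, which is exactly the condition to confirm or rule out on the real node.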

 

3 Replies

Surendra
Cisco Employee
Hey Avin,

The first question is interesting. Ideally it should not. I would love to have a look at your setup. The second question could be because of the routes configured on your ISE. Remember that ISE will send out packets from the interface it received them on, and also considering the fact that the ISE DG must have been set to your m0. I'm pretty sure a similar issue would happen on a PC where you have 2 NICs and packets destined for one interface are received on another, assuming that the other interface does not have a route to the destination and a DG is set to the NIC on which the packet was received. However, I haven't tested this myself, so I could be wrong as well. It's kind of similar to how it works on a router, to be honest. There can be multiple source IP addresses sent from a NIC with the same MAC address; that does not mean that it is spoofed or something (for example, a router's NIC routing packets from different source IPs). I know that you know this already, but having the same MAC address for different source IP addresses is not always spoofing.

True, I agree, but where I'm coming from is: considering this is more of a security server, I thought routing functionality is not really internally required. Considering there's no option to configure a loopback interface, I'm thinking the thought process could have been along those lines.

I've got just one default route, though, and no other routes per se. The point is, why listen for services when the NIC is not really up?

That's the interesting part. If it is doing that, this needs to be a defect. And also, obviously, the scenario you have mentioned would not happen if ISE marked that interface down in the first place.