Cisco Ise 14 User Guide

							ip default-gateway
TodefineorsetadefaultgatewaywithanIPaddress,usetheipdefault-gatewaycommandinconfiguration
mode.
ipdefault-gatewayip-address
Todisablethisfunction,usethenoformofthiscommand.
noipdefault-gateway
Syntax DescriptionDefinesadefaultgatewaywithanIPaddress.default-gateway
IPaddressofthedefaultgateway.ip-address
Command DefaultDisabled.
Command ModesConfiguration(config)#
Usage GuidelinesIfyouentermorethanoneargumentornoargumentsatall,anerroroccurs.
Example
ise/admin(config)#ipdefault-gateway209.165.202.129ise/admin(config)#
Related CommandsDescriptionCommand
ipaddress
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
183
Cisco ISE CLI Commands in Configuration Mode
ip default-gateway 
						

							ip domain-name
TodefineadefaultdomainnamethattheCiscoISEserverusestocompletehostnames,usetheipdomain-name
commandinconfigurationmode.
ipdomain-namedomain-name
Todisablethisfunction,usethenoformofthiscommand.
noipdomain-name
Syntax DescriptionDefinesadefaultdomainname.domain-name
Defaultdomainnameusedtocompletethehostnames.Containsat
least2to64alphanumericcharacters.
domain-name
Command DefaultEnabled.
Command ModesConfiguration(config)#
Usage Guidelines
If'Ctrl-C'isissuedduringtheCLIconfigurationchangeof'ipdomain-name'command,incaseofip
domain-namechangethesystemmayendupinastatewheresomeapplicationcomponentshavetheold
domain-nameandsomecomponentsusethenewdomain-name.
ThiswillbringtheCiscoISEnodeintoanon-workingstate.Theworkaroundforthisistoissueanother
'ipdomain-name'configurationCLItosetthedomainnametothedesiredvalue.
Note
Ifyouentermoreorfewerarguments,anerroroccurs.
IfyouupdatethedomainnamefortheCiscoISEserverwiththiscommand,itdisplaysthefollowingwarning
message:Warning:Updatingthedomainnamewillcauseanycertificateusingtheolddomainnametobecomeinvalid.Therefore,anewself-signedcertificateusingthenewdomain
namewillbegeneratednowforusewithHTTPs/EAP.IfCA-signedcertificateswereusedonthisnode,pleaseimportthemwiththecorrectdomainname.Inaddition,ifthisISEnodewillbejoininganewActiveDirectorydomain,pleaseleaveyourcurrentActiveDirectorydomainbeforeproceeding.
Example
ise/admin(config)#ipdomain-namecisco.comise/admin(config)#
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
184
Cisco ISE CLI Commands in Configuration Mode
ip domain-name 
						

							Related CommandsDescriptionCommand
ipname-server
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
185
Cisco ISE CLI Commands in Configuration Mode
ip domain-name 
						

							ip host
Toassociateahostaliasandfullyqualifieddomainname(FQDN)stringtoanethernetinterfacesuchaseth1,
eth2,andeth3otherthaneth0,usetheiphostcommandinglobalconfigurationmode.
WhenCiscoISEprocessesanauthorizationprofileredirectURL,itreplacestheIPaddresswiththeFQDN
oftheCiscoISEnode.
iphost[ipv4-address|ipv6-address][host-alias|FQDN-string]
ToremovetheassociationofhostaliasandFQDN,usethenoformofthiscommand.
noiphost[ipv4-address|ipv6-address][host-alias|FQDN-string]
Syntax DescriptionIPv4addressofthenetworkinterface.ipv4-address
IPv6addressofthenetworkinterface.ipv6-address
Hostaliasisthenamethatyouassigntothenetworkinterface.host-alias
Fullyqualifieddomainname(FQDN)ofthenetworkinterface.FQDN-string
IfyouhavethePrimaryAdministrationNode(PAN)auto-failoverconfigurationenabled,disableitbefore
youchangethehostaliasandFQDNofanethernetinterface.YoucanenablethePANauto-failover
configurationafterthehostaliasandFQDNconfigurationiscomplete.
IfyouhavethePANauto-failoverconfigurationenabledinyourdeployment,thefollowingmessageappears:
PANAutoFailoverisenabled,thisoperationisnotallowed!PleasedisablePANAuto-failoverfirst.
Command DefaultNodefaultbehaviororvalues.
Command ModesConfiguration(config)#
Usage GuidelinesSupportedIPv6addressformatsinclude:
•Fullnotation:Eightgroupsoffourhexadecimaldigitsseparatedbycolons.Forexample,
2001:0db8:85a3:0000:0000:8a2e:0370:7334
•Shortenednotation:Excludeleadingzerosinagroup;replacegroupsofzeroswithtwoconsecutive
colons.Forexample:2001:db8:85a3::8a2e:370:7334
•Dotted-quadnotation(IPv4-mappedandIPv4compatible-IPv6addresses):Forexample,::ffff:192.0.2.128
Usetheiphostcommandtoaddhostaliasandfullyqualifieddomainname(FQDN)stringforanIPaddress
mapping.ItisusedtofindoutthematchingFQDNforethernetinterfacessuchaseth1,eth2,andeth3.Use
theshowrunning-configcommandtoviewthehostaliasdefinitions.
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
186
Cisco ISE CLI Commands in Configuration Mode
ip host 
						

							YoucanprovideeitherthehostaliasortheFQDNstring,orboth.Ifyouprovideboththevalues,thehost
aliasmustmatchthefirstcomponentoftheFQDNstring.IfyouprovideonlytheFQDNstring,CiscoISE
replacestheIPaddressintheURLwiththeFQDN.Ifyouprovideonlythehostalias,CiscoISEcombines
thehostaliaswiththeconfiguredIPdomainnametoformacompleteFQDN,andreplacestheIPaddressof
thenetworkinterfaceintheURLwiththeFQDN.
Example 1
ise/admin(config)#iphost172.21.79.96ise1ise1.cisco.comHostaliaswasmodified.YoumustrestartISEforchangetotakeeffect.DoyouwanttorestartISEnow?(yes/no)yesStoppingISEMonitoring&TroubleshootingLogProcessor...StoppingISEMonitoring&TroubleshootingLogCollector...StoppingISEApplicationServer...StoppingISEProfilerDB...StoppingISEMonitoring&TroubleshootingSessionDatabase...StoppingISEDatabaseprocesses...StartingISEDatabaseprocesses...StoppingISEDatabaseprocesses...StartingISEDatabaseprocesses...StartingISEMonitoring&TroubleshootingSessionDatabase...StartingISEProfilerDB...StartingISEApplicationServer...StartingISEMonitoring&TroubleshootingLogCollector...StartingISEMonitoring&TroubleshootingLogProcessor...Note:ISEProcessesareinitializing.Use'showapplicationstatusise'CLItoverifyallprocessesareinrunningstate.ise/admin(config)#
Example 2
ise/admin(config)#ipv6host2001:db8:cc00:1::1ise1ise1.cisco.comHostaliaswasmodified.YoumustrestartISEforchangetotakeeffect.DoyouwanttorestartISEnow?(yes/no)yesStoppingISEMonitoring&TroubleshootingLogProcessor...StoppingISEMonitoring&TroubleshootingLogCollector...StoppingISEApplicationServer...StoppingISEProfilerDB...StoppingISEMonitoring&TroubleshootingSessionDatabase...StoppingISEDatabaseprocesses...StartingISEDatabaseprocesses...StoppingISEDatabaseprocesses...StartingISEDatabaseprocesses...StartingISEMonitoring&TroubleshootingSessionDatabase...StartingISEProfilerDB...StartingISEApplicationServer...StartingISEMonitoring&TroubleshootingLogCollector...StartingISEMonitoring&TroubleshootingLogProcessor...Note:ISEProcessesareinitializing.Use'showapplicationstatusise'CLItoverifyallprocessesareinrunningstate.ise/admin(config)#
Related CommandsDescriptionCommand
ipdomain-name
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
187
Cisco ISE CLI Commands in Configuration Mode
ip host 
						

							ip name-server
TosettheDomainNameServer(DNS)foruseduringaDNSquery,usetheipname-servercommandin
configurationmode.YoucanconfigureonetofourDNSservers.
ipname-serverip-address{ip-address*}
Todisablethisfunction,usethenoformofthiscommand.
noipname-serverip-address{ip-address*}
Usingthenoformofthiscommandremovesallnameserversfromtheconfiguration.Usingthenoform
ofthiscommandandoneoftheIPnamesremovesonlythatnameserver.
Note
Syntax DescriptionConfiguresIPaddressesofnameserver(s)touse.name-server
Addressofanameserver.ip-address
(Optional).IPaddressesofadditionalnameservers.
YoucanconfigurethreeIPv4addressesandoneIPv6address
inthenameserver.
Note
ip-address*
IfyouhavetheprimaryAdministrationnode(PAN)auto-failoverconfigurationenabledinyourdeployment,
removeitbeforeyouruntheipname-servercommandandenableitafteryouconfiguretheDNSserver(s).
Command DefaultNodefaultbehaviororvalues.
Command ModesConfiguration(config)#
Usage GuidelinesThefirstnameserverthatisaddedwiththeipname-servercommandoccupiesthefirstpositionandthe
systemusesthatserverfirsttoresolvetheIPaddresses.
YoucanaddnameserverstothesystemusingIPv4orIPv6addresses.YoucanconfigureonetothreeIPv4
addressesthroughasinglecommand.Ifyouhavealreadyconfiguredthesystemwithfournameservers,you
mustremoveatleastoneservertoaddadditionalnameservers.
Toplaceanameserverinthefirstpositionsothatthesubsystemusesitfirst,youmustremoveallname
serverswiththenoformofthiscommandbeforeyouproceed.
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
188
Cisco ISE CLI Commands in Configuration Mode
ip name-server 
						

							IfyoumodifiedthissettingforADconnectivity,youmustrestartCiscoISEforthechangestotakeeffect.
Also,ensurethatallDNSserversconfiguredinCiscoISEareabletoresolveallrelevantADDNSrecords.
IftheconfiguredADjoinpointsarenotcorrectlyresolvedaftertheDNSsettingsarechanged,youmust
manuallyperformtheLeaveoperationandre-jointheADjoinpoint.
Note
IfyouhavethePANauto-failoverconfigurationenabledinyourdeployment,thefollowingmessageappears:
PANAutoFailoverisenabled,thisoperationisnotallowed!PleasedisablePANAuto-failoverfirst.
Example 1
ise/admin(config)#ipname-server?PrimaryDNSserverIPaddressDNSserver2IPaddressDNSserver3IPaddressIPv6DNSserveraddressise/admin(config)#ipname-server
Example 2
YoucanseethefollowingoutputafteryouconfiguretheIPnameserver.
ise/admin#showrun|inname-serveripname-server171.70.168.183171.68.226.12064.102.6.247ipname-server3201:db8:0:20:f41d:eee:7e66:4ebaise/admin#
Example 3
ise/admin(config)#ipname-server?ipname-server10.126.107.12010.126.107.10710.106.230.244DNSServerwasmodified.IfyoumodifiedthissettingforADconnectivity,youmustrestartISEforthechangetotakeeffect.DoyouwanttorestartISEnow?(yes/no)
Related CommandsDescriptionCommand
ipdomain-name
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
189
Cisco ISE CLI Commands in Configuration Mode
ip name-server 
						

							ip route
Toconfigurethestaticroutes,usetheiproutecommandinconfigurationmode.Toremovestaticroutes,use
thenoformofthiscommand.
iprouteprefixmaskgatewayip-address
noiprouteprefixmask
Syntax DescriptionIProuteprefixforthedestination.prefix
Prefixmaskforthedestination.mask
IPaddressofthenexthopthatcanbeusedtoreachthatnetwork.ip-address
Command DefaultNodefaultbehaviororvalues.
Command ModesConfiguration(config)#
Usage GuidelinesStaticroutesaremanuallyconfigured,whichmakestheminflexible(theycannotdynamicallyadapttonetwork
topologychanges),butextremelystable.Staticroutesoptimizebandwidthutilization,becausenorouting
updatesneedtobesenttomaintainthem.Theyalsomakeiteasytoenforceroutingpolicy.
WhiletheiproutecommandcanbeusedtodefinestaticroutesonindividualCiscoISEnode,thiscommand
isenhancedtodefineadefaultrouteforeachinterfaceandreducetheeffectsofasymmetricalIPforwarding,
whichisinherentinmulti-interfaceIPnodes.
Whenasingledefaultrouteisconfiguredonamulti-interfacenode,allIPtrafficreceivedfromanyofthe
node'sIPinterfacesisroutedtothenexthopofthedefaultgatewaythatproducesasymmetricalIPforwarding.
ConfiguringmultipledefaultroutesontheCiscoISEnodeeliminatestheeffectsofasymmetricforwarding.
Thefollowingexampledescribeshowtoconfiguremultipledefaultroutes:
ConsiderthefollowinginterfaceconfigurationonCiscoISEnodeeth0,eth1,eth2,andeth3interfaces
respectively:
ISEInterfaceIPNetworkGateway192.168.114.10192.168.114.0192.168.114.1192.168.115.10192.168.115.0192.168.115.1192.168.116.10192.168.116.0192.168.116.1192.168.117.10192.168.117.0192.168.117.1
Theiproutecommandisusedheretodefinedefaultroutesforeachinterface.
ise/admin(config)#iproute0.0.0.00.0.0.0192.168.114.1ise/admin(config)#iproute0.0.0.00.0.0.0192.168.115.1ise/admin(config)#iproute0.0.0.00.0.0.0192.168.116.1ise/admin(config)#iproute0.0.0.00.0.0.0192.168.117.1ise/admin(config)#ipdefault-gateway192.168.118.1
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
190
Cisco ISE CLI Commands in Configuration Mode
ip route 
						

							The"ipdefault-gateway"shownaboveistherouteoflastresortforallinterfaces.Note
Theshowiproutecommanddisplaystheoutputofthestaticroutescreatedusingtheiproutecommand
(defaultroutesandnon-defaultroutes)andsystemcreatedroutesincludingtheoneconfiguredusing"ipdefault
gateway"command.Itdisplaystheoutgoinginterfaceforeachoftheroutes.
WhenyouchangetheIPaddressofaninterfaceandifanystaticroutebecomesunreachableduetoan
unreachablegateway,thestaticroutegetsdeletedfromtherunningconfiguration.Theconsoledisplays
theroutethathasbecomeunreachable.
Note
Example 2
ise/admin(config)#iproute192.168.0.0255.255.0.0gateway172.23.90.2ise/admin(config)#
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
191
Cisco ISE CLI Commands in Configuration Mode
ip route 
						

							kron occurrence
ToscheduleoneormoreCommandSchedulercommandstorunataspecificdateandtimeorarecurring
level,usethekronoccurrencecommandinconfigurationmode.Todeletethisschedule,usethenoformof
thiscommand.
kronoccurrenceoccurrence-name
Syntax DescriptionSchedulesCommandSchedulercommands.occurrence
Nameoftheoccurrence.Supportsupto80alphanumericcharacters.
(SeethefollowingnoteandSyntaxDescription.)
occurrence-name
Afteryouentertheoccurrence-nameinthekronoccurrencecommand,youentertheconfig-Occurrence
configurationsubmode(seethefollowingSyntaxDescription).
Note
Syntax DescriptionIdentifiesthattheoccurrenceistorunataspecifiedcalendardate
andtime.Usage:at[hh:mm][day-of-week|day-of-month|month
day-of-month].
at
EXECcommand.AllowsyoutoperformanyEXECcommandsin
thismode.
do
Exitsthekron-occurrenceconfigurationsubmodeandreturnsyouto
EXECmode.
end
Exitsthekron-occurrenceconfigurationmode.exit
Negatesthecommandinthismode.
Threekeywordsareavailable:
•at—Usage:at[hh:mm][day-of-week|day-of-month|month
day-of-month].
•policy-list—Specifiesapolicylisttoberunbytheoccurrence.
Supportsupto80alphanumericcharacters.
•recurring—Executionofthepolicylistsshouldberepeated.
no
SpecifiesaCommandSchedulerpolicylisttoberunbythe
occurrence.
policy-list
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
192
Cisco ISE CLI Commands in Configuration Mode
kron occurrence