
Load Balancing

BK_CiscoUser
Level 1

If ISE is installed behind a load balancer, with the load balancer as the default gateway, will the source IP of the device still be kept?

Accepted Solutions

Arne Bier
VIP

Short answer is yes, if the load balancer is not doing Source NAT'ing.

If the load balancer is doing Source NAT'ing, then it's changing the IP packet header and putting its own IP address as the source of the traffic. Hence, you lose the "origin" of the traffic. You can still glean the origin via the NAS IP Address field in the RADIUS packet. But ISE doesn't use that field. It uses the IP/UDP Source IP Address.
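
The comparison described in this answer, as an added example that is not part of the original post and not Cisco code: it parses a RADIUS packet (RFC 2865 layout), extracts the NAS-IP-Address attribute (type 4), and compares it with the UDP source address the server saw. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type for NAS-IP-Address (RFC 2865)


def nas_ip_from_radius(packet: bytes):
    """Return the NAS-IP-Address attribute of a RADIUS packet, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # attributes follow code, identifier, length, authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == NAS_IP_ADDRESS and attr_len == 6:
            return ipaddress.IPv4Address(packet[pos + 2:pos + 6])
        pos += attr_len
    return None


def classify(udp_source: str, packet: bytes) -> str:
    """Compare the UDP source seen by the server with NAS-IP-Address."""
    nas_ip = nas_ip_from_radius(packet)
    if nas_ip is None:
        return "no-nas-ip"
    if nas_ip == ipaddress.IPv4Address(udp_source):
        return "match"      # source address reached the server unchanged
    return "mismatch"       # what source NAT on the load balancer produces


def build_access_request(nas_ip: str, user: bytes = b"alice") -> bytes:
    """Constructed sample: Access-Request with User-Name and NAS-IP-Address."""
    attrs = bytes([1, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    pkt = build_access_request("10.1.1.10")   # constructed NAD address
    print(classify("10.1.1.10", pkt))         # pass-through load balancer
    print(classify("10.9.9.1", pkt))          # load balancer rewrote the source
```

A mismatch is not proof of source NAT on its own: a NAD that sources RADIUS from a different interface than its configured NAS-IP-Address produces the same result.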


3 Replies

Damien Miller
VIP Alumni
The suggested way of configuring the load balancer would be to pass through the NAD IP. The alternative, source NAT, would mask the NAD IP.

There are some decent ISE load balancing guides if you go down this route.
https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-p/3648759

Jason Kunst
Cisco Employee
I would recommend checking out the presentation on performance and scale. There are slides under the resources showing you the different options and recommendations.

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

Also under http://cs.co/ise-guides there are load balancing docs
