Hello Damien (or anyone else in the forums),

Can anyone answer my question in response to Damien's regarding the placement of the PSNs or possibility of using L3 routing to a LB while keeping my PSNs in their current VLAN?

Thanks!

I have not seen cases of L3 routing between PSN and the "inside network" of a load balancer.  Typically the PSN will have a default gateway set as the "inside" address of the Load Balancer to allow the non-SNAT'd traffic to return to its originator (that came in via the VIP).

If you need CoA then you cannot SNAT on the VIP, because this breaks ISE.  e.g. imagine you had 1000 switches that you wanted to manage as a single IP in ISE, then normally you would perform SNAT on the VIP.  ISE doesn't interpret the NAS-IP-Address attribute - it uses the IP Header's Source IP Address as the origin information.  This is why SNAT breaks the CoA operation because there is no way to singularly address any one of those 1000 switches any longer.

In the same example of 1000 switches, if you used ISE just for TACACS, then I would recommend SNAT on the VIP, because you don't use CoA in TACACS.  It would make the management in ISE very easy (one entry).  Of course you should extend that scenario to having two VIPs (for HA).  Then ISE has two entries :-) - still better than 1000 entries :)

Hi @Terence Lockette 

Have a look at this posting I did a while back about implementing Guest Portals across two PSN's without a load balancer.  It's the sure way to make this work reliably.

https://community.cisco.com/t5/identity-services-engine-ise/guest-ha-design-with-two-psn-s-and-no-load-balancer/td-p/3503000

Not sure if relying on DNS alone will do the trick - you might run into "weird situations". Rather make it deterministic.

I screwed up my terminology earlier.  On Citrix it is RNAT, you rewrite the PSN IP as the VIP going back to the NAD.  

So 100% agree, I would avoid source NAT from NAD to ISE, have the Citrix/LB pass the original NAD source IP.