Solved: Re: ISE 3.0 Integration with ACI - Limitations?

leighharrison · ‎11-17-2021

Hello folks,

We have a project on where we're integrating ISE 3.0 with ACI and it looks as though we can only integrate with a single ACI pod and only 1 tenant within it.

Have other had the same? Is there a workaround or roadmap to allow 1 ISE instance to integrate with multiple ACI's or tenants?

Best, Leigh

Greg Gibbs · ‎11-17-2021

The current solution for TrustSec-ACI Policy Plane Integration has the limitation that it only supports a single L3Out, within a single Tenant, within a single ACI cluster. This applies to current versions of APIC-DC and ISE.

We cannot discuss roadmap on this public forum.

Another option for this type of multi-domain segmentation would be leveraging Cisco Secure Workload (formerly Tetration). Secure Workload supports integration with ISE via pxGrid to learn IP-SGT bindings and apply policies to the workloads using the providers native firewall based on source/destination SGTs.

See Cisco Secure Workload (formerly Tetration and Cisco ISE Integration Use Cases and Benefits) Solution Overview for more info and links.

View solution in original post

Greg Gibbs · ‎11-17-2021

The current solution for TrustSec-ACI Policy Plane Integration has the limitation that it only supports a single L3Out, within a single Tenant, within a single ACI cluster. This applies to current versions of APIC-DC and ISE.

We cannot discuss roadmap on this public forum.

Another option for this type of multi-domain segmentation would be leveraging Cisco Secure Workload (formerly Tetration). Secure Workload supports integration with ISE via pxGrid to learn IP-SGT bindings and apply policies to the workloads using the providers native firewall based on source/destination SGTs.

See Cisco Secure Workload (formerly Tetration and Cisco ISE Integration Use Cases and Benefits) Solution Overview for more info and links.

leighharrison · ‎11-18-2021

Thanks for the great reply, Greg.

Best, Leigh