Hi Greg

it's a bit confusing as previously i thought that IP-SGT mappings learned via SXP by ISE simply can be published to PxGrid for its consumers to learn that mappings w/o the need to additionally configure SXP pipe between PxGrid consumer & ISE:

Cisco Identity Services Engine Administrator Guide, Release 3.0 - pxGrid [Cisco Identity Services Engine] - Cisco

• Publish and subscribe to SXP bindings (IP-SGT mappings) through pxGrid. For more information about SXP bindings, see the Security Group Tag Exchange Protocol section in the Segmentation chapter of the Cisco ISE Administrators Guide.

what is the benefit from above publishing if admin still need to configure SXP communication between PxGrid consumer & ISE?

also triggered drawback is that if static IP-SGT mapping must be consumed by PxGrid subscriber, it's mandatory to configure SXP session between PxGrid subscriber & IP-SGT-mapping provider/speaker . could u pls share documents where this restriction/limitation is announced?

Thanks in advance

Information about how the FMC consumes SGT bindings from ISE and how to configure it can be found in the Cisco Secure Firewall Management Center Device Configuration Guide.

As stated in the guide regarding the required option Publish SXP Bindings on PxGrid:

"This option makes ISE send the SGT mappings out using SXP. You must select this option for the threat defense device to “hear” anything from listing to the SXP topic. This option must be selected for the threat defense device to get static SGT-to-IP address mapping information. It is not necessary if you simply want to use SGT tags defined in the packets, or SGTs that are assigned to a user session."

Yes. i saw it. Is that statement specific to FMC/FTD, or other ISE's PxGrid consumers (like CheckPoint FW) r required to have SXP-peering with ISE as well? Other words is having both PxGrid consumer role & SXP-peer of ISE rule of thumb for the IP SGT static mappings to be learnt? 

thanks

Static IP-SGT mappings are only published by ISE via the SXP Topic. For another consumer to learn these, they would need to support the ability to subscribe to the SXP Topic.

To be clear, this is not a real SXP peering. As the documentation says:

"This does not have to be a real device, you can even use the management IP address of the threat defense device. The table simply needs at least one device to induce ISE to publish the static SGT-to-IP address mappings."

Greg, pardon for being annoying around it but i really dont understand now how does it work & how it relates to PxGrid.

Does IP-SGT static mapping get populated via SXP-topic in PxGrid whilst subject mapping's consumer (PxGrid subscriber) must be declared in ISE's SXP-peer-list to make ISE as PxGrid controller aware about consumer's IP-SGT-mapping learning need?

or does it work different way?

P.S. on Technical Overview - pxGrid API - Document - Cisco Developer i've read that ISE'simplementation of "pxGrid will use port 8910 on ISE for pxGrid-related REST and Websocket communication" which seems to be owned by STOMP-speaking program module or whatever it is... is it up-to-date for ISE 3.X?

P.P.S. it's very pity CCO doesnt have documents clearly explaining this interoperation :0(