How do we get the static IP-SGT mappings defined in ISE to propagate to the VLAN level on the Nexus 7Ks? This needs to be automated in a similar manner to how it propagates to the default VRF on the Nexus 7Ks.
Troubleshooting done:
ISE is the speaker and all other devices in the enterprise are listeners.
Current setup: ISE pushes IP-SGT mappings at the VRF level onto the Nexus. The client is connected behind an access-port VLAN, due to which it is not working properly.
Started troubleshooting on the N7K, where traffic from the AC client 10.xx.xx.29 (9xx4) is trying to reach 10.xx.xx.7 (2xxx1).
Enforcement is not happening correctly, as <9xx4,2xxx1> should be denied as per the SGACL matrix on ISE.
NX-DC# show logging ip access-list cache detail | i 10.xx.xx.29
The IP-SGT mapping propagated from ISE to the N7K VRF should bind, as long as the N7K isn't learning a conflicting mapping from a higher-priority source. As long as the device has the correct IP-SGT mapping, the egress policies associated with those mappings should apply.
From your problem description, I believe you're saying 10.x.x.29 should have SGT-9xx4 and 10.x.x.7 should have SGT-2xxx1 and the egress policy should deny it, but it does not appear to enforce correctly until you manually add a VLAN mapping on the N7K?
While the problem is occurring, have you verified that the enforcement device has the correct IP-SGT mappings for the source and destination? Can you provide output from "sh cts ro sgt-m | i 10.x.x.7" and "sh cts ro sgt-m | i 10.x.x.29" from the enforcement device?
Also, can you verify that egress policy is correct in both directions on the enforcement device? Please provide output from the N7K of the following two commands: "sh cts ro poli from 9xx4 to 2xxx1" and "sh cts ro poli from 2xxx1 to 9xx4".
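To make the mapping check in the reply above repeatable, here is an added example (not from the original thread or from Cisco) that parses a "show cts role-based sgt-map" style table and reports, per expected host, whether the binding is present, correct, or shadowed by a conflicting entry from another scope. The column layout, IP addresses and SGT numbers in the sample are constructed assumptions, not captured device output.

```python
import re

# Constructed sample in the shape of an NX-OS "show cts role-based sgt-map"
# table. The column layout is an assumption for this example, not captured
# output; the last row models a VLAN-scope entry that conflicts with the
# VRF-scope entry learned from ISE over SXP.
SAMPLE_SGT_MAP = """\
IP ADDRESS        SGT      VRF/VLAN   SGT CONFIGURATION
10.0.0.29         9004     vrf:1      Learned through SXP
10.0.0.7          2001     vrf:1      Learned through SXP
10.0.0.7          5        vlan:100   CLI Configured
"""

# ip, sgt, scope (vrf:x / vlan:x), then the free-text source column
MAP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_sgt_map(text):
    """Return a list of (ip, sgt, scope, source) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def check_bindings(text, expected):
    """Compare the table against expected {ip: sgt}.

    Returns {ip: "ok" | "missing" | "conflict: <sgt> via <scope> (<source>)"}.
    A conflict means the device also holds a different SGT for that IP,
    which is exactly the higher-priority-source case to look for before
    blaming the SGACL itself.
    """
    rows = parse_sgt_map(text)
    result = {}
    for ip, want in expected.items():
        seen = [(sgt, scope, src) for (rip, sgt, scope, src) in rows if rip == ip]
        if not seen:
            result[ip] = "missing"
        elif all(sgt == want for sgt, _, _ in seen):
            result[ip] = "ok"
        else:
            conflicts = [f"{sgt} via {scope} ({src})"
                         for sgt, scope, src in seen if sgt != want]
            result[ip] = "conflict: " + "; ".join(conflicts)
    return result


if __name__ == "__main__":
    for ip, status in check_bindings(SAMPLE_SGT_MAP,
                                     {"10.0.0.29": 9004, "10.0.0.7": 2001}).items():
        print(ip, status)
```

Run it against the real table pasted from the enforcement device, with the expected SGTs taken from ISE; a "conflict" line points at the scope and source to investigate, and a "missing" line means SXP propagation, not SGACL enforcement, is the first thing to check.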