Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2725
Views
10
Helpful
2
Replies

TrustSec-ACI Policy Plane Integration - ISE questions

Go to solution
dvan
Cisco Employee
Cisco Employee

‎07-26-2019 04:25 AM - edited ‎02-21-2020 11:08 AM

Hi,

 

In regards to TrustSec-ACI Policy Plane Integration, what is the high availability architecture between ISE and ACI, assuming both solutions are fully redundant (i.e. multiple ISE PANs/MNTs/PSNs and ACI-DC Controllers)? How does the failover function (if any)?

 

Also, in order to setup the integration, the various Cisco guides available mention that the SXP service is required to be enabled.  Does this mean an SXP connection is setup from ISE PSNs to ACI-DC Controllers, or is it just for internal ISE purposes?

 

From packet captures in the lab, I dont see any SXP connections however I do see active TCP connections over port 443 between the ISE PAN and ACI-DC Controller...

 

Thanks,

Denis

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎07-26-2019 09:10 AM

Hi,

for HA, you can enter the 3 IPs of an APIC cluster into the ISE settings for integration. ISE connects to APIC from the Primary PAN and upon PAN failover, the Secondary PAN should take over.

SXP is NOT used between ISE and APIC, it is REST API as you have seen. The SXP service you enable on the ISE side defines the SXP domains (and hence the mappings in those domains) that get sent to APIC. SXP is also used to distribute mappings learned from via REST API from APIC to network devices in the Enterprise.

Regards, Jonothan.

View solution in original post

2 Replies 2

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎07-26-2019 09:10 AM

Hi,

for HA, you can enter the 3 IPs of an APIC cluster into the ISE settings for integration. ISE connects to APIC from the Primary PAN and upon PAN failover, the Secondary PAN should take over.

SXP is NOT used between ISE and APIC, it is REST API as you have seen. The SXP service you enable on the ISE side defines the SXP domains (and hence the mappings in those domains) that get sent to APIC. SXP is also used to distribute mappings learned from via REST API from APIC to network devices in the Enterprise.

Regards, Jonothan.

Go to solution
dvan
Cisco Employee
Cisco Employee
In response to jeaves@cisco.com

‎07-28-2019 07:06 PM

Thanks!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents