Cisco Employee

TrustSec-ACI Policy Plane Integration - ISE questions

Hi,

With regard to TrustSec-ACI Policy Plane Integration, what is the high availability architecture between ISE and ACI, assuming both solutions are fully redundant (i.e. multiple ISE PANs/MNTs/PSNs and ACI-DC Controllers)? How does the failover function (if any)?

Also, in order to set up the integration, the various Cisco guides available mention that the SXP service is required to be enabled. Does this mean an SXP connection is set up from ISE PSNs to ACI-DC Controllers, or is it just for internal ISE purposes?

From packet captures in the lab, I don't see any SXP connections; however, I do see active TCP connections over port 443 between the ISE PAN and ACI-DC Controller...

Thanks,

Denis

Accepted Solutions
Cisco Employee

Re: TrustSec-ACI Policy Plane Integration - ISE questions

Hi,

For HA, you can enter the 3 IPs of an APIC cluster into the ISE settings for integration. ISE connects to APIC from the Primary PAN and, upon PAN failover, the Secondary PAN should take over.

SXP is NOT used between ISE and APIC; it is REST API, as you have seen. The SXP service you enable on the ISE side defines the SXP domains (and hence the mappings in those domains) that get sent to APIC. SXP is also used to distribute mappings learned via REST API from APIC to network devices in the Enterprise.

Regards, Jonothan.

Cisco Employee

Re: TrustSec-ACI Policy Plane Integration - ISE questions

Thanks!