Hi,
What hardware do you have? These devices will need to support trustsec enforcement, which will allow you to use SGACL (switches/routers) or SG Firwall (ASA or FTD). Refer to the trustsec matrix here, to determine if your hardware supports enforcement.
I assume you are using ISE? If so you could deploy IP/SGT Static bindings using SXP to send the bindings of the servers to the switch/router/firewall acting as the enforcement point.
HTH