I'm not sure I'm following you completely; I'm still digging into the technology a bit. To clarify, I currently have a similar setup in a lab to the one you described: ISE is configured as a speaker to a Nexus switch, which is then a speaker to the access-layer 9300 switches. The Nexus learns the dynamic mappings from the auth sessions via SXP, and the 9300 then learns the static IP->SGT mappings via SXP from the Nexus reflector(s), in addition to its local dynamic mappings. What I am trying to do in the short term is keep most of the SGT configuration on the 9300s rather than the 4K routers, since those will technically be replaced with SD-WAN devices; I don't want any dependency on the WAN routers that drives the code version I deploy on the SD-WAN boxes, at least not initially.
The only reason I suggested leveraging the WAN edge was because it would require fewer SXP connections than going to each access switch, which can be a scaling issue. Total mapping support on the Cat 9Ks is also quite limited: they can only handle 10,000 IP-SGT mappings, whereas an ISR can support 125,000+. It sounds like you have a fairly large environment, so 10k mappings could easily be a scale issue.
I would want to inline tag everything in the LAN to enable east-west enforcement anyway. You would be dealing with fewer connections and no inline tagging work to add in for the future state. When (if) SD-WAN ever supports native SGT inline tagging, you would still need inline tagging in the LAN up to the router; you would just be dropping the SXP connections on the router when moving to SD-WAN inline tagging. I have not spun up the SD-WAN code on an ISR, but I know the commands are there for inline tagging; I'm not sure if SXP is still in there. I would want to go this route if possible. I haven't tested it on SD-WAN code, but after this discussion I think I will when I get time in the next couple of weeks.
Your understanding of the mapping flow sounds correct, ISE will speak all static mappings you manually create as well as dynamic mappings created during authorization. It is a single point of truth for all IP-SGT mappings regardless of how they are generated, unless manually tagged on NADs.
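As an added illustration of the 9300-centric design discussed above (this is not configuration from any poster in the thread), the following IOS-XE fragment shows a Catalyst 9300 acting as an SXP listener toward a Nexus reflector, holding one local static mapping, and inline tagging its uplink so east-west enforcement does not depend on the WAN routers. Peer and source addresses, the SXP password, SGT values, the interface name and the VLAN range are all placeholders.

```cisco
! Added example, not from the thread. All addresses, SGTs and names are placeholders.
!
! --- SXP: this 9300 is a listener; the Nexus reflector is the speaker ---
cts sxp enable
cts sxp default password 0 REPLACE-WITH-SXP-PASSWORD
! placeholder: this switch's SXP source address
cts sxp default source-ip 10.0.0.10
! placeholder: Nexus reflector address
cts sxp connection peer 10.0.0.1 password default mode local listener
!
! --- Local static IP-SGT mapping for a host that never authenticates ---
! placeholder host and SGT; ISE-defined static mappings still arrive via SXP
cts role-based sgt-map 10.20.30.40 sgt 100
!
! --- Inline tagging on the uplink toward the Nexus ---
interface TenGigabitEthernet1/1/1
 description Uplink to Nexus (placeholder)
 cts manual
  policy static sgt 2 trusted
!
! --- SGACL enforcement, scoped to a VLAN range for a staged rollout ---
cts role-based enforcement
cts role-based enforcement vlan-list 100-110
!
! --- Verification ---
! Peer state should show "On":
!   show cts sxp connections brief
! Watch the mapping count against the 10,000-mapping Cat 9K limit quoted above:
!   show cts role-based sgt-map all
!   show cts sxp sgt-map
```

On a real deployment the `mode local listener` line is the one that inverts if the 9300 is instead meant to publish its mappings upstream, and the mapping count from `show cts role-based sgt-map all` is the figure to trend against the platform limit.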