
TrustSec DNAC, ISE and ACI with Multiple Tenants

MFloresG5
Level 1

Architecture:

  • ACI Implementation with Multiple Tenants (v5.2.(7f))
  • Each Tenant with a L3Out
  • Single ISE Cluster Instance managing Auth/Authz request for all the organizations/Tenants
  • DNAC v 2.3.3.6

Scenario:

We are implementing TrustSec; however, everywhere we look for integration documentation, it is stated that TrustSec with ACI + ISE only supports a single Tenant with a single L3Out.

Has anybody implemented TrustSec with DNAC + ISE + ACI with multiple tenants and multiple L3Outs? If so, how?

  • How about ACI with SR-MPLS utilizing Infra Tenant to inject EEPGs and IEPGs exchange with ISE?
  • How about the common tenant?
  • How about the infra tenant?

 

3 Replies

Hello andy!doesnt!like!uucp 

Thank you so much for your reply. We did review this integration and we are definitely able to observe the limitations. I really appreciate you taking the time to guide us.

jedolphi
Cisco Employee

Hi, can't be done today through an SD-Access/ISE-ACI integration. You can use a Cisco Secure Firewall between SD-Access and ACI domains to implement SGT-EPG policy, if that's suitable. ACI Endpoint Update App loads EPG:IP into firewall. ISE loads SGTs into firewall. More information here: https://www.ciscolive.com/on-demand/on-demand-library.html?search=BRKSEC-2116#/session/1670019637340001nvJI

 
