Cisco APIC and Cisco ISE Integration
Unified SGT policy enforcement between Cisco APIC and Cisco ISE via pxGrid
Overview
What it does: The integration exchanges group context (EPG/ESG ↔ SGT) over pxGrid so that APIC and ISE can normalize and share group bindings for unified policy enforcement across fabrics.
When to use: When you need consistent SGT-based policy enforcement between ISE and ACI, or when you want ISE to publish SGTs and bindings that APIC consumes as External EPGs.
Prerequisites
- ISE configuration: pxGrid and SXP must be enabled on ISE; configure outbound SGT domain rules and ACI connection objects in ISE.
- APIC configuration: Ensure tenant/VRF/L3Out/EPG basics are in place; APIC must resolve ISE FQDN via DNS and be able to reach ISE over the required ports.
- Scale and design decisions: Decide single-pod vs Multi-Pod, number of tenants, and whether bi-directional context sharing is required. Plan for up to three ISE connections per fabric and validate ISE version compatibility before production.
- Operational: Expect a brief cluster takeover window if changing the APIC node used for the ISE connection; plan maintenance windows for initial sync.
How to verify and view integration in the APIC UI
Integrations tab
- Navigate: Integrations > ISE Integrations.
- Inspect tiles: Overview shows servers, topics, and external EPG counts. Connections shows admin state, mode, and topics. Endpoints shows DC bindings and SGT endpoints. Configuration lists published EPGs/ESGs and subscribed SGTs. History contains audit logs.
Tenants tab
- Navigate: Tenants > <tenant> > Networking > L3Outs > External EPGs.
- View External EPGs: SGTs published from ISE appear as External EPGs. Objects managed by ISE display a banner indicating they must be modified from ISE.
Configure route leaking for shared services
- Purpose: Share IP prefixes learned via campus SGT L3Out across VRFs so shared services can be reached.
- High-level steps: Create an External EPG with Shared Route Control Subnet enabled; attach a shared contract; ensure the matching SGT and contract are deployed from ISE so the policy plane allows the prefix to be leaked.
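Added example (not part of the original page or any Cisco-supplied tooling): builds the APIC JSON an administrator would push for the External EPG described above and runs a pre-flight check for the conditions that commonly stop the prefix from leaking (Shared Route Control Subnet not set, VRF-local contract scope, no contract relation). The APIC class and attribute names (l3extInstP, l3extSubnet.scope, fvRsCons/fvRsProv, vzBrCP.scope) are assumed from the APIC object model; tenant, prefix and contract names are constructed sample values.

```python
"""Pre-flight check for shared-services route leaking on an APIC External EPG.

Assumed APIC object model names: l3extInstP (External EPG), l3extSubnet with a
comma-separated 'scope', fvRsCons/fvRsProv contract relations (tnVzBrCPName),
and vzBrCP.scope in {context, tenant, global}. Sample names are constructed.
"""


def build_ext_epg(name, prefix, contract, consumer=True):
    """Return the l3extInstP JSON body an admin would POST to APIC."""
    rel = "fvRsCons" if consumer else "fvRsProv"
    return {"l3extInstP": {"attributes": {"name": name}, "children": [
        {"l3extSubnet": {"attributes": {"ip": prefix,
            # shared-rtctrl leaks the prefix into other VRFs (Shared Route
            # Control Subnet); shared-security lets the leaked prefix be
            # classified into this External EPG in the consuming VRF.
            "scope": "import-security,shared-rtctrl,shared-security"}}},
        {rel: {"attributes": {"tnVzBrCPName": contract}}}]}}


def check_shared_route_leak(ext_epg, contract_scope):
    """Return a list of findings; an empty list means the prefix can leak."""
    findings = []
    children = ext_epg["l3extInstP"].get("children", [])
    subnets = [c["l3extSubnet"]["attributes"] for c in children if "l3extSubnet" in c]
    rels = [c for c in children if "fvRsCons" in c or "fvRsProv" in c]
    if not subnets:
        findings.append("no l3extSubnet on External EPG: nothing to leak")
    for s in subnets:
        flags = set(s["scope"].split(","))
        if "shared-rtctrl" not in flags:
            findings.append(f"{s['ip']}: Shared Route Control Subnet not enabled")
        if "shared-security" not in flags:
            findings.append(f"{s['ip']}: Shared Security Import Subnet not enabled")
    if not rels:
        findings.append("no contract relation on External EPG")
    if contract_scope == "context":
        # A VRF-scoped contract never crosses VRFs; tenant or global is required.
        findings.append("contract scope is VRF-local; use tenant or global scope")
    return findings


if __name__ == "__main__":
    epg = build_ext_epg("campus-sgt-ext", "10.10.0.0/16", "shared-svc")
    print(check_shared_route_leak(epg, "tenant"))  # [] when correctly configured
```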
Guidelines, limitations, and scale considerations
- Scale highlights: Plan for supported site and object counts when designing production deployments; validate expected published EPG/ESG counts and binding volumes against your fabric capacity.
- Key limitations: One SGT per ISE-to-ACI connection; configuration rollback is not supported and manual resync may be required after changes; DEC cannot coexist in the same L3Out in some designs.
- Operational notes: Initial programming of external EPGs by ISE can cause brief traffic disruption; test and validate in lab environments for Multi-Pod and multi-tenant scenarios.
Troubleshooting and recommendations
- Common issues: DNS resolution failures between APIC and ISE, pxGrid not enabled on ISE, mismatched SGT naming across multiple ISE connections, and contract mismatches that prevent route leakage.
- Recommendations: Test integration in a lab first; validate DNS and pxGrid connectivity; document SGT naming conventions; schedule initial sync during maintenance windows; monitor audit logs in the APIC Integrations > History view for errors.