These terms are commonly used to describe Cisco ISE and Cisco ACI integration:

• EPG: Used in Cisco ACI. An EPG is a logical entity that contains a collection of endpoints. EPGs are associated to a single bridge domain and used to define security zones within a bridge domain.

• ESG: Used in Cisco ACI. An ESG is a logical entity that contains a collection of physical or virtual network endpoints. An ESG is associated to a single VRF instance instead of a bridge domain.

• Inbound SGT domain rules: Used in Cisco ISE to map incoming SGT bindings with specific SGT domains.

• Outbound SGT domain rules: Used in Cisco ISE to designate target destinations for specific SGT bindings.

• Workload classification rules: Used in Cisco ISE to assign primary and secondary SGTs to workloads.

• Secondary SGTs: SGTs that can be tagged along with primary SGT.

Note that the following terminology changes are made in Cisco ISE Release 3.4:

Cisco ISE Release 3.3 and earlier	Cisco ISE Release 3.4 and later
SXP mapping	SGT binding
SXP domain	SGT domain

Cisco ISE supports packets coming from the Cisco ACI domain to the TrustSec domain by synchronizing EPGs and ESGs, and creating correlating SGTs in Cisco ISE. These SGTs map the endpoints configured in Cisco ACI and create correlating SGT bindings in Cisco ISE.

Cisco ACI supports the packets that are sent from the TrustSec domain to the Cisco ACI domain by synchronizing the SGTs and creating correlating EEPGs. Cisco ACI creates subnets under EEPG based on the SGT bindings from Cisco ISE. These subnets are deleted from Cisco ACI, when the corresponding SGT bindings are deleted in Cisco ISE.

When an EPG or ESG is deleted in Cisco ACI, the synced EPG list is updated in Cisco ISE. If the EPG or ESG is not used in any of the inbound or outbound SGT domain rules, then it is deleted in Cisco ISE. When an EPG or ESG is deleted, the IP-SGT bindings learned from that EPG or ESG are also deleted from Cisco ISE and the corresponding IP-SGT delete events are sent through the pxGrid SXP topics.

If the EPG or ESG is used in an inbound or outbound SGT domain rule, then it is not deleted. You must delete that EPG or ESG manually. Alarms are raised in both cases.

When an SGT is added to an outbound SGT domain rule in Cisco ISE, an EEPG is created in Cisco ACI. When the SGT is deleted from the outbound SGT domain rule, the corresponding EEPG is deleted in Cisco ACI.

If the connection with the Cisco ACI server is lost, the connection status is marked as Disconnected in the Workload Connections page, and an alarm is raised. After the connection is reestablished, the connection status is marked as Connected. Cisco ISE resynchronizes the data when the connection is reestablished. Configuration drift checks are performed for all resources and an alarm is raised if any mismatch is found. Similar checks are performed whenever Cisco ISE is restarted or the Cisco ACI connection status changes from Suspend to Connected.