topic Re: Maximum SGT per Device. in Network Access Control

Maximum SGT per Device.

ecanogut — Mon, 11 Mar 2019 08:01:13 GMT

Hello everyone

In Admin guide says that even ISE supports 65,535 SGTs the maximum recommended is 4,000.

The question is: when the devices (switches, routers, ASA, etc) download the environment data from ISE is there a limit depending on the device type on how many of the SGTs it can have on its table?

Thanks in advanced.

Re: Maximum SGT per Device.

jeaves@cisco.com — Tue, 26 Sep 2017 16:19:08 GMT

Hi Emmanuel,

sorry for the delay.

if the platform can download/install a PAC and securely communicate with ISE then it will be able to download all the SGT's provisioned (up to a tested maximum of 4000).

Now, there may be limits with what you can do with them per platform. For example, the 3850 can enforce using 256 different destination SGTs at any one time. Also, the Cat4k can only enforce for 2000 DGTs for switched traffic.

But for downloading, you're good to go.

Regards, Jonothan.

Re: Maximum SGT per Device.

ecanogut — Tue, 26 Sep 2017 16:28:28 GMT

Thank you veyr much for your answerJonothan, this iinformation is very useful.

Re: Maximum SGT per Device.

adschaef — Sat, 22 Sep 2018 02:22:59 GMT

"But for downloading, you're good to go."

Does this mean you can exceed the 256 SGT Destination limit can be exceeded? I'm trying to micro segment up to 1200 users in a residential dormitory type environment so 265 will easily be exceeded.

Re: Maximum SGT per Device.

Damien Miller — Sun, 23 Sep 2018 02:47:16 GMT

An Idea for you to consider. You could use a single SGT for all students and have a deny ip SGACL in the matrix. This would stop any student to student communication. If you have a student that needs two devices talking to each other, you could break that student's devices out in to a new SGT.