I have a large customer looking to leverage dynamic variables on their endpoints to lock certain endpoints into a particular department (serviced by a set of IDF), certain switches and potentially a certain port on a switch.  I can do all this easily using dynamic variable matching, but the customer asked how does this scale.  Do we have any data on dynamic variable performance?  The majority of the matches would use the Contains logic, but I do have one doing a MATCHES (Regex).

As an example I use the version under the network device to tag it with departments serviced by that switch "HR-Legal-IT-Any".  Then on the endpoint I add 3 custom attributes:

1. Department code
2. Switch
3. Port

Then my rules simply says:

1. Device:Version Contains Endpoint:Department Code
2. Network Access:Network Device Name Matches Endpoint:Switch
3. RADIUS:NAS-Port-ID Contains Endpoint:Port

So under the endpoint I can set the 3 attributes to say:

1. HR
2. .*
3. Ethernet

That would allow the device to connect to any switch coded for HR on any port.

I can set another endpoint like this:

1. Any
2. IDF-1
3. 1/0/1

To lock the device into the IDF-1 switch on port 1/0/1.

Just not sure how to measure scalability.