Solved: MAC limitation and performance impact for adding to ISE database for MAC auth bypass

jlubick · ‎02-17-2020

1 trying to figure out if there is a known upper limit to the number of MACs that can be added to the ISE database for MAC auth bypass
2 Would the customer see a performance hit as the near they MAC limit?

Colby LeMaire · ‎02-17-2020

The maximum number of endpoints in ISE 2.6 is 2,000,000. Check out this post: https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

My guess is that as that number increases and gets large, the MAC lookup may take slightly longer; however, I wouldn't think it would be noticeable by the end user.

View solution in original post

Colby LeMaire · ‎02-17-2020

The maximum number of endpoints in ISE 2.6 is 2,000,000. Check out this post: https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

My guess is that as that number increases and gets large, the MAC lookup may take slightly longer; however, I wouldn't think it would be noticeable by the end user.

Damien Miller · ‎02-18-2020

I came in to a customers 2.4 deployment which was up to 4.9 million known endpoints in the context visibility database. There was no observable performance impact due to that. The only impact was to me as an admin, exporting the endpoint database resulted in a 5GB csv file that was a pain to use, excel no longer works since it's only happy with less than a million rows.

I have since enabled aggressive purge policies and dropped that back down to around 500k.

My experience has been that, profiling and accounting syslogs result in more of an impact than just having endpoints in the DB. the