Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1490
Views
3
Helpful
4
Replies

Max number of sub-levels for MAB group structure

Go to solution
Flavio Costa
Cisco Employee
Cisco Employee

‎01-18-2016 08:24 AM

Hi experts,

Are there indications or suggestions on the maximum number of sub-levels for MAB group structure?

We are talking about:

1 main group with 20 indentation subgroups. These 20 subgroups will have indentation again in a total (max) of 110 groups (ditributed between the mentioned 20 groups), and again an indentation of a total of 1.000 groups whouch would be distributed between the 110 groups.

1 Accepted Solution

Accepted Solutions

Go to solution
Aaron Woland
Cisco Employee
Cisco Employee
In response to Flavio Costa

‎01-29-2016 09:43 AM

HI Falvio,

I'm not sure I understand what follow-up you are looking for.  You can only have 500 endpoint groups.

You can have sub-groups, I think the limitation is 32 sub groups - but honestly that is not what endpoint Identity groups were ever meant to do / be structured as.  You would be much better off leveraging a combination of groups/attributes, such as Network Device Groups + Endpoint Identity Groups.  Trying to manually maintain 500 endpoint groups just doesn't seem logical from an operational expense perspective.

Aaron

View solution in original post

4 Replies 4

Go to solution
Aaron Woland
Cisco Employee
Cisco Employee

‎01-19-2016 11:48 AM

[EDIT - sorry, I answered originally for NDGs, not Endpoint Groups]

Endpoint groups is ~500 max.  Keep in mind, they are for MUCH more than just MAB, so calling them MAB groups is a bit of a limiting misnomer.  I would like to know a little more about your use case if that's ok.  WHat types of classifications of endpoints are you looking at, and with a tree that deep/wide - how do you plan to maintain the endpoint groups and their members?

Go to solution
Flavio Costa
Cisco Employee
Cisco Employee
In response to Aaron Woland

‎01-21-2016 04:55 AM

  Use case: we need to maintain a "memory" of the locations in which the endpoints are placed (1000 locations more or less), with 20 endpoints per location as an average.

  The classification (of endpoints) will be associated to a static policy, therefore, an endpoint will have a static policy (classification) and a MAB group (membership), tied to the installation location.

  The authorization would be simpler, being based on the main group which will contain these child groups, divided in macro areas and sharpened in indentation groups (something like Region > District > Location).

0 Helpful

Go to solution
Flavio Costa
Cisco Employee
Cisco Employee
In response to Aaron Woland

‎01-29-2016 06:15 AM

Hey sir, any updates on it?

0 Helpful

Go to solution
Aaron Woland
Cisco Employee
Cisco Employee
In response to Flavio Costa

‎01-29-2016 09:43 AM

HI Falvio,

I'm not sure I understand what follow-up you are looking for.  You can only have 500 endpoint groups.

You can have sub-groups, I think the limitation is 32 sub groups - but honestly that is not what endpoint Identity groups were ever meant to do / be structured as.  You would be much better off leveraging a combination of groups/attributes, such as Network Device Groups + Endpoint Identity Groups.  Trying to manually maintain 500 endpoint groups just doesn't seem logical from an operational expense perspective.

Aaron

Customers Also Viewed These Support Documents