Max number of sub-levels for MAB group structure

Flavio Costa
Cisco Employee

Hi experts,

Are there indications or suggestions on the maximum number of sub-levels for MAB group structure?

We are talking about:

1 main group with 20 indentation subgroups. These 20 subgroups will have indentation again in a total (max) of 110 groups (distributed between the mentioned 20 groups), and again an indentation of a total of 1.000 groups which would be distributed between the 110 groups.

Accepted Solutions

Hi Flavio,

I'm not sure I understand what follow-up you are looking for. You can only have 500 endpoint groups.

You can have sub-groups, I think the limitation is 32 sub-groups - but honestly that is not what endpoint Identity groups were ever meant to do / be structured as. You would be much better off leveraging a combination of groups/attributes, such as Network Device Groups + Endpoint Identity Groups. Trying to manually maintain 500 endpoint groups just doesn't seem logical from an operational expense perspective.

Aaron

4 Replies

Aaron Woland
Cisco Employee

[EDIT - sorry, I answered originally for NDGs, not Endpoint Groups]

Endpoint groups is ~500 max. Keep in mind, they are for MUCH more than just MAB, so calling them MAB groups is a bit of a limiting misnomer. I would like to know a little more about your use case if that's ok. What types of classifications of endpoints are you looking at, and with a tree that deep/wide - how do you plan to maintain the endpoint groups and their members?

  Use case: we need to maintain a "memory" of the locations in which the endpoints are placed (1000 locations more or less), with 20 endpoints per location as an average.

  The classification (of endpoints) will be associated to a static policy, therefore, an endpoint will have a static policy (classification) and a MAB group (membership), tied to the installation location.

  The authorization would be simpler, being based on the main group which will contain these child groups, divided in macro areas and sharpened in indentation groups (something like Region > District > Location).

Hey sir, any updates on it?
