We are about to deploy ISE NAC at our campus.
As part of the design, I read about SGT mapping.
Can someone explain the SGT-to-IP mapping? (How can it scale?)
Can I map users (IP) to SGT?
From what I have read, SGT-to-IP mapping is meant for a few IP addresses and cannot scale on a campus of thousands of users.
Your question is very generic and broad. Are you doing TrustSec on any devices in your infrastructure? Or are you just doing normal 802.1x/MAB authentication?
With ISE, IP-SGT mappings are dynamic based on your ISE authentication/authorization policies and you can also create static IP-SGT mappings if needed. The scalability of how many of those mappings a device can handle is platform/device specific. The following URL has the scalability numbers to give you an idea: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf
For example, if you are doing SGT enforcement on an ASA 5555-X, then that ASA can handle up to 500K IP-SGT mappings. A Firepower 4110 can handle up to 1M mappings.
SGTs were designed to give role/group based access within a network. So the thought was you wouldn't assign one per user/endpoint, but rather use one SGT per device/endpoint role. Users and endpoints requiring similar access would receive the same SGT/policy. It sounds like what you may be looking for is to segment users from each other? The stated limit with ISE 2.4+ is 10,000 unique SGTs, but in practice this would be a pain to manage.
If you wanted to prevent user-to-user communication you could use a single SGT and define an SGACL that prevents them from talking to one another. It would act in a similar way to private VLANs but be consistent on wired and wireless.
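The following Catalyst (IOS-XE style) configuration is an added illustration of the two points made in the replies above: a static IP-SGT mapping for the few hosts that cannot authenticate, and a single SGT combined with an SGACL that drops user-to-user traffic. It is not configuration from the thread or from Cisco documentation. The tag number (SGT 10), the SGACL name `DENY_USER_TO_USER`, the host 10.10.20.5 and VLAN 200 are constructed sample values; the switch is assumed to already be part of the TrustSec domain, with ISE supplying the dynamic IP-SGT mappings at 802.1X/MAB login.

```cisco
! Added example, not from the original thread.
! Assumptions: SGT 10 is a hypothetical campus-user tag; 10.10.20.5 and VLAN 200
! are constructed values; dynamic IP-SGT mappings for authenticated users come
! from ISE, so only the exceptions below are configured statically.

! Static IP-SGT mapping for a host that never authenticates (e.g. a printer)
cts role-based sgt-map 10.10.20.5 sgt 10

! Map every host in one VLAN to the same SGT where per-host mapping is not possible
cts role-based sgt-map vlan-list 200 sgt 10

! SGACL that drops all IP traffic between hosts carrying the same tag
ip access-list role-based DENY_USER_TO_USER
 deny ip

! Apply the SGACL to the SGT 10 -> SGT 10 cell (user to user); other cells keep their default
cts role-based permissions from 10 to 10 DENY_USER_TO_USER

! Enable SGACL enforcement globally and on the user VLAN
cts role-based enforcement
cts role-based enforcement vlan-list 200

! Verification: mapping table, active policy, and per-cell hit counters
show cts role-based sgt-map all
show cts role-based permissions
show cts role-based counters
```

In an ISE deployment the SGACL and the matrix cell would normally be defined centrally in ISE and downloaded to the enforcement points, which is what makes the policy consistent across wired and wireless; the locally configured `cts role-based permissions` line shows the same intent on a single switch. The `show cts role-based counters` output is the quickest way to confirm that user-to-user flows are actually hitting the deny cell rather than a permit default.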