Cisco Employee

Maximum SGT per Device.

Hello everyone


The Admin guide says that even though ISE supports 65,535 SGTs, the maximum recommended is 4,000.

The question is: when the devices (switches, routers, ASA, etc.) download the environment data from ISE, is there a limit, depending on the device type, on how many of the SGTs it can have in its table?


Thanks in advance.

Accepted Solution
Cisco Employee

Re: Maximum SGT per Device.

Hi Emmanuel,

sorry for the delay.

If the platform can download/install a PAC and securely communicate with ISE, then it will be able to download all the SGTs provisioned (up to a tested maximum of 4000).

Now, there may be limits with what you can do with them per platform. For example, the 3850 can enforce using 256 different destination SGTs at any one time. Also, the Cat4k can only enforce for 2000 DGTs for switched traffic.

But for downloading, you're good to go.

Regards, Jonothan.


4 Replies

Cisco Employee

Re: Maximum SGT per Device.

Thank you very much for your answer Jonothan, this information is very useful.

Cisco Employee

Re: Maximum SGT per Device.

"But for downloading, you're good to go."

Does this mean the 256 SGT destination limit can be exceeded? I'm trying to micro-segment up to 1200 users in a residential dormitory type environment, so 265 will easily be exceeded.

VIP Advocate

Re: Maximum SGT per Device.

An idea for you to consider. You could use a single SGT for all students and have a deny ip SGACL in the matrix. This would stop any student-to-student communication. If you have a student that needs two devices talking to each other, you could break that student's devices out into a new SGT.
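As an added illustration (not code from any poster, ISE or Cisco), the following Python models the design suggested in the last reply and ties it back to the per-platform enforcement limits quoted in the accepted answer: one shared "students" SGT with a deny ip SGACL on the student-to-student cell, plus a breakout SGT for each student whose own devices must talk to each other. It then counts the distinct destination SGTs a switch would have to enforce. The SGT numbers and SGACL names are constructed, and the model assumes every matrix cell is enforced on a single switch, which is a simplification of how policy is actually pulled per destination SGT.

```python
# Added example: model the "single student SGT + per-student breakouts" design
# and check how many destination SGTs (DGTs) an enforcement point must hold.
# SGT values, SGACL names and the "students" policy are constructed here.

STUDENTS_SGT = 100           # constructed: shared SGT for every dorm user
FIRST_BREAKOUT_SGT = 1000    # constructed: first per-student breakout SGT
# Enforcement limits as stated in the thread (3850: 256 DGTs, Cat4k: 2000 DGTs
# for switched traffic). Download of all provisioned SGTs is not the bottleneck.
ENFORCEMENT_DGT_LIMIT = {"3850": 256, "Cat4k": 2000}


def build_matrix(breakout_students):
    """Return {(src_sgt, dst_sgt): sgacl_name} for the suggested design."""
    # Shared cell: students may not talk to other students at all.
    matrix = {(STUDENTS_SGT, STUDENTS_SGT): "deny-ip"}
    for i in range(breakout_students):
        sgt = FIRST_BREAKOUT_SGT + i
        matrix[(sgt, sgt)] = "permit-ip"          # a student's own devices may talk
        matrix[(sgt, STUDENTS_SGT)] = "deny-ip"   # still isolated from everyone else
        matrix[(STUDENTS_SGT, sgt)] = "deny-ip"
    return matrix


def destination_sgts(matrix):
    """Distinct DGTs referenced by enforced cells: what the switch must install."""
    return {dst for (_, dst) in matrix}


def fits_platform(matrix, platform):
    """True if the matrix's DGT count is within the platform's enforcement limit."""
    return len(destination_sgts(matrix)) <= ENFORCEMENT_DGT_LIMIT[platform]


def max_breakouts(platform):
    """Largest number of per-student breakout SGTs the platform can still enforce."""
    return ENFORCEMENT_DGT_LIMIT[platform] - 1   # one DGT is the shared students SGT


if __name__ == "__main__":
    # 1200 dorm users fit on a 3850 only while almost all share the one SGT;
    # each breakout consumes a further DGT on the enforcing switch.
    for breakouts in (0, 50, 255, 256, 1200):
        m = build_matrix(breakouts)
        print(breakouts, len(destination_sgts(m)),
              {p: fits_platform(m, p) for p in ENFORCEMENT_DGT_LIMIT})
```

The point the model makes explicit: with the shared SGT the 1200 users cost a single DGT, and the 256-DGT figure is only hit once 255 individual students have been broken out on the same 3850.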