Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
825
Views
0
Helpful
4
Replies

WSA Max Scale for IP-SGT Bindings

Damien Miller
VIP Alumni
VIP Alumni

‎06-25-2019 11:58 AM - edited ‎06-25-2019 02:01 PM

I was on the fence if this should go in to the ISE category or WSA, but because it's platform specific to the WSA I settled on here.

I wondering what is the maximum number of IP-SGT bindings the WSA platforms can support. I have a customer that has an existing ISE/PXGrid WSA integration leveraging TrustSec IP-SGT bindings for internet access.  They are relying on this integration quite heavily across their WSA's and we are looking at scaling the ISE environment. This expansion means a lot more than the existing 50k IP-SGT bindings.  

It's not listed in the TrustSec system bulletin so I wonder what's been tested. I'm worried we are going to hit a show stopping limit as the roll out continues and I would like to get in front of it.

The ask is specifically what the max ip-sgt bindings we can learn via pxgrid on s670/680/690 hardware before we pass any limits. 

 

 

Labels:
0 Helpful
4 Replies 4

shgrover
Cisco Employee
Cisco Employee

‎06-30-2019 11:01 PM

Hello Damien,

 

you shouldn't face nay issues with S670/S680 /S690 with 50K users. The in house testing has done with more than 150K users and enough memory was allocated so that it doesn't create any issues. Let us know if in case you face any issues or you have specific deployment related questions.

 

0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to shgrover

‎07-01-2019 06:44 AM

So 150k would be the upper tested limit then?  It's currently 50k, but that will easily be 600k+ next year if Kerberos doesn't pan out.  

0 Helpful

shgrover
Cisco Employee
Cisco Employee
In response to Damien Miller

‎07-03-2019 09:58 AM

Damien,

I confirmed and I don't have the exact nos. and I am trying to find out the exact nos. They basically told me they don't care about the user base. 150K is the active/ logged in users and thus active IP/SGT bindings that they tested with.
0 Helpful

shgrover
Cisco Employee
Cisco Employee
In response to shgrover

‎07-03-2019 08:50 PM

Hello Damien,

 

I got some more insight into it. We have fixed memory allocated for users  & associated information  and not the nos. of Mappings/users.  Number of users are depending upon size of each record. If a user belongs to several groups, then a smaller number of users could fit in.  

 

Regards

Shikha Grover 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents