Maximum SGT per Device.

ecanogut
Cisco Employee

Hello everyone,

The Admin guide says that even though ISE supports 65,535 SGTs, the maximum recommended is 4,000.

The question is: when the devices (switches, routers, ASA, etc.) download the environment data from ISE, is there a limit, depending on the device type, on how many of the SGTs it can have in its table?

Thanks in advance.

Accepted Solution

jeaves@cisco.com
Cisco Employee

Hi Emmanuel,

Sorry for the delay.

If the platform can download/install a PAC and securely communicate with ISE, then it will be able to download all the SGTs provisioned (up to a tested maximum of 4000).

Now, there may be limits on what you can do with them per platform. For example, the 3850 can enforce using 256 different destination SGTs at any one time. Also, the Cat4k can only enforce for 2000 DGTs for switched traffic.

But for downloading, you're good to go.

Regards, Jonothan.


4 Replies


Thank you very much for your answer, Jonothan; this information is very useful.

"But for downloading, you're good to go."

Does this mean the 256 destination SGT limit can be exceeded? I'm trying to micro-segment up to 1200 users in a residential dormitory type environment, so 265 will easily be exceeded.

An idea for you to consider: you could use a single SGT for all students and have a deny ip SGACL in the matrix. This would stop any student-to-student communication. If you have a student that needs two devices talking to each other, you could break that student's devices out into a new SGT.
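The thread separates two different numbers: how many SGTs a device can download from ISE (tested to 4000) and how many distinct destination SGTs a given platform can enforce at once (256 on the 3850, 2000 on the Cat4k for switched traffic, as stated in the accepted answer). The following added example (my own code, not Cisco's or ISE's) models a policy matrix as a list of (source SGT, destination SGT, SGACL) cells and checks the two designs from this thread against those limits; it assumes that every destination SGT with at least one SGACL cell consumes one enforcement entry on the platform, and the per-platform figures are taken from the answer above rather than from any data sheet.

```python
"""Capacity check: TrustSec policy matrix vs. platform DGT enforcement limit."""

# Limits as quoted in the thread (assumption: these are the enforcement
# limits to plan against; verify against the release notes of your platform).
DGT_ENFORCEMENT_LIMIT = {"cat3850": 256, "cat4k-switched": 2000}
TESTED_SGT_DOWNLOAD_MAX = 4000


def distinct_dgts(rules):
    """Destination SGTs referenced by at least one SGACL cell.

    `rules` is an iterable of (src_sgt, dst_sgt, sgacl_name) tuples.
    Assumption: each destination SGT with a policy needs one enforcement
    entry, so this count is what the platform limit applies to.
    """
    return {dst for _, dst, _ in rules}


def check_platform(rules, platform):
    """Return (dgt_count, limit, fits) for the named platform."""
    limit = DGT_ENFORCEMENT_LIMIT[platform]
    count = len(distinct_dgts(rules))
    return count, limit, count <= limit


def per_user_rules(first_sgt, user_count):
    """Design 1: one SGT per student, deny_ip between every pair (generator,
    so 1200 users do not need 1.4 million tuples held in memory at once)."""
    sgts = range(first_sgt, first_sgt + user_count)
    for src in sgts:
        for dst in sgts:
            if src != dst:
                yield (src, dst, "deny_ip")


def shared_sgt_rules(student_sgt, exception_sgts=()):
    """Design 2 (last reply): a single Students SGT with deny_ip on its own
    cell; a student whose devices must talk gets a separate SGT that is
    denied to and from the shared one, while its own cell stays open."""
    yield (student_sgt, student_sgt, "deny_ip")
    for sgt in exception_sgts:
        yield (sgt, student_sgt, "deny_ip")
        yield (student_sgt, sgt, "deny_ip")


def sgt_count_ok(total_sgts):
    """Download side: stay within the tested maximum from the answer."""
    return total_sgts <= TESTED_SGT_DOWNLOAD_MAX


if __name__ == "__main__":
    print("1200 per-user SGTs on 3850:", check_platform(per_user_rules(100, 1200), "cat3850"))
    print("shared SGT + 2 exceptions on 3850:", check_platform(shared_sgt_rules(10, [20, 21]), "cat3850"))
```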