Configuration Limits in Secure Workload

This chapter describes the configuration limits in Cisco Secure Workload: the maximum number of workloads, policies, users and other resources that can be managed at once, and the constraints on security policies, such as the maximum number of micro-segmentation policies an agent can enforce. Network and security engineers need these limits to design a deployment that scales, because exceeding them degrades system performance.

The chapter also provides guidelines on monitoring system performance indicators so that degradation can be prevented as a deployment approaches a configuration limit.

Secure Workload has defined thresholds for effective operation. Exceeding these thresholds can lead to degraded performance or potential security vulnerabilities. Regular monitoring and adjustment of configurations are recommended to stay within optimal operational parameters.

The limits for various features in Secure Workload vary depending on the version and platform.


Attention: Due to recent GUI updates, some of the images or screenshots used in the user guide may not fully reflect the current design of the product. Use this guide in conjunction with the latest version of the software for the most accurate visual reference.


Cloud Connectors

AWS Connector
  Total number of flows exported by AWS connector: 15000 flows per second
  Scale: 5 accounts per connector
  Virtual Networks: 5 per account
  Kubernetes Clusters: 5 per account

Azure Connector
  Total number of flows exported by Azure connector: 15000 flows per second
  Scale: 5 subscriptions per connector
  Virtual Networks: 5 per subscription
  Kubernetes Clusters: 5 per subscription

Google Cloud Platform
  Total number of flows exported by GCP connector: 15000 flows per second
  Scale: 5 projects per connector
  Virtual Networks: 5 per project
  Kubernetes Clusters: 5 per project


Note

  • A maximum of 50 connectors, including cloud connectors, can be configured in a cluster across all tenants.

  • Workloads managed by cloud connectors require Secure Workload workload licenses; make sure that your total workload count is licensed and within the cluster limits.


Connectors


Note

  • A maximum of 50 connectors, including cloud connectors, can be configured in a cluster across all tenants.

  • For limits applicable to individual connectors, see What are Connectors.

AnyConnect Connector
  Total number of AnyConnect endpoints supported by one AnyConnect connector: 5000 endpoints
  Note: The number of AnyConnect endpoints across all AnyConnect Proxy sensors is limited by the number of sensors supported by the Secure Workload appliance.
  Number of LDAP attributes that can be used to label the inventory of AnyConnect endpoints: 6 attributes

AWS Connector
  Total number of flows exported by AWS connector: 15000 flows per second

F5 Connector
  Total number of flows exported by F5 connector: 15000 flows per second

NetFlow Connector
  Total number of flows exported by one NetFlow connector: 15000 flows per second

NetScaler Connector
  Total number of flows exported by NetScaler connector: 15000 flows per second

ERSPAN Connector
  Total number of flows exported by ERSPAN connector: 15000 flows per second

Secure Workload Virtual Appliances for Connectors

Secure Workload Ingest Appliance
  Number of connectors on one appliance: 3
  Number of appliances per root scope: 100
  Number of appliances per cluster: 500

Secure Workload Edge Appliance
  Number of connectors on one appliance: 6
  Number of appliances per root scope: 1
  Number of appliances per cluster: equal to the number of root scopes (one edge appliance per root scope)
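The connector, cloud connector and appliance limits above interact: a plan can stay under every per-connector figure and still exceed the 50-connector cluster limit or the 3-connectors-per-ingest-appliance limit. The following is an added example, not Cisco code and not part of this guide: it encodes the limits stated on this page and checks a planned layout (root scopes, appliances, connectors, cloud accounts) against all of them at once. The data classes, field names and the sample plan are constructed for this example.

```python
"""Capacity check for a planned Secure Workload connector layout.

Added example, not Cisco code. It encodes the limits from the Cloud Connectors,
Connectors and Virtual Appliances tables and walks a planned layout (root scopes
-> appliances -> connectors -> cloud accounts), returning every limit the plan
would exceed. Data classes, field names and SAMPLE_PLAN are constructed here.
"""
from dataclasses import dataclass, field

MAX_CONNECTORS_PER_CLUSTER = 50        # every connector type, across all tenants
MAX_FLOWS_PER_SECOND = 15000           # per flow-exporting connector
MAX_ACCOUNTS_PER_CLOUD_CONNECTOR = 5   # AWS accounts, Azure subscriptions or GCP projects
MAX_VNETS_PER_ACCOUNT = 5
MAX_K8S_CLUSTERS_PER_ACCOUNT = 5
MAX_ANYCONNECT_ENDPOINTS = 5000        # per AnyConnect connector
MAX_LDAP_ATTRIBUTES = 6                # labelled on AnyConnect endpoint inventory
# kind -> (connectors per appliance, appliances per root scope, appliances per cluster);
# edge appliances per cluster equal the root scope count, enforced by the per-scope limit of 1.
APPLIANCE_LIMITS = {"ingest": (3, 100, 500), "edge": (6, 1, None)}
CLOUD_KINDS = {"aws", "azure", "gcp"}
FLOW_KINDS = CLOUD_KINDS | {"netflow", "f5", "netscaler", "erspan"}

@dataclass
class Account:              # one AWS account, Azure subscription or GCP project
    vnets: int = 0
    k8s_clusters: int = 0

@dataclass
class Connector:
    kind: str               # aws, azure, gcp, netflow, f5, netscaler, erspan or anyconnect
    flows_per_second: int = 0
    endpoints: int = 0
    ldap_attributes: int = 0
    accounts: list = field(default_factory=list)

@dataclass
class Appliance:
    kind: str               # "ingest" or "edge"
    connectors: list = field(default_factory=list)

@dataclass
class RootScope:
    name: str
    appliances: list = field(default_factory=list)

def check_connector(where, c):
    """Limits that apply to one connector, as readable strings."""
    out = []
    if c.kind in FLOW_KINDS and c.flows_per_second > MAX_FLOWS_PER_SECOND:
        out.append(f"{where}: {c.kind} exports {c.flows_per_second} fps (limit {MAX_FLOWS_PER_SECOND})")
    if c.kind in CLOUD_KINDS:
        if len(c.accounts) > MAX_ACCOUNTS_PER_CLOUD_CONNECTOR:
            out.append(f"{where}: {c.kind} has {len(c.accounts)} accounts (limit {MAX_ACCOUNTS_PER_CLOUD_CONNECTOR})")
        for i, a in enumerate(c.accounts):
            if a.vnets > MAX_VNETS_PER_ACCOUNT:
                out.append(f"{where}: {c.kind} account {i} has {a.vnets} virtual networks (limit {MAX_VNETS_PER_ACCOUNT})")
            if a.k8s_clusters > MAX_K8S_CLUSTERS_PER_ACCOUNT:
                out.append(f"{where}: {c.kind} account {i} has {a.k8s_clusters} Kubernetes clusters (limit {MAX_K8S_CLUSTERS_PER_ACCOUNT})")
    if c.kind == "anyconnect":
        if c.endpoints > MAX_ANYCONNECT_ENDPOINTS:
            out.append(f"{where}: anyconnect has {c.endpoints} endpoints (limit {MAX_ANYCONNECT_ENDPOINTS})")
        if c.ldap_attributes > MAX_LDAP_ATTRIBUTES:
            out.append(f"{where}: anyconnect labels {c.ldap_attributes} LDAP attributes (limit {MAX_LDAP_ATTRIBUTES})")
    return out

def check_cluster(scopes):
    """Return every limit violation in a planned cluster; an empty list means the plan fits."""
    problems, total_connectors, ingest_in_cluster = [], 0, 0
    for scope in scopes:
        per_scope = {"ingest": 0, "edge": 0}
        for n, appliance in enumerate(scope.appliances):
            where = f"{scope.name}/{appliance.kind}#{n}"
            per_scope[appliance.kind] += 1
            ingest_in_cluster += 1 if appliance.kind == "ingest" else 0
            max_conn = APPLIANCE_LIMITS[appliance.kind][0]
            if len(appliance.connectors) > max_conn:
                problems.append(f"{where}: {len(appliance.connectors)} connectors on one appliance (limit {max_conn})")
            for c in appliance.connectors:
                total_connectors += 1
                problems.extend(check_connector(where, c))
        for kind, (_, max_per_scope, _) in APPLIANCE_LIMITS.items():
            if per_scope[kind] > max_per_scope:
                problems.append(f"{scope.name}: {per_scope[kind]} {kind} appliances (limit {max_per_scope} per root scope)")
    if total_connectors > MAX_CONNECTORS_PER_CLUSTER:
        problems.append(f"cluster: {total_connectors} connectors (limit {MAX_CONNECTORS_PER_CLUSTER} across all tenants)")
    if ingest_in_cluster > APPLIANCE_LIMITS["ingest"][2]:
        problems.append(f"cluster: {ingest_in_cluster} ingest appliances (limit {APPLIANCE_LIMITS['ingest'][2]})")
    return problems

# Constructed sample: six AWS accounts, ERSPAN over the flow limit, four connectors on one ingest appliance.
SAMPLE_PLAN = [RootScope("Tenant-A", appliances=[Appliance("ingest", connectors=[
    Connector("aws", flows_per_second=9000, accounts=[Account(vnets=3, k8s_clusters=1) for _ in range(6)]),
    Connector("netflow", flows_per_second=15000),        # exactly at the limit: allowed
    Connector("erspan", flows_per_second=16000),
    Connector("anyconnect", endpoints=4800, ldap_attributes=6),
]), Appliance("edge")])]
```

Running `check_cluster(SAMPLE_PLAN)` reports three problems: the ingest appliance carries four connectors, the AWS connector has six accounts, and the ERSPAN connector exceeds 15000 flows per second. A NetFlow connector at exactly 15000 flows per second is not flagged, because the limits on this page are maxima, not thresholds to stay strictly below.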

Label Limits

Table 1. SaaS

Label limits
  Maximum number of IP addresses that can be labeled per tenant (CMDB only): 6,000 per 100 licenses
  Maximum number of subnets that can be labeled per tenant (CMDB only): 120 per 100 licenses

Limits Related to Policies

Automatic policy discovery (formerly ADM)
  Maximum number of member workloads (endpoints) allowed for an automatic policy discovery run on a single scope: 10,000
  Maximum number of conversations allowed for an automatic policy discovery run on a single scope: 10,000,000
  Maximum number of member workloads (endpoints) allowed for automatic policy discovery on a branch of the scope tree: 37,500
  Maximum number of conversations allowed for automatic policy discovery on a branch of the scope tree: 20,000,000
  Maximum number of total unique workloads (endpoints) allowed for an automatic policy discovery run: 15,000,000
  Maximum number of exclusion filters in the Default Policy Discovery config: 100
  Maximum number of exclusion filters allowed per workspace: 100
  Maximum number of submissions allowed for automatic policy discovery: 5

Concrete policies
  Aggregate size of policies on agents installed on non-Kubernetes workloads: 2.5 MB (about 2000 policies, depending on complexity)
  Aggregate size of policies on agents installed on Kubernetes nodes: 7.5 MB (about 6000 policies, depending on complexity)
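The single-scope and branch limits for automatic policy discovery are easiest to check before a run by walking the scope tree. The following is an added example, not Cisco code and not part of this guide. It assumes that each scope is annotated with the member workload and conversation counts a discovery run on that scope alone would see, and it computes the branch figure for a scope as the sum of those counts over the scope and all of its descendants; that aggregation rule is an assumption of the example, not a statement from the page. The Scope class and the sample tree are constructed for illustration.

```python
"""Check a scope tree against the automatic policy discovery limits above.

Added example, not Cisco code. A Scope carries the member workload and
conversation counts that a discovery run on that scope alone would see.
Branch totals are computed as the sum over a scope and all descendants
(an assumption of this example). SAMPLE_TREE is constructed data.
"""
from dataclasses import dataclass, field

SINGLE_SCOPE_WORKLOADS = 10_000
SINGLE_SCOPE_CONVERSATIONS = 10_000_000
BRANCH_WORKLOADS = 37_500
BRANCH_CONVERSATIONS = 20_000_000
MAX_EXCLUSION_FILTERS = 100          # per workspace, and in the default config

@dataclass
class Scope:
    name: str
    workloads: int                   # member workloads (endpoints) of this scope
    conversations: int               # conversations a run on this scope would process
    exclusion_filters: int = 0       # exclusion filters in this scope's workspace
    children: list = field(default_factory=list)

def branch_totals(scope):
    """(workloads, conversations) summed over the scope and every descendant."""
    w, c = scope.workloads, scope.conversations
    for child in scope.children:
        cw, cc = branch_totals(child)
        w, c = w + cw, c + cc
    return w, c

def check_discovery_limits(root):
    """Return (scope name, message) for every scope that would exceed a limit."""
    problems, stack = [], [root]
    while stack:
        s = stack.pop()
        if s.workloads > SINGLE_SCOPE_WORKLOADS:
            problems.append((s.name, f"{s.workloads} member workloads in one scope (limit {SINGLE_SCOPE_WORKLOADS})"))
        if s.conversations > SINGLE_SCOPE_CONVERSATIONS:
            problems.append((s.name, f"{s.conversations} conversations in one scope (limit {SINGLE_SCOPE_CONVERSATIONS})"))
        if s.exclusion_filters > MAX_EXCLUSION_FILTERS:
            problems.append((s.name, f"{s.exclusion_filters} exclusion filters (limit {MAX_EXCLUSION_FILTERS})"))
        bw, bc = branch_totals(s)
        if bw > BRANCH_WORKLOADS:
            problems.append((s.name, f"branch has {bw} workloads (limit {BRANCH_WORKLOADS})"))
        if bc > BRANCH_CONVERSATIONS:
            problems.append((s.name, f"branch has {bc} conversations (limit {BRANCH_CONVERSATIONS})"))
        stack.extend(s.children)
    return problems

# Constructed sample tree. Prod fits as a branch on its own, but the whole tree
# does not, and Dev breaks the single-scope workload and exclusion filter limits.
SAMPLE_TREE = Scope("Default", 2_000, 500_000, children=[
    Scope("Default:Prod", 9_500, 12_000_000, children=[
        Scope("Default:Prod:Web", 9_000, 4_000_000),
        Scope("Default:Prod:DB", 8_500, 3_500_000),
    ]),
    Scope("Default:Dev", 11_000, 1_000_000, exclusion_filters=120),
])

if __name__ == "__main__":
    for name, msg in check_discovery_limits(SAMPLE_TREE):
        print(f"{name}: {msg}")
```

On the sample tree the check flags the root (40,000 workloads and 21,000,000 conversations across the branch), Default:Prod (12,000,000 conversations in a single scope) and Default:Dev (11,000 member workloads and 120 exclusion filters); the practical response is to run discovery on Default:Prod as its own branch and split Default:Dev before running it.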

Additional Features

Alerts
  Number of instances supported within a root scope: 256
  Number of instances supported across root scopes: 1024
  Number of latest alerts displayed per root scope (per status category: ACTIVE, SNOOZED, MUTED, CLOSED): 5000
  Maximum alert rate to preview in the UI: 60 per minute
  Note: If more than 60 alerts are sent per minute, the UI shows a summary message indicating that alerts were sent to the data tap but are suppressed in the UI. The 60-per-minute figure applies to the rate at which alerts are sent to data taps; it does not apply to alert time or event time and is unrelated to any specific batch of data.
  Number of alerts configured per root scope (via modal): 1000
  Maximum number of alerts processed by the Alerts App per minute batch: 20000

Compliance App
  Number of workspaces supported: 128

Data-In or Data-Out

Data Taps
  Number of data taps supported per appliance: 10
  8RU/39RU/SaaS/-: -