Configuration Limits in Secure Workload

The limits for various features in Cisco Secure Workload vary depending on the version and platform.

Flows and Endpoints

| Metric | Limit | 8RU/39RU/SaaS/- |
| --- | --- | --- |
| Number of concurrent servers (virtual machine or bare metal) from which telemetry data can be analyzed by Secure Workload. | Up to 10,000 with detailed flow telemetry; up to 20,000 with conversation-only flow telemetry | 8RU |
| | Up to 37,500 with detailed flow telemetry; up to 75,000 with conversation-only flow telemetry | 39RU |
| Number of flow events that can be processed by Secure Workload. | Up to 500,000 per second | 8RU |
| | Up to 2 million per second | 39RU |
| Number of actively tracked flows that can be processed by Secure Workload. | Up to 10,00,000 per second | 8RU |
| | Up to 2,00,000 per second | 39RU |

Tenants, Child Scopes, Inventory Filters, and Roles

| Metric | Limit | 8RU/39RU |
| --- | --- | --- |
| Number of workloads in full fidelity mode | 10000 | 8RU |
| | 37500 | 39RU |
| Number of tenants | 7 | 8RU |
| | 35 | 39RU |
| Number of child scopes per tenant | 1000 * | 8RU |
| | 5000 | 39RU |
| Number of child scopes across tenants | 7000 | 8RU |
| | 35000 | 39RU |
| Number of workspaces per tenant | 1000 * | 8RU |
| | 3500 * | 39RU |
| Number of workspaces across tenants | 5000 | 8RU |
| | 20000 | 39RU |
| Number of inventory filters per tenant | 1000 * | 8RU |
| | 5000 * | 39RU |
| Number of inventory filters across tenants | 7000 * | 8RU |
| | 35000 * | 39RU |
| Number of Roles per child scope | 6 | 8RU |
| | 6 | 39RU |


Note


* If conversation mode is enabled on all agents, Secure Workload supports up to two times the mentioned limits for limits marked with an asterisk (*). For details, see Conversation Mode.


Cloud Connectors

| Cloud Connectors | Metric | Limit | Scale | Virtual Networks | Kubernetes Clusters |
| --- | --- | --- | --- | --- | --- |
| AWS Connector | Total number of flows exported by AWS connector | 15000 flows per second | 5 accounts per connector | 5 per account | 5 per account |
| Azure Connector | Total number of flows exported by Azure connector | 15000 flows per second | 5 subscriptions per connector | 5 per subscription | 5 per subscription |
| Google Cloud Platform | Total number of flows exported by GCP connector | 15000 flows per second | 5 projects per connector | 5 per project | 5 per project |


Note


  • A maximum of 50 connectors, including cloud connectors, can be configured in a cluster across all tenants.

  • The workloads managed by cloud connectors in Secure Workload require workload licenses. Ensure that your total workloads are licensed and within the cluster limits.


Connectors


Note


  • A maximum of 50 connectors, including cloud connectors, can be configured in a cluster across all tenants.

  • For limits applicable to individual connectors, see What are Connectors.


| Connector | Metric | Limit |
| --- | --- | --- |
| AnyConnect Connector | Total number of AnyConnect endpoints supported by one AnyConnect connector | 5000 endpoints. Note: The number of AnyConnect endpoints across all AnyConnect Proxy sensors is limited by the number of sensors supported by the Secure Workload appliance. |
| AnyConnect Connector | Number of LDAP attributes that could be labelled on inventories of AnyConnect endpoints | 6 attributes |
| AWS Connector | Total number of flows exported by AWS connector | 15000 flows per second |
| F5 Connector | Total number of flows exported by F5 connector | 15000 flows per second |
| NetFlow Connector | Total number of flows exported by one NetFlow connector | 15000 flows per second |
| NetScaler Connector | Total number of flows exported by NetScaler connector | 15000 flows per second |

Secure Workload Virtual Appliances for Connectors

| Appliance | Metric | Limit |
| --- | --- | --- |
| Secure Workload Ingest Appliance | Number of connectors on one appliance | 3 |
| | Number of appliances per root scope | 100 |
| | Number of appliances per cluster | 500 |
| Secure Workload Edge Appliance | Number of connectors on one appliance | 6 |
| | Number of appliances per root scope | 1 |
| | Number of appliances per cluster | Number of root scopes |

Label Limits

| Feature | Metric | Limit | 8RU/39RU |
| --- | --- | --- | --- |
| Label limits | Maximum number of IP Addresses that can be labeled across all root scopes | 1,500,000 * | 39RU |
| | | 500,000 * | 8RU |
| | Maximum number of subnets that can be labeled across all root scopes | 200,000 | 39RU |
| | | 50,000 | 8RU |


Note


* When conversation mode is enabled on all agents, Secure Workload can support up to two times the mentioned limits (limits marked with an asterisk (*)). For more information, see Conversation Mode.


Limits Related to Policies

| Feature | Metric | Limit |
| --- | --- | --- |
| Automatic policy discovery (formerly ADM) | Maximum number of member workloads (endpoints) allowed for automatic policy discovery run on a single scope. | 10,000 |
| | Maximum number of conversations allowed for automatic policy discovery run on a single scope. | 10,000,000 |
| | Maximum number of member workloads (endpoints) allowed for automatic policy discovery on a branch of the scope tree. | 37,500 |
| | Maximum number of conversations allowed for automatic policy discovery on a branch of the scope tree. | 20,000,000 |
| | Maximum number of total unique workloads (endpoints) allowed for automatic policy discovery run. | 15,000,000 |
| | Maximum number of exclusion filters in Default Policy Discovery config. | 100 |
| | Maximum number of exclusion filters allowed per workspace. | 100 |
| Concrete policies | Aggregate size of policies on agents installed on non-Kubernetes workloads. | 2.5 MB (About 2000 policies, depending on complexity) |
| | Aggregate size of policies on agents installed on Kubernetes nodes. | 7.5 MB (About 6000 policies, depending on complexity) |

Additional Features

| Feature | Metric | Limit |
| --- | --- | --- |
| Alerts | Number of instances supported within a root scope | 256 |
| | Number of instances supported across root scopes | 1024 |
| | Number of latest alerts that are displayed per root scope (per status category: ACTIVE, SNOOZED, MUTED, CLOSED) | 5000 |
| | Maximum alert rate to preview in UI | 60 per minute. Note: If more than 60 alerts are sent per minute, the UI shows a summary message indicating that alerts were sent to the DataTap but are suppressed in the UI. The limit of 60 alerts per minute applies to the rate at which alerts are sent to data taps; it does not apply to the alert time or event time and is unrelated to any specific batch of data. |
| | Number of alerts configured per root scope (via modal) | 1000 |
| | Maximum number of alerts processed by Alerts App per minute batch | 20000 |
| Compliance App | Number of workspaces supported | 128 |

| Feature | Metric | Limit | 8RU/39RU/- |
| --- | --- | --- | --- |
| Number of tracked inventory items | Maximum number of IP Addresses that can be tracked across all root scopes | 1,500,000 * | 39RU |
| | | 500,000 * | 8RU |
| | Maximum number of subnets that can be tracked across all root scopes | 200,000 | 39RU |
| | | 50,000 | 8RU |

Data-In or Data-Out

| Feature | Metric | Limit | 8RU/39RU/SaaS/- |
| --- | --- | --- | --- |
| Data Taps | Number of data taps supported per appliance | 10 | - |