In the current release, the identity management feature has the following
limitations:
- IPv4 support only. IPv6 to MAC bindings are not captured.
- For Kerberos snooping, clients must have a direct Layer 2 connection to the switch; that is, the connection must not cross a Layer 3 boundary. If the connection does cross a Layer 3 boundary, the gateway's MAC address gets associated with the identity.
- Kerberos snooping does not work on fragmented IPv4 packets.
- Kerberos identities are not detected when both server and client ports are added to identity management.
- Kerberos does not have a logout mechanism, so mapped identities are valid for the time period defined by the Kerberos aging timer or the Force aging timer.
- ACLs applied by Kerberos snooping can conflict with other ACLs in the system.