In the current release, the identity management feature has the following limitations:
IPv4 support only. IPv6-to-MAC bindings are not captured.
For Kerberos snooping, clients must have a direct Layer 2 connection to the switch; that is, the connection must not cross a Layer 3 boundary. If the connection does cross a Layer 3 boundary, the gateway's MAC address gets associated with the identity.
Kerberos snooping does not work on fragmented IPv4 packets.
Kerberos identities are not detected when both server and client ports are added to identity management.
Kerberos does not have a logout mechanism, so mapped identities are valid for the time period defined by the Kerberos aging timer or the Force aging timer.
ACLs applied by Kerberos snooping can conflict with other ACLs in the system. The identity management feature registers itself in the user space SYSTEM zone; for details, see .
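
The Layer 3 boundary and aging-timer limitations above can be audited offline from an exported identity table. This is an added example, not code from the product or its documentation. The record layout, the sample data and the function names are assumptions, as is expressing the aging timer in seconds.

```python
from collections import defaultdict

# Constructed sample records: (identity, MAC, IPv4, time the Kerberos exchange
# was snooped, in seconds). This is NOT the switch's own output format.
SAMPLE = [
    ("alice@EXAMPLE.TEST", "00:11:22:33:44:55", "10.1.1.10", 1000),
    ("bob@EXAMPLE.TEST",   "02:00:5E:00:00:01", "10.2.0.21", 1100),
    ("carol@EXAMPLE.TEST", "02:00:5e:00:00:01", "10.2.0.22", 1200),
    ("dave@EXAMPLE.TEST",  "02:00:5e:00:00:01", "10.3.0.7",  1300),
    ("erin@EXAMPLE.TEST",  "00:11:22:33:44:66", "10.1.1.11", 100),
]


def shared_macs(bindings, min_identities=2):
    """Return MACs bound to several identities.

    These are candidates for a gateway MAC recorded because the clients sit
    behind a Layer 3 hop. A multi-user host can produce the same pattern, so
    treat each hit as something to check, not as proof.
    """
    by_mac = defaultdict(set)
    for identity, mac, _ip, _seen in bindings:
        by_mac[mac.lower()].add(identity)  # normalise case before grouping
    return {mac: sorted(ids) for mac, ids in by_mac.items()
            if len(ids) >= min_identities}


def still_valid(bindings, now, aging_seconds):
    """Return (identity, seconds_remaining) for bindings inside the aging window.

    Kerberos has no logout, so each binding stays mapped until
    snooped_at + aging_seconds whether or not the user is still present.
    """
    result = []
    for identity, _mac, _ip, seen in bindings:
        remaining = seen + aging_seconds - now
        if remaining > 0:
            result.append((identity, remaining))
    return result


if __name__ == "__main__":
    for mac, ids in shared_macs(SAMPLE).items():
        print(f"{mac}: {len(ids)} identities, possible gateway MAC: {ids}")
    for identity, remaining in still_valid(SAMPLE, now=1500, aging_seconds=600):
        print(f"{identity}: still mapped for {remaining}s")
```
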