Identity Management Feature Limitations

In the current release, the identity management feature has the following limitations:

  • IPv4 support only. IPv6 to MAC bindings are not captured.

  • For Kerberos snooping, clients must have a direct Layer 2 connection to the switch; that is, the connection must not cross a Layer 3 boundary. If the connection does cross a Layer 3 boundary, the gateway's MAC address gets associated with the identity.

  • Kerberos snooping does not work on fragmented IPv4 packets.

  • Kerberos identities are not detected when both server and client ports are added to identity management.

  • Kerberos does not have a logout mechanism, so mapped identities are valid for the time period defined by the Kerberos aging timer or the Force aging timer.

  • ACLs applied by Kerberos snooping can conflict with other ACLs in the system. The identity management feature registers itself in the user space SYSTEM zone; for details, see .
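
One way to gauge exposure to the fragmentation limitation above is to classify IPv4 packets captured near the KDC as snoopable or fragmented. This is an added example, not vendor code. The KDC address, the sample packets and all function names are assumptions constructed for illustration; port 88 is the standard Kerberos port.

```python
import struct
from collections import Counter

KERBEROS_PORT = 88            # standard Kerberos port (TCP and UDP)
KDC_IPS = {"192.0.2.10"}      # assumption: address of your KDC (documentation range)

def classify(packet: bytes, kdc_ips: set) -> str:
    """Return 'snoopable', 'fragmented' or 'not-kerberos' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-kerberos"                 # not IPv4
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    if packet[9] not in (6, 17):              # TCP or UDP only
        return "not-kerberos"
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    if frag_offset:
        # Later fragments carry no L4 header, so fall back on the KDC address.
        return "fragmented" if {src, dst} & kdc_ips else "not-kerberos"
    if len(packet) < ihl + 4:
        return "not-kerberos"                 # truncated, ports unreadable
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if KERBEROS_PORT not in (sport, dport):
        return "not-kerberos"
    return "fragmented" if more_fragments else "snoopable"

def build(src, dst, proto, sport, dport, mf=False, offset=0):
    """Build a minimal constructed IPv4 packet (checksum left at zero)."""
    l4 = b"\0" * 8 if offset else struct.pack("!HH", sport, dport) + b"\0" * 4
    flags_frag = (0x2000 if mf else 0) | offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, flags_frag, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + l4

def audit(packets, kdc_ips):
    """Count packets per class; a non-zero 'fragmented' count means missed identities."""
    return Counter(classify(p, kdc_ips) for p in packets)

SAMPLES = [  # constructed packets, not captured traffic
    build("192.0.2.50", "192.0.2.10", 17, 40000, 88),              # whole request
    build("192.0.2.51", "192.0.2.10", 17, 40001, 88, mf=True),     # first fragment
    build("192.0.2.51", "192.0.2.10", 17, 0, 0, offset=185),       # later fragment
    build("192.0.2.50", "192.0.2.20", 17, 40002, 53),              # DNS, ignored
    build("192.0.2.50", "192.0.2.20", 17, 0, 0, offset=185),       # fragment, not KDC
]

if __name__ == "__main__":
    print(dict(audit(SAMPLES, KDC_IPS)))
```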