Identity Management Feature Limitations

In the current release, the identity management feature has the following limitations:

• IPv4 support only. IPv6 to MAC bindings are not captured.
• For Kerberos snooping, clients must have a direct Layer 2 connection to the switch; that is, the connection must not cross a Layer 3 boundary. If the connection does cross a Layer 3 boundary, the gateway's MAC address gets associated with the identity.
• Kerberos snooping does not work on fragmented IPv4 packets.
• Kerberos identities are not detected when both server and client ports are added to identity management.
• Kerberos does not have a logout mechanism, so mapped identities are valid for the time period defined by the Kerberos aging timer or the Force aging timer.
• Kerberos snooping applied ACLs can conflict with other ACLs in the system.

IDM is not supported on LAG ports.