Restrictions for Flexible NetFlow Export of Cisco TrustSec Fields
-
The security group tag (SGT) value that is exported in FNF records is zero in the following scenarios:
-
The corresponding packet is received with an SGT value of zero from a trusted interface.
-
The corresponding packet is received without an SGT.
-
The SGT is not found during the IP-SGT lookup. (The SGT is not found in the same packet because the packet is received without an SGT.)
-
When a flow record has SGT and Destination Group Tag (DGT) fields (or only either of the two), and if both these values are not applicable, a flow will still be created with zero values for SGT and DGT. The flow records are expected to include source and destination IP addresses, along with SGT and DGT fields.
-