Restrictions for SGT Inline Tagging
- Cisco TrustSec manual configurations and 802.1x configurations can coexist only if Security Association Protocol is not configured.
- The following restrictions apply on the Cisco Catalyst 9600 Series Supervisor 2 Module with SGT Inline Tagging:
- System-generated packets for the egress interface are not sent with a Cisco TrustSec tag on the Cisco TrustSec-enabled interface.
- VLAN-based SGT assignment and VLAN-based enforcement are not supported.
- Q-in-Q VLAN tagging is not supported with the Cisco TrustSec header.
- In a multisite VXLAN fabric, handoff is not supported.
- SGT features such as Flexible NetFlow, Policy-based Routing (PBR), and Quality of Service (QoS) are not supported.
- Broadcast, unknown unicast, and multicast (BUM) traffic will not be tagged with an SGT or Cisco TrustSec header.
- With Dynamic Host Configuration Protocol (DHCP) Snooping enabled, DHCP packets that ingress on Cisco TrustSec-enabled ports will be discarded.
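The following is an added example, not part of the original page and not Cisco code: a small Python audit that scans an IOS XE style running configuration for three of the restrictions above (Security Association Protocol alongside 802.1x, Q-in-Q on a Cisco TrustSec port, and DHCP Snooping with Cisco TrustSec-enabled ports). The sample configuration is constructed, and two things are assumptions: that the restrictions can be checked per interface, and that the `cts manual`, `sap`, `dot1x`, `authentication port-control`, `access-session port-control`, `switchport mode dot1q-tunnel` and global `ip dhcp snooping` lines are the indicators to look for.

```python
import re

# Constructed sample in IOS XE running-config style (not taken from the page).
SAMPLE_CONFIG = """\
ip dhcp snooping
interface TenGigabitEthernet1/0/1
 cts manual
  sap pmk 0000ABCD mode-list gcm-encrypt
 dot1x pae authenticator
!
interface TenGigabitEthernet1/0/2
 switchport mode dot1q-tunnel
 cts manual
  policy static sgt 20 trusted
!
interface TenGigabitEthernet1/0/3
 dot1x pae authenticator
"""

# Assumption: these interface commands indicate 802.1x is configured on a port.
DOT1X = re.compile(r"^(dot1x |authentication port-control|access-session port-control)")

def parse(config):
    """Return (global_lines, {interface_name: [stripped sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())   # indented line belongs to the interface
        else:
            current = None                # back at global configuration level
            global_lines.append(raw.strip())
    return global_lines, interfaces

def audit(config):
    """Return sorted (interface, finding) pairs for Cisco TrustSec manual ports."""
    global_lines, interfaces = parse(config)
    snooping = "ip dhcp snooping" in global_lines   # exact match skips "no ip dhcp snooping"
    findings = []
    for name, cmds in interfaces.items():
        if "cts manual" not in cmds:
            continue                      # restrictions only matter on TrustSec ports
        if any(c.startswith("sap ") for c in cmds) and any(DOT1X.match(c) for c in cmds):
            findings.append((name, "SAP configured alongside 802.1x"))
        if "switchport mode dot1q-tunnel" in cmds:
            findings.append((name, "Q-in-Q with Cisco TrustSec header"))
        if snooping:
            findings.append((name, "DHCP snooping will discard ingress DHCP"))
    return sorted(findings)
```

Calling `audit()` on the text of a saved running configuration returns the sorted (interface, finding) pairs; an empty list means none of the three checked conditions were found.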