Restrictions for Cisco TrustSec SGT Caching
The global Security Group Tag (SGT) caching configuration and the interface-specific ingress configuration are mutually exclusive. In the following scenarios, a warning message is displayed if you attempt to configure SGT caching both globally and on an interface:
If an interface has ingress SGT caching enabled using the cts role-based sgt-cache ingress command in interface configuration mode, and a global configuration is attempted using the cts role-based sgt-caching command, a warning message is displayed as shown in this example:
Device> enable
Device# configure terminal
Device(config)# interface gigabitEthernet 1/0/1
Device(config-if)# cts role-based sgt-cache ingress
Device(config-if)# exit
Device(config)# cts role-based sgt-caching
There is at least one interface that has ingress sgt caching configured. Please remove all interface ingress sgt caching configuration(s) before attempting global enable.
This restriction applies only to Layer 3 routed ports. The port must also be a trusted port for SGT caching to work.
Because SGT caching internally uses the NetFlow TCAM (ternary content-addressable memory) space, at any given time an interface can have either Flexible NetFlow or SGT caching enabled in a given direction, not both.
If global configuration is enabled using the cts role-based sgt-caching command, and an interface configuration is attempted using the cts role-based sgt-cache ingress command in interface configuration mode, a warning message is displayed as shown in this example:
Device> enable
Device# configure terminal
Device(config)# cts role-based sgt-caching
Device(config)# interface gigabitEthernet 1/0/1
Device(config-if)# cts role-based sgt-cache ingress
Note that ingress sgt caching is already active on this interface due to global sgt-caching enable.
IPv6 SGT caching is not supported.
SGT caching is not performed for the link-local IPv6 source address.
A link-local address is a network address that is valid only for communication within the network segment (link) or broadcast domain to which the host is connected. Link-local addresses are not guaranteed to be unique beyond a single network segment, so routers do not forward packets with link-local addresses. Because they are not unique, SGT tags are not assigned to packets whose source is a link-local IPv6 address.
SGT caching cannot coexist on the same port with Application Visibility and Control (AVC), WDAVC, Encrypted Traffic Analysis (ETTA), or NetFlow. An error message is displayed on the console if SGT caching and one of these features are configured on the same interface.
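The restrictions above are easy to violate when configuration is pushed from templates rather than typed at the console, where the warnings would be seen. The following is an added example, not Cisco's code or output: a small audit that parses a running-config excerpt and flags the two conflicts this section describes, interface-level ingress caching together with the global cts role-based sgt-caching command, and SGT caching sharing an interface with NetFlow or ETA. The sample configuration is constructed for the example, and the interface-level command patterns for Flexible NetFlow (ip flow monitor) and ETA (et-analytics enable) are assumptions about the image in use; AVC/WDAVC syntax is not covered and would need to be added to the pattern list.

```python
"""Audit an IOS-XE running-config excerpt for the SGT caching restrictions:
global sgt-caching vs. per-interface ingress sgt-cache are mutually exclusive,
and SGT caching cannot share an interface with NetFlow/AVC/ETA.
Added example; the sample config below is constructed, not captured."""
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
cts role-based sgt-caching
!
interface GigabitEthernet1/0/1
 cts role-based sgt-cache ingress
!
interface GigabitEthernet1/0/2
 cts role-based sgt-cache ingress
 ip flow monitor FNF-MON input
!
interface GigabitEthernet1/0/3
 cts role-based sgt-cache egress
!
"""

# Interface-level features the page says cannot coexist with SGT caching.
# The command strings are assumptions about interface syntax on the image;
# AVC/WDAVC patterns would be appended here for a given platform.
CONFLICTING_FEATURE_PATTERNS = [
    (re.compile(r"^ip(?:v6)? flow monitor \S+ (?:input|output)$"), "NetFlow"),
    (re.compile(r"^et-analytics enable$"), "ETA"),
]


def parse_config(text):
    """Return (global_sgt_caching_enabled, {interface_name: [sub-commands]})."""
    global_enabled = False
    interfaces = {}
    current = None
    for line in text.splitlines():
        if line.startswith("!") or not line.strip():
            continue  # comment/separator lines carry no configuration
        if not line.startswith(" "):
            # Top-level command: ends any interface section we were in.
            current = None
            m = re.match(r"^interface (\S+)$", line)
            if m:
                current = m.group(1)
                interfaces[current] = []
            elif line.strip() == "cts role-based sgt-caching":
                global_enabled = True
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_enabled, interfaces


def audit(text):
    """Return a list of (interface, finding) tuples; empty means no conflicts."""
    global_enabled, interfaces = parse_config(text)
    findings = []
    for ifname, cmds in interfaces.items():
        has_cache = any(c.startswith("cts role-based sgt-cache") for c in cmds)
        has_ingress = "cts role-based sgt-cache ingress" in cmds
        # Restriction 1: interface ingress caching and global caching are exclusive.
        if global_enabled and has_ingress:
            findings.append((ifname, "interface ingress sgt-cache conflicts with "
                                     "global cts role-based sgt-caching"))
        # Restriction 2: SGT caching cannot share the port with NetFlow/ETA.
        if has_cache:
            for pattern, feature in CONFLICTING_FEATURE_PATTERNS:
                if any(pattern.match(c) for c in cmds):
                    findings.append((ifname, f"SGT caching cannot coexist with "
                                             f"{feature} on the same interface"))
    return findings


if __name__ == "__main__":
    for ifname, msg in audit(SAMPLE_CONFIG):
        print(f"{ifname}: {msg}")
```

Run against the constructed sample, the audit reports GigabitEthernet1/0/1 and 1/0/2 for the global/interface conflict and 1/0/2 again for the NetFlow overlap, while 1/0/3 (egress caching only, no flow monitor) is clean. Feed it the output of show running-config to check a device before pushing a global sgt-caching change.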