Restrictions for Cisco TrustSec SGT Caching
The global SGT caching configuration and the interface-specific ingress configuration are mutually exclusive. In the following scenarios, a warning message is displayed if you attempt to configure SGT caching both globally and on an interface:
If an interface has ingress SGT caching enabled using the cts role-based sgt-cache ingress command in interface configuration mode, and global configuration is then attempted using the cts role-based sgt-caching command, a warning message is displayed, as shown in this example:
Device> enable
Device# configure terminal
Device(config)# interface gigabitEthernet 1/0/1
Device(config-if)# cts role-based sgt-cache ingress
Device(config-if)# exit
Device(config)# cts role-based sgt-caching
There is at least one interface that has ingress sgt caching configured. Please remove all interface ingress sgt caching configuration(s) before attempting global enable.
If global configuration is enabled using the cts role-based sgt-caching command, and an interface configuration is then attempted using the cts role-based sgt-cache ingress command in interface configuration mode, a warning message is displayed, as shown in this example:
Device> enable
Device# configure terminal
Device(config)# cts role-based sgt-caching
Device(config)# interface gigabitEthernet 1/0/1
Device(config-if)# cts role-based sgt-cache ingress
Note that ingress sgt caching is already active on this interface due to global sgt-caching enable.
This mutual-exclusivity restriction applies only to Layer 3 routed port interfaces. In addition, the port must be a trusted port for SGT caching to work.
Because SGT caching internally uses the NetFlow ternary content-addressable memory (TCAM) space, only one of Flexible NetFlow or SGT caching can be enabled in a given direction on an interface at any time.
IPv6 SGT caching is not supported.
SGT caching cannot be performed for the link-local IPv6 source address.
A link-local address is a network address that is valid only for communication within the network segment (link) or broadcast domain to which the host is connected. Link-local addresses are not guaranteed to be unique beyond a single link, so routers do not forward packets that use them beyond that link. Because these addresses are not unique, no SGT is assigned to packets whose source is a link-local IPv6 address.
SGT caching cannot coexist on the same port interface with Application Visibility and Control (AVC), Wired Device AVC (WDAVC), Encrypted Traffic Analytics (ETTA), or NetFlow/Flexible NetFlow. An error message is displayed on the console if SGT caching and one of these features are configured on the same interface.
When SGT caching is enabled along with any of the features listed above, the following error message is displayed on the console: SGT Caching cannot be configured. Remove the configuration. Note that the SGT caching configuration still appears in the output of the show running-config command even though it is not in effect. You must manually remove the SGT caching configuration, remove the feature that cannot coexist with it, and then reconfigure SGT caching.
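Because the device accepts, and keeps in the running configuration, SGT caching commands that conflict with the global setting or with NetFlow, AVC, or ETTA on the same interface, it is useful to lint a configuration before pushing it. The following script is an added example and is not Cisco code or part of this document: it parses a constructed IOS XE running-config fragment and reports the two kinds of conflict described on this page. The interface command patterns used to recognize Flexible NetFlow (ip flow monitor), AVC (ip nbar protocol-discovery), and ETTA (et-analytics enable) are assumptions about how those features appear in a running-config, and the check treats global sgt-caching as applying to every interface, which is a conservative reading of the restriction; adjust both for your platform.

```python
"""Lint a Cisco IOS XE running-config for the SGT caching restrictions.

Added example, not Cisco's code. The sample configuration is constructed,
and the feature command patterns below are assumptions about how the
conflicting features show up in a running-config.
"""
import re

# Interface-level commands assumed to indicate features that cannot coexist
# with SGT caching on the same interface (assumption; adjust per platform).
CONFLICTING = {
    "Flexible NetFlow": re.compile(r"^ip flow monitor \S+ (input|output)$"),
    "AVC": re.compile(r"^ip nbar protocol-discovery\b"),
    "ETTA": re.compile(r"^et-analytics enable$"),
}

# Constructed running-config fragment exercising both restrictions.
SAMPLE_CONFIG = """\
!
cts role-based sgt-caching
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.1.1.1 255.255.255.0
 cts role-based sgt-cache ingress
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 10.1.2.1 255.255.255.0
 ip flow monitor FNF-MON input
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 ip nbar protocol-discovery
!
"""


def parse_interfaces(config):
    """Return {interface_name: [indented sub-commands]} from config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level line: either starts a new interface block or ends one.
            current = None
            match = re.match(r"^interface (\S+)", line)
            if match:
                current = match.group(1)
                interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def global_sgt_caching_enabled(config):
    """True if 'cts role-based sgt-caching' appears at global level."""
    return any(re.match(r"^cts role-based sgt-caching\b", line)
               for line in config.splitlines())


def check_sgt_caching(config):
    """Return a list of (interface, problem) findings for the config."""
    findings = []
    global_on = global_sgt_caching_enabled(config)
    for name, cmds in parse_interfaces(config).items():
        if_cache = any(c.startswith("cts role-based sgt-cache ") for c in cmds)
        # Restriction 1: global and interface-level SGT caching are exclusive.
        if if_cache and global_on:
            findings.append((name, "interface sgt-cache configured while "
                                   "global sgt-caching is enabled"))
        # Assumption: global caching makes every interface an SGT caching port.
        if not (if_cache or global_on):
            continue
        # Restriction 2: SGT caching cannot coexist with these features.
        for feature, pattern in CONFLICTING.items():
            if any(pattern.match(c) for c in cmds):
                findings.append((name, f"SGT caching cannot coexist with {feature}"))
    return findings


if __name__ == "__main__":
    for interface, problem in check_sgt_caching(SAMPLE_CONFIG):
        print(f"{interface}: {problem}")
```

Running the script against the constructed sample reports GigabitEthernet1/0/1 for the global/interface conflict and GigabitEthernet1/0/2 and 1/0/3 for the NetFlow and AVC conflicts; a configuration with no findings is one you can push without expecting the "SGT Caching cannot be configured" error.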