Saturday, January 23, 2021

Cisco does not allow trunk or dynamic ports to be authenticated with 802.1X. Why? Physically protecting a trunk port on a distribution or edge network seems not to be cost-effective. Why not add another hurdle so Mallory can't simply start VLAN hopping if he gets to a trunk port?

I understand 802.1X can be compromised via a MitM with a transparent bridge under any scenario, but why does Cisco explicitly disallow enabling it (or not allow it to take effect if the port config changes to 802.1X)?

What's the downside of making it harder to gain access to the VLANs carried on the trunk?
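For contrast, here is what the two port roles typically look like on a Cisco IOS access switch. This is an added example, not configuration from the post; the interface numbers, VLAN IDs, RADIUS server name, address and key are all assumed. It does not answer the "why" question, but it shows the hurdles that are available on a trunk once 802.1X is off the table: static trunking with DTP disabled, a pruned allowed-VLAN list, and an unused native VLAN.

```cisco
! --- Weak: a trunk-facing port left at defaults ---
! Default mode on many older Catalyst platforms is dynamic, so DTP will
! form a trunk with whatever plugs in; all VLANs are carried and the
! native VLAN (1) is sent untagged.
interface GigabitEthernet1/0/24
 switchport mode dynamic desirable
 ! 802.1X is only honoured on access ports: on a trunk or dynamic port
 ! the switch reports an error and does not enable it.
 authentication port-control auto
 dot1x pae authenticator

! --- Hardened: 802.1X on access ports, static hardened trunk on the uplink ---
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
! assumed RADIUS server name, address and shared secret
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key EXAMPLE-SECRET

! Tag the native VLAN on all trunks, which blunts double-tagging attacks.
vlan dot1q tag native

! User-facing ports: access mode is what makes 802.1X take effect.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast

! Uplink: no 802.1X possible, so remove negotiation and prune instead.
interface GigabitEthernet1/0/24
 description uplink to distribution switch
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
```

On platforms that support ISL as well as 802.1Q (3560/3750 class), `switchport trunk encapsulation dot1q` must precede `switchport mode trunk`; on older IOS releases the access-port command is `dot1x port-control auto` rather than `authentication port-control auto`. VLAN 999 is assumed to be created but carry no hosts, so an untagged frame arriving on the trunk lands nowhere useful.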


