Configuration Guide User guide

ManualsBrandsBrocade ManualsComputer AccessoriesFastIron

381

382

383

384

385

386

387

388

389

390

332 FastIron Configuration Guide

53-1002494-02

Hitless stacking

Security • 802.1X, including use with VLANs

• EAP with RADIUS

• IPv4 ACLs

• DHCP snooping

• Dynamic ARP inspection

• IP source guard

• Multi-device port authentication (MDPA),

including use with dynamic VLANs

• MAC port security

Supported security protocols and services are not

impacted during a switchover or failover, with the

following exceptions:

• 802.1X is impacted if re-authentication does not

occur in a specific time window.

• MDPA is impacted if re-authentication does not

occur in a variable-length time window.

• In some cases, a few IP source guard packets may

be permitted or dropped.

• If 802.1X and MDPA are enabled together on the

same port, both will be impacted during a

switchover or failover. Hitless support for these

features applies to ports with 802.1X only or

multi-device port authentication only.

• For MAC port security, secure MACs are

synchronized between the Active and Standby

Controllers, so they are hitless. However, denied

MACs are lost during a switchover or failover but

may be relearned if traffic is present.

Configured ACLs will operate in a hitless manner,

meaning the system will continue to permit and deny

traffic during the switchover or failover process.

However, dynamic ACLs are not supported for hitless

switchover and failover.

After a switchover or failover, the new Active Controller

will re-authenticate 802.1X or MDPA sessions that

were being forwarded in hardware. The hardware

continues to forward them (even with dynamic VLAN)

while re-authentication occurs. After trying to

re-authenticate for a certain amount of time

(depending on the number of sessions to re-authorize),

sessions that did not re-authenticate are removed.

Other services to

Management

• AAA

• DHCP

• sFlow

• SNMP v1, v2, and v3

• SNMP traps

• SNTP

• Traceroute

Supported protocols and services are not impacted

during a switchover or failover.

DNS lookups will continue after a switchover or failover.

This information is not synchronized.

Ping traffic will be minimally impacted.

NOTE: If the FCX stack is rebooted, sFlow is disabled

on standby and member units until the

configuration is synchronized between the

Active and Standby Controllers.

TABLE 56 Hitless-supported services and protocols

Traffic type Supported protocols and services Impact