08-23-2011 05:34 AM
I have an FCX stack running the R07202d image and I need to enable some sort of DAI mechanism to satisfy a PCI requirement. As I read through the documentation, I see the following line, which concerns me:
Well..... Probably 90%+ of my host connections are technically "trunks" using either static trunk groups or 802.3ad link aggregation. Do I need to be concerned? Has anyone run into any issues with DAI and trunks?
Thanks in advance,
08-24-2011 02:52 AM
I do not know the answer, but would suggest you log a TAC ticket to find out the reason why they do not and if it applies to your setup.
Or even better would be someone from Brocade to answer this question here so we can all learn.
08-24-2011 06:22 AM
Well, the short answer from Brocade is that because there are multiple MAC addresses shared across the trunk ports, it could have the potential for some high CPU. It sounds like it can technically be done, but in an 'at your own risk' and/or 'unsupported' type implementation.
So, I can't do Port Security with trunks or link aggregation....
I can't do DAI with trunks or link aggregation for risk of pegging the CPU.....maybe.....
What options do I have in order to prevent ARP poisoning?
08-24-2011 06:36 AM
Well DAI is the way to protect against ARP poisoning.
I suggest you baseline your setup (if you have INM or Network Advisor you can config it to get the CPU stats), then enable DAI and see if the CPU does ever hit really high.
On very large networks I can see that this could be a problem, but if you are small to medium in size then you may be ok. How many MAC addresses are in your tables? If you can lab it, even better; if not then you may have to suck it and see.
08-25-2011 06:43 AM
lab..... that's a good one... been begging for one ever since I started here.
I have a total of 200 entries in my current ARP table. I've been collecting CPU data for months now, so I should be able to see what this does Friday night. I think I'll be OK, as my setup is fairly small.
So here's another question for you. I have a handful of devices that are in an HA configuration. As such, a single IP can share more than one MAC address. Can I enter more than one inspection ARP entry for a single IP address, or would the best option be to just make those trusted ports?
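The HA question above (one IP legitimately answering from more than one MAC) and the earlier question about what actually stops ARP poisoning both come down to the same mechanism: DAI compares each ARP entry against a binding table of allowed IP-to-MAC pairs and skips ports marked trusted. The script below is an added illustration of that check written as plain Python, not code from Brocade or from this thread; the ARP listing it parses is constructed to resemble an IP / MAC / type / age / port table and is not real FCX output, and the `BINDINGS` table, the interface names and the functions are all hypothetical. It allows several MACs per IP, which is how an HA pair would be expressed in software terms; whether the FCX CLI accepts more than one inspection entry for the same IP is not settled on this page.

```python
import re
from collections import defaultdict

# Constructed sample listing (IP, MAC, type, age, port). Not captured from a
# real FCX; the 10.0.1.20 entries stand in for an HA pair sharing one address.
SAMPLE_ARP_TABLE = """\
10.0.1.10   0000.1111.aaaa  Dynamic  3   e 1/1/5
10.0.1.20   0000.2222.bbbb  Dynamic  5   e 1/1/7
10.0.1.20   0000.2222.cccc  Dynamic  1   e 1/1/8
10.0.1.30   0000.3333.dddd  Dynamic  9   e 1/1/9
"""

# Hypothetical binding table: each IP maps to the set of MACs allowed to claim
# it. Listing two MACs under one IP models the HA case from the thread.
BINDINGS = {
    "10.0.1.10": {"0000.1111.aaaa"},
    "10.0.1.20": {"0000.2222.bbbb", "0000.2222.cccc"},  # HA pair, one shared IP
    "10.0.1.30": {"0000.3333.eeee"},                    # note: table MAC differs
}

# Matches the constructed listing format only (dotted-quad MAC, then type, age, port).
ARP_LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"\S+\s+\d+\s+(.+)$"
)


def parse_arp_table(text):
    """Turn the constructed listing into (ip, mac, port) tuples; skips unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).strip()))
    return entries


def inspect(entries, bindings, trusted_ports=frozenset()):
    """DAI-style check: return entries whose IP/MAC pair is not in the binding table.

    Entries learned on a trusted port are not inspected, mirroring DAI's
    trusted-port behaviour. An IP absent from the table has no allowed MACs,
    so any entry for it is reported.
    """
    violations = []
    for ip, mac, port in entries:
        if port in trusted_ports:
            continue
        if mac not in bindings.get(ip, set()):
            violations.append((ip, mac, port))
    return violations


def ips_with_multiple_macs(entries):
    """Group the table by IP and return those answered by more than one MAC.

    On its own this is not proof of poisoning (an HA pair looks the same), so
    it is a review list to reconcile against the binding table, not an alarm.
    """
    seen = defaultdict(set)
    for ip, mac, _ in entries:
        seen[ip].add(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for ip, mac, port in inspect(table, BINDINGS):
        print(f"binding violation: {ip} claimed by {mac} on {port}")
    for ip, macs in ips_with_multiple_macs(table).items():
        print(f"review: {ip} seen from {len(macs)} MACs: {sorted(macs)}")
```

Run as-is it reports the 10.0.1.30 entry (its MAC is not the bound one) and lists 10.0.1.20 for review, which the binding table then explains as the HA pair. Marking `e 1/1/9` trusted suppresses the violation the same way a trusted DAI port would, which is the trade-off behind the "just make those trusted ports" option: it removes the false positive and the check at the same time.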
08-26-2011 09:55 AM
Change of plans. I was able to figure out how to avoid making the change in order to satisfy the compliance issue. YAY!! No DAI needed!!!
Nonetheless, thank you for your feedback and suggestions.