Can I configure these so that a secondary enforcer takes over for the primary if there is a failure? Can I configure more than 2 for Fail over.
J>Only 2 for HA.
Is the number enforcers dictated by..
-- number of clients?
J>Yes,see article link below.
-- dhcp scopes?
J>No, applicable only to DHCP integrated.DHCP appliance was EOL announced in 12.1, so not supported in 12.1 moving forward.
-- latency between networks?
J>No in general,however Gateway is 1GBps NIC in-line. LAN can be centralized as well but should consider 'dot1x critical' on switches -a cisco command on cisco gear as an example.
-- number of mac addresses?
J>We now support 32MB enforcer profile, good for about 1 million MAC address , and you should be using wildcarding perhaps as well.
J> Please check this article: http://www.symantec.com/business/support/index?page=content&id=TECH92260&locale=en_US
I am looking for something that can help me decide on how many we need.
J>helps if you specifiy the enforcer type :).
I know the enforcer does snmp and there is a MIB for it that I can import.
-- What version of snmp does the appliance support?
J>version 2, just 5 SNMP traps.
Time synchronization will be very important with this device and the rest of the network. I know the device supports ntp.
J>yes and in UI for 12.1.
-- Does the appliance support encrypted ntp?
J>No.
Can I synch it to my redhat servers running ntp and md5 hashes? Just like I have my switches and routers.
-- Does it support a backup time server...a primary and a secondary?
J>No, but you could use a DNS alias.