Switches and HA using Check Point Express and Nokia IP 260s

[adrianwi]

Switches and HA using Check Point Express and Nokia IP 260s

Hello. I am new to the Nokia (IP 260) and Check Point Express platforms. I am configuring a network for HA (active/passive) using Check Point Express and two Nokia IP 260s. Check Point has recommended a that a dedicated switch or hub be placed between the Nokia appliances for synchronization purposes (instead of a crossover cable). This sounds easy enough.

What type of a switch (managed, unmanaged, etc.) should be placed in front of the two Nokia IP 260s. Specific hardware recommendations would be welcome if they are known issues with some switches. Otherwise, I have considered at basic Dell PowerConnect switches (such as the PowerConnect 2708 or PowerConnect 2216). The only other piece of this is that these switches will be on the edge (the first device interfacing with an Internet Connection provided at a data center).

Any thoughts concerning this would be appreciated. Thank you,
-Adrian

[Lackie]

You can use any type of switch, either managed or unmanaged. I'm using cheap old netgear hubs/switches in my lab here as that is all that I need to test. Most impementations that I hear of use Cisco switches but I think that's because they are the most popular. There have been a few issues with using any switches (moreso Cisco but I'm not sure if that's because they seem to be used more) but nothing that can't be worked around on either the switch or Nokia side.

If using switches (rather than hubs) the most common problems are with MAC address caching, there were problems with Spanning tree/portfast but haven't seen those problems in a while.

If you have access to the Nokia support site if you do a search for 'VRRP switches' you should find a bit of information.

If you need more information, let us know.

[adrianwi]

Quote:

Originally Posted by Lackie

There have been a few issues with using any switches (moreso Cisco but I'm not sure if that's because they seem to be used more) but nothing that can't be worked around on either the switch or Nokia side.

Thank you for the prompt reply and this note suggesting that almost anything will work.

Quote:

Originally Posted by Lackie

If using switches (rather than hubs) the most common problems are with MAC address caching, there were problems with Spanning tree/portfast but haven't seen those problems in a while.

I recall hearing something like this (concerning issues with the MAC address caching which can interfere with VRRP?). I provided a couple specific Dell PowerConnect model switches (which seem to be like re-branded or limited functioning Cisco switches) which should work here. The thought of using basic switches (or even hubs) is appealing. In the event one of them fails it would require little effort and time to configure a replacement.

Quote:

Originally Posted by Lackie

If you have access to the Nokia support site if you do a search for 'VRRP switches' you should find a bit of information.

Unfortunately, I do not yet have access to the Nokia support site. Are there other resources that I might review?

Attached (hopefully) to this post is a PNG image with the basic network topology to be used in this configuration. One of my concerns is whether device B needs an IP address (as I am still learning how VRRP works in terms of virtual IP addresses) and how to best secure this device as it is directly connected to an open Internet connection. I do not want any management access exposed.

Additionally, I would expect that devices connected to object G could be configured with external/public IP addresses (rather than using private IP addresses which may be used as part of the VRRP configuration).

Thank you again for the help,
-Adrian


In case the PNG attachment is not accessible here is less well formatted version of the image:
[data center/Inet-A]
|
|
[switch or hub)-B]
| |
| |
| |
[IP 260-C]---[hub-D]---[IP 260-E]
| |
| |
| |
[switch or hub-G]
|
|
[..."protected" hosts...]