Martin
Thank you for your reply
I haven't looked at 3.8.1 yet - looks like I have some
reading / playing to do!
I wasn't going as far as fully meshed. The issues here
are that there aren't enough interfaces to allow for
the doubling up and the switches are on different
floors (running cables from the first floor Nokia
to the second floor switch is not going to be allowed
by the client - inter-floor traffic goes via the
expensive Cisco core switches).
I was intending to have a switch for each Nokia (they
are on different floors), using VLANs to separate the
different interfaces and networks. The VLANs would run
across the 2 switches.
 Floor 1                   Floor 2
    |
    |
---------                 ----------
| SW A  |-----------------| SW B   |
---------                 ----------
    |
    |
---------                 ----------
| FW A  |                 | FW B   |
---------                 ----------
    |
    |
---------                 ----------
| SW C  |-----------------| SW D   |
---------                 ----------
    |                         |
Switch ports A and C and B and D are VLANs on the 2
core switches.
The firewall sync and Cluster Sync networks are also VLANs
on the switches - sync goes from FW A to SW C to SW D
to FW B.
Thus if a switch or a firewall goes down, the other
core takes the full load - normally the pair are in an
IP cluster.
From the replies so far, I need to get the client's
Cisco bods to create a VLAN across the switch pair and
set the "multicast MAC to unicast IP" ARP and CAM
entries so that the packets to the cluster multicast
address are sent out of both switches.
I think? :-)
Richard
--- Martin Hoz <[EMAIL PROTECTED]> wrote:
> If I understood it correctly, and what you want is to use a "full
> meshed scenario" where each Nokia has connected the same network to 2
> switches at the same time for high resilience, another option you have
> with Nokia is to use 3.8.1 and use 802.3AD
> (A.K.A. Etherchannel or Link Aggregation)
>
> The beauty of it, is that you have 2 physical interfaces that look as
> 1 interface to both the firewall and the IPSO operating system. If the
> interface or the switch is gone for any reason, you still have both
> Nokia gateways working... beautiful...
>
> You've detailed documentation in IPSO 3.8.1 documentation. Also, you
> would need to establish the Etherchannel recognition. Cisco's web site
> has good information on it. I tested it with Catalyst 2900 switches
> running IOS 12 something, and Nokia IP380 hardware with IPSO 3.8.1 -
> like a charm...
>
> HTH.
> - Martín
>
>
> On Fri, 18 Feb 2005 08:34:33 +0100, Steinecke, Sven
> <[EMAIL PROTECTED]> wrote:
> > Hello Richard,
> > you can do it with port-based VLANs. We do it with our Checkpoints and they
> > work fine.
> >
> > Regards Sven
> >
> > -----Original Message-----
> > From: Richard Turner [mailto:[EMAIL PROTECTED]
> > Sent: Friday, 18 February 2005 00:17
> > To: [email protected]
> > Subject: [FW-1] NG AI/Nokia IP Cluster across 2 switches
> >
> > Hi,
> >
> > Has anyone configured an NG AI/Nokia IP Cluster over
> > 2 switches per virtual interface? I have set up many
> > clusters with the Nokias plugged in to one switch per
> > network but the customer wants to split the 2 Nokias
> > across 2 floors with Ciscos for maximum resilience. I
> > can't see why there should be an issue - the 2 Ciscos
> > have a gig link, but is there something special to
> > configure to get this to work?
> >
> > TIA
> >
> > Richard
> >
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>