Advice needed on small switching project

Discussion in 'Internet, Connectivity and Communications' started by millsie, Jan 3, 2014.

  1. millsie

    Hi all,

    I have the privilege in my new role of taking on a small networking project to separate a department of users away from one connectivity solution and onto another.
    Basically it will be a private VPN from one site to another over their private network; the VPN will be written on the Checkpoint firewall and I will have help with this.

    I have been tasked with patching the fibre connections in 2 cabs and one comms room in the same building, testing this to make sure it functions OK, and then installing a Cisco switch, either a 3550 or a 2960.

    Once I have installed the SFP and connected the fibre I will have to migrate around 50 users from this department onto the Cisco so that they can then get out onto the network. The part I'm not sure on, as this is my first project doing this, is what config solution on the Cisco I need to route the traffic from the users down through the 2 cabs and into the comms/server room to hit the Checkpoint firewall. Presumably the firewall will do the rest and put the traffic out onto the VPN.

    Is it as simple as a static route with the address range of the users and a destination of the firewall, or will I need to put on access lists or policy routing? It seems like a simple plan, but I have been asked to come up with a solution and don't want to overthink it if I need something as simple as a static route.

    Any basic advice would be great; I don't want anyone to help me with the config, just a basic idea of what types of solution I could use.

    Cheers in advance guys,

    Millsie
     
    Certifications: N+, CCNA, MCDST
    WIP: CCNP route 642-902
  2. FlashDangerpants

    Aren't you going to be given an interface on the Checkpoint that's inside your client IP range?
     
    Certifications: MCITP Exchange 2010, MCSA Svr 2012
    WIP: Exchange 2013
  3. millsie

    Yes, I'll be given the IP address to point the traffic to on the Checkpoint. I presume simple VLAN assignment, so that once the hosts are given IP addresses traffic can pass onto the switch, and just make the Checkpoint the default gateway?

    The traffic will pass down through the fibre patching to the 1st floor where the Checkpoint is located. My only other thought is: what about resilience? Would I need to stack 2 switches so one can be used as a backup, and configure spanning tree to block one of the ports?

    Cheers
     
    Certifications: N+, CCNA, MCDST
    WIP: CCNP route 642-902
  4. FlashDangerpants

    Sounds about right. Unless you need to also route to another internal network without going through the firewall, you should be running a pure layer 2 setup AFAICS.

    You will probably want to use EtherChannel for your redundant inter-switch links.
     
    Certifications: MCITP Exchange 2010, MCSA Svr 2012
    WIP: Exchange 2013
  5. millsie

    Cheers for that.

    I've just had a thought: how would I be able to provide a redundant link with just 2 switches connected to the fibre circuit? Not possible, presumably, if all hosts are connected to one switch?!
     
    Certifications: N+, CCNA, MCDST
    WIP: CCNP route 642-902
  6. BraderzTheDog

    Hi Millsie,

    It sounds like a pretty nice project, this one; here is what I would do.

    If you are going with a 2960 it only supports an IP Base IOS image, so it's a simple layer 2 switch. Be careful if you go with the 3550 as I believe they are EOL (I might be wrong), and when something goes wrong you won't be able to get a replacement from Cisco.

    As long as you have the fibre port set to trunk on your new switch and allocate the client machines a new VLAN you should be OK. You will need to create a new sub-interface on the fibre trunk that terminates on the Checkpoint firewall and you should be good. This method will mean it's all layer 2 to the firewall and layer 3 from the firewall onwards. If you went with the 3550 you can use an IP Services image and do your inter-VLAN routing / routing protocols etc. on the switch.

    On redundancy, it's dependent upon your topology. I thought you were only deploying 1 switch? However, be careful with Checkpoint if you are using clustered firewalls: if they are Nokia or Gaia, check that the VRRP configuration includes failover for your new VLAN. You will need to add it to the monitoring config, otherwise when a failover occurs it won't flip this interface. If you are using SecurePlatform (SPLAT) I think the topology table is automatically updated when you create the sub-interface.

    A few things that have caught me out before are spanning tree and VTP. I would hate for you to plug a switch in and have VTP bring your network down.
     
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
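
An added example, not posted by anyone in this thread: a baseline IOS configuration for the layer 2 design described above (one access VLAN for the department, an 802.1Q trunk on the fibre uplink towards the Checkpoint sub-interface, and VTP and spanning tree pinned down so a new switch cannot disturb the rest of the network), with the EtherChannel variant for redundant uplinks as an optional section. The hostname, VLAN IDs, interface names and IP addresses are placeholders chosen for illustration; the Checkpoint side (the sub-interface itself and the cluster monitoring config) is not shown.

```cisco
! Added example (not from the thread). Placeholders: VLAN 120, 10.20.120.0/24,
! Checkpoint sub-interface 10.20.120.1, uplink Gi0/1, user ports Fa0/1-48.
hostname DEPT-SW01
!
! VTP: transparent mode so this switch neither learns nor pushes VLAN databases
! (the VTP caution above). A higher revision number arriving from a new switch in
! server/client mode is what wipes VLANs site-wide.
vtp mode transparent
!
vlan 120
 name DEPT-USERS
vlan 999
 name NATIVE-UNUSED
!
! Management address for the switch itself. The Checkpoint sub-interface for
! VLAN 120 (assumed 10.20.120.1) is the default gateway for hosts and switch alike.
interface Vlan120
 ip address 10.20.120.2 255.255.255.0
 no shutdown
!
ip default-gateway 10.20.120.1
!
! Spanning tree: rapid PVST; BPDU guard on edge ports so a switch plugged into a
! user port is err-disabled instead of re-converging the tree.
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
! User-facing ports: static access VLAN, DTP off so a host cannot negotiate a trunk.
interface range FastEthernet0/1 - 48
 description DEPT user port
 switchport mode access
 switchport access vlan 120
 switchport nonegotiate
 spanning-tree portfast
 ! if voice is added later: switchport voice vlan <voice-vlan-id>
!
! Fibre uplink (SFP) to the comms room: 802.1Q trunk carrying only the department
! VLAN, with an unused native VLAN so untagged frames cannot land in VLAN 120.
! On a 3550 also add "switchport trunk encapsulation dot1q"; the 2960 only does dot1q.
interface GigabitEthernet0/1
 description Fibre uplink to comms room / Checkpoint VLAN 120 sub-interface
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 120
 switchport nonegotiate
 no shutdown
!
! Optional, in place of the single Gi0/1 block above: if a second fibre pair is
! patched to the same upstream switch, bundle both uplinks with LACP (the
! EtherChannel suggestion above) rather than letting spanning tree block one.
! interface range GigabitEthernet0/1 - 2
!  channel-group 1 mode active
!  no shutdown
! interface Port-channel1
!  switchport mode trunk
!  switchport trunk native vlan 999
!  switchport trunk allowed vlan 120
!  switchport nonegotiate
!
! Verification after patching, before moving users:
!   show vtp status                 -> Operating Mode: Transparent
!   show vlan brief                 -> VLAN 120 active on Fa0/1-48
!   show interfaces trunk           -> Gi0/1 trunking, allowed 120, native 999
!   show spanning-tree vlan 120     -> Gi0/1 root port, forwarding
!   show etherchannel summary       -> Po1 (SU) if the LACP variant is used
!   ping 10.20.120.1                -> reaches the Checkpoint sub-interface
end
```

Two points worth checking on the Checkpoint side before cutover: that the trunk's native VLAN matches on both ends (a mismatch shows up as a CDP/STP warning and leaks untagged traffic), and, if the firewalls are clustered, that VLAN 120 is included in the cluster's monitored interfaces as described above, otherwise the gateway address will not move on failover.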
  7. millsie

    Cheers Braderz

    What switch I use depends on the depth of the cab. However, if they decide voice is included then I will have to use the layer 3 switch anyway, in which case I will need to use sub-interfaces as you suggest.
    I am going to the site on Wednesday to have a look and test the fibre through. Then my boss wants me to submit a solution. I am a bit nervous about it as this is my first networking project for this company!!

    What I'll do is just submit a solution for both layer 2 and 3 and see what he thinks.

    It turns out that they are not bothered about redundancy, which makes my life easier I suppose, so I can just do 1 simple 2960 with the firewall as the gateway or, if voice is to be included, 2 separate VLANs and a sub-interface.

    Do you think I need to sub-interface anyway for the firewall? I'm not really up on Checkpoint!

    Cheers for your advice.

    Millsie
     
    Certifications: N+, CCNA, MCDST
    WIP: CCNP route 642-902
  8. BraderzTheDog

    Hi Millsie,

    I think you are almost there; yes, you will need a sub-interface on the firewall (if you currently have the interface trunking other VLANs on that port).

    Have you got a rough Visio diagram of what you are planning to do? Pass it by me and I'll see if there's any advice I can offer :)

    Cheers!
     
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
