3500 switch in front of PIX firewall to make parallel with another Juniper firewall setup

Posted on 2009-02-07
Last Modified: 2012-05-06
HI experts,
Jr. Level engineer here.

In this scenario, I want to setup a new firewall to be parallel with an existing firewall. I will use the new firewall to configure a vpn to another remote site. Currently the setup is like this:

T1 connection -> 3700 router (belongs to ISP) -> PIX -> 3560 switch

I'm going to stick a Cisco 3500 switch behind the ISPs 3700 router. That way I can plug the PIX and Juniper into the 3500 switch and make them parallel with each other.

With the 3500 switch, all I plan to do is a "wr erase" + " reload" and that's it. Maybe I'll set a password. Do you see any problem with this? Should I create a VLAN? If I create a VLAN do I have to use the subnet mask provided by their ISP? They only have a /29 so I would hate to burn a static IP on a VLAN interface.

Question by:typertec
    LVL 11

    Assisted Solution

    Firstly, you cannot create a VLAN; you do not have enough address space, and if you did you would need to either get more address space or make the interface on the 3700 a trunk with two sub-interfaces.

    Use a single broadcast domain and assign an unused real address to the Juniper; you already have at least one assigned to the PIX, and one assigned to the 3700 (your default gateway).

    So long as the 3700 is configured "normally" the setup you have defined will work just fine.

    LVL 11

    Expert Comment

    Oh, and I recommend you DO NOT put an IP address on your 3500. Run a permanent console cable to it for OOB management. There is nothing worse than a security threat target sitting just outside your boundary.

    LVL 23

    Expert Comment

    You should make a VLAN on the 3500 switch for remote management, monitoring of the switch, troubleshooting of network problems that arise, etc.  

    Connect the 3500 switch to the 3560 switch. Make the port an access port on both sides to your management VLAN,  and enable port security on the 3560 side with the defined MAC address of the 3500.

    Your only defined VLAN on the 3500 should be that management vlan.  A 3500 is a Layer 2 switch, anyways.

    Shutdown all the ports on the 3500 that you aren't using,  and config an outside VLAN for the access ports containing the 3700 and the two firewalls; again, use of port security is recommended, to avoid accidents  (like someone accidentally plugging an inside interface "back" into the switch when some sort of maintenance is being done).

    Make sure that outside VLAN isn't VLAN 1.

    For the Juniper and PIX to be in parallel  both _will_ need  static IPs  routable by your ISP router.

    You need to manage that 3500, but i'd use your own private ip space to do that, and put the 3500 management interface behind the firewall for its protection.

    Author Comment

    Mysidia and Rowansmith,

    Thank you for your input. Mysidia, you said to create an outside VLAN on the 3500 and set the ports that the pix and juniper are plugging in for that VLAN. Will that work if I don't have access to the ISPs 3700 router?

    current setup diagram again.
    T1 ->3700 Router fa/01 (ISP) -> Fa0/1 PIX fa0/0 - 3560 switch.

    LVL 23

    Accepted Solution

    Absolutely, configure the port you have plugged the ISP router into as an access port, config the two firewall ports as access ports.

    'switchport mode access'

    You don't need access to a device to make its port be part of a port VLAN; you would only need access to the device, or to have settings changed, if it was performing 802.1q trunking to your firewall.

    Ports are always in a VLAN, by the way; by default (on an unconfigured switch), all ports are in VLAN 1, also known as the "native" VLAN.

    The problem, of course, with putting a port in VLAN 1 is that VLAN 1 is by default the native VLAN; through various trickery, a port in VLAN 1 or the native VLAN on either side of a trunk can potentially send traffic to any VLAN.

    VLAN 1 is also the VLAN the switch uses by default for such things as tftp, various management functions.    Hence the reason to keep 'untrusted' ports away from VLAN 1.

    So across all connected switches, it is best to ensure VLAN 1  is  always your internal protected management network, and is always the native VLAN of every trunk connection.

    VLAN 1  should be kept completely isolated, even traffic to and from your internal network and VLAN 1  should not be allowed.

    (The only way for a user to get into or out of VLAN 1  should be through one of your network management workstations)
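    The layout the two answers above describe, written out as a switch configuration. This is an added example, not something posted in the thread: it assumes the 3500 is running 3560-style IOS syntax (global `vlan`, `switchport port-security`, `interface range`); an older Catalyst 3500XL image uses `vlan database` and the per-interface `port security` commands instead, so check the syntax against the image actually loaded. The outside VLAN (10), the management VLAN (99), the "parking" VLAN (999), the interface numbers, the 192.168.99.0/24 management subnet and the 3560 port's expected MAC address are all assumptions; substitute your own. Nothing on the 3500 carries a public address, so no /29 address is consumed.

```cisco
! ===== 3500 (outside, Layer 2 only) =====
hostname edge-sw
enable secret <strong-secret>          ! assumption: set your own
no ip domain-lookup
!
! Outside VLAN for the ISP router and both firewalls. Deliberately not VLAN 1.
vlan 10
 name OUTSIDE
! Management VLAN on private address space, reached only through the 3560.
vlan 99
 name MGMT
! Dead-end VLAN for unused ports.
vlan 999
 name UNUSED
!
! Fa0/1 = ISP 3700, Fa0/2 = PIX outside, Fa0/3 = Juniper untrust (assumed numbering).
! Access ports only (no trunk negotiation), one learned MAC each, shut on violation,
! and BPDU guard so a stray switch plugged in here cannot join spanning tree.
interface range FastEthernet0/1 - 3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/1
 description ISP 3700 router
interface FastEthernet0/2
 description PIX outside interface
interface FastEthernet0/3
 description Juniper untrust interface
!
! Fa0/4 (assumed): management-only link to the 3560. Access port in VLAN 99,
! so it can never carry VLAN 10 and the two VLANs stay isolated on this switch.
interface FastEthernet0/4
 description mgmt link to 3560
 switchport mode access
 switchport access vlan 99
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Every other port: parked in the dead-end VLAN and administratively down.
interface range FastEthernet0/5 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! VLAN 1 gets no address and stays unused; the only SVI is the management VLAN.
interface Vlan1
 no ip address
 shutdown
interface Vlan99
 description management (private space, behind the PIX)
 ip address 192.168.99.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.99.1         ! assumption: gateway for VLAN 99 on the inside
!
! Only the management subnet may open a VTY session.
access-list 10 permit 192.168.99.0 0.0.0.255
line vty 0 4
 access-class 10 in
 password <strong-password>             ! assumption: set your own
 login
!
! ===== 3560 side of the management link =====
! Port-security pinned to the 3500's MAC (assumed value), as the answer suggests.
interface FastEthernet0/24
 description mgmt link to edge-sw
 switchport mode access
 switchport access vlan 99
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
```

    After applying it, `show interfaces status` should list Fa0/1-3 in VLAN 10, Fa0/4 in VLAN 99 and everything else in 999 and disabled, and `show port-security interface FastEthernet0/1` should show the learned (sticky) address of the ISP router. A port that goes err-disabled after a cable swap is the port security doing its job; clear it with `shutdown` / `no shutdown` once you have confirmed what was plugged in.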

