
3500 switch in front of PIX firewall to make parallel with another Juniper firewall setup

typertec asked
Medium Priority
Last Modified: 2012-05-06
HI experts,
Jr. Level engineer here.

In this scenario, I want to set up a new firewall to be parallel with an existing firewall. I will use the new firewall to configure a VPN to another remote site. Currently the setup is like this:

T1 connection -> 3700 router (belongs to ISP) -> PIX -> 3560 switch

I'm going to stick a Cisco 3500 switch behind the ISP's 3700 router. That way I can plug the PIX and Juniper into the 3500 switch and make them parallel with each other.

With the 3500 switch, all I plan to do is a "wr erase" + "reload" and that's it. Maybe I'll set a password. Do you see any problem with this? Should I create a VLAN? If I create a VLAN, do I have to use the subnet mask provided by their ISP? They only have a /29, so I would hate to burn a static IP on a VLAN interface.


Firstly, you cannot create a VLAN: you do not have enough address space, and if you did, you would need to either get more address space or make the interface on the 3700 a trunk with two sub-interfaces.

Use a single broadcast domain and assign an unused real address to the Juniper; you already have at least one assigned to the PIX and one assigned to the 3700 (your default gateway).

So long as the 3700 is configured "normally", the setup you have defined will work just fine.


Oh, and I recommend you DO NOT put an IP address on your 3500. Run a permanent console cable to it for OOB management. There is nothing worse than a security threat target sitting just outside your boundary.


You should make a VLAN on the 3500 switch for remote management, monitoring of the switch, troubleshooting of network problems that arise, etc.

Connect the 3500 switch to the 3560 switch. Make the port an access port on both sides in your management VLAN, and enable port security on the 3560 side with the defined MAC address of the 3500.

Your only defined VLAN on the 3500 should be that management VLAN. A 3500 is a Layer 2 switch, anyway.

Shut down all the ports on the 3500 that you aren't using, and configure an outside VLAN for the access ports containing the 3700 and the two firewalls; again, use of port security is recommended, to avoid accidents (like someone accidentally plugging an inside interface "back" into the switch when some sort of maintenance is being done).

Make sure that outside VLAN isn't VLAN 1.

For the Juniper and PIX to be in parallel, both _will_ need static IPs routable by your ISP router.

You need to manage that 3500, but I'd use your own private IP space to do that, and put the 3500 management interface behind the firewall for its protection.


Mysidia and Rowansmith,

Thank you for your input. Mysidia, you said to create an outside VLAN on the 3500 and put the ports that the PIX and Juniper plug into in that VLAN. Will that work if I don't have access to the ISP's 3700 router?

Current setup diagram again:
T1 -> 3700 Router fa/01 (ISP) -> Fa0/1 PIX Fa0/0 -> 3560 switch

Absolutely. Configure the port you have plugged the ISP router into as an access port, and configure the two firewall ports as access ports:

'switchport mode access'

You don't need access to a device to make its port part of a port VLAN; you would only need access to the device, or to have its settings changed, if it were performing 802.1q trunking to your firewall.

Ports are always in a VLAN, by the way. By default (on an unconfigured switch), all ports are in VLAN 1, also known as the "native" VLAN.

The problem, of course, with putting a port in VLAN 1 is that VLAN 1 is by default the native VLAN; through various trickery, a port in VLAN 1 or in the native VLAN on either side of a trunk can potentially send traffic to any VLAN.

VLAN 1 is also the VLAN the switch uses by default for such things as TFTP and various management functions. Hence the reason to keep 'untrusted' ports away from VLAN 1.

So across all connected switches, it is best to ensure VLAN 1 is always your internal protected management network, and is always the native VLAN of every trunk connection.

VLAN 1 should be kept completely isolated; even traffic to and from your internal network and VLAN 1 should not be allowed.

(The only way for a user to get into or out of VLAN 1 should be through one of your network management workstations.)
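The following configuration fragment is an added example, not posted by any participant in the thread, pulling together the recommendations above: an outside VLAN that is not VLAN 1 for the ISP router and the two firewalls, a management VLAN in private address space that is only reachable via an access port on the inside 3560, port security on every live port, and unused ports shut down. It uses the "switchport" syntax of a Catalyst 3560; an older Catalyst 3500 XL spells the port-security commands differently (`port security` under the interface), so check `?` on the actual unit. All interface numbers, VLAN IDs, addresses and MAC addresses are constructed placeholders.

```cisco
! ===== Outside 3500 (Layer 2 only, no address on the untrusted side) =====
hostname outside-sw
! assumption: replace with a strong secret; the console password covers the OOB cable
enable secret CHANGE-ME-STRONG-SECRET
no ip domain-lookup
! no VTP so a rogue neighbour cannot push VLAN changes into this switch
vtp mode transparent
!
vlan 10
 name MGMT
vlan 20
 name OUTSIDE
!
! VLAN 1 stays unused and has no address (see the discussion of native-VLAN trickery)
interface Vlan1
 no ip address
 shutdown
!
! management address in private space; gateway is the PIX inside interface (constructed)
interface Vlan10
 description management, reached only via the 3560 access port
 ip address 192.168.10.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.10.1
!
interface FastEthernet0/1
 description ISP 3700 router (no access to the router needed; plain access port)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description PIX outside (Fa0/1 on the PIX)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.aaaa
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 description Juniper untrust interface
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.bbbb
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 description management link to 3560 Fa0/24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! everything else: no VLAN that carries traffic, and administratively down
interface range FastEthernet0/5 - 24
 description UNUSED
 switchport mode access
 switchport access vlan 10
 shutdown
!
! ===== Inside 3560, the only path onto the 3500's management VLAN =====
! 0011.2233.cccc stands for the 3500's own base MAC (constructed)
interface FastEthernet0/24
 description access port to outside-sw management
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.cccc
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
```

After applying it, `show port-security interface Fa0/1` should report one secure address and the violation mode as shutdown; if the ISP swaps their router the port will err-disable, which is the intended behaviour and is cleared with `shutdown` / `no shutdown` after updating the MAC. Both firewalls still need their own public addresses from the /29, as the thread notes; the switch itself consumes none of them.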
