typertec
asked on
3500 switch in front of pix firewall to make parallel with another Juniper firewall seup
HI experts,
Jr. Level engineer here.
In this scenerio, I want to setup a new firewall to be parallel with an existing firewall. I will use the new firewall to configure a vpn to another remote site. Currently the setup is like this:
T1 connection -> 3700 router (belongs to ISP) -> PIX -> 3560 switch
I'm going to stick a Cisco 3500 switch behind the ISPs 3700 router. That way I can plug the PIX and Juniper into the 3500 switch and make them parallel with each other.
With the 3500 switch, all I plan to do is a "wr erase" + " reload" and that's it. Maybe I'll set a password. Do you see any problem with this? Should I create a VLAN? If I create a VLAN do I have to use the subnet mask provided by their ISP? They only have a /29 so I would hate to burn a static IP on a VLAN interface.
Jr. Level engineer here.
In this scenerio, I want to setup a new firewall to be parallel with an existing firewall. I will use the new firewall to configure a vpn to another remote site. Currently the setup is like this:
T1 connection -> 3700 router (belongs to ISP) -> PIX -> 3560 switch
I'm going to stick a Cisco 3500 switch behind the ISPs 3700 router. That way I can plug the PIX and Juniper into the 3500 switch and make them parallel with each other.
With the 3500 switch, all I plan to do is a "wr erase" + " reload" and that's it. Maybe I'll set a password. Do you see any problem with this? Should I create a VLAN? If I create a VLAN do I have to use the subnet mask provided by their ISP? They only have a /29 so I would hate to burn a static IP on a VLAN interface.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You should make a VLAN on the 3500 switch for remote management, monitoring of the switch, troubleshooting of network problems that arise, etc.
Connect the 3500 switch to the 3560 switch. Make the port an access port on both sides to your management VLAN, and enable port security on the 3560 side with the defined MAC address of the 3500.
Your only defined VLAN on the 3500 should be that management vlan. A 3500 is a Layer 2 switch, anyways.
Shutdown all the ports on the 3500 that you aren't using, and config an outside VLAN for the access ports containing the 3700 and the two firewalls; again, use of port security is recommended, to avoid accidents (like someone accidentally plugging an inside interface "back" into the switch when some sort of maintenance is being done).
Make sure that outside VLAN isn't VLAN 1.
For the Juniper and PIX to be in parallel both _will_ need static IPs routable by your ISP router.
You need to manage that 3500, but i'd use your own private ip space to do that, and put the 3500 management interface behind the firewall for its protection.
Connect the 3500 switch to the 3560 switch. Make the port an access port on both sides to your management VLAN, and enable port security on the 3560 side with the defined MAC address of the 3500.
Your only defined VLAN on the 3500 should be that management vlan. A 3500 is a Layer 2 switch, anyways.
Shutdown all the ports on the 3500 that you aren't using, and config an outside VLAN for the access ports containing the 3700 and the two firewalls; again, use of port security is recommended, to avoid accidents (like someone accidentally plugging an inside interface "back" into the switch when some sort of maintenance is being done).
Make sure that outside VLAN isn't VLAN 1.
For the Juniper and PIX to be in parallel both _will_ need static IPs routable by your ISP router.
You need to manage that 3500, but i'd use your own private ip space to do that, and put the 3500 management interface behind the firewall for its protection.
ASKER
Mysidia and Rowansmith,
Thank you for your input. Mysidia, you said to create an outside VLAN on the 3500 and set the ports that the pix and juniper are plugging in for that VLAN. Will that work if I don't have access to the ISPs 3700 router?
current setup diagram again.
T1 ->3700 Router fa/01 (ISP) -> Fa0/1 PIX fa0/0 - 3560 switch.
Thank you for your input. Mysidia, you said to create an outside VLAN on the 3500 and set the ports that the pix and juniper are plugging in for that VLAN. Will that work if I don't have access to the ISPs 3700 router?
current setup diagram again.
T1 ->3700 Router fa/01 (ISP) -> Fa0/1 PIX fa0/0 - 3560 switch.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
-Rowan