• Status: Solved

Handoff HSRP to Juniper Firewall

Can I do a handoff from an HSRP device directly to a Juniper SSG5 firewall? I was told I would need to put a pair of switches after the HSRP router and then hand it off to the firewalls. I am trying to create redundant ISP connections to the site.
Asked by: NytroZ
 
TimotiSt Commented:
These would be 2 usual setups:
1.

   internet   internet
      |          |
     FW----------FW
      |          |
    switch----switch
      |          |
    router    router
      |          |
     [LANswitches]

2.

   internet   internet
      |          |
     FW----------FW
      |          |
    router    router
      |          |
     [LANswitches]

Both can work, but in the first version you can't really do layer2 interface tracking between router and firewall, since there is a switch in between.

Tamas
 
Sanga Collins (Systems Admin) Commented:
You can use a dual-WAN setup with Juniper SSG firewalls. They allow for multiple virtual routers in the config, so you would only need the HSRP device and one switch to send traffic to 2 separate ports on the SSG.

BTW, what HSRP device are you using? This would help Experts provide more detailed solutions for you.
 
NytroZ (Author) Commented:
The two devices doing HSRP are Juniper EX 4200 switches.  I am using 2 devices for redundancy.
 
NytroZ (Author) Commented:
I was hoping I could hand off the connection off of the data center's core routers directly into my Juniper SSG5 firewalls, but I was told that there would need to be a switch before the firewalls to accept the connection from the HSRP routers.



    internet                internet
       |                       |
  Core Router             Core Router
       |                       |
       FW----------------------FW
       |                       |
Load Bal switch------------LB switch
       |                       |
 [LANswitches]           [LANswitches]
 
Fidelius Commented:
So if I understand correctly your "Core Routers" are EX4200. In that case you don't need additional switches as EX4200 can handle it.

If, in your current configuration, the ports toward the FWs are L3 ports, you will need to change them to access ports in, for example, VLAN 5.
Create an SVI (switch virtual interface) in VLAN 5 on both EX4200s and configure HSRP between them.
The firewall interfaces toward the EX4200s and the HSRP interfaces must be in the same subnet.
Also, you will need an L2 connection between the EX switches for VLAN 5.

That should be it.

Regards!
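
A configuration sketch of the steps in the answer above, added here as an example and not taken from the thread or from Juniper documentation. It assumes legacy (non-ELS) Junos on the EX4200 and uses VRRP, the first-hop redundancy protocol Junos provides, in the role the thread calls HSRP; the interface names, VLAN name and 192.0.2.0/29 addresses are constructed placeholders.

```junos
# --- EX4200-A (intended master); all names and addresses are placeholders ---

# VLAN 5 with a routed VLAN interface (the "SVI" in the answer)
set vlans fw-handoff vlan-id 5
set vlans fw-handoff l3-interface vlan.5

# Port toward firewall A: an access port in VLAN 5 instead of an L3 port
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members fw-handoff

# L2 link to EX4200-B carrying VLAN 5, so both switches and both
# firewalls share one broadcast domain
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members fw-handoff

# Real address .2, shared virtual gateway .1, higher priority wins mastership
set interfaces vlan unit 5 family inet address 192.0.2.2/29 vrrp-group 5 virtual-address 192.0.2.1
set interfaces vlan unit 5 family inet address 192.0.2.2/29 vrrp-group 5 priority 200
set interfaces vlan unit 5 family inet address 192.0.2.2/29 vrrp-group 5 preempt
set interfaces vlan unit 5 family inet address 192.0.2.2/29 vrrp-group 5 accept-data

# --- EX4200-B (backup): same VLAN, access port and trunk as above ---
set interfaces vlan unit 5 family inet address 192.0.2.3/29 vrrp-group 5 virtual-address 192.0.2.1
set interfaces vlan unit 5 family inet address 192.0.2.3/29 vrrp-group 5 priority 100
set interfaces vlan unit 5 family inet address 192.0.2.3/29 vrrp-group 5 accept-data

# Firewalls: untrust interfaces in the same subnet (for example .4 and .5),
# default route pointing at the virtual address 192.0.2.1
```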