
HSRP traffic between Routers separated by HA Firewall.

We are trying to implement both HSRP between our Edge Routers, as well as implementing HA on our Firewalls. Currently, they are all completely separate devices logically and physically. Traffic destined for External is directed through Router01 through various SLA automated commands on all of the devices. 01 and 02 devices are in different buildings, with fiber connections between them.

Topology: EXTERNAL -> Router01 -> Firewall01 -> Core Switch01 -> Core Switch02 -> Firewall02 -> Router02 -> EXTERNAL

Traffic between the Core switches is L2.

Traffic between Core switches and firewalls is L2.

Traffic between Firewalls and Routers is L3.

We are attempting to implement HSRP on the routers, and HA on the firewalls, but are having trouble with any configuration that would allow the HSRP traffic to traverse the firewalls in HA mode.

The proposal being thrown out is having a new VLAN between the Routers and Core Switches, so the Topology would be:

Router01 -> Core Switch01 -> Core Switch02 -> Router02

Obviously not ideal, since that is simply having a connection that would bypass the firewalls, so we are looking for alternatives.

 

 


marce1000
VIP

 

 - But as you state yourself in the last sentence of your post, HSRP is a routing-standby protocol, forming a kind of 'virtual HA routing services' for devices behind or before its framework, depending on how you see it. It does not make sense to firewall it, or more deeply, the firewalls should 'rest' at another place in the network diagram and/or topology (after or before the virtual/HSRP router, e.g.).

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !