Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

HSRP with Juniper Firewall

Can HSRP be done with a Juniper firewall ? I'll have 2 Cisco routers doing HSRP and these 2 routers will be connected to a Juniper FW (SRX-220H).

Is it possible to do it or we will need a cisco switch between the Juniper FW and the 2 routers ? Please let me know the best design possible.



Seb Rupik
VIP Advisor

Hi there,

The Juniper FW will be able to forward to the HSRP VIP (like any other network vendor kit). It would not be able to participate in the HSRP group, but this would not be required in your tolpology.




What do you mean by groups ? Aren't they by default in a single group ? Hope this won't affect the communication. Also how would we configure the juniper firewall for this ?

Your Cisco routers will be configured to be in the same HSRP group, the group ID would have been assigned as part of the configuration, but yes in your scenario there will be one group.

On your rotuers, the interfaces participating in the HSRP group will have a line:


standby <group_id> <ip_address>


You want the Juniper router to have its default route directed to that IP.




Julio E. Moisa
VIP Mentor


HSRP is Cisco Propietary, now if you want the HSRP on the Cisco Devices only for redundancy and the firewall will be pointing to the Virtual IP of the HSRP, yes you can do that, but the common scenario is having 2 firewalls configured in cluster otherwise you need a switch to interconnect the 3 devices and use only one subnet, it could be a /29, for example:


Router 1

IP address (.2)
HSRP Active  -------------

Virtual IP (.1)                             SWITCH  <------>  Firewall (IP address .4)

                                             3 ports on the same VLAN

Router 2   -----------------

IP Address (.3)

Virtual IP (.1)


So the firewall will be pointing to the virtual IP, commonly the scenario with 2 firewalls is:


Router1                           -------    Firewall 1 (Active)
Virtual IP (.1)                                  CLUSTER of the firewalls - IP address for both (.4)


Router 2                         --------  Firewall 2 (Standby)
Virtual IP (.1)



>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

I have also seen issues if you add authentication with juniper connecting to cisco and had to use plain text passwords or none at all.

Yeah but in this scenario we will have only 1 juniper FW, not cluster. Is it possible then ? 


Whats the the best practice ? To use a switch between them ? Or to use without the switch and make the FW do the switching for the 2 Cisco routers.




Yes, you can use 1 firewall only but the best way is install a switch between them or 2 switch in stack so you will connect each router to each the swiches separately and the firewall to one of them. Remember you have a point a failure: the firewall so we need to minimize the point of failures, 2 switches should be the best approach. 



>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

So on the router side I'll have 2 interfaces on each router going to the switches which will be stacked.


what configuration should I put on the 2 interfaces of each router in this case ? Duplicate the configuration on each interface ? Ether channel them ? Can we have a sample config here ?