Can HSRP be done with a Juniper firewall? I'll have 2 Cisco routers doing HSRP, and these 2 routers will be connected to a Juniper FW (SRX-220H).
Is it possible to do it, or will we need a Cisco switch between the Juniper FW and the 2 routers? Please let me know the best design possible.
The Juniper FW will be able to forward to the HSRP VIP (like any other network vendor kit). It would not be able to participate in the HSRP group, but this would not be required in your topology.
Your Cisco routers will be configured to be in the same HSRP group, the group ID would have been assigned as part of the configuration, but yes in your scenario there will be one group.
On your routers, the interfaces participating in the HSRP group will have a line:
standby <group_id> <ip_address>
You want the Juniper router to have its default route directed to that IP.
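Putting this answer into a concrete configuration, as an added example that is not part of the original thread. The subnet 192.0.2.0/29, the interface names (GigabitEthernet0/1 on the routers, ge-0/0/0 on the SRX-220H), HSRP group 1, the priorities and the MD5 key string are all assumptions; substitute your own. Router 1 is given the higher priority so it normally holds the VIP; `preempt` lets it take the VIP back after it recovers.

```text
! --- Router 1 (Cisco IOS), interface facing the firewall segment (assumed names/addresses) ---
interface GigabitEthernet0/1
 description To SRX-220H segment
 ip address 192.0.2.2 255.255.255.248
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-SECRET
!
! --- Router 2 (Cisco IOS), same group and same VIP, lower priority ---
interface GigabitEthernet0/1
 description To SRX-220H segment
 ip address 192.0.2.3 255.255.255.248
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-SECRET
!
# --- SRX-220H (Junos, set format): own address on the segment and default route to the HSRP VIP ---
# Assumed interface ge-0/0/0 and zone name "untrust"; the firewall never joins the HSRP group,
# it only needs an IP in the /29 and a static route whose next-hop is the VIP.
set interfaces ge-0/0/0 unit 0 description "To HSRP pair"
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.4/29
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
```

To check it, `show standby brief` on each router should list the same group and virtual IP with one router Active and the other Standby, and `show route 0.0.0.0/0` on the SRX should resolve the default route via 192.0.2.1 on ge-0/0/0.0. The `authentication md5` line is a practitioner addition rather than something the answer above asks for: without it, any host on that segment can send HSRP hellos with a higher priority and take over the VIP, so the key keeps group membership to the two routers. Note that the two routers must share a Layer 2 segment for their hellos to reach each other, which is the reason the rest of the thread discusses placing a switch between the routers and the firewall.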
HSRP is Cisco proprietary. Now, if you want HSRP on the Cisco devices only for redundancy, with the firewall pointing to the virtual IP of the HSRP group, yes, you can do that, but the common scenario is having 2 firewalls configured in a cluster; otherwise you need a switch to interconnect the 3 devices and use only one subnet, which could be a /29, for example:
    Router 1 (HSRP Active) ---------------
      IP address (.2)                      \
      Virtual IP (.1)                       SWITCH <------> Firewall (IP address .4)
                                           /  (3 ports on the same VLAN)
    Router 2 -----------------------------
      IP address (.3)
      Virtual IP (.1)
So the firewall will be pointing to the virtual IP. Commonly, the scenario with 2 firewalls is:
    Router 1 ------- Firewall 1 (Active)
      Virtual IP (.1)          CLUSTER of the firewalls - IP address for both (.4)
    Router 2 ------- Firewall 2 (Standby)
      Virtual IP (.1)
Yeah, but in this scenario we will have only 1 Juniper FW, not a cluster. Is it possible then?
What's the best practice? To use a switch between them? Or to go without the switch and make the FW do the switching for the 2 Cisco routers?
Yes, you can use 1 firewall only, but the best way is to install a switch between them, or 2 switches in a stack, so you connect each router to each of the switches separately and the firewall to one of them. Remember you have a point of failure: the firewall. So we need to minimize the points of failure; 2 switches should be the best approach.
So on the router side I'll have 2 interfaces on each router going to the switches, which will be stacked.
What configuration should I put on the 2 interfaces of each router in this case? Duplicate the configuration on each interface? EtherChannel them? Can we have a sample config here?