Re: HSRP with Juniper Firewall

khan300 · ‎09-14-2017

Hi,
Can HSRP be done with a Juniper firewall ? I'll have 2 Cisco routers doing HSRP and these 2 routers will be connected to a Juniper FW (SRX-220H).

Is it possible to do it or we will need a cisco switch between the Juniper FW and the 2 routers ? Please let me know the best design possible.

Thanks

Seb Rupik · ‎09-14-2017

Hi there,

The Juniper FW will be able to forward to the HSRP VIP (like any other network vendor kit). It would not be able to participate in the HSRP group, but this would not be required in your tolpology.

cheers,

Seb.

khan300 · ‎09-14-2017

What do you mean by groups ? Aren't they by default in a single group ? Hope this won't affect the communication. Also how would we configure the juniper firewall for this ?

Seb Rupik · ‎09-14-2017

Your Cisco routers will be configured to be in the same HSRP group, the group ID would have been assigned as part of the configuration, but yes in your scenario there will be one group.

On your rotuers, the interfaces participating in the HSRP group will have a line:

standby <group_id> <ip_address>

You want the Juniper router to have its default route directed to that IP.

cheers,

Seb.

Julio E. Moisa · ‎09-14-2017

Hi,

HSRP is Cisco Propietary, now if you want the HSRP on the Cisco Devices only for redundancy and the firewall will be pointing to the Virtual IP of the HSRP, yes you can do that, but the common scenario is having 2 firewalls configured in cluster otherwise you need a switch to interconnect the 3 devices and use only one subnet, it could be a /29, for example:

Router 1

IP address (.2)
HSRP Active -------------

Virtual IP (.1) SWITCH <------> Firewall (IP address .4)

3 ports on the same VLAN

Router 2 -----------------

IP Address (.3)

Standby
Virtual IP (.1)

So the firewall will be pointing to the virtual IP, commonly the scenario with 2 firewalls is:

Router1 ------- Firewall 1 (Active)
Active
Virtual IP (.1) CLUSTER of the firewalls - IP address for both (.4)

Router 2 -------- Firewall 2 (Standby)
Standby
Virtual IP (.1)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

shaps · ‎09-14-2017

I have also seen issues if you add authentication with juniper connecting to cisco and had to use plain text passwords or none at all.

khan300 · ‎09-14-2017

Yeah but in this scenario we will have only 1 juniper FW, not cluster. Is it possible then ?

Whats the the best practice ? To use a switch between them ? Or to use without the switch and make the FW do the switching for the 2 Cisco routers.

Julio E. Moisa · ‎09-14-2017

Hi,

Yes, you can use 1 firewall only but the best way is install a switch between them or 2 switch in stack so you will connect each router to each the swiches separately and the firewall to one of them. Remember you have a point a failure: the firewall so we need to minimize the point of failures, 2 switches should be the best approach.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

khan300 · ‎09-20-2017

So on the router side I'll have 2 interfaces on each router going to the switches which will be stacked.

what configuration should I put on the 2 interfaces of each router in this case ? Duplicate the configuration on each interface ? Ether channel them ? Can we have a sample config here ?

Thanks