switch to a juniper firewall

suthomas1 · ‎10-07-2012

Hi,

We have a 3750 as core switch with critical oracle servers ( production & development ) connected to this. The goal is to have these servers behind a firewall, which is to be done by logically routing the traffic towards the device.

Now, we need to connect the 3750 with two juniper srx firewall physically. The oracle server VLAN will be removed from 3750 and same layer 3 vlan will be created in the juniper firewall. How do i connect the 3750 to the two junipers.

what configurations will be involved, on a logical basis. I understand this is a cisco forum, but any logical ideas will be helpful.

Thanks.

Reza Sharifi · ‎10-08-2012

Hi,

How do i connect the 3750 to the two junipers.

You mean physically?

If yes, the Juniper SRX come with on board copper and fiber (SPF) port. Depending on your distance and port availability on the switch and the firewall, you can connect via fiber 10 Gig, 1Gig, or 1Gig copper.

What model SRX and 3750 do you have?

HTH

suthomas1 · ‎10-08-2012

3750-X and SRX 650.

I would appreciate help on how to configure this link between the single 3750 connecting to two SRX.

SVO RMAOne · ‎12-12-2012

Hello

Sent from Cisco Technical Support iPad App

ALIAOF_ · ‎10-09-2012

Bleh Juniper lol, any ways I'm assuming you already have the firewalls connected to the 3750. So in that case why remove the Orcale Server VLAN from 3750 and add it to Juniper?

Leave it on the core, add an interface on the Juniper firewall for that VLAN. Connect that interface to the same VLAN on the 3750 and make the firewall interface IP default gateway on your Oracle servers.

Note: I would first test this scenario out like you can pick a completely separate IP scheme and setup a VLAN on 3750 and then setup the interface on the firewall, connect it to the switch and have a test server or computer connect to the same VLAN on the switch with the firewall interface as a gateway.

suthomas1 · ‎10-10-2012

Thanks for that input. But, i didnt get it fully. The current VLAN for the oracle servers are VLAN 100(production) , 110( development) , 112(testing) . There are requirements that user vlan ( VLAN 50 ) will only be able to access VLAN 100 and not vlan 110 , 112.

Taking this setup into consideration, do you mean to add vlan 100 on Juniper, connect this port to interface on vlan 100 in 3750?

Any change on the servers cannot be done, nor can it be physically moved.

Appreciate your inputs.

ALIAOF_ · ‎10-10-2012

I am attaching a quick diagram hope that helps a bit more. Let us know if you have any questions.

suthomas1 · ‎10-11-2012

Thanks again. But am sorry , i couldnt get the second option of assigning the vlans on juniper interfaces and then connecting them to 3750. how do i assign the ports on 3750 terminating the single link from juniper.

ALIAOF_ · ‎10-11-2012

On Juniper firewalls you can either create a VLAN and connect that to a trunk port of the switch. Or if you create L3 interfaces on Juniper something like this:

ethernet1 = 192.168.1.1/24 VLAN 100

ethernet2 = 192.168.2.1/24 VLAN 200

Then you connect those ports to the switch and setup the switch port on that VLAN.

VLAN 100 IP on the switch is 192.168.1.254

VLAN 200 IP on the switch is 192.168.2.254

Default gateway for the devices on VLAN 100 would become 192.168.1.1 and 192.168.2.1 for the VLAN 200.

Rick Morris · ‎11-13-2012

What is the topology for this?

are the servers connected behind the firewall?

Meaning:

3750 ---- FW ---- SW ---- Server?

What I am looking for is how this is layed out. If you connect the firewall and the server to the same core switch without routing through the FW are you basically wanting to do hairpin routing?

host ------> (int 1/0/1) 3750 ---------->WAN or LAN

| ^

(1/0/2) v | (1/0/3)

Juniper FW

Is this what you are wanting to do?

suthomas1 · ‎11-20-2012

the servers are currently connected to the 3750 core switch. the firewall is to be introduced so that all servers will have firewall as their gateway.

We'll remove the layer 3 server interfaces from the 3750 and configure it on the new juniper firewall. the route for the servers will be pointed towards the new firewall cluster.

please let me know , if i am not descriptively clear here. thanks in advance!

ALIAOF_ · ‎11-20-2012

Which Juniper do you have netscreen or SSG?

You can leave the switch the way it is but change the default gateway on the servers to the Juniper. So lets say you have the servers on VLAN100, switch IP is 10.10.10.1, on the Juniper you can create an interface or sub-if (you'll have to trunk that port then to the switch) and then IP that interface as 10.10.10.254. On the servers make 10.10.10.254 default gateway instead of 10.10.10.1