HSRP question

Jun 10th, 2008


Tomorrow I have to configure HSRP between two Cisco routers and a non-Cisco firewall.

The first router provides WAN connectivity, the second is for back-up reasons.

The firewall Trusted port is for the customer LAN and the Untrusted I can connect towards the WAN.

The firewall and the two routers have to be in the same Ethernet segment. Correct?

So can I put a transparent switch between the FW and the routers?

Or is there any other solution to do this?

The primary router is a 1841 and a 878 as back-up.

There is no switch card in the 1841, so I can only use the on-board IF's.

Thanks for the help


Edison Ortiz Tue, 06/10/2008 - 12:54

The firewall and the two routers have to be in the same Ethernet segment. Correct?


So can I put a transparent switch between the FW and the routers?


One thing to keep in mind: HSRP is a Cisco proprietary protocol, and you will be dealing with a non-Cisco device if you are planning to include the FW in the HSRP configuration.

If the HSRP configuration is only between the 2 routers, you are fine. If it's involving the FW, you need to configure VRRP which is IEEE standard.




fab5freddy Wed, 06/11/2008 - 02:20


Thank you for your help.

Could you say if I can use the fa if on the 1841 and a fa if on the 878 instead of using a transparent switch?

Thank you


Jon Marshall Wed, 06/11/2008 - 04:30


Not sure what you are asking here. If you want to have the 1841, 878 and the FW on a common subnet then you will need a switch to connect them all.

For HSRP you would use the fa on both routers, connect them into the switch and connect the FW interface into the switch as well.


fab5freddy Wed, 06/11/2008 - 04:38


Maybe this drawing may help you understand my problem.


\switch----UT IF Firewall


WAN---- 878

Or can I do the next:


| \

| UT IF Firewall

WAN---- 878-----/

In this setup I won't use the switch but make a connection with an Ethernet cable between the 1841 second fa interface and a second fa IF on the 878, all in the same VLAN.

Thanks for the help.

Good replies will be awarded



fab5freddy Wed, 06/11/2008 - 04:42

Oops, there goes my drawing.

Another try...

I would make an ethernet connection between: fa0/0 on the 1841 and the UT on the FW

fa0/0 on the 878 and the UT on the FW

fa0/1 on the 1841 and the fa0/1 on the 878

Good or bad idea?

STP won't be a prob since 2 of the 3 connections are L3



Jon Marshall Wed, 06/11/2008 - 04:49


Could you just clarify

1) What is the UT on the firewall? Do you have multiple interfaces on the firewall? I ask because you are talking about connecting the 1841 to the firewall and the 878 to the firewall separately.

2) Do you intend for the firewall to participate in HSRP? As Edison pointed out, it won't, as HSRP is Cisco proprietary.


fab5freddy Wed, 06/11/2008 - 04:55


Sorry if my info is incomplete.

There are 2 UT (untrusted) interfaces on the firewall (info from the client).

I don't need HSRP on the non-Cisco firewall.

Thanks for the info

Jon Marshall Wed, 06/11/2008 - 05:00

No problem.

You need a common subnet for HSRP. So you would need to pair up your interfaces

1841 fa0, 878 fa0 + 1 UT interface = 1 subnet

1841 fa0/1, 878 fa0/1, + 1 UT interface = 1 subnet

And to achieve the above you would need a switch.

But I'm not sure this is what you want. You wrote

"STP won't be a prob since 2 of the 3 connections are L3"

To run HSRP you need to make them L2 connections so they can be in the same subnet.

Could you explain exactly what it is you are trying to achieve?


fab5freddy Wed, 06/11/2008 - 05:04


Thank you for the input.

What I would like to do is connect the firewall to the WAN using two connections, one as primary and the second as back-up.

I thought that I could use the switch ports on the routers and make a L3 between the routers and the firewall.

If there is no other solution than using a switch, well then I will use a sw...

Thank you


Jon Marshall Wed, 06/11/2008 - 05:10


Ah okay, then if this is what you want to do you don't need HSRP at all. And you wouldn't need to connect the 1841 to the 878.

HSRP is used for end hosts to have a virtual address. But if you are going to be using L3 connectivity between your firewall and the routers then it becomes largely redundant.

The question then becomes how you are going to ensure one UT is used for primary and one for backup. Does the firewall support a routing protocol such as OSPF, and what routing protocol are you using on your WAN router?


fab5freddy Wed, 06/11/2008 - 06:05


Thank you for your answer.

I will check this with the client.


