06-10-2008 11:48 AM - edited 03-03-2019 10:18 PM
Hello
Tomorrow I have to configure HSRP between two Cisco routers and a non-Cisco firewall.
The first router provides WAN connectivity, the second is for back-up reasons.
The firewall Trusted port is for the customer LAN and the Untrusted I can connect towards the WAN.
The firewall and the two routers have to be in the same Ethernet segment. Correct?
So can I put a transparent switch between the FW and the routers?
Or is there any other solution to do this?
The primary router is a 1841 and a 878 as back-up.
There is no switch card in the 1841, so I can only use the on-board IF's.
Thanks for the help
Frederic
06-10-2008 12:54 PM
The firewall and the two routers have to be in the same Ethernet segment. Correct?
Correct.
So can I put a transparent switch between the FW and the routers?
Yes.
One thing to keep in mind. HSRP is a Cisco proprietary protocol and you will be dealing with a non-Cisco device if you are planning to include the FW in the HSRP configuration.
If the HSRP configuration is only between the 2 routers, you are fine. If it's involving the FW, you need to configure VRRP which is an IEEE standard.
HTH,
__
Edison.
06-11-2008 02:20 AM
Edison
Thank you for your help.
Could you say if I can use the fa if on the 1841 and a fa if on the 878 instead of using a transparent switch?
Thank you
Frederic
06-11-2008 04:30 AM
Frederic
Not sure what you are asking here. If you want to have the 1841, 878 and the FW on a common subnet then you will need a switch to connect them all.
For HSRP you would use the fa on both routers, connect them into the switch and connect the FW interface into the switch as well.
Jon
06-11-2008 04:38 AM
Hello
Maybe this drawing will help you understand my problem.
WAN----1841
\switch----UT IF Firewall
/
WAN---- 878
Or can I do the next:
WAN----1841----\
| \
| UT IF Firewall
WAN---- 878-----/
In this setup I won't use the switch but make a connection with an ethernet cable between the 1841 second fa interface and a second fa IF on the 878, all in the same VLAN.
Thanks for the help.
Good replies will be awarded
Greetings
Frederic
06-11-2008 04:42 AM
Oops, there goes my drawing.
Another try...
I would make an ethernet connection between: fa0/0 on the 1841 and the UT on the FW
fa0/0 on the 878 and the UT on the FW
fa0/1 on the 1841 and the fa0/1 on the 878
Good or bad idea?
STP won't be a prob since 2 of the 3 connections are L3
Greetings
Frederic
06-11-2008 04:49 AM
Frederic
Could you just clarify
1) What is the UT on the firewall? Do you have multiple interfaces on the firewall, because you are talking about connecting the 1841 to the firewall and the 878 to the firewall separately.
2) Do you intend for the firewall to participate in HSRP? Because, as Edison pointed out, it won't, as HSRP is Cisco proprietary.
Jon
06-11-2008 04:55 AM
Hello
Sorry if my info is incomplete.
There are 2 UT (untrusted) interfaces on the firewall (info from the client).
I don't need HSRP on the non-Cisco firewall.
Thanks for the info
06-11-2008 05:00 AM
No problem.
You need a common subnet for HSRP. So you would need to pair up your interfaces
1841 fa0, 878 fa0 + 1 UT interface = 1 subnet
1841 fa0/1, 878 fa0/1, + 1 UT interface = 1 subnet
And to achieve the above you would need a switch.
But I'm not sure this is what you want. You wrote
"STP won't be a prob since 2 of the 3 connections are L3"
To run HSRP you need to make them L2 connections so they can be in the same subnet.
Could you explain exactly what it is you are trying to achieve.
Jon
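As an added example, not posted by anyone in this thread, here is what the HSRP pairing Jon describes looks like on the two routers for one of the two subnets: 1841 fa0/0, 878 fa0/0 and one firewall UT interface on a common L2 segment behind a switch, with the firewall's UT interface pointing its default route at the HSRP virtual address. The addresses (192.0.2.0/24 documentation range), the WAN interface names used for tracking and the authentication key are all assumptions for illustration; the fa0/0 names are taken from the thread (on an 878 the LAN ports are normally switch ports under the Vlan1 SVI, so substitute that interface if it applies).

```cisco
! ===== 1841 (primary WAN router) =====
! Object tracking: if the WAN link drops, lower this router's HSRP priority
! so the 878 takes over. Serial0/0/0 is an assumed WAN interface name.
track 10 interface Serial0/0/0 line-protocol
!
interface FastEthernet0/0
 description Untrusted segment shared with 878 and firewall UT (via switch)
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 timers 1 3
 standby 1 authentication md5 key-string HSRP-KEY-PLACEHOLDER
 standby 1 track 10 decrement 20
!
! ===== 878 (backup WAN router) =====
! Dialer0 is an assumed WAN interface name for the 878.
track 10 interface Dialer0 line-protocol
!
interface FastEthernet0/0
 description Untrusted segment shared with 1841 and firewall UT (via switch)
 ip address 192.0.2.3 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-string HSRP-KEY-PLACEHOLDER
 standby 1 track 10 decrement 20
!
! Firewall UT interface (non-Cisco, configured on the firewall, not shown here):
!   address 192.0.2.10/24, default gateway 192.0.2.1 (the HSRP virtual IP)
```

Two points worth checking after applying this: `show standby brief` on both routers should show the 1841 as Active and the 878 as Standby, and shutting the 1841's tracked WAN interface should drop its priority to 90 and move Active to the 878. The MD5 authentication is there so that an unauthenticated host on the shared segment cannot inject HSRP hellos and claim the virtual address; the tracking decrement (20) is chosen to be larger than the priority gap (10) so a WAN failure actually triggers failover. The second subnet (fa0/1 pair plus the other UT interface) would be configured the same way with its own group number and addresses.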
06-11-2008 05:04 AM
Jon
Thank you for the input.
What I like to do is to connect the firewall to the WAN using two connections, one as primary and the second as back-up.
I thought that I could use the switch ports on the routers and make a L3 between the routers and the firewall.
If there is no other solution than using a switch, well then I will use a sw...
Thank you
Frederic
06-11-2008 05:10 AM
Frederic
Ah okay, then if this is what you want to do you don't need HSRP at all. And you wouldn't need to connect the 1841 to the 878.
HSRP is used for end hosts to have a virtual address. But if you are going to be using L3 connectivity between your firewall and the routers then it becomes largely redundant.
The question then becomes how are you going to ensure one UT is used for primary and one for backup. Does the firewall support a routing protocol such as OSPF, and what routing protocol are you using on your WAN router?
Jon
06-11-2008 06:05 AM
Jon
Thank you for your answer.
I will check this with the client.
Thanks