I had a query for a client. I have been asked to install a layer 3 switch (3750 IP Base) in a flat L2 network. We are to redesign the current network such that there is segregation between the VLANs, and through inter-VLAN routing we are to have them communicate without any filtering. Now, some curveballs I am facing with this setup have to do with a client machine that needs to be configured with a public IP so that it doesn't get NATed and instead receives a public IP directly. How would I do this? Would I need to implement a NAT exception/no NAT on the firewall for this? I don't exactly work on firewalls, hence I haven't much of a clue how to do this on the firewall appliance. Just to fill in: the L3 switch is connected directly to the inside port of the firewall.
The client machine will be receiving a public IP directly, and for that VLAN I will then have to route two subnets. One subnet will be for the existing subnet on that VLAN and the second subnet will be for the public IP on the machine in the same VLAN. Due to design constraints I will have to have two subnets on the same VLAN. Is it possible to route two different subnets on a VLAN? If so, then I will have to assign two IP addresses to the SVI on the 3750 (one primary and the second secondary), I suppose, so that the hosts on the second subnet can have a default gateway to point to as well in order to route the traffic. Please guide me with this setup. Looking forward to hearing more on this.
Is it possible for you to move the machine to a DMZ on the firewall? You can then give it a public IP and it's protected from outside users going directly into your trusted network.
Thanks for the reply. No, not quite, since it's a Juniper firewall and that isn't our domain as we are Cisco Partners. The firewall is also being managed by a different vendor. The client doesn't feel that security is its most important goal at the moment, hence the firewall only has an outside and an inside port.
The host machine, specifically speaking, is a Polycom video conferencing station. The firewall is an SSG 140, and yes, the video conferencing machine lies behind the mentioned firewall (inside).
Well, I simulated this in a lab environment:
In VLAN 2 I included 2 hosts, both on different subnets. In VLAN 3 I had 1 host in a separate subnet just for that VLAN. I enabled 'ip routing' globally first, then I gave VLAN 2 two IP addresses, one primary and the other secondary, so that those IP addresses may act as gateways for both subnets, and that worked perfectly. So now the SVI has two IPs for both subnets. Now, if I have a machine with a direct public IP address in the VLAN, do I need to do any special configuration anywhere, i.e. firewall or L3 switch?
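The setup described in the original question and in the lab write-up above, as an added example that is not from any poster in this thread: a 3750 IP Base configuration with one SVI carrying a primary private subnet and a secondary public subnet, a second SVI for the other VLAN, and a routed uplink with a default route toward the firewall's inside port. All addresses, VLAN names and the uplink port are constructed assumptions (the public block is taken from the RFC 5737 documentation range), not the client's real values.

```cisco
! Added example, not the thread poster's lab config. Addresses are constructed.
ip routing
!
vlan 2
 name USERS_AND_VC
vlan 3
 name SERVERS
!
! VLAN 2 carries the existing private subnet (primary) and the public block
! used by the video endpoint (secondary). Each host points its default gateway
! at the SVI address that belongs to its own subnet.
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip address 203.0.113.1 255.255.255.248 secondary
 no shutdown
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 no shutdown
!
! Routed uplink to the firewall's inside interface (assumed point-to-point link
! 192.168.100.0/30, firewall side .1, switch side .2).
interface GigabitEthernet1/0/1
 description Uplink to firewall inside
 no switchport
 ip address 192.168.100.2 255.255.255.252
 no shutdown
!
! Everything not locally connected goes to the firewall.
ip route 0.0.0.0 0.0.0.0 192.168.100.1
```

To check the result on the switch, `show ip interface brief` should list Vlan2, Vlan3 and the uplink as up/up, `show ip route` should show both 192.168.2.0/24 and 203.0.113.0/29 as connected on Vlan2 plus the static default, and a ping from a host in each VLAN 2 subnet to its own SVI address confirms the gateway. The switch side is the easy half: the firewall must also hold a route for 203.0.113.0/29 (and for the private subnets) pointing at 192.168.100.2, must exclude the public block from its source NAT on the outside interface, and must have inbound policies that only permit the ports the video station actually needs, since the public-addressed host sits on the same L2 segment as the private users and any compromise of it lands directly inside the trusted network.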